Proper configuration of stunnel service?

Discussion in 'Tomato Firmware' started by Telex123, May 30, 2012.

  1. Telex123

    Telex123 Networkin' Nut Member

    Can someone please explain how to properly configure the stunnel service so that it automatically starts after the router is rebooted?

    I'm running "Tomato Firmware v1.28.0495 MIPSR2-Toastman-RT-N K26 USB Ext" on a Cisco E3000.

    Here's what I did:
    • Formatted a USB flash drive as ext2. It automounts as "/tmp/mnt/sda1".
    • It must be mounted as "/opt" so I added the following lines (found on a blog) to
      "USB and NAS > USB Support > Run after mounting":
    sleep 5
    umount -f /tmp/mnt/sda1
    # rw is a mount option, not a flag (-r by itself means read-only), so pass it with -o
    mount -o rw,noatime,nodev /dev/sda1 /opt

    NOTE: There's probably a cleaner way of doing this and I'm open to suggestions (something to do with fstab?).
    • Installed "ipkg" as per the instructions in Tomato's Optware tutorial
    • Used ipkg to install stunnel
    • Modified "/opt/etc/stunnel/stunnel.conf" to redirect port 5000 to "". The purpose is to allow simple email clients, that are incapable of handling Secure SMTP, to work with Gmail.
    client = yes
    accept = 5000
    connect =
    • I executed the supplied script "/opt/etc/init.d/S68stunnel" that kills existing stunnel processes and restarts stunnel.
    • From the command prompt on a PC, I can "telnet <MyRouterIPaddress> 5000" and receive a response from Gmail's ESMTP server.
    • Using a non-SSMTP-aware email client, configured to use <MyRouterIpAddress> on port 5000, it can send email using Gmail. Success!
    Here is what I noticed:
    1. Stunnel is not automatically started after the router is rebooted. What is the correct way of configuring stunnel so that it automatically runs as a daemon?
    2. After running "ps", I notice there are multiple stunnel processes (typically seven). Executing "/opt/etc/init.d/S68stunnel" kills all of them and creates a fresh batch of seven stunnel processes. Is this normal?
    3. Initially, stunnel refused to redirect the port (i.e. no response from Gmail on port 5000). Stopping/restarting/rebooting finally cleared the cobwebs. Can someone confirm that stunnel is stable and reliable on Tomato?
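    Two settings in the client section posted above deserve a second look before relying on it, and the point is easiest to see with the weak and the hardened config side by side. The following is an added example, not code from the thread or from the Optware stunnel package: the config as posted (with an assumed connect target, since the page does not show one), a hardened version, and a small lint that flags the two problems. Without "verify", stunnel accepts whatever certificate the far end presents, so the Gmail password the simple client sends in clear text to the router is forwarded over TLS to anyone who can sit between the router and Gmail. A bare "accept = 5000" binds the plaintext listener on every interface of the router, so only the firewall stands between it and the WAN. Assumed, because the page does not state them: the SMTPS endpoint smtp.gmail.com:465, the router LAN address 192.168.1.1, and the CA bundle path /opt/etc/ssl/certs/ca-certificates.crt.

```sh
#!/bin/sh
# Added example, not code from the thread: the stunnel client config as posted
# (weak) next to a hardened version, plus a lint that flags the two settings
# that matter. Assumed: smtp.gmail.com:465 as the SMTPS endpoint, 192.168.1.1
# as the router LAN address, /opt/etc/ssl/certs/ca-certificates.crt as CA bundle.

# As posted: no "verify", so any certificate on the Gmail side is accepted,
# and a bare "accept" port binds the plaintext listener on every interface.
weak_conf() {
cat <<'EOF'
client = yes
accept = 5000
connect = smtp.gmail.com:465
EOF
}

# Hardened: verify the server chain, bind the plaintext side to the LAN only,
# drop privileges, and keep a pidfile so an init or cron script can check liveness.
hardened_conf() {
cat <<'EOF'
setuid = nobody
setgid = nobody
pid = /opt/var/run/stunnel.pid
output = /opt/var/log/stunnel.log

[gmail-smtp]
client = yes
accept = 192.168.1.1:5000
connect = smtp.gmail.com:465
verify = 2
CAfile = /opt/etc/ssl/certs/ca-certificates.crt
; stunnel 5.x can additionally pin the certificate name:
; checkHost = smtp.gmail.com
EOF
}

# lint_stunnel_conf FILE: print one finding per problem, exit 1 if there are any.
lint_stunnel_conf() {
    awk '
    BEGIN { sect = "global"; bad = 0 }
    function flush() {
        if (client == "yes") {
            if (!verified) { print "[" sect "] client=yes without verify/verifyChain: server certificate is not checked"; bad = 1 }
            if (bare)      { print "[" sect "] accept without bind address: plaintext listener on every interface"; bad = 1 }
        }
        client = ""; verified = 0; bare = 0
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
    /^\[/ { flush(); sect = substr($0, 2, length($0) - 2); next }
    index($0, "=") {
        i = index($0, "=")
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "client") client = val
        if (key == "verify" && val + 0 >= 2) verified = 1
        if (key == "verifyChain" && val == "yes") verified = 1
        if (key == "accept" && index(val, ":") == 0) bare = 1
    }
    END { flush(); exit bad }
    ' "$1"
}

# Stand-alone demo: lint both configs and print the findings.
for gen in weak_conf hardened_conf; do
    tmp=$(mktemp)
    $gen > "$tmp"
    echo "== $gen"
    if lint_stunnel_conf "$tmp"; then echo "no findings"; fi
    rm -f "$tmp"
done
```

    The lint only knows about "verify" (stunnel 4.x) and "verifyChain" (5.x); run it against the config the S68stunnel script actually loads before trusting the tunnel with real credentials.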
  2. Telex123

    Telex123 Networkin' Nut Member


    The stability of stunnel on Tomato appears to be very poor.

    I used an automated script, running on a separate computer, to send email every 5 minutes. It ran for 2 hours and then failed because stunnel stopped accepting requests. I logged in to the router, and found that now there were only two active stunnel processes (down from seven).

    While logged into the router, I tried "telnet localhost 5000" and got "Connection closed by foreign host". I repeated the test from a PC, "telnet MyRouterIPAddress 5000", and it resulted in an unresponsive blank screen.

    I also have stunnel installed as a service on a Windows PC, configured precisely the same way it is configured on the Tomato router, and it is running reliably. As soon as I spotted stunnel's failure on the Tomato router, I tried via the PC's stunnel and it allowed me to connect to Gmail. Therefore "Connection closed by foreign host" has nothing to do with Gmail closing the connection; I can connect to Gmail via the PC's instance of stunnel but not via the Tomato router's instance.

    I ran "S68stunnel" to kill the existing stunnel processes and start new ones. Seven new stunnel processes started and "telnet localhost 5000" allowed me to connect to Gmail. Verdict: Tomato's stunnel is either flawed or I've overlooked configuring something critical to its stability.

    Anyone using stunnel successfully on Tomato?

    I've discovered that logging out of the router and logging back in appears to change the number of active stunnel processes. While logged in, seven stunnel processes are created upon execution of S68stunnel. All processes are owned by "nobody". Logging out and logging back in shows that only two processes remain alive and they no longer redirect ports (i.e. no longer do what stunnel is supposed to do).

    Given that all of my successes occurred while I was logged in to the router, and failures while I was logged out, I strongly suspect I am starting stunnel the wrong way. Help with this would be greatly appreciated!

  3. Telex123

    Telex123 Networkin' Nut Member

    I'm pleased to report I discovered the answers to my questions.

    To automatically mount the USB flash drive as "/opt":
    1. I added a label, "optware", to the single partition on the USB flash drive.
    2. In Administration > Scripts > Init, I added the following line:
      echo "LABEL=optware /opt ext2 rw,noatime 1 1" >> /etc/fstab
    To automatically start/stop the stunnel daemon:
    I chose to use executable ".autorun" and ".autostop" scripts located in the root of the USB flash drive.
    "00-mount.autorun" contains:

    "00-umount.autostop" contains:
    # logger -p expects a priority argument; without one it would swallow -t, so -p is dropped here
    logger -t 00-umount.autostop "killall stunnel"
    killall stunnel 2>/dev/null

    • Plug in the USB flash drive and it automatically mounts as /opt and starts the stunnel daemon.
    • Using USB and NAS > USB Support > Attached Devices to unmount the flash drive will log the event and kill all stunnel processes.

    • Seven stunnel processes appear to be the normal number when stunnel is started.
    • The stunnel processes are owned by user "nobody" (I'm not sure this is normal; all other processes are owned by root).
    • Starting S68stunnel from an .autorun file, or from USB and NAS > USB Support > Run after mounting, results in stable performance. Starting the script during a telnet session, and then logging out, causes several of the seven stunnel processes to terminate and results in a non-functional stunnel.

    Final touch:
    • I wanted the state of the USB light on the E3000 router to correspond to the mount/unmount state.
      • I added "led usb on" to USB and NAS > USB Support > Run after mounting
      • I added "led usb off" to USB and NAS > USB Support > Run before unmounting
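    The contents of "00-mount.autorun" did not survive on this page, and the second post shows the failure a start script should guard against: the listener on port 5000 quietly stops answering. The following is an added example, not the thread's own .autorun and not part of the Optware stunnel package. It starts stunnel from the .autorun hook only when /opt is really mounted and no live stunnel pidfile exists, and it has a "check" mode for a cron entry that probes the port 5000 listener for an SMTP 220 greeting and restarts stunnel when it gets none. Assumed, because the page does not state them: the init script /opt/etc/init.d/S68stunnel restarts stunnel when run without arguments (as the thread used it), "pid = /opt/var/run/stunnel.pid" is set in stunnel.conf, the listener is 192.168.1.1:5000, busybox nc is installed, and cron entries are added with Tomato's cru command.

```sh
#!/bin/sh
# Added example, not the thread's own .autorun: /opt/sbin/stunnel-watch.sh.
# "autorun" mode is for 00-mount.autorun; "check" mode is for a cru entry.
# Assumed: S68stunnel restarts stunnel when run without arguments, stunnel.conf
# sets pid = /opt/var/run/stunnel.pid, the listener is 192.168.1.1:5000, and
# busybox nc is available on the router.

TAG=stunnel-watch
INIT=/opt/etc/init.d/S68stunnel
PIDFILE=/opt/var/run/stunnel.pid
LISTEN_HOST=192.168.1.1
LISTEN_PORT=5000

# logger -p takes a priority argument, so -t must not follow it directly.
log() { logger -t "$TAG" "$*"; }

opt_mounted() { grep -q ' /opt ' /proc/mounts 2>/dev/null; }

# pid_alive PIDFILE: succeed only if the file holds the PID of a live process.
pid_alive() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null
}

# smtp_greeting_ok LINE: true for an SMTP 220 greeting, which is what the
# stunnel listener relays from Gmail when the tunnel is working.
smtp_greeting_ok() {
    case "$1" in
        "220 "*|"220-"*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_listener HOST PORT: connect to the plaintext side and read the banner,
# then say QUIT so Gmail closes the session cleanly.
probe_listener() {
    banner=$(printf 'QUIT\r\n' | nc "$1" "$2" 2>/dev/null | head -n 1 | tr -d '\r')
    smtp_greeting_ok "$banner"
}

restart_stunnel() {
    log "restarting stunnel via $INIT"
    "$INIT"
}

# autorun: called from 00-mount.autorun after Tomato has mounted the stick.
autorun() {
    if ! opt_mounted; then log "/opt not mounted, not starting stunnel"; return 1; fi
    if pid_alive "$PIDFILE"; then log "stunnel already running"; return 0; fi
    restart_stunnel
}

# check: called every few minutes from cron, e.g.
#   cru a stunnel-check "*/5 * * * * /opt/sbin/stunnel-watch.sh check"
check() {
    if pid_alive "$PIDFILE" && probe_listener "$LISTEN_HOST" "$LISTEN_PORT"; then
        return 0
    fi
    log "stunnel listener on $LISTEN_HOST:$LISTEN_PORT not answering"
    restart_stunnel
}

case "${1:-}" in
    autorun) autorun ;;
    check)   check ;;
esac
```

    Tomato runs .autorun files without arguments, so "00-mount.autorun" becomes a one-liner, exec /opt/sbin/stunnel-watch.sh autorun, and the .autostop script from the post keeps doing the killall. The pidfile check only works if stunnel.conf actually sets "pid =", which is why the probe on the listener is the check that matters.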