First, to define my terms. I will call the PC from which I am connecting (e.g. my home computer) REMOTE, and the one at the office to which I want to RDC I'll call OFFICE. What I'm wanting to do is require the REMOTE user to enter credentials when trying to connect to OFFICE. I recall that stunnel used to work that way when I first used it (5 years ago!).
Why? Because the cyber insurance company doesn't want to see RDC ports accessible from the Internet. I figure with stunnel as a layer, probing the RDC ports will return a stunnel handshake and not the RDC fingerprint.
Although I had stunnel running 5 years ago, my notes are incomplete and there is no good tutorial on setting it up. The stunnel "documentation" consists of manpage-like descriptions of the various conf parameters, so one basically already needs to know how to set up stunnel and can use the docs as a refresher reference.
The first task I'm attempting is to set up OFFICE, which I've already done incorrectly since it is the server, not the client. I've changed the config to:
Code:
[WIN10]
accept = 127.0.0.1:3389
CAfile = stunnel.pem
But I still get the permission denied error. You wrote: "Windows runs RDP on 3389, so you can't rebind the port." Maybe I'm going about this wrong and stunnel should not be running on OFFICE at all.
Here's my setup: There's another computer in the mix, located at the office, which I'll call ROUTER; it is Linux. Windows computer REMOTE is at, e.g., a home office somewhere on planet Earth. It attempts an RDC connection to ROUTER using secret port 1234 (not 3389). ROUTER redirects port 1234 to host OFFICE:3389. It does this for several office workstations. For example, port 4567 is redirected to JANE:3389, etc. This all works now.
Perhaps I should have stunnel running as a server on ROUTER, not on the target Windows workstation?
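An added example (not from the poster's setup or the stunnel project) of the layout the last paragraph describes: stunnel in server mode on ROUTER, terminating TLS on the forwarded ports and passing plain RDP on to each workstation, with REMOTE running stunnel in client mode and mstsc pointed at a local port. The certificate file paths, the client CA and the local port 13389 are assumptions; the "credential" stunnel enforces here is a client certificate checked against CAfile, not a password prompt.

```ini
; ---- ROUTER (Linux): /etc/stunnel/stunnel.conf, server mode (assumed path) ----
; Server certificate and key for ROUTER (assumed file).
cert = /etc/stunnel/router.pem
; CA that issued the client certificates handed to remote users (assumed file).
CAfile = /etc/stunnel/clients-ca.pem
; Require a client certificate and verify it against CAfile;
; a probe without one fails the TLS handshake and never reaches RDP.
verifyChain = yes
requireCert = yes
; Log handshake failures so rejected connections are visible (assumed path).
debug = 5
output = /var/log/stunnel/stunnel.log

; Port 1234 -> OFFICE:3389, as in the existing ROUTER forwarding.
[office-rdp]
accept = 0.0.0.0:1234
connect = OFFICE:3389

; Port 4567 -> JANE:3389, one service per workstation.
[jane-rdp]
accept = 0.0.0.0:4567
connect = JANE:3389

; ---- REMOTE (Windows): stunnel.conf, client mode ----
; (separate file on the other machine; shown here for the complete picture)
client = yes
; This user's client certificate and key (assumed file).
cert = remote-client.pem
; CA that issued ROUTER's server certificate (assumed file).
CAfile = router-ca.pem
verifyChain = yes
; Only accept a server certificate issued to ROUTER's name.
checkHost = ROUTER

; Listen locally on 13389 because Windows already owns 3389;
; mstsc then connects to 127.0.0.1:13389.
[office-rdp]
accept = 127.0.0.1:13389
connect = ROUTER:1234
```

With this in place, a scan of ROUTER:1234 sees a TLS server that rejects any peer lacking a certificate from the client CA; OFFICE:3389 itself is never exposed, and ROUTER's existing port forward for 1234 is replaced by the stunnel service.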