patmcc 10 hours ago
No joke, it just came up at work as a possible solution to something. We have some legacy systems that talk over TCP in plaintext. It's all within well-secured networks on locked down machines, so fine. But now we want to move things to Megaport, and their agreement says "btw don't put anything in plaintext ever, we guarantee nothing". So stunnel will probably be the fix.
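Since this comment settles on stunnel, here is what the two ends of that wrap look like, as an added example that is not from the comment or from the stunnel project (stunnel 5.x syntax assumed; the hostnames, ports, user name and file paths are placeholders). The legacy service keeps listening in plaintext on 127.0.0.1:5000 on the server host and stunnel terminates TLS on 5443 in front of it; the client host gets a local plaintext listener on 127.0.0.1:5000 that the legacy client is pointed at, so neither legacy program changes. Both sides present a certificate from a private CA, verify the other side's chain and pin the expected peer name, so a box on the carrier fabric can neither read the stream nor impersonate either end.

```ini
; ---- server host: /etc/stunnel/legacy-server.conf
; Added example, not stunnel's own sample config. Paths and names are placeholders.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel/legacy-server.pid
foreground = no
debug = notice
output = /var/log/stunnel/legacy-server.log

[legacy-server]
; TLS listener faces the carrier network; plaintext never leaves loopback
accept = 0.0.0.0:5443
connect = 127.0.0.1:5000
; server certificate and key issued by the private CA
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
; trust only the private CA, never the system bundle, for peer verification
CAfile = /etc/stunnel/legacy-ca.pem
; require a client certificate chaining to legacy-ca.pem (mutual TLS);
; without this line anyone who can reach 5443 gets the plaintext service
verifyChain = yes
; additionally pin the client's certificate name (SAN or CN)
checkHost = legacy-client.internal.example
sslVersionMin = TLSv1.2
renegotiation = no

; ---- client host: /etc/stunnel/legacy-client.conf
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel/legacy-client.pid
foreground = no
debug = notice
output = /var/log/stunnel/legacy-client.log

[legacy-client]
client = yes
; the legacy client program keeps talking plaintext to 127.0.0.1:5000 as before
accept = 127.0.0.1:5000
connect = legacy-server.internal.example:5443
cert = /etc/stunnel/client.pem
key = /etc/stunnel/client.key
CAfile = /etc/stunnel/legacy-ca.pem
; The weak version of this stanza omits CAfile, verifyChain and checkHost:
; stunnel then encrypts but does not authenticate the server, so a
; man-in-the-middle on the path terminates TLS itself and reads everything.
verifyChain = yes
checkHost = legacy-server.internal.example
sslVersionMin = TLSv1.2
renegotiation = no
```

Start each side with `stunnel /etc/stunnel/legacy-server.conf` (respectively the client file) and check the log for "TLS accepted"/"TLS connected" lines; a deliberate test with a certificate from a different CA should be refused on both ends before the link goes live. The CA used here should be private to this purpose, since `verifyChain` accepts any certificate the configured CA has signed.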
Piraty 4 hours ago | parent | next
I was involved in a very similar situation once. I recommend WireGuard for this; it's been mature for years, has superb support in Linux and some BSDs, and there are userspace implementations if you need that. It wraps traffic in UDP, so the overhead is much smaller and throughput much higher than with traditional TCP-based VPNs (you want to avoid TCP-in-TCP!). There were once patches posted to lkml that passed QoS flags from the inner packet to the WireGuard packet, if you need that; not sure if that landed upstream in the end. Key distribution and lifecycle management was what was still unsolved years back when this was evaluated; nowadays Tailscale and its clones and similar OSS should serve you well.
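For the WireGuard route this comment recommends, here is the shape of the two peer configs as an added example, not from the comment or from the WireGuard project (wg-quick format; tunnel addresses, the endpoint name and the key placeholders are mine). What it shows beyond the comment: each peer's AllowedIPs is the cryptokey routing table, so restricting it to the single tunnel address of the other end means the tunnel only carries, and only accepts, that peer's traffic, and the legacy service can then bind to the wg0 address alone instead of the carrier-facing interface.

```ini
# ---- server host: /etc/wireguard/wg0.conf
# Added example. Keys are placeholders: generate with
#   wg genkey | tee server.key | wg pubkey > server.pub   (same for the client)
#   wg genpsk > legacy.psk                                (copy out of band)
[Interface]
Address = 10.90.0.1/32
ListenPort = 51820
PrivateKey = <server private key>
# The legacy server should now listen on 10.90.0.1:5000 (or be firewalled to
# wg0 only), so its plaintext port is unreachable from the Megaport side.

[Peer]
# the legacy client host
PublicKey = <client public key>
PresharedKey = <contents of legacy.psk>
# Only the client's tunnel address is accepted from, and routed to, this peer.
# A wider value such as 0.0.0.0/0 here would accept packets with any source
# address from this peer and route all of this host's traffic into the tunnel.
AllowedIPs = 10.90.0.2/32

# ---- client host: /etc/wireguard/wg0.conf
[Interface]
Address = 10.90.0.2/32
PrivateKey = <client private key>

[Peer]
PublicKey = <server public key>
PresharedKey = <contents of legacy.psk>
Endpoint = legacy-server.internal.example:51820
AllowedIPs = 10.90.0.1/32
# The legacy client is pointed at 10.90.0.1:5000: TCP inside UDP, no TCP-in-TCP.
# Keepalive keeps a NAT or stateful firewall mapping open if the client sits behind one.
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0` and confirm with `wg show wg0` that the peer shows a recent handshake; the PresharedKey is optional in WireGuard but cheap, and the key rotation problem the comment mentions is exactly what Tailscale-style control planes automate on top of this.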
danlitt 2 hours ago | parent | prev | next
This is cool, but "legacy systems that talk over TCP in plaintext" sounds like it might qualify for "horribly outdated", no?
nine_k 9 hours ago | parent | prev
Not WireGuard?