[Solution Learning] Secure DDS communication through Internet using stunnel

Asked Feb 03, 2025 at 20:21

Introduction

When using Huawei Cloud Document Database Service (DDS), you can enable Secure Sockets Layer (SSL) to establish an encrypted connection between your client and the DDS instance you want to access. However, since the SSL certificate is issued for the internal management IP address of DDS, you need to download the SSL certificate and configure it manually in every application that connects to DDS.

If your applications connect to DDS over a private network (for example, by being deployed in the same Virtual Private Cloud (VPC) or through a Virtual Private Network (VPN)), but you also want to connect securely to DDS over the Internet without configuring the SSL certificate in every application, you need a third-party solution to secure the communication.

This article shows how to use stunnel to implement a secure communication between your local machine and your DDS instance on Huawei Cloud, without exposing it directly to the Internet. As described on their homepage, "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."


Solution architecture

The following architecture is used as the reference for this solution. Given that you already have a DDS instance deployed on Huawei Cloud, you need to deploy an Elastic Cloud Server (ECS) with an Elastic IP (EIP) bound to it (203.0.113.1 is used as an example). On this ECS, you install and configure stunnel to listen for incoming connections on a specified port (58635 is used as an example) and forward the traffic to the IP address of the DDS primary node (10.0.0.10 is used as an example, port 8635).

Solution architecture: mongo client and stunnel client in the local machine, connects to stunnel server in ECS which redirects traffic to DDS primary node

Note: this stunnel service forwards to a single DDS node only. The primary node is used in this example. If you also wish to connect to a secondary node, you need to replicate the configuration for it.

Example environment

  • Document Database Service (DDS) instance. Primary node IP is 10.0.0.10 in this example, with port 8635;
  • Elastic Cloud Server (ECS) instance with Ubuntu 22.04 server OS. The smallest flavor is enough (t6.small.1);
  • Elastic IP (EIP) bound to the ECS. IP address 203.0.113.1 is used in this example;
  • Local computer with Windows OS and a MongoDB client;

Stunnel server configuration

Log in to the ECS and install stunnel:


sudo apt update && sudo apt install -y stunnel

Generate the SSL private key and the certificate. Fill the certificate information as you wish.


sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/stunnel/dds.key -out /etc/stunnel/dds.pem

Restrict access to the key file:


sudo chmod 600 /etc/stunnel/dds.key

Create the stunnel server configuration file /etc/stunnel/dds.conf and add the following content:


pid = /run/stunnel-dds.pid

[dds-primary]
cert = /etc/stunnel/dds.pem
key = /etc/stunnel/dds.key
; listen to incoming connections in this port
accept = 58635
; DDS primary node IP and port
connect = 10.0.0.10:8635

Copy the contents of the certificate file /etc/stunnel/dds.pem and save them on the local machine.

Ensure the security group of your ECS allows inbound traffic to the port configured in the accept parameter (58635 in this case).

Restart stunnel and then confirm it's running. "active (running)" should be displayed.


sudo service stunnel4 restart
sudo service stunnel4 status

Stunnel client configuration (Windows)

Download and install stunnel in your local machine: https://www.stunnel.org/downloads.html

Search for "stunnel GUI Start" in your Start Menu and click it. The stunnel icon should appear in the system tray.

Right-click the stunnel icon in the system tray and select "Show Log Window".

In the top menu of the stunnel log window, select Configuration > Edit Configuration.

Put the following content at the end of the configuration file and then save it:


[dds-primary]
client = yes
; listen to this port in local machine
accept = 127.0.0.1:58635
; EIP associated to your ECS (stunnel server) and port
connect = 203.0.113.1:58635
; certificate file obtained from stunnel server
CAfile = dds.pem
verify = 4

Save the certificate file (obtained from the stunnel server) as dds.pem in the same folder as the stunnel configuration file.

  • If you installed stunnel for all users, the location should be C:\Program Files (x86)\stunnel\config
  • If you installed stunnel for your current user only, the location should be C:\Users\<username>\AppData\Local\Programs\stunnel\config
  • You can also confirm the configuration file location in the stunnel log window: Reading configuration from file C:\...\stunnel\config\stunnel.conf

In the top menu of stunnel log window, select Configuration > Reload Configuration. You should not see any errors.


If you see the following error message "No trusted certificates found", it means the certificate file was not saved to the correct location or it does not have the right filename/extension. Double check and try again.
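As an added example (not part of the original post), the following Python script cross-checks the server and client stunnel configurations before you reload anything: it parses both files, confirms that the client's connect port matches the server's accept port, that the client listens only on 127.0.0.1 (the client side carries plaintext MongoDB traffic), that CAfile and verify are set, and that dds.pem on both sides is the same certificate by SHA-256 fingerprint (the value openssl x509 -fingerprint -sha256 prints). The configuration texts and PEM bodies embedded in it are constructed samples; read your real files in place of the constants.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stunnel's INI-like format: global options before the first
    [section], `key = value` lines inside sections, ';' or '#' comments."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed stunnel option: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def split_host_port(endpoint: str) -> Tuple[str, int]:
    """stunnel accepts 'port' (all addresses) or 'host:port'; host is '' when absent."""
    host, sep, port = endpoint.rpartition(":")
    return (host if sep else "", int(port))


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 of the DER bytes inside the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def check_tunnel(server_conf: str, client_conf: str, section: str,
                 server_pem: str, client_pem: str) -> List[str]:
    """Return the mismatches found; an empty list means both sides agree."""
    problems: List[str] = []
    srv = parse_stunnel_conf(server_conf).get(section)
    cli = parse_stunnel_conf(client_conf).get(section)
    if srv is None or cli is None:
        return [f"section [{section}] missing on the server or the client"]
    for opt in ("cert", "key", "accept", "connect"):
        if opt not in srv:
            problems.append(f"server: '{opt}' is missing")
    if cli.get("client", "no").lower() != "yes":
        problems.append("client: 'client = yes' is missing")
    if "accept" in srv and "connect" in cli:
        srv_port = split_host_port(srv["accept"])[1]
        cli_port = split_host_port(cli["connect"])[1]
        if srv_port != cli_port:
            problems.append(f"client connects to port {cli_port} but the server accepts on {srv_port}")
    # Plaintext MongoDB traffic enters here, so bind to loopback only.
    if "accept" in cli and split_host_port(cli["accept"])[0] not in ("127.0.0.1", "localhost", "::1"):
        problems.append("client: 'accept' must bind to 127.0.0.1, not all interfaces")
    if "CAfile" not in cli:
        problems.append("client: 'CAfile' is missing, so the server certificate is not pinned")
    if cli.get("verify", "0") == "0":
        problems.append("client: 'verify' is missing or 0, so the server certificate is never checked")
    if cert_fingerprint(server_pem) != cert_fingerprint(client_pem):
        problems.append("client CAfile is not the certificate on the stunnel server")
    return problems


# Constructed sample configs using the example addresses and ports.
SERVER_CONF = """\
pid = /run/stunnel-dds.pid

[dds-primary]
cert = /etc/stunnel/dds.pem
key = /etc/stunnel/dds.key
; listen to incoming connections on this port
accept = 58635
connect = 10.0.0.10:8635
"""

CLIENT_CONF = """\
[dds-primary]
client = yes
accept = 127.0.0.1:58635
connect = 203.0.113.1:58635
CAfile = dds.pem
verify = 4
"""

# Same client config with two port digits transposed, the kind of slip this check catches.
CLIENT_CONF_TYPO = CLIENT_CONF.replace("203.0.113.1:58635", "203.0.113.1:58653")


def fake_pem(payload: bytes) -> str:
    """Constructed PEM whose body is arbitrary bytes, not a real certificate;
    the fingerprint comparison only needs identical DER bytes on both sides."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = fake_pem(b"constructed certificate bytes")
    print("matching configs:", check_tunnel(SERVER_CONF, CLIENT_CONF, "dds-primary", pem, pem))
    print("transposed port:", check_tunnel(SERVER_CONF, CLIENT_CONF_TYPO, "dds-primary", pem, pem))
```

Run it before Configuration > Reload Configuration on the client; with real files, compare the fingerprint it prints with the output of openssl x509 -noout -fingerprint -sha256 -in /etc/stunnel/dds.pem on the ECS.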


Mongo client configuration

Once stunnel is running and configured successfully (both on your local machine and on your ECS on Huawei Cloud), you can connect to your Huawei Cloud DDS through stunnel using the following connection string (replace {PASSWORD} and {DATABASE}; "test" can be used as the database):


mongodb://rwuser:{PASSWORD}@localhost:58635/{DATABASE}?authSource=admin&directConnection=true

Note: the directConnection=true option is required for this solution. Without it, the client attempts to discover all servers in the replica set (the default behavior). That discovery returns the private IP addresses of the DDS nodes, which the local machine cannot reach directly.
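The following Python helper is an added example (not from the original post) that builds the connection string above and checks an existing one before it is handed to a driver. It assumes the stunnel client accept address 127.0.0.1:58635 and the user rwuser from this article. Beyond the string shown above, it percent-encodes the user and password, since the MongoDB URI format treats ':' '/' '?' '#' '[' ']' '@' and '%' as delimiters if left raw, and it flags a multi-host list, which cannot work because only the local stunnel listener is reachable.

```python
from typing import List
from urllib.parse import parse_qs, quote, urlsplit

TUNNEL_PORT = 58635  # local stunnel `accept` port used in this article


def build_uri(password: str, database: str, user: str = "rwuser",
              tunnel_port: int = TUNNEL_PORT) -> str:
    """Connection string that enters the tunnel at localhost:<tunnel_port>.
    Credentials are percent-encoded so reserved characters survive parsing."""
    return (f"mongodb://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@localhost:{tunnel_port}/{database}"
            "?authSource=admin&directConnection=true")


def check_uri(uri: str, tunnel_port: int = TUNNEL_PORT) -> List[str]:
    """Return the reasons a connection string will not work through the tunnel."""
    problems: List[str] = []
    u = urlsplit(uri)
    if u.scheme != "mongodb":
        problems.append(f"scheme must be mongodb, not {u.scheme!r}")
    hostinfo = u.netloc.rpartition("@")[2]
    if "," in hostinfo:
        problems.append("only one host is reachable: the local stunnel listener")
    try:
        host, port = u.hostname, u.port
    except ValueError:  # e.g. a host list makes the port unparsable
        host, port = None, None
    if host not in ("localhost", "127.0.0.1") or port != tunnel_port:
        problems.append(f"host must be localhost:{tunnel_port}, the stunnel client 'accept' address")
    if not u.path.strip("/"):
        problems.append("no database in the path")
    q = parse_qs(u.query)
    if q.get("authSource", [""])[0] != "admin":
        problems.append("authSource=admin is missing (the article authenticates against admin)")
    if q.get("directConnection", ["false"])[0].lower() != "true":
        problems.append("directConnection=true is missing: the driver would run replica-set "
                        "discovery and try the DDS nodes' private IPs")
    return problems


if __name__ == "__main__":
    # Constructed password with every reserved character that would otherwise break parsing.
    uri = build_uri("p@ss:w/rd%", "test")
    print(uri)
    print("problems:", check_uri(uri))
    print("without directConnection:",
          check_uri("mongodb://rwuser:secret@localhost:58635/test?authSource=admin"))
```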

MongoDB Compass is used as an example. Once connected, the stunnel log window should also show that the connection was successful.

Troubleshooting

If your mongo client is not able to connect to DDS, check the logs in the stunnel log window. Here are some errors you may find and their possible root causes:

  • s_connect: s_poll_wait x.x.x.x:58635: TIMEOUTconnect exceeded - The local machine cannot connect to the stunnel server. The `connect` parameter in the stunnel client configuration file may be wrong (wrong EIP or port), or the security group associated with the ECS may not allow inbound traffic to the specified port.
  • s_connect: connect x.x.x.x:58635: Connection refused (WSAECONNREFUSED) (10061) - stunnel may not be running on your ECS, or the `accept` parameter in the stunnel server configuration file may be wrong.
  • transfer: SSL_read: Connection reset by peer (WSAECONNRESET) (10054) - The ECS cannot connect to DDS. The `connect` parameter in the stunnel server configuration may be incorrect (wrong DDS primary IP or port), or the security group associated with the DDS instance may not allow inbound traffic from the ECS.
  • error queue: X509_load_cert_crl_file_ex / No trusted certificates found - The certificate path may be wrong in the stunnel client configuration file.
  • CERT: Pre-verification error: certificate not found in local repository: self-signed certificate - The certificate configured in the stunnel client may not be the same as the one on the stunnel server.

You can also get the following error on your mongo client: connect ETIMEDOUT x.x.x.x:8635 There was a problem connecting to localhost:58635 (where x.x.x.x is the private IP address of one of the DDS nodes). This means you did not specify the directConnection=true option in the connection string.
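The troubleshooting list above can be turned into a small log classifier. The following Python script is an added example (not part of the original post): it matches each log line against the messages listed above, records which hop failed (local machine to stunnel server, stunnel server to DDS, certificate pinning, or the mongo driver bypassing the tunnel) together with the setting to check, and extracts the endpoint from the line where one is present so you can see immediately whether the unreachable address is the EIP or a DDS private IP. The log excerpt is constructed from the quoted error texts; the timestamp and LOG-level prefix are assumed.

```python
import re
from typing import Dict, List, Optional

# (pattern, failing hop, what to check), one entry per message in the list above.
RULES = [
    (re.compile(r"s_connect: s_poll_wait (?P<ep>[\d.]+:\d+): TIMEOUTconnect exceeded"),
     "local machine -> stunnel server",
     "client 'connect' (EIP and port) and the ECS security group inbound rule"),
    (re.compile(r"s_connect: connect (?P<ep>[\d.]+:\d+): Connection refused"),
     "local machine -> stunnel server",
     "stunnel4 service on the ECS and the server 'accept' port"),
    (re.compile(r"transfer: SSL_read: Connection reset by peer"),
     "stunnel server -> DDS primary",
     "server 'connect' (DDS primary IP and port) and the DDS security group"),
    (re.compile(r"No trusted certificates found"),
     "client certificate pinning",
     "CAfile path and filename in the client configuration"),
    (re.compile(r"certificate not found in local repository"),
     "client certificate pinning",
     "dds.pem on the client must be the certificate served by the ECS"),
    (re.compile(r"connect ETIMEDOUT (?P<ep>[\d.]+:\d+)"),
     "mongo driver -> DDS node directly (tunnel bypassed)",
     "add directConnection=true to the connection string"),
]


def diagnose(line: str) -> Optional[Dict[str, str]]:
    """Classify one log line, or return None if it is not a known failure."""
    for pattern, hop, check in RULES:
        m = pattern.search(line)
        if m:
            return {"hop": hop, "check": check, "endpoint": m.groupdict().get("ep", "")}
    return None


def diagnose_log(lines: List[str]) -> List[Dict[str, str]]:
    """Distinct diagnoses in first-seen order; informational lines are skipped."""
    seen, out = set(), []
    for line in lines:
        d = diagnose(line)
        if d is None:
            continue
        key = (d["hop"], d["check"])
        if key not in seen:
            seen.add(key)
            out.append(d)
    return out


# Constructed stunnel client log excerpt (prefix format assumed) with the
# example EIP; repeated retries collapse into a single diagnosis.
SAMPLE_LOG = [
    "2025.02.03 20:30:01 LOG5[0]: Service [dds-primary] accepted connection from 127.0.0.1:52000",
    "2025.02.03 20:30:22 LOG3[0]: s_connect: s_poll_wait 203.0.113.1:58635: TIMEOUTconnect exceeded",
    "2025.02.03 20:30:44 LOG3[0]: s_connect: s_poll_wait 203.0.113.1:58635: TIMEOUTconnect exceeded",
    "2025.02.03 20:31:05 LOG3[1]: transfer: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)",
]

if __name__ == "__main__":
    for d in diagnose_log(SAMPLE_LOG):
        print(f"{d['hop']:<55} {d['endpoint']:<20} check: {d['check']}")
```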
