I am using DRBD for disaster recovery from a remote location, and I'd like to
encrypt the DRBD network traffic. Additional IP addresses are unavailable for a
VPN on both nodes. It seemed stunnel was the best solution. It took me a while
to conceptualize the configuration, but I've got it working and wanted to share
what I did.

A stunnel client and a stunnel server need to be running on both nodes. If we
consider the example configuration [1]:

First, generate some certificates on each of the nodes:

  # -days: without it "openssl req -x509" issues a certificate valid for only
  # 30 days, after which the tunnel stops working
  alice:/etc/stunnel# openssl req -new -nodes -x509 -days 3650 -out drbd-alice-pub.pem -keyout drbd-alice-private.pem
  alice:/etc/stunnel# chmod 400 drbd-alice-pub.pem drbd-alice-private.pem

  bob:/etc/stunnel# openssl req -new -nodes -x509 -days 3650 -out drbd-bob-pub.pem -keyout drbd-bob-private.pem
  bob:/etc/stunnel# chmod 400 drbd-bob-pub.pem drbd-bob-private.pem

Then copy the public keys to the other server, using scp for example:

  alice:/etc/stunnel# scp drbd-alice-pub.pem 10.1.1.32:/etc/stunnel
  bob:/etc/stunnel# scp drbd-bob-pub.pem 10.1.1.31:/etc/stunnel

Now set up the stunnel configurations:

  alice:/etc/stunnel# cat drbd-client.conf
  ; local DRBD dials bob's r0.res address here; stunnel carries it to bob:5000
  [drbd to bob]
  client = yes
  accept = 127.0.0.1:7790
  connect = 10.1.1.32:5000
  verify = 2
  CAfile = /etc/stunnel/drbd-bob-pub.pem

  alice:/etc/stunnel# cat drbd-server.conf
  chroot = /usr/local/var/lib/stunnel/
  setuid = nobody
  setgid = nogroup
  ; pid path is relative to the chroot
  pid = /stunnel.pid
  ; cert/key are read before chroot/setuid, so absolute host paths are fine
  cert = /etc/stunnel/drbd-alice-pub.pem
  key = /etc/stunnel/drbd-alice-private.pem
  ; Disable support for insecure SSLv2 protocol
  options = NO_SSLv2
  ; These options provide additional security at some performance degradation
  options = SINGLE_ECDH_USE
  options = SINGLE_DH_USE
  ; decrypted traffic from bob goes to alice's own DRBD listener
  [drbd from bob]
  accept = 5000
  connect = 127.0.0.1:7789

  bob:/etc/stunnel# cat drbd-client.conf
  ; local DRBD dials alice's r0.res address here; stunnel carries it to alice:5000
  [drbd to alice]
  client = yes
  accept = 127.0.0.1:7789
  connect = 10.1.1.31:5000
  verify = 2
  CAfile = /etc/stunnel/drbd-alice-pub.pem

  bob:/etc/stunnel# cat drbd-server.conf
  chroot = /usr/local/var/lib/stunnel/
  setuid = nobody
  setgid = nogroup
  ; pid path is relative to the chroot
  pid = /stunnel.pid
  ; cert/key are read before chroot/setuid, so absolute host paths are fine
  cert = /etc/stunnel/drbd-bob-pub.pem
  key = /etc/stunnel/drbd-bob-private.pem
  ; Disable support for insecure SSLv2 protocol
  options = NO_SSLv2
  ; These options provide additional security at some performance degradation
  options = SINGLE_ECDH_USE
  options = SINGLE_DH_USE
  ; decrypted traffic from alice goes to bob's own DRBD listener
  [drbd from alice]
  accept = 5000
  connect = 127.0.0.1:7790

(Make sure the chroot /usr/local/var/lib/stunnel/ is owned by nobody.nogroup.)

Now, modify the DRBD resource configuration: update the address for alice to be
127.0.0.1:7789 and for bob to be 127.0.0.1:7790.

Start stunnel on both nodes and make sure there are no errors, then bring up the
DRBD resource on both nodes. Verify (with netstat, for example) that the only
inter-node network connections are happening on port 5000, the encrypted stunnel.

Summary:

For the DRBD traffic from alice to bob: alice connects to bob using bob's
defined address 127.0.0.1:7790 (from /etc/drbd.d/r0.res), which is a stunnel
client daemon that encrypts the traffic and sends it to bob at 10.1.1.32:5000
(alice:/etc/stunnel/drbd-client.conf), which is a stunnel server daemon that
receives the encrypted data, decrypts it and forwards it to 127.0.0.1:7790
(bob:/etc/stunnel/drbd-server.conf).

For the DRBD traffic from bob to alice: bob connects to alice using the defined
address 127.0.0.1:7789 (from /etc/drbd.d/r0.res), which is a stunnel client
daemon that encrypts the traffic and connects to alice at 10.1.1.31:5000
(bob:/etc/stunnel/drbd-client.conf), which is a stunnel server daemon that
receives the encrypted data, decrypts it and forwards it to 127.0.0.1:7789
(alice:/etc/stunnel/drbd-server.conf).

Please comment if you feel I've overlooked anything. Thanks.

1. http://www.drbd.org/en/doc/users-guide-84/s-configure-resource
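The three-hop wiring above (DRBD -> local stunnel client -> peer stunnel server -> peer DRBD) is easy to get subtly wrong, and the posted configs verify the peer certificate only on the client side: the server services carry no "verify", so any host that can reach port 5000 gets a cleartext path to DRBD. The script below is an added example, not code from the original post, that lints one direction of the wiring from the config files and flags exactly those gaps. The sample configs it writes are constructed to mirror the post; the "hardened" variant (server-side "verify = 2" plus "CAfile" pointing at the peer's cert, and "cert"/"key" in the client config so it can present a certificate to a verifying server), the temporary directory and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: lint the stunnel <-> DRBD wiring
# for one direction of traffic (e.g. alice -> bob).  The sample configs below are
# constructed to mirror the post; the "hardened" variant (server-side verify,
# client cert/key) and all file names are assumptions.

# ini_get FILE SECTION KEY: print the first value of KEY inside [SECTION]
# (SECTION "" means the global part before any [section] header).
ini_get() {
  awk -v want="$2" -v key="$3" '
    /^[ \t]*[;#]/ { next }                                   # comment line
    /^[ \t]*\[/   { s=$0; sub(/^[ \t]*\[/,"",s); sub(/\].*$/,"",s); sec=s; next }
    index($0,"=") {
      k=$0; sub(/=.*/,"",k);     gsub(/^[ \t]+|[ \t]+$/,"",k)
      v=$0; sub(/^[^=]*=/,"",v); gsub(/^[ \t]+|[ \t]+$/,"",v)
      if (sec==want && k==key) { print v; exit }
    }' "$1"
}

# opt FILE SVC KEY: service-level value, falling back to the global section
opt() { v=$(ini_get "$1" "$2" "$3"); [ -n "$v" ] || v=$(ini_get "$1" "" "$3"); printf '%s\n' "$v"; }

# port_of "host:port" | "port" -> port
port_of() { printf '%s\n' "$1" | sed 's/.*://'; }

# check_direction CLIENT_CONF CLIENT_SVC SERVER_CONF SERVER_SVC PEER_IP PEER_DRBD_ADDR
#   CLIENT_CONF/CLIENT_SVC: stunnel client config + [service] on the initiating node
#   SERVER_CONF/SERVER_SVC: stunnel server config + [service] on the peer
#   PEER_DRBD_ADDR: the peer's "address" from r0.res, e.g. 127.0.0.1:7790
# Prints one line per problem; returns 0 only if the hops line up and both ends
# verify the other side's certificate.
check_direction() {
  c=$1 csvc=$2 s=$3 ssvc=$4 peer_ip=$5 peer_drbd=$6 rc=0
  c_accept=$(opt "$c" "$csvc" accept);  c_connect=$(opt "$c" "$csvc" connect)
  s_accept=$(opt "$s" "$ssvc" accept);  s_connect=$(opt "$s" "$ssvc" connect)

  # hop 1: local DRBD dials the peer's r0.res address -> local stunnel client must listen there
  [ "$c_accept" = "$peer_drbd" ] ||
    { echo "client accept '$c_accept' != peer DRBD address '$peer_drbd'"; rc=1; }
  # hop 2: stunnel client dials the peer's real IP on the port the peer's stunnel server accepts
  [ "$c_connect" = "$peer_ip:$(port_of "$s_accept")" ] ||
    { echo "client connect '$c_connect' != $peer_ip:$(port_of "$s_accept") (server accept)"; rc=1; }
  # hop 3: stunnel server hands the cleartext to the peer's own DRBD listener
  [ "$s_connect" = "$peer_drbd" ] ||
    { echo "server connect '$s_connect' != peer DRBD address '$peer_drbd'"; rc=1; }
  # both ends must verify: a server without verify lets any host that can reach
  # its port talk cleartext to DRBD, and a client without cert/key cannot pass
  # a server-side verify.
  for end in "client|$c|$csvc" "server|$s|$ssvc"; do
    role=${end%%|*}; rest=${end#*|}; f=${rest%%|*}; svc=${rest#*|}
    case "$(opt "$f" "$svc" verify)" in 2|3) ;; *) echo "$role $f: verify = 2 missing"; rc=1;; esac
    [ -n "$(opt "$f" "$svc" CAfile)" ] || { echo "$role $f: CAfile missing"; rc=1; }
    [ -n "$(opt "$f" "$svc" cert)" ]   || { echo "$role $f: cert missing"; rc=1; }
  done
  return $rc
}

# write_samples DIR: constructed configs. *-orig.conf mirror the post; the
# hardened pair adds the pieces mutual verification needs.
write_samples() {
  d=$1; mkdir -p "$d"
  cat >"$d/alice-client-orig.conf" <<'EOF'
[drbd to bob]
client = yes
accept = 127.0.0.1:7790
connect = 10.1.1.32:5000
verify = 2
CAfile = /etc/stunnel/drbd-bob-pub.pem
EOF
  cat >"$d/bob-server-orig.conf" <<'EOF'
cert = /etc/stunnel/drbd-bob-pub.pem
key = /etc/stunnel/drbd-bob-private.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
[drbd from alice]
accept = 5000
connect = 127.0.0.1:7790
EOF
  { printf 'cert = /etc/stunnel/drbd-alice-pub.pem\nkey = /etc/stunnel/drbd-alice-private.pem\n'
    cat "$d/alice-client-orig.conf"; } >"$d/alice-client-hardened.conf"
  { cat "$d/bob-server-orig.conf"
    printf 'verify = 2\nCAfile = /etc/stunnel/drbd-alice-pub.pem\n'; } >"$d/bob-server-hardened.conf"
}

# stand-alone run: the posted pair fails on the verify checks, the hardened pair passes
d=$(mktemp -d); write_samples "$d"
for variant in orig hardened; do
  echo "== $variant =="
  check_direction "$d/alice-client-$variant.conf" "drbd to bob" \
    "$d/bob-server-$variant.conf" "drbd from alice" 10.1.1.32 127.0.0.1:7790 && echo "wiring ok"
done
```

To run it against a real deployment, scp the peer's drbd-server.conf next to the local drbd-client.conf and call check_direction with the two files, the two service names, the peer's real IP and the peer's address line from r0.res; run it once per direction. The file checks say nothing about what is actually on the wire, so after stunnel is up, confirm that the certificate presented on port 5000 is the peer's self-signed one (openssl s_client -connect 10.1.1.32:5000 from alice, compared against drbd-bob-pub.pem) and, with the hardened server config, that a client connecting without a certificate is rejected.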