At IIT Kharagpur and many other institutes or workplaces, WiFi networks often block SSH altogether. This means you can’t git clone, deploy code, or connect to remote servers. Even switching SSH from port 22 to port 443 doesn’t help, since Deep Packet Inspection (DPI) can still detect and terminate SSH traffic.

The solution is stunnel. It wraps your SSH traffic inside TLS/SSL, making it look like HTTPS. Firewalls see a normal HTTPS handshake and encrypted packets, not SSH. Here’s the architecture and step-by-step guide.

Architecture

This architecture uses stunnel to wrap SSH traffic inside a secure TLS/SSL tunnel, making it appear as standard HTTPS traffic. This allows the connection to bypass firewalls that block SSH by sending it over port 443. A remote stunnel instance then receives the encrypted traffic, unwraps it, and forwards the original SSH connection to the target server.

Why this works:

• Port: Firewalls must allow 443 (otherwise HTTPS breaks).

• Protocol disguise: DPI sees TLS handshakes, not SSH fingerprints.

• Preservation: SSH authentication and features remain unchanged.

Step 1: Server Setup ☁️

1. Provision a server

Use an AWS EC2 or any cloud VM. Open inbound TCP 443 in security groups so that it can receive HTTPS requests.

2. Install stunnel

It'll be used to unwrap incoming HTTPS requests and wrap the SSH response back to HTTPS

sudo apt update
sudo apt install stunnel4 -y

3. Generate an SSL certificate required by stunnel to work

sudo openssl req -x509 -newkey rsa:4096 \
  -keyout /etc/stunnel/stunnel.key \
  -out /etc/stunnel/stunnel.pem \
  -nodes -days 365
sudo chmod 600 /etc/stunnel/stunnel.key

4. Configure stunnel

Create /etc/stunnel/ssh-tunnel.conf:

pid = /var/run/stunnel4/stunnel.pid
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.key

[ssh-proxy]
accept = 443
connect = 127.0.0.1:22

5. Enable service

sudo systemctl enable stunnel4.service
sudo systemctl restart stunnel4.service

Step 2: Client Setup (Laptop) 💻

1. Install stunnel

• macOS: brew install stunnel

• Ubuntu/Debian: sudo apt install stunnel4

• Arch: sudo pacman -S stunnel

• Windows: Download Installer

2. Create config

File: /etc/stunnel/stunnel.conf

client = yes

[ssh-proxy]
accept = 127.0.0.1:2222
connect = YOUR_SERVER_PUBLIC_IP:443

3. Start service

sudo systemctl enable stunnel4.service
sudo systemctl restart stunnel4.service

Step 3: SSH Config ⚡

1. Manual test

You can use this command to connect to the proxy server via stunnel and check whether stunnel is configured correctly.

ssh -p 2222 ubuntu@127.0.0.1

Note that we're connecting to localhost here. stunnel listens for SSH requests on port 2222 and forwards them to the proxy server after wrapping them in HTTPS.

2. Automate with ~/.ssh/config

This step configures all SSH requests to route through the proxy server.

Host jump-server
  HostName 127.0.0.1
  Port 2222
  User ubuntu
  IdentityFile /path/to/identity-file.pem

Host * !jump-server
  ProxyJump jump-server

Why This Works So Well

• Right port: 443 is always open.

• Right protocol: TLS looks like HTTPS.

• Right behavior: Standard SSL handshake, no SSH signature visible.

Conclusion

With just a small setup, stunnel makes your SSH sessions look like HTTPS. Architecture is simple:

SSH → Local TLS → Remote TLS → SSH.

Now you can code, deploy, and push without your firewall even noticing.