I'm running legacy applications in which I do not have access to the source code. These components talk to each other using plaintext on a particular port. I would like to be able to secure the communications between the two or more nodes using something like stunnel to facilitate peer-to-peer communication rather than using a more traditional (and centralized) VPN package like OpenVPN, etc.

Ideally, the traffic flow would go like this:

1. app@hostA:1234 tries to open a TCP connection to app@hostB:1234.
2. iptables captures and redirects the traffic on port 1234 to stunnel running on hostA at port 5678.
3. stunnel@hostA negotiates and establishes a connection with stunnel@hostB:4567.
4. stunnel@hostB forwards any decrypted traffic to app@hostB:1234.

In essence, I'm trying to set this up to where any outbound traffic (generated on the local machine) to port N forwards through stunnel to port N+1, and the receiving side receives on port N+1, decrypts, and forwards to the local application at port N.

I'm not particularly concerned about losing the hostA origin IP address/machine identity when stunnel@hostB forwards to app@hostB because the communications payload contains identifying information.

The other trick in this is that normally with stunnel you have a client/server architecture. But this application is much more P2P because nodes can come and go dynamically and hard-coding some kind of "connection = hostN:port" in the stunnel configuration won't work.