RTKLIB using stunnel for TLS connection to NTRIP host

RTKLIB does not currently natively support TLS, hopefully it will in time.

This article details configuration of RTKLIB rtknavi to work on a Win10 workstation using stunnel to connect to a NTRIP server that is only available using TLS.

The version of rtklib used is v2.4.3b33, and stunnel v5.60.


The GPS receiver used here is a U-blox LEA-6T.

Serial mouse detection

GPS traffic may be falsely detected by Windows as mouse traffic, and cause havoc

If you are not using a serial mouse (and most of us do not these days) t is advisable to disable serial mouse detection at startup. You can do that with the following command in a administrator authorised Powershell.

Set-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\sermouse" -name "start" -Value 4

Reboot for it to take effect.

Serial options

Above is a screenshot of the serial port options. Use an appropriate COM port for your configuration.

Serial commands at startup

!UBX CFG-RATE 200 1 1
!UBX CFG-MSG 2 16 0 1 0 1 0 0
!UBX CFG-MSG 2 17 0 1 0 1 0 0
!UBX CFG-MSG 240 0 0 1 0 1 # NMEA GGA
!UBX CFG-MSG 240 1 0 0 0 0 # NMEA GLL
!UBX CFG-MSG 240 2 0 0 0 0 # NMEA GSA
!UBX CFG-MSG 240 3 0 0 0 0 # NMEA GSV
!UBX CFG-MSG 240 4 0 1 0 1 # NMEA RMC
!UBX CFG-MSG 240 5 0 0 0 0 # NMEA VTG
!UBX CFG-MSG 240 8 0 0 0 0 # NMEA ZDA

The above commands set the message rate, enable the raw messages needed and disable some of the default NMEA messages.

Serial commands at shutdown


The above command resets the GPS to avoid the binary messages continuing after shutdown of the RTKLIB connection.


NTRIP client options

The combination localhost:2102 directs the packets to stunnel running on the workstation, which in turns forwards the packets in an SSL tunnel. Use your user-id and password.


Stunnel needs the following section added to its configuration file and activated. This redirects connections to localhost:2102 to ntrip.host:443 in this case, but use the applicable destination host and port

verifyChain = yes
CAfile = ca-certs.pem

Stunell needs to be directed to reload the configuration when updated.

You must start stunnel before attempting to connect with rtklib, otherwise it will fail to connect to localhost:2102. If you see that message, check that you have stunnel configured correctly and running.


This solution works with Geoscience Australia's TLS NTRIP caster.

Other client apps

The stunnel solution might well work with other NTRIP client apps.