[stunnel-users] Stunnel server as transparent proxy

Derek Cole derek.cole at gmail.com
Thu Oct 23 16:08:27 CEST 2014


Hello,

Is it possible to use stunnel server as a transparent proxy? I was digging
through the manpage and I see the

transparent=

option. What I would like to do is have an stunnel client connect to the
stunnel server, and once traffic is at the server, go to the original
destination that the traffic going to the stunnel client was destined for.

I.E. Can I have firefox proxy to my stunnel client, which connects to my
stunnel server, and then that traffic goes to whatever website the end user
was trying to hit in firefox?


My Stunnel server is on a CentOS box:

[root at CentOSTunTest ~]# uname -a
Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux

And my stunnel.conf

foreground = yes
> debug = 7
> options = NO_SSLv2
> fips = no
> output=/usr/local/etc/stunnel/stunnel.log
>
>
> [https]
> cert=/usr/local/etc/stunnel/stunnel.pem
> accept = 443
> connect = 80
>
> [Internet]
> cert=/usr/local/etc/stunnel/stunnel.pem
> sni = https:Internet
> transparent=destination
>


So basically in the transparent option is Internet is what I am wondering
if it works the way I expect. I see this in the log file:

2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol not
available (92)
2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to SSL, 0
byte(s) sent to socket

I see this in the stunnel manpage:

For a connect target installed on the same host:

    /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
        -m ! --uid-owner <stunnel_user_id> \
        -j DNAT --to-destination <local_ip>:<stunnel_port>

For a connect target installed on a remote host:

/sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \ -i
eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>


What does it mean "for a connect target installed on the same host"
I thought transparent meant I was not using a connect target except
the original destination. Does this mean I should implement the
IPTables for a remote host, since I want my client to just reach the
internet?


Thanks for the help in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20141023/b7f2b27d/attachment.html>


More information about the stunnel-users mailing list