[stunnel-users] Stunnel server as transparent proxy

Derek Cole derek.cole at gmail.com
Thu Oct 23 18:13:48 CEST 2014


Thanks for the reply. Is this the normal way people would do this, or would
you normally just run an stunnel in client mode on that server, and have
firefox connect to it, which would then be able to transparently proxy to
the internet?

Or is it pretty much always necessary to be running some actual proxy
software, regardless of whether stunnel is in client or server mode?



On Thu, Oct 23, 2014 at 11:26 AM, Suresh Ramasamy <suresh at drsuresh.net>
wrote:

> Hi Derek,
>
> You will need a proxy software on your server as the endpoint (e.g.
> squid).
>
> If you are emulating a VPN, then you'd need a VPN software (OpenVPN) as
> the endpoint.
> On 23 Oct 2014 22:08, "Derek Cole" <derek.cole at gmail.com> wrote:
>
>> Hello,
>>
>> Is it possible to use stunnel server as a transparent proxy? I was
>> digging through the manpage and I see the
>>
>> transparent=
>>
>> option. What I would like to do is have an stunnel client connect to the
>> stunnel server, and once traffic is at the server, go to the original
>> destination that the traffic going to the stunnel client was destined for.
>>
>> I.E. Can I have firefox proxy to my stunnel client, which connects to my
>> stunnel server, and then that traffic goes to whatever website the end user
>> was trying to hit in firefox?
>>
>>
>> My Stunnel server is on a CentOS box:
>>
>> [root at CentOSTunTest ~]# uname -a
>> Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC
>> 2013 x86_64 x86_64 x86_64 GNU/Linux
>>
>> And my stunnel.conf
>>
>> foreground = yes
>> debug = 7
>> options = NO_SSLv2
>> fips = no
>> output=/usr/local/etc/stunnel/stunnel.log
>>
>> [https]
>> cert=/usr/local/etc/stunnel/stunnel.pem
>> accept = 443
>> connect = 80
>>
>> [Internet]
>> cert=/usr/local/etc/stunnel/stunnel.pem
>> sni = https:Internet
>> transparent=destination
>>
>>
>>
>> So basically, the transparent option in the [Internet] section is what I am
>> wondering about: whether it works the way I expect. I see this in the log file:
>>
>> 2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol not
>> available (92)
>> 2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to SSL,
>> 0 byte(s) sent to socket
>>
>> I see this in the stunnel manpage:
>>
>> For a connect target installed on the same host:
>>
>>     /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
>>         -m ! --uid-owner <stunnel_user_id> \
>>         -j DNAT --to-destination <local_ip>:<stunnel_port>
>>
>> For a connect target installed on a remote host:
>>
>>     /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
>>     /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
>>         -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
>>
>>
>> What does "for a connect target installed on the same host" mean?
>> I thought transparent meant I was not using a connect target, only the
>> original destination. Does this mean I should implement the iptables rules
>> for a remote host, since I want my client to just reach the internet?
>>
>>
>> Thanks for the help in advance!
>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
>>
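The "SO_ORIGINAL_DST: Protocol not available (92)" line in the log above is what the Linux kernel returns when the accepted connection was never rewritten by a nat-table REDIRECT or DNAT rule, so conntrack holds no original destination to hand back. The following Python script is an added example, not code from the thread, from stunnel or from its manual: it does by hand what a transparent = destination service has to do, i.e. query SO_ORIGINAL_DST on an accepted socket, decode the struct sockaddr_in the kernel returns, and treat errno 92 (ENOPROTOOPT) as "this connection was not redirected". It assumes Linux, the constant SO_ORIGINAL_DST = 80 from linux/netfilter_ipv4.h, and a constructed sample buffer (198.51.100.7:443, an assumed value) standing in for a real kernel reply.

```python
import errno
import socket
import struct

# From <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80
# getsockopt() level for IPv4 socket options (SOL_IP == IPPROTO_IP == 0 on Linux).
SOL_IP = 0


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode a struct sockaddr_in as returned by SO_ORIGINAL_DST.

    Layout: sa_family_t sin_family (host byte order), in_port_t sin_port
    (network byte order), struct in_addr sin_addr (network byte order),
    then 8 bytes of zero padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn):
    """Return (ip, port) the client originally dialled, or None.

    The kernel only knows an original destination for a connection that a
    nat-table REDIRECT or DNAT rule rewrote on its way in. For any other
    accepted connection getsockopt() fails with ENOPROTOOPT (errno 92 on
    Linux, 'Protocol not available'), which is exactly the LOG3 line in the
    stunnel log: the service ran without a matching iptables rule.
    """
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError as exc:
        if exc.errno == errno.ENOPROTOOPT:
            return None
        raise
    return parse_sockaddr_in(raw)


def relay_target(conn, fallback=None):
    """Pick where a relay should connect: the original destination when the
    socket was redirected, otherwise the configured 'connect' fallback
    (None means there is nowhere to go, like a service with neither).
    """
    dst = original_destination(conn)
    return dst if dst is not None else fallback


# Constructed sample (assumed values): the buffer the kernel would return for
# a redirected connection that was originally headed to 198.51.100.7:443.
SAMPLE_ORIGINAL_DST = (
    struct.pack("=H", socket.AF_INET)
    + struct.pack("!H", 443)
    + socket.inet_aton("198.51.100.7")
    + bytes(8)
)


if __name__ == "__main__":
    # Loopback demo: a direct connection was never NATed, so the lookup
    # reports None instead of an address, the same condition stunnel logged.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    print("original destination:", original_destination(conn))
    print("sample buffer decodes to:", parse_sockaddr_in(SAMPLE_ORIGINAL_DST))
    conn.close()
    cli.close()
    srv.close()
```

The REDIRECT/DNAT rule is what makes the lookup succeed: without it every connection, including one from a remote stunnel client, looks like an ordinary direct connection and the service has no destination to relay to.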