[stunnel-users] Stunnel server as transparent proxy

Derek Cole derek.cole at gmail.com
Tue Oct 28 22:31:00 CET 2014


Hello,

Regarding that IPtables line that is mentioned in the manpage - what is the
redirected port?

/sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
    -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>

I am using the stunnel configuration I posted in the first email, and I
want traffic on the stunnel server to end up at localhost:9040 so I think I
would use that as the --to-destination, but I am unsure what to put in the
--dport. Is that going to be any port that I may be connecting to
transparently (i.e. if I am using this as a web browser, would it be 80,
8000, 8080, etc?)

On Thu, Oct 23, 2014 at 12:13 PM, Derek Cole <derek.cole at gmail.com> wrote:

> Thanks for the reply. Is this the normal way people would do this, or
> would you normally just run an stunnel in client mode on that server, and
> have firefox connect to it, which would then be able to transparently proxy
> to the internet?
>
> On Thu, Oct 23, 2014 at 11:26 AM, Suresh Ramasamy <suresh at drsuresh.net>
> wrote:
>
>> Hi Derek,
>>
>> You will need a proxy software on your server as the endpoint (e.g.
>> squid).
>>
>> If you are emulating a VPN, then you'd need a VPN software (OpenVPN) as
>> the endpoint.
>> On 23 Oct 2014 22:08, "Derek Cole" <derek.cole at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Is it possible to use stunnel server as a transparent proxy? I was
>>> digging through the manpage and I see the
>>>
>>> transparent=
>>>
>>> option. What I would like to do is have an stunnel client connect to the
>>> stunnel server, and once traffic is at the server, go to the original
>>> destination that the traffic going to the stunnel client was destined for.
>>>
>>> I.e., can I have firefox proxy to my stunnel client, which connects to my
>>> stunnel server, and then that traffic goes to whatever website the end user
>>> was trying to hit in firefox?
>>>
>>>
>>> My Stunnel server is on a CentOS box:
>>>
>>> [root at CentOSTunTest ~]# uname -a
>>> Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC
>>> 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> And my stunnel.conf
>>>
>>> foreground = yes
>>> debug = 7
>>> options = NO_SSLv2
>>> fips = no
>>> output=/usr/local/etc/stunnel/stunnel.log
>>>
>>> [https]
>>> cert=/usr/local/etc/stunnel/stunnel.pem
>>> accept = 443
>>> connect = 80
>>>
>>> [Internet]
>>> cert=/usr/local/etc/stunnel/stunnel.pem
>>> sni = https:Internet
>>> transparent=destination
>>>
>>>
>>>
>>> So basically, the transparent option in [Internet] is what I am
>>> wondering about: does it work the way I expect? I see this in the log file:
>>>
>>> 2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol
>>> not available (92)
>>> 2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to
>>> SSL, 0 byte(s) sent to socket
>>>
>>> I see this in the stunnel manpage:
>>>
>>> For a connect target installed on the same host:
>>>
>>>     /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
>>>         -m owner ! --uid-owner <stunnel_user_id> \
>>>         -j DNAT --to-destination <local_ip>:<stunnel_port>
>>>
>>> For a connect target installed on a remote host:
>>>
>>>     /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
>>>     /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
>>>         -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
>>>
>>>
>>> What does "for a connect target installed on the same host" mean?
>>> I thought transparent meant I was not using a connect target except the
>>> original destination. Does this mean I should implement the IPTables for a
>>> remote host, since I want my client to just reach the internet?
>>>
>>>
>>> Thanks for the help in advance!
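Added example (not from this thread and not stunnel's own code): the kernel call that transparent=destination depends on. stunnel asks the accepted socket for SO_ORIGINAL_DST, which netfilter can only answer for a connection that the PREROUTING/OUTPUT DNAT rule actually rewrote on this host; without that mapping the call fails, and errno 92 (ENOPROTOOPT) is the "Protocol not available (92)" line quoted above. The loopback listener and the sample sockaddr bytes are constructed for the demo.

```python
import errno
import socket
import struct

# Linux getsockopt option from linux/netfilter_ipv4.h; Python does not export it.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST fills in."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack_from("=H", raw, 0)[0]   # sin_family, host byte order
    port = struct.unpack_from("!H", raw, 2)[0]     # sin_port, network byte order
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address, family=%d" % family)
    return socket.inet_ntoa(raw[4:8]), port        # sin_addr, network byte order


def original_destination(conn: socket.socket):
    """Return (ip, port) the peer dialed before DNAT, or None when netfilter
    cannot supply it: ENOPROTOOPT (92) if no NAT/conntrack handler is loaded,
    ENOENT if it is loaded but holds no entry for this connection.  In either
    case stunnel has no destination to connect to and resets the session."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError as exc:
        if exc.errno in (errno.ENOPROTOOPT, errno.ENOENT):
            return None
        raise
    return parse_sockaddr_in(raw)


# Constructed sample: what the kernel returns for a client that dialed
# 198.51.100.7:443 (documentation range) before the DNAT rule rewrote it.
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 443)
                   + socket.inet_aton("198.51.100.7") + bytes(8))


if __name__ == "__main__":
    # A plain loopback connection was never DNATed, so the lookup yields None,
    # which is the situation behind the quoted stunnel log line.
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.create_connection(srv.getsockname()) as cli:
            conn, _ = srv.accept()
            with conn:
                print("original destination:", original_destination(conn))
    print("sample sockaddr decodes to:", parse_sockaddr_in(SAMPLE_SOCKADDR))
```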