Hello,

Regarding that IPtables line that is mentioned in the manpage - what is the redirected port? 

/sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \ -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>

I am using the stunnel configuration I posted in the first email, and I want traffic on the stunnel server to end up at localhost:9040 so I think I would use that as the --to-destination, but I am unsure what to put in the --dport. Is that going to be any port that I may be connecting to transparently (i.e. if I am using this as a web browser, would it be 80, 8000, 8080, etc?)

On Thu, Oct 23, 2014 at 12:13 PM, Derek Cole <derek.cole@gmail.com> wrote:

Thanks for the reply. Is this the normal way people would do this, or would you normally just run an stunnel in client mode on that server, and have firefox connect to it, which would then be able to transparently proxy to the internet?

Or is it pretty much always necessary to be running some actual proxy software, regardless whether stunnel is in client or server mode?

On Thu, Oct 23, 2014 at 11:26 AM, Suresh Ramasamy <suresh@drsuresh.net> wrote:

Hi Derek,

You will need a proxy software on your server as the endpoint. (For e.g. squid)

If you are emulating a VPN, then you'd need a VPN software (OpenVPN) as the endpoint.

On 23 Oct 2014 22:08, "Derek Cole" <derek.cole@gmail.com> wrote:

Hello,

Is it possible to use stunnel server as a transparent proxy? I was digging through the manpage and I see the

transparent=

option. What I would like to do is have an stunnel client connect to the stunnel server, and once traffic is at the server, go to the original destination that the traffic going to the stunnel client was destined for.

I.E. Can I have firefox proxy to my stunnel client, which connects to my stunnel server, and then that traffic goes to whatever website the end user was trying to hit in firefox?

My Stunnel server is on a CentOS box:

[root@CentOSTunTest ~]# uname -a
Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

And my stunnel.conf

foreground = yes
debug = 7
options = NO_SSLv2
fips = no
output=/usr/local/etc/stunnel/stunnel.log


[https]
cert=/usr/local/etc/stunnel/stunnel.pem
accept = 443
connect = 80

[Internet]
cert=/usr/local/etc/stunnel/stunnel.pem
sni = https:Internet
transparent=destination

So basically in the transparent option is Internet is what I am wondering if it works the way I expect. I see this in the log file:

2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol not available (92)
2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

I see this in the stunnel manpage:

For a connect target installed on the same host:

    /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
        -m ! --uid-owner <stunnel_user_id> \
        -j DNAT --to-destination <local_ip>:<stunnel_port>

For a connect target installed on a remote host:

/sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \ -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>

What does it mean "for a connect target installed on the same host" 
I thought transparent meant I was not using a connect target except the original destination. Does this mean I should implement the IPTables for a remote host, since I want my client to just reach the internet?


Thanks for the help in advance!

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users