Thanks for the reply. Is this the normal way people would do this, or would you normally just run an stunnel in client mode on that server, and have firefox connect to it, which would then be able to transparently proxy to the internet?

Or is it pretty much always necessary to be running some actual proxy software, regardless whether stunnel is in client or server mode?



On Thu, Oct 23, 2014 at 11:26 AM, Suresh Ramasamy <suresh@drsuresh.net> wrote:

Hi Derek,

You will need a proxy software on your server as the endpoint. (For e.g. squid)

If you are emulating a VPN, then you'd need a VPN software (OpenVPN) as the endpoint.

On 23 Oct 2014 22:08, "Derek Cole" <derek.cole@gmail.com> wrote:
Hello,

Is it possible to use stunnel server as a transparent proxy? I was digging through the manpage and I see the

transparent=

option. What I would like to do is have an stunnel client connect to the stunnel server, and once traffic is at the server, go to the original destination that the traffic going to the stunnel client was destined for.

I.E. Can I have firefox proxy to my stunnel client, which connects to my stunnel server, and then that traffic goes to whatever website the end user was trying to hit in firefox?


My Stunnel server is on a CentOS box:

[root@CentOSTunTest ~]# uname -a
Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

And my stunnel.conf

foreground = yes
debug = 7
options = NO_SSLv2
fips = no
output=/usr/local/etc/stunnel/stunnel.log


[https]
cert=/usr/local/etc/stunnel/stunnel.pem
accept = 443
connect = 80

[Internet]
cert=/usr/local/etc/stunnel/stunnel.pem
sni = https:Internet
transparent=destination


So basically in the transparent option is Internet is what I am wondering if it works the way I expect. I see this in the log file:

2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol not available (92)
2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

I see this in the stunnel manpage:

For a connect target installed on the same host:

    /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
        -m ! --uid-owner <stunnel_user_id> \
        -j DNAT --to-destination <local_ip>:<stunnel_port>

For a connect target installed on a remote host:

/sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \ -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>

What does it mean "for a connect target installed on the same host" 
I thought transparent meant I was not using a connect target except the original destination. Does this mean I should implement the IPTables for a remote host, since I want my client to just reach the internet?


Thanks for the help in advance!






_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users