Has anyone followed the stunnel man page instructions and been able to successfully pass/preserve the connecting client's original IP address? Checking history on this issue back to 2010, it looks like people had problems, with no reports of success. Though it seems so fundamental, you would hope it was as smooth as the man page indicates.
For example, I set up an iptables 'mangle' table for DIVERT routing, ip rule, ip route, etc., for the server as given in the stunnel man page, on a Red Hat 8 system.
When the stunnel server is then also configured with "transparent = source" and restarted, the remote-initiated connection -hangs- without connecting for a few seconds before closing.
Take out "transparent = source" from the server config, and the connection works successfully (though the client IP address is not available to applications).
Logs are the same up until the point (shown below), which shows the "hanging/failed" case timing out after reporting "Cannot assign an AF=2 address an AF=10 socket". Don't know what the "Cannot assign AF ..." refers to, or how to address it, but the process goes downhill and hangs after that. 7111 is the open port stunnel is monitoring.
2025.05.21 10:07:16 LOG7[0]: Cannot assign an AF=2 address an AF=10 socket
2025.05.21 10:07:16 LOG6[0]: IP_TRANSPARENT socket option set
2025.05.21 10:07:16 LOG6[0]: bind succeeded on the original port
2025.05.21 10:07:16 LOG6[0]: s_connect: connecting 127.0.0.1:7111
2025.05.21 10:07:16 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:7111: waiting 10 seconds
2025.05.21 10:07:16 LOG7[0]: FD=6 events=0x2001 revents=0x0
2025.05.21 10:07:16 LOG7[0]: FD=11 events=0x2005 revents=0x1
2025.05.21 10:07:26 LOG3[0]: s_connect: s_poll_wait 127.0.0.1:7111: TIMEOUTconnect exceeded
2025.05.21 10:07:26 LOG3[0]: No more addresses to connect
2025.05.21 10:07:26 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2025.05.21 10:07:26 LOG7[0]: local_rfd/local_wfd reset (FD=3)
2025.05.21 10:07:26 LOG7[0]: Local descriptor (FD=3) closed
2025.05.21 10:07:26 LOG7[0]: Service [TLS SERVER] finished (0 left)
The log for the successful case (when "transparent = source" is NOT specified in the server config) instead says:
2025.05.21 09:59:58 LOG6[0]: s_connect: connecting ::1:7111
2025.05.21 09:59:58 LOG7[0]: s_connect: s_poll_wait ::1:7111: waiting 10 seconds
2025.05.21 09:59:58 LOG7[0]: FD=6 events=0x2001 revents=0x0
2025.05.21 09:59:58 LOG7[0]: FD=11 events=0x2005 revents=0x1
2025.05.21 09:59:58 LOG5[0]: s_connect: connected ::1:7111
2025.05.21 09:59:58 LOG6[0]: persistence: ::1:7111 cached
2025.05.21 09:59:58 LOG5[0]: Service [TLS SERVER] connected remote server from ::1:49806
2025.05.21 09:59:58 LOG7[0]: Setting remote socket options (FD=11)
Any insight on what "Cannot assign an AF=2 address an AF=10 socket" is and how to fix it to preserve the client IP address?
stunnel is running as root, setuid is not used. I might not correctly understand the man page comment "This option is currently available in: Remote mode (connect option) on Linux >=2.6.28", but think it means a normal external connection request. Hopefully not a special configuration on the client side.
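One check that follows from the two logs above (the working case connects to ::1, while the transparent case first reports that an AF=2, i.e. IPv4, address cannot be assigned to an AF=10, i.e. IPv6, socket and only then tries 127.0.0.1): an added Python script, not from the original post and not part of stunnel, that parses a stunnel.conf and flags "transparent = source" services whose first connect address is of a different IP family than the client source stunnel would bind. The `resolver` hook and the sample config in the test are assumptions so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

def parse_services(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal stunnel.conf parser: {section: {key: [values]}}. Options before the
    first [section] land in '' (global); repeated keys (several 'connect') keep order."""
    services: Dict[str, Dict[str, List[str]]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip()
            services.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        services[current].setdefault(key.strip(), []).append(value.strip())
    return services

def resolve(host: str) -> List[str]:
    """Default resolver: addresses in the order the C library returns them."""
    infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return [ai[4][0] for ai in infos]

def check_transparent(text: str, client_family: int = 4,
                      resolver: Callable[[str], List[str]] = resolve) -> List[str]:
    """Flag 'transparent = source' services whose first 'connect' address is of a
    different IP family than the client source (IPv4 by default). 'resolver' is an
    assumed hook for offline use; a bare port means localhost, as in stunnel."""
    services = parse_services(text)
    findings = []
    for name, opts in services.items():
        opts = {**services[""], **opts}  # global options act as service defaults
        if not name or opts.get("transparent", [""])[0] != "source":
            continue
        for target in opts.get("connect", []):
            host, sep, _port = target.rpartition(":")
            host = host.strip("[]") if sep else "localhost"
            try:
                addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
            except ValueError:
                addrs = resolver(host)
            first = ipaddress.ip_address(addrs[0]).version if addrs else None
            if first is not None and first != client_family:
                findings.append(f"[{name}] connect={target}: first address {addrs[0]} is "
                                f"IPv{first}; an IPv{client_family} client source cannot be "
                                f"bound to it, so list an IPv{client_family} literal first")
    return findings
```

Run it against the real server config with the default resolver to see which address a bare "connect = port" resolves to first on that host.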