[stunnel-users] Enhance description of transparent mode in FAQ

Ivan Trancik descent89 at gmail.com
Thu Nov 25 01:03:55 CET 2010


I would suggest improving the 'transparent = yes | no (Unix only)'
section of http://www.stunnel.org/faq/stunnel.html#service_level_options
and how this option works on OS X.

I think that this part

remote mode (I<connect> option) on Linux >=2.6.28
remote mode (I<connect> option) 2.2.x
local mode (I<exec> option)

is not clear. Remote mode is a "I<connect> option"? What the heck? And
local mode is a "I<exec> option"? Does this "I" thingie stand for
unnamed pipe or capital "i" or small cap "L"??

I ran into this problem when I tried to set up stunnel on Mac OS X and
carelessly used some example config from the web.
Setting "transparent = yes" on Mac OS X will result in very funny
behavior. Consider this conf


will result in an unbelievable error - "local_bind (original port):
Address family not supported by protocol family (47)"
Using instead of localhost will do better - "Service https
bound to" - BUT when you try to access
nothing reasonable happens and the log will show another strange error
"connect_blocking: connect <ip_address>: Network is unreachable (51)"

The next spectacular thing is that when you use only localhost connect
and accept parameters, then transparent=yes works OK.

I would suggest rewriting that part to reflect these kinds of
situations in a clearer way - they are very hard to debug, and
honestly I couldn't figure it out even though I read the FAQ several

Final question - is it possible on OS X (which doesn't have an iptables
interface, but has ipfw) to set up a transparent proxy tunnel with


