[stunnel-users] Enhance description of transparent mode in FAQ

Ivan Trancik descent89 at gmail.com
Thu Nov 25 01:03:55 CET 2010


Hello,

I would suggest improving the 'transparent = yes | no (Unix only)'
section of http://www.stunnel.org/faq/stunnel.html#service_level_options

and how this option works on OS X.

I think that this part

remote mode (I<connect> option) on Linux >=2.6.28
remote mode (I<connect> option) 2.2.x
local mode (I<exec> option)

is not clear. Remote mode is a "I<connect> option"? What the heck? And
local mode is a "I<exec> option"? Does this "I" thingie stand for
unnamed pipe or capital "i" or small cap "L"??

I ran into this problem when I tried to set up stunnel on Mac OS X and
carelessly used some example config from the web.
Setting "transparent = yes" in Mac OS X will result in very funny
behavior. Consider this conf

debug=7
output=stunnel.log
verify=0
foreground=yes
client=yes
pid=
[https]
accept=localhost:8080
connect=google.com:443
transparent=yes

will result in an unbelievable error - "local_bind (original port):
Address family not supported by protocol family (47)"
Using 127.0.0.1 instead of localhost will do better - "Service https
bound to 127.0.0.1:8080" - BUT when you try to access 127.0.0.1:8080
nothing reasonable happens and log will show another strange error
"connect_blocking: connect <ip_address>: Network is unreachable (51)"

The next spectacular thing is that when you use only localhost in the connect
and accept parameters, then transparent=yes works OK.

I would suggest rewriting that part to reflect these kinds of
situations in a clearer way - they are very hard to debug, and
honestly I couldn't figure it out even though I read the FAQ several
times.

Final question - is it possible on OS X (which doesn't have iptables
interface, but has ipfw) to set up transparent proxy tunnel with
stunnel?

Thanks.
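An added example, not from this thread or the stunnel project: a small Python lint that parses the stunnel.conf format and flags the combination reported above (transparent=yes with a non-local connect target on a non-Linux system), which is the case the post found failing on OS X while a localhost-only connect worked. The parsing rules, the set of "local" hosts and the Linux-only exemption are assumptions drawn from this post's observations, not from stunnel's documentation.

```python
import platform

# Hosts treated as local here; a bare port in 'connect' also means localhost.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_stunnel_conf(text):
    """Parse stunnel's INI-like format into (global_opts, {service: opts})."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        target = services[current] if current else global_opts
        target[key.strip().lower()] = value.strip()
    return global_opts, services

def is_local_target(connect):
    """'port' alone means localhost; otherwise check the host part of host:port."""
    if ":" not in connect:
        return True
    host = connect.rsplit(":", 1)[0].strip("[]").lower()
    return host in LOCAL_HOSTS

def check_transparent(text, system=None):
    """Warn for each service combining transparent=yes with a non-local connect
    target on a non-Linux system (the failure mode described in the post)."""
    system = system or platform.system()
    global_opts, services = parse_stunnel_conf(text)
    warnings = []
    for name, opts in services.items():
        merged = {**global_opts, **opts}  # service options override globals
        if merged.get("transparent", "no").lower() != "yes" or system == "Linux":
            continue
        connect = merged.get("connect", "")
        if not is_local_target(connect):
            warnings.append(f"[{name}] transparent=yes with non-local connect="
                            f"{connect!r} on {system}: expect local_bind/connect failures")
    return warnings

# Constructed sample: the configuration quoted in the post above (abridged).
SAMPLE_CONF = "debug=7\nclient=yes\npid=\n[https]\naccept=localhost:8080\n" \
              "connect=google.com:443\ntransparent=yes\n"
```

Run it with `check_transparent(open("stunnel.conf").read())` on the host in question; an empty list means no service hits the reported combination.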
