[stunnel-users] transparent = source, not working

Michal Trojnara Michal.Trojnara at mirt.net
Sun Aug 4 09:05:32 CEST 2013

On 2013-08-04 00:02, Rubén Cardenal wrote:
> So: service's box receives a SYN packet from my home IP address
> (originated from stunnel's box), and answers with a proper ACK packet.
> That's ok. But as that ACK reply has as destination an external IP,
> goes to the box's default gateway (and not to the box where stunnel is
> running) and gets lost.

The very purpose of of "transparent = source" is to make your server
think it's connected directly by the clients.  The returning packets
obviously need to be routed back through the stunnel box to achieve this
purpose.  Otherwise the mangle PREROUTING tricks wouldn't make sense,
would they?

Using this feature is quite easy at the user-space level (this is what
stunnel handles), but quite tricky at the kernel level (netfilter and
routing configuration).  A good HOWTO would be very useful.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130804/3162b5aa/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130804/3162b5aa/attachment.sig>

More information about the stunnel-users mailing list