[stunnel-users] transparent = source, not working (solved)

Rubén Cardenal cosas at ruben.cn
Sun Aug 4 11:46:23 CEST 2013


On 04/08/13 09:05, Michal Trojnara wrote:
> The very purpose of "transparent = source" is to make your server 
> think it's connected directly by the clients.  The returning packets 
> obviously need to be routed back through the stunnel box to achieve 
> this purpose.  Otherwise the mangle PREROUTING tricks wouldn't make 
> sense, would they?

Yep. That's why the "need to be on separate boxes" part seemed strange 
to me. As the incoming connections are from any, the only option would 
be the stunnel box being the gw for the service box. So I added a static 
route in the service box for my home IP via the stunnel box, and in that 
case, of course it works. But it's not a practical solution.

I've found a way of making it work without needing to alter that 
default gateway. Apart from the configuration to be done in the stunnel 
box, in the service box:

  # Mark the service's reply packets (this can be tweaked in every single
  # case to granularly catch only the desired packets):
  iptables -t mangle -I OUTPUT -p tcp --sport SERVICE_PORT -s SERVICE_IP -j MARK --set-mark 1

  # Send marked packets to a dedicated routing table:
  ip rule add fwmark 1 lookup 100

  # whose only route points at the stunnel box (other people might need
  # to add "dev XXX"):
  ip route add 0.0.0.0/0 via STUNNEL_IP table 100

Note: /proc/sys/net/ipv4/ip_forward doesn't need to be touched in any of 
the boxes.

>
> Using this feature is quite easy at the user-space level (this is what 
> stunnel handles), but quite tricky at the kernel level (netfilter and 
> routing configuration).  A good HOWTO would be very useful.

Indeed! Thanks for the hints ;)

Regards,

Rubén.
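The service-box side of the setup above, written up as a re-runnable script. This is an added example, not code from Rubén's post or from the stunnel project. SERVICE_PORT, SERVICE_IP and STUNNEL_IP are placeholders as in the post; fwmark 1, table 100, the DRY_RUN switch, and the function names are assumptions of this example. With DRY_RUN=1 (the default) it only prints the commands, so it can be reviewed before being run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): policy-route the service's
# reply packets back through the stunnel box without touching the default gw.
# Assumed placeholders: service port, service IP, stunnel box IP, fwmark 1,
# routing table 100.  DRY_RUN=1 prints the commands instead of applying them.

: "${DRY_RUN:=1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the three service-box rules: mark replies from the service socket,
# send marked packets to a dedicated table, and route that table via stunnel.
# Usage: service_box_rules SERVICE_PORT SERVICE_IP STUNNEL_IP [MARK] [TABLE]
service_box_rules() {
    port=$1; svc_ip=$2; stunnel_ip=$3; mark=${4:-1}; table=${5:-100}

    # Skip the iptables insert if the identical rule is already present
    # (iptables -C), so the function is safe to call more than once.
    if [ "$DRY_RUN" = 1 ] || ! iptables -t mangle -C OUTPUT -p tcp \
            --sport "$port" -s "$svc_ip" -j MARK --set-mark "$mark" 2>/dev/null; then
        run iptables -t mangle -I OUTPUT -p tcp --sport "$port" -s "$svc_ip" \
            -j MARK --set-mark "$mark"
    fi

    # Marked packets consult table $table ...
    run ip rule add fwmark "$mark" lookup "$table"
    # ... whose only route sends them to the stunnel box
    # (append "dev <iface>" here if the next hop is not resolvable otherwise).
    run ip route add 0.0.0.0/0 via "$stunnel_ip" table "$table"
}

# Undo service_box_rules in reverse order.
# Usage: service_box_teardown SERVICE_PORT SERVICE_IP [MARK] [TABLE]
service_box_teardown() {
    port=$1; svc_ip=$2; mark=${3:-1}; table=${4:-100}
    run ip route flush table "$table"
    run ip rule del fwmark "$mark" lookup "$table"
    run iptables -t mangle -D OUTPUT -p tcp --sport "$port" -s "$svc_ip" \
        -j MARK --set-mark "$mark"
}

# Ask the kernel which next hop a marked reply from the service to a given
# client address would take; the expected answer names STUNNEL_IP.
# Usage: verify_route CLIENT_IP SERVICE_IP [MARK]
verify_route() {
    client=$1; svc_ip=$2; mark=${3:-1}
    run ip route get "$client" from "$svc_ip" mark "$mark"
}

# Example invocation with constructed addresses (documentation ranges):
#   DRY_RUN=0 sh this_script.sh
service_box_rules 443 192.0.2.10 192.0.2.1
verify_route 203.0.113.7 192.0.2.10
```

One caveat a practitioner should keep in mind: as written, the mangle rule marks every packet the service sends from SERVICE_PORT, so replies to clients that reach the service directly (not through stunnel) are also routed to the stunnel box. If the service must stay reachable directly, narrow the match, for example with "-d" for the stunnel clients' address range, or run `verify_route` with an address that should not be diverted and confirm it still uses the main table.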



