[stunnel-users] Stunnel server as transparent proxy

Suresh Ramasamy suresh at drsuresh.net
Thu Oct 23 17:26:49 CEST 2014


Hi Derek,

You will need proxy software on your server as the endpoint (e.g. Squid).

If you are emulating a VPN, then you'd need VPN software (OpenVPN) as the
endpoint.
On 23 Oct 2014 22:08, "Derek Cole" <derek.cole at gmail.com> wrote:

> Hello,
>
> Is it possible to use stunnel server as a transparent proxy? I was digging
> through the manpage and I see the
>
> transparent=
>
> option. What I would like to do is have an stunnel client connect to the
> stunnel server, and once traffic is at the server, go to the original
> destination that the traffic going to the stunnel client was destined for.
>
> I.E. Can I have firefox proxy to my stunnel client, which connects to my
> stunnel server, and then that traffic goes to whatever website the end user
> was trying to hit in firefox?
>
>
> My Stunnel server is on a CentOS box:
>
> [root at CentOSTunTest ~]# uname -a
> Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC
> 2013 x86_64 x86_64 x86_64 GNU/Linux
>
> And my stunnel.conf
>
> foreground = yes
> debug = 7
> options = NO_SSLv2
> fips = no
> output = /usr/local/etc/stunnel/stunnel.log
>
>
> [https]
> cert = /usr/local/etc/stunnel/stunnel.pem
> accept = 443
> connect = 80
>
> [Internet]
> cert = /usr/local/etc/stunnel/stunnel.pem
> sni = https:Internet
> transparent = destination
>
>
>
> So basically the transparent option in [Internet] is what I am wondering
> about: does it work the way I expect? I see this in the log file:
>
> 2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol not
> available (92)
> 2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to SSL,
> 0 byte(s) sent to socket
>
> I see this in the stunnel manpage:
>
> For a connect target installed on the same host:
>
>     /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
>         -m owner ! --uid-owner <stunnel_user_id> \
>         -j DNAT --to-destination <local_ip>:<stunnel_port>
>
> For a connect target installed on a remote host:
>
>     /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
>     /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
>         -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
>
>
> What does "for a connect target installed on the same host" mean?
> I thought transparent meant I was not using a connect target except the
> original destination. Does this mean I should implement the iptables rules
> for a remote host, since I want my client to just reach the internet?
>
>
> Thanks for the help in advance!
>
>
>
>
>
>
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
>
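The "setsockopt SO_ORIGINAL_DST: Protocol not available (92)" line in the quoted log is the kernel refusing the lookup that transparent = destination relies on: stunnel asks netfilter for the destination the connection had before a nat-table REDIRECT/DNAT rule steered it to the accept port. The following is an added example, not code from the original post or from the stunnel project, that performs the same lookup in Python and classifies the failures. It assumes Linux; SO_ORIGINAL_DST = 80 is the value from <linux/netfilter_ipv4.h>, which the Python socket module does not export, and the address 203.0.113.10:443 is a constructed sample. Note the caveat in the comments: on a socket that was never redirected, a successful lookup returns the listener's own address, so there is nothing to recover even when no error is logged.

```python
"""
Added example (not part of the original post or of stunnel): recover the
pre-NAT destination of an accepted TCP connection the way stunnel's
transparent = destination does, via getsockopt(SOL_IP, SO_ORIGINAL_DST),
and explain the errno values the kernel returns when it cannot.
Assumes Linux.
"""
import errno
import socket
import struct

# From <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


def make_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the 16-byte struct sockaddr_in the kernel hands back for
    SO_ORIGINAL_DST.  Used here only to construct sample input."""
    return (struct.pack("=H", socket.AF_INET)   # sin_family, host byte order
            + struct.pack("!H", port)            # sin_port, network byte order
            + socket.inet_aton(ip)               # sin_addr
            + b"\x00" * 8)                       # sin_zero padding


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode struct sockaddr_in into (dotted_ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in shorter than 8 bytes")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr: family=%d" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


def classify_original_dst_error(code: int) -> str:
    """Map the errno of a failed SO_ORIGINAL_DST lookup to its cause.

    ENOPROTOOPT (92 on Linux, the value in the quoted stunnel log) means
    the kernel has no netfilter sockopt handler for this socket: the
    conntrack/NAT code that records original destinations is not active,
    which is the case when no nat-table rule has ever been loaded.
    ENOENT means conntrack is active but holds no entry for this flow.
    """
    if code == errno.ENOPROTOOPT:
        return "no-nat-mapping"
    if code == errno.ENOENT:
        return "no-conntrack-entry"
    return "other"


def original_destination(conn: socket.socket):
    """Return ((ip, port), 0) for the destination the peer originally dialled,
    or (None, errno) when the kernel cannot supply one.

    Caveat: if conntrack is active but the peer connected straight to this
    listener (no REDIRECT/DNAT on the path), the lookup succeeds and simply
    returns the listener's own address, which is what stunnel would then
    try to connect to; the website the browser wanted is not in there.
    """
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError as exc:
        return None, exc.errno
    return parse_sockaddr_in(raw), 0


if __name__ == "__main__":
    # Loopback demo with no nat rule involved: expect either an errno
    # (conntrack not active) or just our own listening address.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    dst, code = original_destination(conn)
    if dst is None:
        print("SO_ORIGINAL_DST failed: errno %d (%s) -> %s"
              % (code, errno.errorcode.get(code, "?"),
                 classify_original_dst_error(code)))
    else:
        print("original destination %s:%d (listening on %s:%d)"
              % (dst + conn.getsockname()))
    for s in (conn, cli, srv):
        s.close()
```

Run it as root on a host where a `-t nat ... -j REDIRECT --to-ports <port>` rule points at the listener and connect to some other address in that range; only then does `original_destination` return something other than the listener's own address or an error.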