[stunnel-users] SOCKS connection to the IPv4 loopback rejected.

Robert de Bath robert at tvisiontech.co.uk
Sat Apr 15 08:36:28 CEST 2017


Hi everyone,

How do I get rid of this message?

I have a stunnel server set up on a remote machine using the socks
protocol.  I use two keys plus the certificates and a private CA to
protect the SSL link.  On a local machine I have an stunnel client
running without a protocol option set.

If I try to make a socks connection to an interface IP of the remote
server it works perfectly, bypassing the intervening firewalls through
the protected tunnel. But the interface IP changes and I only want to
allow connections to the remote server through the tunnel.

I could set up traditional tunnels, but while one of the services (remote
desktop to the Windows server) is constant the others are dynamically
configurable. I have even considered using SNI to distinguish the incoming
connections to the various services but while this allows there to be
just one tunnel port it will still need a remote reconfiguration of
stunnel every time a service port is added or removed.

The best way to express this limit is that the socks server should ONLY
connect to localhost; but it's "rejected".

In actual operation I will probably need to allow the local network too,
which will probably be an RFC 1597 address.

Looking at the source it appears that this condition is hard coded into
the "validate" function so my question becomes: can you please remove
this or add a flag to turn it off?

-- 
Robert de Bath robert at tvisiontech.co.uk
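As an added illustration (example code written for this page, not stunnel's own source or the poster's configuration): a small SOCKS5 CONNECT request parser with a pluggable destination policy. With no allowlist configured the policy behaves the way the post describes, refusing loopback destinations; with an explicit allowlist it implements the kind of opt-in the post asks for, for instance loopback plus one private network. It also folds IPv4-mapped IPv6 destinations back to IPv4 before checking, so the loopback rule cannot be side-stepped by the address encoding. All names (`DestinationPolicy`, `parse_connect_request`, `build_connect_request`, `validate`) and the sample requests are constructed for this example.

```python
"""SOCKS5 CONNECT destination validation (illustrative, not stunnel code)."""
import ipaddress
import struct

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(host, port):
    """Encode a SOCKS5 CONNECT request (RFC 1928 section 4); used to construct test input."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        body = bytes([atyp]) + ip.packed
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(data):
    """Return (destination, port) from a SOCKS5 CONNECT request; raise ValueError on bad input."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 8
        dest = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 20
        dest = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        dest = data[5:end].decode("ascii")
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return dest, port


class DestinationPolicy:
    """Decide whether a SOCKS client may connect to a given destination.

    Empty allowlist: accept anything except the loopback range (the behaviour
    the post complains about).  Non-empty allowlist: accept only destinations
    inside one of the listed networks, e.g. ["127.0.0.0/8", "192.168.0.0/16"].
    """

    def __init__(self, allowed_networks=()):
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]

    def check(self, dest):
        try:
            ip = ipaddress.ip_address(dest)
        except ValueError:
            # A hostname must be resolved and the resolved address checked;
            # this self-contained example refuses names outright.
            return False, "hostnames are not validated here"
        # ::ffff:127.0.0.1 is loopback too; normalise before applying the rules.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if self.allowed:
            if any(ip in net for net in self.allowed):
                return True, "in allowlist"
            return False, "not in allowlist"
        if ip.is_loopback:
            return False, "connection to loopback rejected"
        return True, "non-loopback destination accepted"


def validate(data, policy):
    """Parse a CONNECT request and apply the policy: (allowed, dest, port, reason)."""
    dest, port = parse_connect_request(data)
    ok, reason = policy.check(dest)
    return ok, dest, port, reason


if __name__ == "__main__":
    lan_only = DestinationPolicy(["127.0.0.0/8", "192.168.0.0/16"])
    for host, port in [("127.0.0.1", 3389), ("192.168.1.10", 22), ("203.0.113.5", 443)]:
        print(host, port, validate(build_connect_request(host, port), lan_only))
```

The allowlist form is the one that matches the post's wish list: loopback for the services on the stunnel host itself, and one private range for the LAN behind it, with everything else refused before any outbound connection is attempted.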
