[stunnel-users] RES: Stunnel 5.50 Transparent Both (Source+Destination)

Luis Monteiro luis.monteiro440 at gmail.com
Fri Feb 1 21:16:27 CET 2019


Just to document the solution, which was pretty hard to discover since I had
to understand what Stunnel was doing together with tproxy/ip_transparent.

When you set both, stunnel uses all kinds of sockets: access, local and remote.
With both options enabled, the local socket, instead of connecting to the lo
interface, gets the outside Ethernet interface, in my case ens192.

The solution is to use socket options in the config file, as below:

Socket = l:SO_BINDTODEVICE=lo

If you believe in witches, bind access and remote as well: access to interface
ens224 and remote to ens192 in my case:

Socket = a:SO_BINDTODEVICE=ens224

Socket = r:SO_BINDTODEVICE=ens192

Now everything will work fine.

The solution is not documented in the manual page.

Good luck.

Luis

 

From: Luis Monteiro <luis.monteiro440 at gmail.com>
Sent: Thursday, January 31, 2019 22:46
To: stunnel-users at stunnel.org
Subject: Stunnel 5.50 Transparent Both (Source+Destination)

 

Sirs. I'm trying to make Stunnel work as both source and destination
transparent proxy, and after looking at every possibility I started to track
the packet that is locally generated (Stunnel client sending to stunnel server).

The packet goes out from the process to the raw table output chain. It is
delivered to connection tracking, which passes the packet to mangle output, but
it disappears before arriving at the nat table output chain.

Stunnel Packet destination 7.0.0.2:80 (Original destination)------raw/output-----connectTrack------mangle/output-------XXXX disappear

With transparent destination off it works fine.

Stunnel Packet destination 9.0.0.2:443 (Stunnel Server IP)------raw/output-----connectTrack------mangle/output-------nat/output----filter/output----interface

 

The problem is probably regarding the tproxy/ip_transparent that stunnel uses
to control the connection and get the original src/dst to use.

I tried 3 different distributions of Linux with the same behavior.

Does someone already use transparent=both and can give me a setup that worked,
like Linux distribution/version, stunnel version and so on?

Thanks,

Luis Monteiro
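
A check built on the fix reported in this thread, added here as an example and not part of the original post or of stunnel: it scans a stunnel configuration and lists the services that set transparent = both without an l:SO_BINDTODEVICE socket option. The function names, the sample service names and ports, and the treatment of options before the first section as defaults for every service are assumptions.

```python
import copy
import re
# Constructed sample config: service names and ports are made up; the
# interface names and the 9.0.0.2:443 address are the ones quoted in the post.
SAMPLE_CONF = """\
socket = r:SO_BINDTODEVICE=ens192
[fixed]
accept = 8080
connect = 9.0.0.2:443
transparent = both
socket = l:SO_BINDTODEVICE=lo

[unfixed]
accept = 8081
connect = 9.0.0.2:443
transparent = both
"""

SECTION = re.compile(r"^\[(.+)\]$")
BIND = re.compile(r"^([alr]):SO_BINDTODEVICE=(\S+)$", re.IGNORECASE)

def parse(text):
    """Map service name -> {'transparent': value, 'bind': {a|l|r: iface}}."""
    # Assumption: options before the first [section] are defaults for all services.
    services = {"": {"transparent": "none", "bind": {}}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        section = SECTION.match(line)
        if section:
            current = section.group(1)
            services[current] = copy.deepcopy(services[""])
            continue
        key, _, value = line.partition("=")  # split at the first '=' only
        key, value = key.strip().lower(), value.strip()
        if key == "transparent":
            services[current]["transparent"] = value.lower()
        elif key == "socket":
            bind = BIND.match(value)
            if bind:
                services[current]["bind"][bind.group(1).lower()] = bind.group(2)
    return services

def missing_local_bind(text):
    # Services with transparent = both but no l:SO_BINDTODEVICE line.
    return [name for name, svc in parse(text).items()
            if name and svc["transparent"] == "both" and "l" not in svc["bind"]]
```

Calling `missing_local_bind(SAMPLE_CONF)` reports only the `unfixed` service; option names are lower-cased before comparison, so the capitalised `Socket` spelling used in the post is recognised too.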