[stunnel-users] Transparent destination

Luis Monteiro luis.monteiro440 at gmail.com
Thu Jan 17 20:12:44 CET 2019

Sirs, I tested a stunnel client connecting to a stunnel server to transparently
proxy HTTP traffic.


I used a traffic generator from Ixia (BPS), a tap to get the traffic between
the stunnels using ntop-licensed pf_ring (kernel bypass) with tcpdump accessing
their libs, and exported pcaps from source and destination from Ixia.


Transparent source worked flawlessly and easily using the information on the man page.


Transparent destination didn't work. The instructions in the stunnel
documentation for each are:

/sbin/iptables -I INPUT -i client_interface -p tcp --dport 443 (I'm using
the default port of https) -j ACCEPT ----- It is the filter INPUT that is executed
after the routing decision, after nat, to allow packets with destination port 443

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 (destination port of
http in client_interface) \
        -i client_interface -j DNAT --to-destination (connect
destination on server Stunnel)

The second input in iptables is executed before the routing decision and
that is the problem. Looking at the hit count in iptables, the nat table
PREROUTING always has a hit but the filter table INPUT doesn't.

I set a policy routing to deliver packets to local process
and the filter table INPUT started to receive the hit in the
counters as well, but stunnel didn't work.

If I change the connect destination address to local interface I
do not need the policy routing since it's local, but Stunnel did not work.

The stunnel configuration for the client is below:

#setgid = root
#setuid = root
debug = 7
log = overwrite
syslog = no
output = /root/stunnel.log
;engine = ENGINE_ID
;engineDefault = TASK_LIST

client = yes
accept =
;connect =
ciphers = AES128-GCM-SHA256
requireCert = no
sslVersion = TLSv1.2
transparent = destination


At the end I'd like to use both source and destination but I'm testing

Does anyone know if there is a bug related or if there is a version working

Even with a lot of resources I don't know what more to do about it, and any help
would be appreciated.

Luis Monteiro
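
The hit-count check the message describes (nat PREROUTING counting packets while filter INPUT stays at zero) can be scripted. This is an added example, not part of the original post or of stunnel; the sample `iptables-save -c` dump, the interface name eth0 and the address 192.0.2.10 are constructed.

```shell
#!/bin/sh
# Added example: compare per-rule packet counters from `iptables-save -c`.

# Constructed sample dump (eth0 and 192.0.2.10 are placeholders).
sample_counters() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [120:7200]
[42:2520] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:443
COMMIT
*filter
:INPUT ACCEPT [900:54000]
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Print "<table> <chain> <packets> <target>" for every rule on stdin
# that matches TCP destination port $1.
rule_hits() {
    awk -v port="$1" '
        /^\*/ { table = substr($0, 2); next }        # "*nat", "*filter"
        /^\[[0-9]+:[0-9]+\] -A / {
            split(substr($1, 2, length($1) - 2), c, ":")   # [packets:bytes]
            chain = $3; target = ""; hit = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) hit = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (hit) print table, chain, c[1], target
        }'
}

# $1 = port matched in nat (before translation), $2 = port matched in filter.
compare_stages() {
    dump=$(cat)
    nat=$(printf '%s\n' "$dump" | rule_hits "$1" | awk '$1 == "nat" { s += $3 } END { print s + 0 }')
    flt=$(printf '%s\n' "$dump" | rule_hits "$2" | awk '$1 == "filter" { s += $3 } END { print s + 0 }')
    if [ "$nat" -gt 0 ] && [ "$flt" -eq 0 ]; then
        verdict="translated-but-no-INPUT-hits"
    elif [ "$nat" -gt 0 ]; then
        verdict="INPUT-rule-hit"
    else
        verdict="no-nat-hits"
    fi
    echo "nat=$nat filter=$flt $verdict"
}
```

On a live host the input would come from `iptables-save -c | compare_stages 80 443` run as root. The nat table counts only the first packet of each connection, while filter INPUT counts every packet, so the two numbers are not expected to be equal.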
