[stunnel-users] hostapd & stunnel

Johannes Eckhardt johannes.eckhardt at informatixx.net
Mon May 20 14:22:44 CEST 2019


Hi,

I'm running stunnel 5.39 on a Raspberry Pi with Raspbian 9 (stretch). 
The Pi has two network interfaces (eth0, wlan0) and I'm running an 
access point with hostapd. What I want to do is to route all traffic 
from my wifi-clients (connected via wlan0) through stunnel/socks.

Working iptables configuration to access the internet from eth0/wlan0:

iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;

If I add the following lines (from stunnel.org), local traffic on eth0 goes 
to the stunnel-server but my wireless clients can't access the internet 
anymore. I tried several configurations, but without success...

# stunnel socks
iptables -t nat -A OUTPUT -p tcp -d TARGET-SERVER --dport 9080 -j ACCEPT
iptables -t nat -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 9050 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 9051
iptables -t nat -A PREROUTING -p tcp --dport 9050 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 9051


# /etc/stunnel/stunnel.conf

[SOCKS Client Direct]
client = yes
PSKsecrets = secrets.txt
accept = :::9050
connect = TARGET-SERVER:9080

[SOCKS Client Transparent IPv4]
client = yes
PSKsecrets = secrets.txt
accept = 127.0.0.1:9051
connect = TARGET-SERVER:9080
protocol = socks

Has anyone a solution for that?

Best regards,

Johannes
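
Added example, not part of the original post or of the stunnel project: a static check of the posted configuration, run over constructed copies of the stunnel.conf and nat rules above. It relies on documented iptables behaviour: in PREROUTING, REDIRECT rewrites the destination to the primary address of the incoming interface, while locally generated packets in OUTPUT are mapped to 127.0.0.1. The function names are hypothetical.

```shell
#!/bin/sh
# Constructed inputs, copied from the configuration in the post.
STUNNEL_CONF='[SOCKS Client Direct]
accept = :::9050
[SOCKS Client Transparent IPv4]
accept = 127.0.0.1:9051
protocol = socks'
NAT_RULES='-t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 9051
-t nat -A PREROUTING -p tcp --dport 9050 -j ACCEPT
-t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 9051'

# Print "address port" for every stunnel accept line of the form addr:port.
listeners() {
  printf '%s\n' "$1" | sed -n 's/^accept *= *\(.*\):\([0-9][0-9]*\) *$/\1 \2/p'
}

# Print the ports that PREROUTING REDIRECT rules send forwarded traffic to.
prerouting_ports() {
  printf '%s\n' "$1" |
    sed -n 's/.*-A PREROUTING.*-j REDIRECT --to-ports* \([0-9][0-9]*\).*/\1/p'
}

# Return 1 if a PREROUTING redirect port has only loopback listeners.
# Traffic arriving on wlan0 is redirected to the wlan0 address, so a
# listener bound to 127.0.0.1 never sees it.
check_redirect() {
  status=0
  for port in $(prerouting_ports "$2"); do
    reachable=no
    while read -r addr lport; do
      [ "$lport" = "$port" ] || continue
      case "$addr" in
        127.*|::1|localhost) ;;       # loopback: not reachable after REDIRECT
        *) reachable=yes ;;
      esac
    done <<EOF
$(listeners "$1")
EOF
    if [ "$reachable" = no ]; then
      echo "port $port: PREROUTING redirects here, but no non-loopback listener"
      status=1
    fi
  done
  return $status
}

check_redirect "$STUNNEL_CONF" "$NAT_RULES" || echo "forwarded clients cannot reach stunnel"
```

The check passes once the transparent service accepts on the access point's own wlan0 address instead of 127.0.0.1, which keeps the listener off eth0.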


