<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EstiloDeEmail18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;}
span.EstiloDeEmail19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=PT-BR link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Just to document the solution that was pretty hard to discovery since I had to understand what Stunnel was doing together with tproxy/ip_transparent.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>When you set both stunnel use all kind of sockets access, local and remote. With both options enable the local socket instead of connect to lo interface get the outside ethernet in my case ens192.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>The solutions in use socket options in config file as bellow:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Socket = l:SO_BINDTODEVICE=lo<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>If you believe in witches bind access and remote as well to access interface ens224 and remote ens192 in my case:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Socket = a:SO_BINDTODEVICE=ens224<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Socket = r:SO_BINDTODEVICE=ens192<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Now everything will work fine.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>The solution is not documented in the manual page.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Good luck.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Luis<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='mso-fareast-language:PT-BR'>De:</span></b><span style='mso-fareast-language:PT-BR'> Luis Monteiro <luis.monteiro440@gmail.com> <br><b>Enviada em:</b> quinta-feira, 31 de janeiro de 2019 22:46<br><b>Para:</b> stunnel-users@stunnel.org<br><b>Assunto:</b> Stunnel 5.50 Transparent Both (Source+Destination)<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US>Sirs. I�m trying to make Stunnel work in both source and destination transparent proxy and after looking every possibility I started to track the packet that is locally generated (Stunnel client sending to stunnel server).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>The packet goes out from process to raw table output chain. It deliveries to connect tracking that pass the packet to mangle output but it disappears before arriving in the nat table output chain.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Stunnel Packet destination 7.0.0.2:80(Original destination)------raw/output-----connectTrack------mangle/output-------XXXX disappear<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>With transparent destination off it works fine.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Stunnel Packet destination 9.0.0.2:443(Stunnel Server IP)------raw/output-----connectTrack------mangle/output-------nat/output----filter/output----interface<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The problem is probably regarding the tproxy/ip_transparent that stunnel use to control the connection and get the original src/dst to use.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>I tried 3 different distribution of linux with the same behavior.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Does someone already use transparent=both and give me a setup that worked link linux distribution/version, stunnel version and so on?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Luis Monteiro<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></body></html>