Hello,

I struggled recently with combining sslh and nginx, daisy-chaining ip-transparent connections, and realised that it is the same problem other users reported when using stunnel.
Now that I have found a fix which solves my problem with sslh, I checked into the stunnel code and adapted my proposed fix for stunnel:

diff client.c_original client.c
1721a1722,1723
>         if (setsockopt(c->fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on))
>             sockerror("setsockopt SO_REUSEADD");
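Review bot: The sockerror() string at 1723 reads "setsockopt SO_REUSEADD", missing the final R of SO_REUSEADDR, so a log search for the option name will not find it. In addition, `on` is used here at 1722, while the only declaration visible in this patch is `int on = 1;` at 1772 in the next hunk; please confirm that an `on` is already in scope at this point, or declare it here.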
1769a1772,1776
>     int on = 1;
> #ifdef IP_TRANSPARENT
>     if (setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on))
>         sockerror("setsockopt SO_IP_TRANSPARENT");
> #endif
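Review bot: The sockerror() message at 1775 names "SO_IP_TRANSPARENT", but the option being set is IP_TRANSPARENT at level SOL_IP; the log text should match the option name. `int on = 1;` sits outside the `#ifdef IP_TRANSPARENT` block, so on builds without IP_TRANSPARENT these lines declare it without using it; moving the declaration inside the #ifdef would avoid that. SOL_IP/IP_TRANSPARENT also only applies to IPv4 sockets, so if c->fd can be an IPv6 socket it needs the IPV6_TRANSPARENT counterpart.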

I described my findings in detail here: https://github.com/ftasnetamot/sslh/blob/2024-07-28--documentation/doc/Daisy-Chaining-Transparency-Explained.md
This article helped me to figure out what is wrong: https://blog.cloudflare.com/how-to-stop-running-out-of-ephemeral-ports-and-start-to-love-long-lived-connections

Some weeks earlier I also wrote two documents describing how to configure ip-transparent connections with routing only and no firewall rules involved.
The same works 1:1 with stunnel.
https://github.com/yrutschle/sslh/blob/master/doc/simple_transparent_proxy.md
https://github.com/yrutschle/sslh/blob/master/doc/scenarios-for-simple-transparent-proxy.md

Happy tunneling

  .f
