Hello,
I would suggest improving the 'transparent = yes | no (Unix only)' section of http://www.stunnel.org/faq/stunnel.html#service_level_options
and explaining how this option works on OS X.
I think that this part
    remote mode (I<connect> option) on Linux >=2.6.28
    remote mode (I<connect> option) 2.2.x
    local mode (I<exec> option)
is not clear. Remote mode is a "I<connect> option"? What the heck? And local mode is a "I<exec> option"? Does this "I" thingie stand for unnamed pipe or capital "i" or small cap "L"??
I ran into this problem when I tried to set up stunnel on Mac OS X and carelessly used some example config from the web. Setting "transparent = yes" in Mac OS X will result in very funny behavior. Consider this conf:
    debug=7
    output=stunnel.log
    verify=0
    foreground=yes
    client=yes
    pid=
    [https]
    accept=localhost:8080
    connect=google.com:443
    transparent=yes
It will result in an unbelievable error: "local_bind (original port): Address family not supported by protocol family (47)". Using 127.0.0.1 instead of localhost will do better ("Service https bound to 127.0.0.1:8080"), BUT when you try to access 127.0.0.1:8080 nothing reasonable happens, and the log will show another strange error: "connect_blocking: connect <ip_address>: Network is unreachable (51)".
The next spectacular thing is that when you use only localhost for the connect and accept parameters, then transparent=yes works OK.
I would suggest rewriting that part to reflect these kinds of situations in a clearer way - they are very hard to debug, and honestly I couldn't figure it out even though I read the FAQ several times.
Final question - is it possible on OS X (which doesn't have iptables interface, but has ipfw) to set up transparent proxy tunnel with stunnel?
Thanks.
Ivan Trancik <descent89@gmail.com> wrote:
> Remote mode is a "I<connect> option"? What the heck? And local mode is a "I<exec> option"? Does this "I" thingie stand for unnamed pipe or capital "i" or small cap "L"??
My mistake. I updated it on http://stunnel.mirt.net/static/stunnel.html#service_level_options
Brian Hatch may eventually mirror it to stunnel.org.
> I ran into this problem when I tried to set up stunnel on Mac OS X and carelessly used some example config from the web.
Please read the following paragraphs. They explicitly list the supported platforms.
> Setting "transparent = yes" in Mac OS X will result in very funny behavior.
Non-local-bind needs to be supported by the OS kernel. It's not possible to get this feature running without kernel support.
> Final question - is it possible on OS X (which doesn't have iptables interface, but has ipfw) to set up transparent proxy tunnel with stunnel?
No.
Mike
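The point Mike makes (transparent mode needs kernel support for non-local bind, which the FAQ excerpt limits to Linux >= 2.6.28 and 2.2.x) can be turned into a pre-flight check. The script below is an added example, not code from the stunnel project: it lints an stunnel config for services that request transparent mode on a platform whose kernel cannot honour it, so the misleading bind/connect errors from this thread never appear. The sample config it writes is constructed from the one quoted above.

```shell
#!/bin/sh
# Added example (not stunnel project code). Assumption taken from the FAQ
# excerpt in this thread: transparent remote mode works on Linux >= 2.6.28
# (and the legacy 2.2.x series); other kernels, OS X included, cannot do it.

# kernel_supports_transparent OS KERNEL_VERSION: exit 0 if supported, else 1
kernel_supports_transparent() {
    [ "$1" = "Linux" ] || return 1
    ver=${2%%-*}                       # "2.6.28-foo" -> "2.6.28"
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}   # keep only the numeric part
    [ "$major" -eq 2 ] && [ "$minor" -eq 2 ] && return 0   # legacy 2.2.x
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -gt 6 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 28 ] && return 0
    return 1
}

# lint_stunnel_conf FILE OS KERNEL_VERSION: warn (on stderr) for every service
# section whose 'transparent' setting is not 'no' on an unsupported kernel;
# exit 0 if the config is safe to use, 1 otherwise.
lint_stunnel_conf() {
    conf=$1; os=$2; ver=$3; rc=0; section="global"
    while IFS= read -r line || [ -n "$line" ]; do
        # strip ';' / '#' comments and surrounding whitespace
        line=$(printf '%s' "$line" | sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case $line in
            "") ;;
            \[*\]) section=${line#\[}; section=${section%\]} ;;
            transparent*=*)
                value=$(printf '%s' "${line#*=}" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
                if [ "$value" != "no" ] && ! kernel_supports_transparent "$os" "$ver"; then
                    echo "WARNING: [$section] sets transparent=$value, but $os $ver lacks kernel non-local-bind support" >&2
                    rc=1
                fi ;;
        esac
    done < "$conf"
    return $rc
}

# write_sample_conf FILE: constructed config mirroring the one in this thread
write_sample_conf() {
    cat > "$1" <<'EOF'
debug = 7
output = stunnel.log
foreground = yes
client = yes
[https]
accept = 127.0.0.1:8080
connect = google.com:443
transparent = yes   ; needs Linux >= 2.6.28
EOF
}

# Stand-alone use: lint the given config against the running kernel
if [ "$#" -ge 1 ]; then
    lint_stunnel_conf "$1" "$(uname -s)" "$(uname -r)"
fi
```

Running it on the thread's config under Darwin reports the [https] service and exits 1; the same file on a Linux 3.x kernel passes.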