[stunnel-users] Transparent Proxy help.

Steven Relf srelf at ukcloud.com
Tue Jul 21 17:38:00 CEST 2020 

Hello List,

I am working on a small project where I need to encrypt nfs traffic, and Stunnel looks to be ideal, the only issue I'm having is getting the transparent part to work

I have a client machine, running stunnel config below

#GLOBAL#######################################################

sslVersion      =       TLSv1.2
TIMEOUTidle     =       600
renegotiation   =       no
        FIPS    =       no
        options =       NO_SSLv2
        options =       NO_SSLv3
        options =       SINGLE_DH_USE
        options =       SINGLE_ECDH_USE
        options =       CIPHER_SERVER_PREFERENCE
        syslog  =       yes
        debug   =       7
        ;chroot  =       /var/empty/stunnel
        libwrap =       yes
        service =       3d-nfsd
        curve   =       secp521r1

#CREDENTIALS##################################################

        verify  =       4
        CAfile  =       /etc/stunnel/nfs-tls.pem
        cert    =       /etc/stunnel/nfs-tls.pem

#ROLE#########################################################

        client  =       yes
        connect =       fqdn:2363

and the client which is running ontop of the nfs-ganesha server config below
#GLOBAL#######################################################

TIMEOUTidle     =       600
renegotiation   =       no
        FIPS    =       no
        options =       NO_SSLv2
        options =       NO_SSLv3
        options =       SINGLE_DH_USE
        options =       SINGLE_ECDH_USE
        options =       CIPHER_SERVER_PREFERENCE
        syslog  =       yes
        debug   =       7
        setuid  =       nobody
        setgid  =       nobody
        chroot  =       /var/empty/stunnel
        libwrap =       yes
        service =       MC-nfsd
        ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
        ; echo 'MC-nfsd: ALL EXCEPT 5.6.7.8' >> hosts.deny;
        ; chcon -t stunnel_etc_t hosts.deny

        curve   =       secp521r1

#CREDENTIALS##################################################

        verify  =       4
        CAfile  =       /etc/stunnel/nfs-tls.pem
        cert    =       /etc/stunnel/nfs-tls.pem

#ROLE#########################################################

        connect =       127.0.0.1:2049

I have had a look through the documentation and I believe I need to set transparent = source on the client side, and then set some ip tables firewall rules. Does anyone have a guide, or some advice on how to get this to work. Generally what happens if I set the firewall rules, on the client, and set the transparent to source I just get connection closed by remote host. I never actually see the traffic leave the client host.

To confirm, when not using transparent everything works correctly, accept the server side sees the connection coming from 127.0.0.1

Thanks

Rgds
Steve.

The future has already arrived. It's just not evenly distributed yet - William Gibson


Steven Relf - 
Technical Authority: Cloud Native Infrastructure
srelf at ukcloud.com
+44 1252 936019 / +44 7500 085 864
www.ukcloud.com
A8, Cody Technology Park, Ively Road, Farnborough, GU14 0LX
Notice: This message contains information that may be privileged or confidential and is the property of UKCloud Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorised to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. UKCloud reserves the right to monitor all e-mail communications through its networks. UKCloud Ltd is registered in England and Wales: Company No: 07619797. Registered office: Hartham Park, Hartham, Corsham, Wiltshire SN13 0RP.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200721/bf33877b/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image047554.png
Type: image/png
Size: 6421 bytes
Desc: image047554.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200721/bf33877b/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image361467.png
Type: image/png
Size: 1986 bytes
Desc: image361467.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200721/bf33877b/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image659367.png
Type: image/png
Size: 2017 bytes
Desc: image659367.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200721/bf33877b/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image618123.png
Type: image/png
Size: 2290 bytes
Desc: image618123.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200721/bf33877b/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image016495.png
Type: image/png
Size: 145246 bytes
Desc: image016495.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20200721/bf33877b/attachment-0009.png>

More information about the stunnel-users mailing list