stunnel

stunnel is properly configured :
- no error at startup
- no error in the logs
I do have an stunnel process running :
pgrep stunnel
```
13831
```

the configured network socket (12.34.56.78:1234) is currently used by stunnel :

netstat -laputen | grep 12.34.56.78

tcp	0	0	12.34.56.78:1234	0.0.0.0:*	LISTEN	0	2656233	13831/stunnel		same PID as earlier

ss -punta | grep 12.34.56.78

tcp	LISTEN	0	128	12.34.56.78:1234	*:*	users:(("stunnel",pid=13831,fd=6))		the shown fd is also visible in the logs

Probing the listening socket timeouts :

nc -vz 12.34.56.78:1234

12.34.56.78: inverse host lookup failed: Unknown host
(UNKNOWN) [12.34.56.78] 1234 (?) : Connection timed out
	sent 0, rcvd 0

This creates no new entry in the logs

Stuff that was not perfectly configured but not the cause of this behavior either

certificates
having a DNS or /etc/hosts entry to reverse lookup the listening address 12.34.56.78

That was a pretty stupid one : I had an iptables rule specifically dropping all packets to 12.34.56.78:1234 ()

list all rules (source) :

iptables -L -n -v

(this gives details about interfaces)

Chain INPUT (policy )


Chain FORWARD (policy )


Chain OUTPUT (policy ACCEPT 448 packets, 58769 bytes)
pkts	bytes	target	prot	opt	in	out	source		:destination
0	0	ACCEPT	all	--	*	lo	0.0.0.0/0	0.0.0.0/0	owner GID match 2000		the last field is the rule parameters, not a comment
0	0	DROP 	tcp	--	*	lo	0.0.0.0/0	0.0.0.0/0	tcp dpt:1234			(idem)

flush everything (source) :
iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT; iptables -t nat -F; iptables -t mangle -F; iptables -F; iptables -X
test the network connectivity :
nc -vz 12.34.56.78 1234
```
stunnel [12.34.56.78] 1234 (?) open
```
test the TLS connectivity :
openssl s_client -connect 12.34.56.78:1234

More about iptables

In the rule defined above, as well as in /etc/iptables/rules.v4 (which can be restored with iptables-restore < /etc/iptables/rules.v4) :

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -m owner --gid-owner 2000 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 1234 -j DROP
COMMIT

the TCP port 1234 appears as a destination and is actually filtered, although it's the entry point of my stunnel. Why ???

That's because iptables analyzes packets as they pass, and those going into the tunnel are actually heading to '12.34.56.78:1234'

Configuration

flag	usage
debug=level

Actions

	sysVinit	systemd
start	/etc/init.d/stunnel4 start	systemctl start stunnel4
view logs	less /var/log/stunnel4/stunnel.log	journalctl -u stunnel4 I've seen stunnel logging in /var/log/stunnel4/stunnel.log even though handled by systemd. This _may_ be because of a transitional situation where systemd actually fires sysVinit scripts

https://charlesreid1.com/wiki/Stunnel/Client
https://charlesreid1.com/wiki/Stunnel/Troubleshooting
https://bbs.archlinux.org/viewtopic.php?id=101866
http://edunham.net/2016/01/09/troubleshooting_stunnel.html

stunnel - TLS offloading and load-balancing proxy

stunnel accepts no connection, nothing in the logs

Situation

Details

Stuff that was not perfectly configured but not the cause of this behavior either

Solution

More about iptables

Configuration

Actions