stunnel - TLS offloading and load-balancing proxy


stunnel accepts no connection, nothing in the logs



Things that were not perfectly configured, but were not the cause of this behavior either:

  • certificates
  • having a DNS or /etc/hosts entry for reverse lookup of the listening address


That was a pretty stupid one: I had an iptables rule specifically dropping all packets to ()
  1. list all rules (source):
    iptables -L -n -v
    (the -v flag adds the in/out interface columns)
    Chain INPUT (policy )
    Chain FORWARD (policy )
    Chain OUTPUT (policy ACCEPT 448 packets, 58769 bytes)
    pkts	bytes	target	prot	opt	in	out	source	destination
    0	0	ACCEPT	all	--	*	lo	owner GID match 2000
    0	0	DROP	tcp	--	*	lo	tcp dpt:1234
    (in the two rows above, the trailing field is the rule's match parameters, not a comment)
  2. flush everything (source):
    iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT; iptables -t nat -F; iptables -t mangle -F; iptables -F; iptables -X
    (this removes every rule; run iptables-save > some_file first if you want them back)
  3. test the network connectivity:
    nc -vz 1234
    stunnel [] 1234 (?) open
  4. test the TLS connectivity:
    openssl s_client -connect

More about iptables

In the rules listed above, as well as in /etc/iptables/rules.v4 (which can be loaded again with iptables-restore < /etc/iptables/rules.v4):

-A OUTPUT -o lo -m owner --gid-owner 2000 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 1234 -j DROP
the TCP port 1234 appears as a destination and is actually filtered, although it is the entry point of my stunnel. Why?

That's because iptables analyzes packets as they pass, and those going into the tunnel are actually heading to ''
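As an added example (not from the original page), a small POSIX shell check that scans rules in iptables-save format, such as /etc/iptables/rules.v4, for DROP/REJECT rules aimed at a given TCP port and reports the chain, interface and target, so a filtered stunnel port on lo is spotted before certificates get blamed. The embedded rule set is constructed from the two OUTPUT rules quoted above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: find DROP/REJECT rules in iptables-save format that target a
# given TCP port, e.g. the port stunnel listens on. Function names are mine.

# Constructed sample in iptables-save format, built from the two OUTPUT rules
# quoted above; not copied from a real /etc/iptables/rules.v4.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -m owner --gid-owner 2000 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 1234 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# port_filtered_rules PORT: read rules on stdin and print one line per
# DROP/REJECT rule whose --dport equals PORT, as "CHAIN iface=IF -> TARGET".
# Exit status 0 if at least one such rule was found, 1 otherwise.
# Only single --dport matches are handled (not -m multiport --dports).
port_filtered_rules() {
    awk -v p="$1" '
        /^-A / {
            chain = $2; iface = "any"; dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i" || $i == "-o") iface = $(i + 1)
                if ($i == "--dport")          dport = $(i + 1)
                if ($i == "-j")               target = $(i + 1)
            }
            if (dport == p && (target == "DROP" || target == "REJECT")) {
                printf "%s iface=%s -> %s\n", chain, iface, target
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# check_port PORT: run the scan against the embedded sample rule set.
check_port() {
    printf '%s\n' "$SAMPLE_RULES" | port_filtered_rules "$1"
}

# On a real host, scan the live rules instead (needs root):
#   iptables-save | port_filtered_rules 1234
check_port 1234
```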




flag usage


           	sysVinit                            	systemd
start      	/etc/init.d/stunnel4 start          	systemctl start stunnel4
view logs  	less /var/log/stunnel4/stunnel.log  	journalctl -u stunnel4
I've seen stunnel logging to /var/log/stunnel4/stunnel.log even though it is handled by systemd. This _may_ be because of a transitional situation where systemd actually fires the sysVinit scripts.