Aha! The bind problem wasn't fatal.
On Mon, Aug 18, 2025 at 04:02:37PM +0100, Jonathan Dowland wrote:
> If I configure the accept to my public IPv4 address, I get past that
> specific error, but inexplicably the server terminates shortly
> afterwards.
I'd missed (in README.md) that "foreground = yes" was required on the
_stunnel_ configuration; I'd attributed that to the _systemd service_,
since it's in the "Per-config-file systemd services" section. I've
raised an MR that I think clarifies this, for your consideration:
https://salsa.debian.org/debian/stunnel/-/merge_requests/4
With that, stunnel is working for me via generator, even with the bind
issue. More on that:
> Note: I'd rather not encode my public IPv4 in this file, but I can't
>see another way to say "bind on IPv4 only":
According to /usr/share/doc/stunnel4/stunnel.html (and stunnel(8)),
> If no host specified, defaults to all IPv4 addresses for the local
> host.
So, specifying "accept = 1234" should only attempt to bind on IPv4. But
that's not what is happening. Here's an strace which clarifies what it
is doing.
> socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 9
> setsockopt(9, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> bind(9, {sa_family=AF_INET, sin_port=htons(1234),
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> listen(9, 4096) = 0
> getsockname(9, {sa_family=AF_INET, sin_port=htons(1234),
> sin_addr=inet_addr("0.0.0.0")}, [112 => 16]) = 0
> socket(AF_INET6, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 10
> setsockopt(10, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> bind(10, {sa_family=AF_INET6, sin6_port=htons(1234), sin6_flowinfo=htonl(0),
> inet_pton(AF_INET6, "::", &sin6_addr), sin6_scope_id=0}, 28) = -1 EADDRINUSE
> (Address already in use)
> close(10) = 0
And (with accept = 1234):
> $ sudo lsof -ni:1234
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> stunnel4 1435740 root 9u IPv4 20267002 0t0 TCP *:1234 (LISTEN)
So the documentation does not match the behaviour.
In my case, I don't mind it listening on IPv6, and I can ignore the bind
warning.
I'll retitle this bug to reflect the remaining issue.
