If you need to administer your home network while on the move, you will soon realise that you need several types of access.
The standard types of access you may need are:
- HTTPS to access your secured pages or WebDAV shares
- SSH to administer your main server
- OpenVPN to get full, unrestricted access to your LAN
The only problem is that many Internet providers block most of the ports used by these protocols. With some very restrictive providers (or behind some corporate proxies), the only available ports may be 80 and 443.
So the solution to that problem is to let HTTPS, SSH and OpenVPN share the same port, 443. With such a setup, all your connection needs can be handled from any type of network.
To help us reach that goal, a fantastic little tool is available under Linux: sslh.
This tool listens on one specific port, analyses the stream and forwards it to a specific local port according to its type. To handle any type of SSH client and OpenVPN connections, we need to install and configure the latest version of sslh (1.9 minimum).
This guide explains how to install the latest version of sslh, which is not available in the distribution repository, on Debian Squeeze. It should also work on Debian Lenny and on some flavours of Ubuntu.
The following guide assumes that you are connected as root.
If not, you should prefix all the console commands with sudo.
1. Install the package
sslh is available as a standard package, so you can just install it through aptitude:
# aptitude update
# aptitude install sslh
2. Compile & replace with the latest version
At the time of writing, the latest version of sslh is 1.10.
To handle OpenVPN connections and to accept any type of SSH client (even the ones not following the full protocol), you need version 1.9 at minimum.
If the package did not give you the latest version, you need to fetch and compile it yourself.
First, if not already done, install the standard compilation environment:
# aptitude install build-essential
Then comes the compilation of the latest sslh binary :
# cd /tmp
# wget http://www.rutschle.net/tech/sslh-1.10.tar.gz
# tar xvzf sslh-1.10.tar.gz
# cd sslh-1.10
# make install
gcc -Wall -g -D'VERSION="v1.10"' -c common.c
install -D sslh-fork /usr/local/sbin/sslh
install -D -m 0644 sslh.8.gz /usr/local/share/man/man8/sslh.8.gz
The latest sslh binary is now available under /usr/local/sbin/sslh.
To use it instead of the packaged version, we have to modify /etc/init.d/sslh:
DAEMON=/usr/local/sbin/sslh # Introduce the server's location here
3. Configure SSLH
You need to edit /etc/default/sslh to configure the listen and forward ports and interfaces:
- -p: common listen port
- --ssh: SSH forward
- --ssl: HTTPS forward
- --openvpn: OpenVPN forward
Be careful, the parameter order is very important as sslh expects parameters in a specific order. If you do not respect it, nothing will work!
# allow start at boot
# wait for 2 seconds to avoid error
# options for listen & forward
DAEMON_OPTS="-u sslh -p 192.168.xxx.xxx:443 --ssh 127.0.0.1:22 --openvpn 127.0.0.1:1194 --ssl 127.0.0.1:443 -P /var/run/sslh.pid"
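The multiplexing that DAEMON_OPTS configures, as an added example (a simplified Python re-implementation, not sslh's own code): the probe rules that tell an SSH banner, a TLS handshake record and an OpenVPN TCP packet apart, plus the timeout fallback that lets SSH clients which wait for the server banner still reach port 22. The forward targets are the ones from the line above; the sample bytes are constructed.

```python
"""Simplified re-implementation of the probes an sslh-style multiplexer runs on
the first bytes of a connection to port 443 to pick the local port (--ssh,
--ssl or --openvpn) that receives it. Added example, not sslh's own code; the
rules follow each protocol's public framing rather than sslh's source."""
import struct
from typing import Optional, Tuple

# Forward targets taken from the DAEMON_OPTS line of this guide.
TARGETS = {"ssh": ("127.0.0.1", 22), "ssl": ("127.0.0.1", 443),
           "openvpn": ("127.0.0.1", 1194)}

def is_ssh(data: bytes) -> bool:
    # SSH clients open with an identification string (RFC 4253, section 4.2).
    return data.startswith(b"SSH-")

def is_tls(data: bytes) -> bool:
    # A TLS ClientHello is a handshake record: type 0x16, major version 0x03.
    return len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03

def is_openvpn(data: bytes) -> bool:
    # OpenVPN over TCP prefixes each packet with a 2-byte big-endian length; the
    # client's first control packet arrives whole, so prefix == remaining bytes.
    if len(data) < 2:
        return False
    (length,) = struct.unpack("!H", data[:2])
    return length == len(data) - 2

def classify(first_bytes: Optional[bytes]) -> str:
    """Name the protocol of a new connection from its first bytes. None means
    the probe timeout expired with nothing received: an SSH client that waits
    for the server banner never speaks first, which is why sslh forwards silent
    connections to SSH (--timeout, 2 s by default). Data matching no probe is
    reported as "unknown" rather than guessed at."""
    if not first_bytes:
        return "ssh"
    for name, probe in (("ssh", is_ssh), ("ssl", is_tls), ("openvpn", is_openvpn)):
        if probe(first_bytes):
            return name
    return "unknown"

def forward_target(first_bytes: Optional[bytes]) -> Optional[Tuple[str, int]]:
    """Local (host, port) the connection is relayed to, or None if unknown."""
    return TARGETS.get(classify(first_bytes))

if __name__ == "__main__":
    # Constructed samples: SSH banner, TLS 1.0 handshake record header, an
    # OpenVPN hard-reset control packet (opcode 7<<3, 8-byte session id, no
    # acks, packet id 0) behind its 14-byte length prefix, and a timeout.
    for s in (b"SSH-2.0-OpenSSH_5.5p1 Debian-6\r\n", b"\x16\x03\x01\x00\x05\x01",
              b"\x00\x0e\x38" + bytes(8) + bytes(5), None):
        print(classify(s), forward_target(s))
```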
4. Configure the Apache HTTPS port
By default, Apache listens on all the available network interfaces.
You have to make sure that port 443 of your LAN interface is free for sslh.
The easiest way is to restrict port 443 to the localhost interface only.
This can be done by editing /etc/apache2/ports.conf so that the SSL Listen directive binds to 127.0.0.1:443 only, matching the --ssl target above:
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
5. Start the daemon
You can now test your new sslh daemon:
# /etc/init.d/sslh start
Starting ssl/ssh multiplexer : sslh.
The sslh daemon is now running; you can check it with:
# ps -ef | grep sslh
sslh 22042 1 0 11:54 pts/3 00:00:00 /usr/local/sbin/sslh -u sslh -p ...
sslh 22044 22042 0 11:54 pts/3 00:00:00 /usr/local/sbin/sslh -u sslh -p ...
You can now connect to your server through the standard HTTPS port 443 for your SSH, OpenVPN and HTTPS connections.
Hope it helps.