Debian - Share same port for HTTPS, SSH and OpenVPN


If you need to administer your home network while on the move, you will soon realize that you need different types of access.

The standard types of access you may need are:

  • HTTPS to reach your secured pages or WebDAV shares
  • SSH to administer your main server
  • OpenVPN to get full unrestricted access to your LAN

The only problem is that many Internet providers block most of the ports used by these protocols. With some very restrictive providers (or behind a corporate proxy) the only available ports may be 80 and 443.

So the solution to that problem is to let HTTPS, SSH and OpenVPN share the same port 443. With such a setup, all your connection needs can be handled from any type of network.

To help us reach that goal, a fantastic little tool is available under Linux: sslh.

This tool listens on one specific port, analyses the beginning of the stream and forwards the connection to a specific local port according to its type. To be able to handle any type of SSH client and OpenVPN connections, we need to install and configure the latest version of sslh (1.9 minimum).
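To illustrate the principle, here is an added Python sniffer that is not sslh's own code: it classifies a connection by peeking at the first bytes the client sends, the way sslh does, and treats a silent client as SSH once a timeout elapses. The backend addresses and the simplified OpenVPN heuristic are assumptions for the example.

```python
# Illustrative re-implementation of sslh's dispatch idea: peek at the first
# bytes a client sends and pick a local backend. Not sslh's code; the
# backend addresses below are assumptions for a loopback-only setup.
import socket
import struct

# Assumed local backends (what sslh's --ssh, --ssl and --openvpn point to).
FORWARD = {
    "ssh": ("127.0.0.1", 22),
    "ssl": ("127.0.0.1", 443),
    "openvpn": ("127.0.0.1", 1194),
}


def classify(first_bytes: bytes, timed_out: bool = False) -> str:
    """Return 'ssh', 'ssl' or 'openvpn' from the client's first bytes."""
    # Many SSH clients wait for the server banner before sending anything,
    # so a client that stays silent until the timeout is treated as SSH.
    if timed_out or not first_bytes:
        return "ssh"
    # SSH clients that do speak first send their version banner.
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 0x16 (handshake) followed by major version 0x03.
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "ssl"
    # OpenVPN over TCP (simplified heuristic, an assumption): a 2-byte
    # big-endian length prefix that matches the rest of the packet.
    if len(first_bytes) >= 2:
        (plen,) = struct.unpack("!H", first_bytes[:2])
        if plen > 0 and plen == len(first_bytes) - 2:
            return "openvpn"
    # Unrecognised data: hand it to SSH here (fallback chosen for the example).
    return "ssh"


def sniff(conn: socket.socket, timeout: float = 2.0) -> str:
    """Peek at a connection's first bytes; MSG_PEEK leaves them in the
    socket so the chosen backend still receives the complete stream."""
    conn.settimeout(timeout)
    try:
        data = conn.recv(1024, socket.MSG_PEEK)
    except socket.timeout:
        return classify(b"", timed_out=True)
    return classify(data)
```

A real multiplexer would then open a connection to FORWARD[proto] and relay bytes in both directions; note that the backend only ever sees the multiplexer's address, not the remote client's.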

This guide explains how to install the latest version of sslh, which is not available in the distribution repository, on Debian Squeeze. It should also work on Debian Lenny and on some flavours of Ubuntu.

The following guide assumes that you are logged in as root.
If not, prefix all the console commands with sudo.

1. Install the package

sslh is available as a standard package, so you can simply install it through aptitude:

# aptitude update
# aptitude install sslh

2. Compile & replace with latest version

At the time of this article, the latest version of sslh is 1.10.

To be able to handle OpenVPN connections and to accept any type of SSH client (even the ones not following the full protocol), you need version 1.9 at minimum.

If the packaged version is older than that, you need to download the latest version and compile it.

The first thing, if not already done, is to install the standard compilation environment:

# aptitude install build-essential

Then comes the compilation of the latest sslh binary :

# cd /tmp
# wget http://www.rutschle.net/tech/sslh-1.10.tar.gz
# tar xvzf sslh-1.10.tar.gz
# cd sslh-1.10
# make install
gcc -Wall -g -D'VERSION="v1.10"' -c common.c
...
install -D sslh-fork /usr/local/sbin/sslh
install -D -m 0644 sslh.8.gz /usr/local/share/man/man8/sslh.8.gz

The latest sslh binary is now available under /usr/local/sbin/sslh.

To use it instead of the packaged version, we have to modify /etc/init.d/sslh so that it points to the new binary:

/etc/init.d/sslh
...
DAEMON=/usr/local/sbin/sslh # Introduce the server's location here
...

3. Configure SSLH

You need to edit /etc/default/sslh to configure the listen and forward ports and interfaces:

  • -p : common listen port
  • --ssh : SSH forward
  • --ssl : HTTPS forward
  • --openvpn : OpenVPN forward

Be careful, the parameter order is very important as sslh expects its parameters in a specific order. If you do not respect it, nothing will work!

/etc/default/sslh

...

# allow start at boot
RUN=yes

# wait for 2 seconds to avoid error
STARTTIME=2

# options for listen & forward
DAEMON_OPTS="-u sslh -p 192.168.xxx.xxx:443 --ssh 127.0.0.1:22 --openvpn 127.0.0.1:1194 --ssl 127.0.0.1:443 -P /var/run/sslh.pid"

4. Configure Apache https port

By default, Apache listens on all the available network interfaces.

You have to make sure that port 443 of your LAN interface is free for sslh.

The easiest way is to bind port 443 to the localhost interface only, so that only sslh is reachable on the LAN address.

This is done by editing /etc/apache2/ports.conf:

/etc/apache2/ports.conf

<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 127.0.0.1:443
</IfModule>

<IfModule mod_gnutls.c>
Listen 127.0.0.1:443
</IfModule>

5. Start the daemon

You can now test your new sslh daemon:

# /etc/init.d/sslh start
Starting ssl/ssh multiplexer : sslh.

The sslh daemon is now running; you can check it with:

# ps -ef | grep sslh
sslh 22042 1 0 11:54 pts/3 00:00:00 /usr/local/sbin/sslh -u sslh -p ...
sslh 22044 22042 0 11:54 pts/3 00:00:00 /usr/local/sbin/sslh -u sslh -p ...

You can now connect to your server through the standard HTTPS port 443 for your SSH, OpenVPN and HTTPS connections.

Hope it helps.
