DNS 325 - Funplug 0.7 : SSLH ... share port 443 for Https, Ssh, OpenVPN and Tinc


If you need to administer your home network while on the move, you will soon realise that you need several types of access.

The kinds of access you will typically need are:

  • HTTPS to reach your secured pages or WebDAV shares
  • SSH to administer your main server
  • OpenVPN or Tinc to get full, unrestricted access to your LAN

The only problem is that many Internet providers block most of the ports used by these protocols. With some very restrictive providers (or behind some corporate proxies) the only reachable ports may be 80 and 443.

The solution is therefore to let HTTPS, SSH, OpenVPN and Tinc share port 443. With such a setup, all your connection needs can be served from any type of network.

To help reach that goal, a fantastic little tool is available under Linux: SSLH.

This tool listens on one port, analyses the beginning of each incoming stream and forwards the connection to a local port chosen according to the protocol it detects.

This guide explains how to install the latest version of sslh on your DNS-325, which then becomes the conductor of your secured streams.

As this guide requires a few compilation steps, you need to have set up a DNS 325 - Compilation Environment as a prerequisite.
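To make the "analyse the stream and forward it" idea concrete, here is a small added example (written for this article, not sslh's own code) of the kind of first-bytes probing a demultiplexer does. The heuristics are this example's simplified reading of how each protocol starts (SSH identification string, TLS handshake record, tinc ID request, OpenVPN TCP length prefix); the backend map mirrors the variables of the startup script further down, and the "silent client is SSH" rule is sslh's documented timeout behaviour. All inputs are constructed.

```python
"""Toy first-bytes protocol probe in the style of sslh (added example, not sslh's code)."""
import struct
from typing import Optional, Tuple

# Constructed backend map, same shape as SRV_SSH / SRV_SSL / ... in the startup script.
# An empty string means "protocol not handled", exactly as in the script.
BACKENDS = {
    "ssh": "192.168.x.x:22",
    "ssl": "192.168.x.x:443",
    "openvpn": "192.168.x.x:1194",
    "tinc": "",
}


def classify(first_bytes: bytes) -> Optional[str]:
    """Return the protocol name for the first bytes a client sent, or None if
    nothing matched (a real demultiplexer would keep reading or wait for its timeout)."""
    if len(first_bytes) < 2:
        return None
    # SSH: the client sends its identification string "SSH-<protoversion>-..." first
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: record header with content type 22 (handshake) and major version 3
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "ssl"
    # tinc: the first metadata message is an ID request, "0 <name> <version>"
    if first_bytes.startswith(b"0 "):
        return "tinc"
    # OpenVPN over TCP: 2-byte big-endian length prefix covering the rest of the packet
    (plen,) = struct.unpack("!H", first_bytes[:2])
    if plen > 0 and plen == len(first_bytes) - 2:
        return "openvpn"
    return None


def route(first_bytes: bytes, timed_out: bool = False) -> Optional[Tuple[str, Optional[str]]]:
    """Map a classified connection to its backend (protocol, "host:port").

    Returns None when the protocol is unknown and the timeout has not elapsed,
    and (protocol, None) when the protocol was recognised but no backend is
    configured for it, which a demultiplexer should treat as a refused connection."""
    proto = classify(first_bytes)
    if proto is None and timed_out:
        # sslh's documented default: a client that sends nothing within the
        # timeout is assumed to be an SSH client waiting for the server banner
        proto = "ssh"
    if proto is None:
        return None
    return proto, (BACKENDS.get(proto) or None)


if __name__ == "__main__":
    # Constructed sample first-bytes, one per protocol plus an unmatched HTTP request
    samples = [
        b"SSH-2.0-OpenSSH_6.0\r\n",
        b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
        b"0 dns325 17\n",
        b"\x00\x0e" + bytes(14),
        b"GET / HTTP/1.1\r\n",
    ]
    for s in samples:
        print(s[:12], "->", route(s))
    print(b"", "(timeout) ->", route(b"", timed_out=True))
```

Note the failure modes this exposes: a plain HTTP request matches nothing and is dropped rather than forwarded, and a tinc client is recognised but refused because the script left SRV_TINC empty. The OpenVPN check is the loosest of the four, which is why probe order matters in a real tool.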

1. Compilation

1.1. libconfig library

SSLH uses the libconfig library, a simple library for processing structured configuration files.

Libconfig is very compact, which makes it well suited to memory-constrained systems like handheld devices.

To compile the libconfig library, we need to:

  1. download the sources from the libconfig site
  2. configure the build with /ffp as prefix
  3. compile and install

# wget http://www.hyperrealm.com/libconfig/libconfig-1.4.9.tar.gz
# tar xvzf libconfig-1.4.9.tar.gz
# cd libconfig-1.4.9
# ./configure --enable-static --prefix=/ffp
# make
# make install

1.2. sslh

sslh is quite simple to compile; you only need the libconfig library installed.

To compile sslh, we need to:

  1. download the sources from the sslh site
  2. modify the Makefile to get PREFIX=/ffp
  3. compile and install

# wget http://www.rutschle.net/tech/sslh-1.14.tar.gz
# tar xvzf sslh-1.14.tar.gz
# cd sslh-1.14
# sed -i 's/\/usr\/local/\/ffp/g' Makefile
# make
# make install

SSLH is now ready to run on your DNS-325.

2. Startup Script

To have SSLH start at every boot, we need to create a startup script under /ffp/start.

As the default web server (the NAS administration interface) listens on port 443, the startup script needs to move it to another port (444 here) and restart it, which frees port 443 for sslh.

To do this, you need to:

  1. Reconfigure /etc/lighttpd/lighttpd.conf to change the default HTTPS port to 444
  2. Kill the lighttpd web server process (it restarts automatically after a few seconds)
  3. Start sslh on port 443

The startup script also configures the destination host and port for each protocol handled by SSLH (ssh, https, openvpn, tinc, ...).

/ffp/start/sslh.sh

#!/ffp/bin/sh
#
# SSLH startup script
#
# History :
# 10/02/2013, V1.0 - Creation by N. Bernaerts
# 15/04/2013, V2.0 - Now handles restart

# PROVIDE: sslh
# REQUIRE: LOGIN

. /ffp/etc/ffp.subr

name="sslh"
start_cmd="sslh_start"
stop_cmd="sslh_stop"
restart_cmd="sslh_restart"

# --------------------------------------------
# Beginning of Configuration

# New port for DNS-325 web administration
SSL_PORT=444

# List of protocols to handle (address:port)
# Leave empty if not used
SRV_SSH="192.168.x.x:22"
SRV_SSL="192.168.x.x:443"
SRV_OPENVPN="192.168.x.x:1194"
SRV_TINC=""

# End of configuration
# --------------------------------------------

# set process PID
SSLH_PID="/var/run/sslh.pid"

# get DNS-325 ethernet IP
ETH_IP=`ifconfig | grep "inet" | grep -v "127.0.0.1" | sed 's/^.*addr:\([0-9\.]*\).*$/\1/g'`
echo "SSLH will listen on interface $ETH_IP, port 443"

# add PID to SSLH command
SSLH_COMMAND="--pidfile $SSLH_PID"

# add listening port to SSLH command
SSLH_COMMAND="$SSLH_COMMAND --listen $ETH_IP:443"

# if needed, add SSH server to SSLH command (quoted test: safe when the variable is empty)
if [ -n "$SRV_SSH" ]; then SSLH_COMMAND="$SSLH_COMMAND --ssh $SRV_SSH"; fi

# if needed, add SSL server to SSLH command
if [ -n "$SRV_SSL" ]; then SSLH_COMMAND="$SSLH_COMMAND --ssl $SRV_SSL"; fi

# if needed, add TINC server to SSLH command
if [ -n "$SRV_TINC" ]; then SSLH_COMMAND="$SSLH_COMMAND --tinc $SRV_TINC"; fi

# if needed, add OpenVPN server to SSLH command
if [ -n "$SRV_OPENVPN" ]; then SSLH_COMMAND="$SSLH_COMMAND --openvpn $SRV_OPENVPN"; fi

sslh_start()
{
  # change administration interface default https port to 444
  sed -i 's/:443/:'$SSL_PORT'/g' /etc/lighttpd/lighttpd.conf

  # kill administration interface web server (it will restart after few seconds)
  killall lighttpd

  # start sslh, listening on default https port 443
  sslh $SSLH_COMMAND
}

sslh_stop()
{
  # kill running instance from PID (read from the PID file given to sslh)
  kill `cat $SSLH_PID`

  # delete PID file
  rm $SSLH_PID

  # change administration interface default https port back to 443
  sed -i 's/:'$SSL_PORT'/:443/g' /etc/lighttpd/lighttpd.conf

  # kill administration interface web server (it will restart after few seconds)
  killall lighttpd
}

sslh_restart()
{
  # kill running instance from PID (read from the PID file given to sslh)
  kill `cat $SSLH_PID`

  # delete PID file
  rm $SSLH_PID

  # start sslh, listening on default https port 443
  sslh $SSLH_COMMAND
}

# run the command given as parameter
run_rc_command "$1"

You can now start sslh to test the stream redirection:

# sh /ffp/start/sslh.sh start

If everything is running fine:

  • you should reach your SSH server through ssh -p 443 ip.of.dns.325
  • you should reach your secured web server through https://ip.of.dns.325/
  • you should reach the NAS administration interface through https://ip.of.dns.325:444/

To make it start automatically at boot, just make the script executable:

# chmod +x /ffp/start/sslh.sh

That's it.

 

Hope it helps.


This article is published "as is", without any warranty that it will work for your specific need.
If you think this article needs some complement, or simply if you think it saved you lots of time and trouble,
just let me know by email. Cheers!
