SSL port multiplexer (SSH, OpenVPN, HTTPS on one port)

John Nielsen lists at jnielsen.net
Wed Aug 16 11:49:39 MDT 2017


> On Aug 15, 2017, at 12:44 PM, Michael Torrie <torriem at gmail.com> wrote:
> 
> I just discovered a neat little project that may be of interest to some
> of you. It's called sslh[1] and it's a smart SSL port multiplexer that
> allows you to run SSH, HTTPS, OpenVPN, and other protocols (can be
> expanded using regex rules to custom protocols) all on the same port,
> for example port 443. Why would you want to do this? Well in some public
> networks port 22 or the OpenVPN ports are blocked, but port 443 is
> rarely blocked.  So you can run your web server, vpn server and sshd all
> on port 443 as it were and sslh will forward the packets to the right
> local server based on what kind of protocol it detects.  As well, it can
> differentiate between protocols wrapped inside SSL by inspecting the
> unencrypted bytes as they come in. This of course means that the sslh
> daemon has to have the necessary certificate to offer SSL connections,
> and that cert would have to have the right Common Name aliases to handle
> all the different host names (virtual hosts) that might be using that port.
> 
> sslh is in most distros' standard repository.  It's a neat little gem
> that for me has been lying there undiscovered for some time.  Here's a
> basic howto article:
> 
> https://www.ostechnix.com/sslh-share-port-https-ssh/
> 
> And of course the project's website has more information, such as how to
> multiplex openvpn as well, and use transparent IP proxying in
> conjunction with it to preserve the source IP addresses for logging, and
> make things like fail2ban work:
> 
> [1] http://www.rutschle.net/sslh
> 
> Pretty neat. I'm going to set this up on my VPS when I get some time.
> Would be interested to know if anyone else has used this or would like
> to set it up.

Thanks for sharing! I'm going to give this a try and see if I can stop paying for a 2nd IP on my VPS just to run a firewall-friendly OpenVPN server.
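
Added example, not part of the original messages and not sslh's own code: a simplified Python sketch of the first-bytes classification described in the quoted post, useful for seeing what a multiplexer (or a network monitor watching port 443) can tell apart before any encryption starts. The backend addresses, the sample packets and the fallback to SSH for clients that send nothing recognisable are assumptions made for illustration.

```python
# Added illustration; not sslh's source. Backends and samples are constructed.
import struct

BACKENDS = {  # hypothetical local services behind the shared port
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 8443),
    "openvpn": ("127.0.0.1", 1194),
    "http": ("127.0.0.1", 8080),
}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
OPENVPN_HARD_RESET_CLIENT_V2 = 7  # opcode, top 5 bits of first payload byte

# Constructed first packets, one per protocol.
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "tls": bytes.fromhex("16030100c8010000c40303"),  # start of a ClientHello
    # 2-byte length (14), opcode/key-id 0x38, 8-byte session id,
    # empty ack array, 4-byte packet id
    "openvpn": b"\x00\x0e\x38" + b"\xaa" * 8 + b"\x00" + b"\x00" * 4,
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def classify(first_bytes: bytes):
    """Return a protocol name for a client's first bytes, or None."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"  # RFC 4253 identification string
    # TLS record: type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) after the 5-byte record header.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    # OpenVPN over TCP: big-endian length prefix, then opcode/key-id byte.
    if len(first_bytes) >= 3:
        (pkt_len,) = struct.unpack("!H", first_bytes[:2])
        if (pkt_len == len(first_bytes) - 2
                and first_bytes[2] >> 3 == OPENVPN_HARD_RESET_CLIENT_V2):
            return "openvpn"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return None


def route(first_bytes: bytes, default: str = "ssh"):
    """Pick a backend; unknown or silent clients go to `default` (assumed)."""
    return BACKENDS[classify(first_bytes) or default]
```

The fallback matters because some SSH clients wait for the server's banner before sending anything, so a multiplexer sees no bytes to classify from them.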

