I recently decided to stop using SSLH because it was causing me too many problems. However, I still needed to have OpenVPN on port TCP 443 because all my devices are already configured to use that, and I obviously need HTTPS to be on TCP 443 (I know the title says SSL and it’s technically TLS now, but whatever). So, I found out that OpenVPN has built-in functionality to share a port with another service. I’m pretty sure this was intended for HTTPS, but the log files only show “non-OpenVPN protocol detected”, which makes me think that it could also be used for SSH, but not for more than one service at a time.
Setting this up
The first thing to do is configure OpenVPN to listen on TCP 443. This can be done by setting the port and proto options to the following:
port 443
proto tcp
Keep in mind that port-share will (probably) only work with TCP. After this is done, add the port-share option to the config:
port-share server port
For most of you reading this tutorial, the server will probably be localhost. For this to work, you basically have two options:
- Configure the web server to use a different port (e.g. 8443)
- Configure the web server to only listen on TCP 443 for localhost
If you’re switching to this from another multiplexer, the first one is probably already done. Now, if you are switching from SSLH in transparent mode, be sure to remove all iptables rules that have anything to do with SSLH. Otherwise, OpenVPN will have a problem forwarding the connections.
Problems and solutions
I need the real IP of the visitor!
When OpenVPN forwards the connections, the web server sees connections coming from localhost, and not the true IP of the visitor. As pointed out on one of the forums (I forgot where), OpenVPN can’t add a header such as X-Forwarded-For because it can’t modify the encrypted HTTPS traffic. While the developers could technically add transparent-proxy support, like in SSLH, I don’t think the effort is worth it, and I would rather have them spend their time on making OpenVPN faster and more secure. However, there is still a way: Cloudflare. Cloudflare is a reverse proxy for your website that, among many other things, adds a header, CF-Connecting-IP, containing the visitor’s IP.
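Reading that header safely is worth a check, because any client that reaches the web server directly can send its own CF-Connecting-IP. The following is an added example, not code from the post: a Python helper that honours the header only when the TCP peer is inside a trusted proxy range (constructed placeholder ranges here, not Cloudflare’s real ones), or when the peer is localhost via port-share and the operator has separately restricted TCP 443 ingress to the proxy; the function name and the ingress_limited_to_proxy flag are my own.

```python
import ipaddress
from typing import Mapping

# Constructed placeholder ranges: replace with the proxy's published ingress ranges.
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
# With OpenVPN port-share, every forwarded connection reaches the web server from localhost.
LOCAL_PEERS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def client_ip(peer: str, headers: Mapping[str, str], *, ingress_limited_to_proxy: bool = False) -> str:
    """Return the address to treat as the visitor's.

    CF-Connecting-IP is honoured only when the request verifiably came through the
    proxy: either the TCP peer is inside TRUSTED_PROXY_NETS, or the peer is localhost
    (OpenVPN port-share) AND the operator asserts that TCP 443 on the host is reachable
    only from the proxy ranges (ingress_limited_to_proxy). Otherwise the peer address is
    returned, so a direct visitor cannot forge its origin just by sending the header.
    """
    peer_ip = ipaddress.ip_address(peer)
    forwarded = next((v for k, v in headers.items() if k.lower() == "cf-connecting-ip"), None)
    if forwarded is None:
        return peer
    try:
        forwarded_ip = ipaddress.ip_address(forwarded.strip())
    except ValueError:
        return peer  # malformed header value: ignore it rather than log garbage
    via_proxy = _in_any(peer_ip, TRUSTED_PROXY_NETS)
    via_port_share = _in_any(peer_ip, LOCAL_PEERS) and ingress_limited_to_proxy
    if via_proxy or via_port_share:
        return str(forwarded_ip)
    return peer
```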
I need one port for more than just two services!
Unfortunately, OpenVPN cannot yet do this, and you will need to use another multiplexer, such as sslh. Alternatively, you can add another IP to your VPS, which is usually not that expensive, and configure the services on the same ports but on different IP addresses. Or, you can technically have the web server running on IPv6 only and OpenVPN on IPv4 only, and use a service like Cloudflare to let IPv4-only visitors access your site.
Update: apparently re-compiling SSLH 99 times (and disabling keep-alive) seems to have fixed the problem.