Netgate Discussion Forum
    Transparent SSLH for 443/TCP

    msurg

      Hi,
      I searched the forum and googled but couldn't get it to work.

      Trying to get sslh (https://github.com/yrutschle/sslh) to work transparently on pfSense 2.2.6.

      My pfSense setup is with two NICs (WAN and LAN).
      I want OpenVPN on 443/TCP for the known reasons (ISP restrictions etc.). I only need OpenVPN and HTTPS. I tried the OpenVPN port-share feature, but HTTPS access from outside is terribly slow. OpenVPN is on pfSense and HTTPS is on another PC on the LAN.

      I installed sslh from the repository with "pkg install sslh". Version 1.18.
      I got it working as a non-transparent proxy, but the web server logs then only show the proxy IP as the source of incoming connections.

      With transparent=true in sslh.conf, whatever I tried with NAT and firewall rules, I couldn't get it to work. It keeps saying "connecting to …" and then times out.

      What rules do I need for transparent sslh proxy? Any clue?

      Regards

      pfSense --> 192.168.80.4
      Web Server --> 192.168.80.5

      sslh.conf

      # This is a basic configuration file that should provide
      # sensible values for "standard" setup.
      
      verbose: true;
      foreground: true;
      inetd: false;
      numeric: false;
      transparent: true;
      timeout: 10;
      user: "root";
      pidfile: "/var/run/sslh.pid";
      
      # Change hostname with your external address name.
      listen:
      (
          { host: "192.168.80.4"; port: "443"; }
      );
      
      protocols:
      (
           { name: "openvpn"; host: "192.168.80.4"; port: "1194";  log_level: 5; },
           { name: "ssl"; host: "192.168.80.5"; port: "443"; log_level: 5; },
           { name: "anyprot"; host: "192.168.80.4"; port: "443"; }
      );
      

      output

      [2.2.6-RELEASE][root@192.168.80.4]/usr/local/etc/rc.d: ./sslh onestart
      Starting sslh.
      openvpn addr: 192.168.80.4:1194. libwrap service: (null) log_level: 5 family 2 2 []
      ssl addr: 192.168.80.5:https. libwrap service: (null) log_level: 5 family 2 2 []
      anyprot addr: 192.168.80.4:https. libwrap service: (null) log_level: 1 family 2 2 []
      listening on:
              192.168.80.4:https     []
      timeout: 10
      on-timeout: openvpn
      listening to 1 addresses
      turning into root
      sslh-select 1.18 started
      selecting... max_fd=4 num_probing=0
      accepted fd 4 on slot 0
      selecting... max_fd=5 num_probing=1
      processing fd0 slot 0
      **** writing deferred on fd -1
      probing for openvpn
      probing for ssl
      connecting to 192.168.80.5:https family 2 len 16
      forward to ssl failed:connect: Operation timed out
      closing fd 4
      selecting... max_fd=5 num_probing=0
      

      sslh package info

      [2.2.6-RELEASE][root@coco.micsis.no-ip.com]/usr/local/etc/rc.d: pkg info sslh
      sslh-1.18
      Name           : sslh
      Version        : 1.18
      Installed on   : Wed May 25 13:23:06 2016 EEST
      Origin         : net/sslh
      Architecture   : freebsd:10:x86:32
      Prefix         : /usr/local
      Categories     : net
      Licenses       : GPLv2
      Maintainer     : olivier@FreeBSD.org
      WWW            : http://www.rutschle.net/tech/sslh.shtml
      Comment        : SSL/SSH multiplexer
      Options        :
              EXAMPLES       : on
              LIBWRAP        : on
      Shared Libs required:
              libconfig.so.9
      Annotations    :
              repo_type      : binary
              repository     : FreeBSD
      Flat size      : 85.6KiB
      Description    :
      sslh accepts HTTPS, SSH, OpenVPN, tinc and XMPP connections on the same port.
      This makes it possible to connect to any of these servers on port 443 while
      still serving HTTPS on that port.
      
      WWW: http://www.rutschle.net/tech/sslh.shtml
      
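      The posted log shows what sslh does before it ever reaches the failing connect: it reads the first bytes of the connection and runs the configured probes in order ("probing for openvpn", "probing for ssl"), falling back to anyprot, and sends a silent client to the on-timeout protocol. The Python below is an added model of that dispatch for the three backends in the posted sslh.conf; it is not the poster's or sslh's own code, the byte checks in the probes are simplified assumptions rather than sslh's exact tests, the on-timeout value is taken from the log, and the sample first-bytes are constructed.

```python
import struct

# Backends in the order they appear in the posted sslh.conf (values copied from it).
PROTOCOLS = [
    ("openvpn", "192.168.80.4", 1194),
    ("ssl",     "192.168.80.5", 443),
    ("anyprot", "192.168.80.4", 443),   # catch-all: matches anything
]
ON_TIMEOUT = "openvpn"  # from the "on-timeout: openvpn" line in the posted log

MATCH, NO_MATCH, AGAIN = "match", "no_match", "again"   # three-way probe result

def probe_openvpn(data):
    """Simplified OpenVPN-over-TCP check (assumption, not sslh's exact code):
    a 2-byte big-endian record length, then the opcode byte of the first client
    packet, P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7 << 3 | key_id 0 = 0x38)."""
    if len(data) < 3:
        return AGAIN                      # need more bytes before deciding
    (length,) = struct.unpack("!H", data[:2])
    return MATCH if length >= 14 and data[2] == 0x38 else NO_MATCH

def probe_ssl(data):
    """TLS record header: content type 0x16 (handshake), version 3.x."""
    if len(data) < 3:
        return AGAIN
    return MATCH if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03 else NO_MATCH

def probe_anyprot(data):
    return MATCH

PROBES = {"openvpn": probe_openvpn, "ssl": probe_ssl, "anyprot": probe_anyprot}

def dispatch(data, timed_out=False):
    """Pick the backend for a connection from its first bytes.
    Returns (name, host, port), or None when sslh would wait for more data.
    A client that sends nothing before `timeout` goes to the on-timeout protocol."""
    if timed_out and not data:
        return next(p for p in PROTOCOLS if p[0] == ON_TIMEOUT)
    for name, host, port in PROTOCOLS:
        result = PROBES[name](data)
        if result == MATCH:
            return name, host, port
        if result == AGAIN:
            return None
    return None  # not reached while anyprot is configured as the catch-all

# Constructed sample first-bytes (not captured from the poster's network).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
OPENVPN_RESET    = b"\x00\x0e\x38" + b"\x00" * 8 + b"\x00" + b"\x00\x00\x00\x01"
SSH_BANNER       = b"SSH-2.0-OpenSSH_7.2\r\n"
```

Note that the probe only chooses the backend; the timeout in the posted log happens afterwards, on the connect to 192.168.80.5:443, which the model does not cover.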
      msurg

        anyone?
