Transparent SSLH for 443/TCP
-
Hi,
Searched the forum and googled but couldn't get it to work. Trying to get sslh (https://github.com/yrutschle/sslh) to work transparently on pfSense 2.2.6.
My pfsense setup is with two nics (WAN and LAN).
I want OpenVPN on 443/TCP because of known reasons (ISP restrictions etc). I only need OpenVPN and HTTPS. I tried the OpenVPN port-share feature but HTTPS access from outside is terribly slow. OpenVPN is on pfSense and HTTPS is on another PC on the LAN. I installed sslh from the repository with "pkg install sslh". Version 1.18.
I got it working as a non-transparent proxy. But the web server logs only have the proxy IP as the incoming connection. With transparent=true in sslh.conf, whatever I tried with NAT and firewall rules I couldn't get it to work. It keeps saying "connecting to …" and then times out.
What rules do I need for transparent sslh proxy? Any clue?
Regards
PFSense --> 192.168.80.4
Web Server --> 192.168.80.5

sslh.conf

# This is a basic configuration file that should provide
# sensible values for "standard" setup.
verbose: true;
foreground: true;
inetd: false;
numeric: false;
transparent: true;
timeout: 10;
user: "root";
pidfile: "/var/run/sslh.pid";

# Change hostname with your external address name.
listen:
(
    { host: "192.168.80.4"; port: "443"; }
);

protocols:
(
    { name: "openvpn"; host: "192.168.80.4"; port: "1194"; log_level: 5; },
    { name: "ssl"; host: "192.168.80.5"; port: "443"; log_level: 5; },
    { name: "anyprot"; host: "192.168.80.4"; port: "443"; }
);
output
[2.2.6-RELEASE][root@192.168.80.4]/usr/local/etc/rc.d: ./sslh onestart
Starting sslh.
openvpn addr: 192.168.80.4:1194. libwrap service: (null) log_level: 5 family 2 2 []
ssl addr: 192.168.80.5:https. libwrap service: (null) log_level: 5 family 2 2 []
anyprot addr: 192.168.80.4:https. libwrap service: (null) log_level: 1 family 2 2 []
listening on:
        192.168.80.4:https []
timeout: 10
on-timeout: openvpn
listening to 1 addresses
turning into root
sslh-select 1.18 started
selecting... max_fd=4 num_probing=0
accepted fd 4 on slot 0
selecting... max_fd=5 num_probing=1
processing fd0 slot 0
**** writing deferred on fd -1
probing for openvpn
probing for ssl
connecting to 192.168.80.5:https family 2 len 16
forward to ssl failed:connect: Operation timed out
closing fd 4
selecting... max_fd=5 num_probing=0
sslh package info
[2.2.6-RELEASE][root@coco.micsis.no-ip.com]/usr/local/etc/rc.d: pkg info sslh
sslh-1.18
Name           : sslh
Version        : 1.18
Installed on   : Wed May 25 13:23:06 2016 EEST
Origin         : net/sslh
Architecture   : freebsd:10:x86:32
Prefix         : /usr/local
Categories     : net
Licenses       : GPLv2
Maintainer     : olivier@FreeBSD.org
WWW            : http://www.rutschle.net/tech/sslh.shtml
Comment        : SSL/SSH multiplexer
Options        :
        EXAMPLES       : on
        LIBWRAP        : on
Shared Libs required:
        libconfig.so.9
Annotations    :
        repo_type      : binary
        repository     : FreeBSD
Flat size      : 85.6KiB
Description    :
sslh accepts HTTPS, SSH, OpenVPN, tinc and XMPP connections on the same port.
This makes it possible to connect to any of these servers on port 443 while
still serving HTTPS on that port.

WWW: http://www.rutschle.net/tech/sslh.shtml
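As an added example (not from this thread and not part of the sslh project), here is a small Python checker that parses the posted sslh.conf and reports the prerequisites that transparent mode adds. In transparent mode sslh connects to each backend using the client's source address instead of its own, which is what lets the web server log the real client IP. That has three consequences the checker looks for: the process needs root (the output above shows "turning into root"), a backend on another host must route its replies back through the sslh host or the connect never completes (the posted log's "connect: Operation timed out" against 192.168.80.5), and a protocol whose target is sslh's own listener forwards to itself (the posted anyprot entry points at 192.168.80.4:443, the listen address). The parser assumes only the subset of libconfig syntax used in the posted file; the sample configuration embedded below is the posted one, reflowed.

```python
import re

# Constructed sample: the sslh.conf posted in the thread, reflowed onto
# several lines (content unchanged).
SAMPLE_CONF = """
# This is a basic configuration file that should provide
# sensible values for "standard" setup.
verbose: true; foreground: true; inetd: false; numeric: false;
transparent: true; timeout: 10; user: "root"; pidfile: "/var/run/sslh.pid";
listen: ( { host: "192.168.80.4"; port: "443"; } );
protocols: (
  { name: "openvpn"; host: "192.168.80.4"; port: "1194"; log_level: 5; },
  { name: "ssl";     host: "192.168.80.5"; port: "443";  log_level: 5; },
  { name: "anyprot"; host: "192.168.80.4"; port: "443"; }
);
"""

# key: value; pairs (quoted or bare values) and { ... } groups.
PAIR = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;{}()]+)\s*;')
GROUP = re.compile(r'\{([^{}]*)\}')


def _pairs(text):
    """Turn 'key: value;' pairs into a dict, dropping surrounding quotes."""
    return {k: v.strip().strip('"') for k, v in PAIR.findall(text)}


def parse_sslh_conf(text):
    """Parse the subset of libconfig syntax sslh.conf uses (assumption:
    scalar settings plus the 'listen' and 'protocols' lists of groups)."""
    text = re.sub(r'#[^\n]*', '', text)          # strip comments
    lists = {}
    for name in ('listen', 'protocols'):
        m = re.search(name + r'\s*:\s*\((.*?)\)\s*;', text, re.S)
        lists[name] = [_pairs(g) for g in GROUP.findall(m.group(1))] if m else []
        if m:                                     # remove the list so only scalars remain
            text = text[:m.start()] + text[m.end():]
    return {'settings': _pairs(text), **lists}


def check_transparent(conf):
    """Return a list of findings for transparent-mode prerequisites.

    Transparent mode makes sslh open each backend connection with the
    client's source address, so: (a) it must keep root to bind a foreign
    address; (b) a backend on another host answers towards the client, and
    that reply must be steered back to the sslh host; (c) a target equal to
    sslh's own listener just forwards to itself."""
    s = conf['settings']
    if s.get('transparent') != 'true':
        return ['transparent mode is off; no transparent-mode checks apply']
    findings = []
    if s.get('user') != 'root':
        findings.append(f"user is {s.get('user')!r}: binding the client's address "
                        "as source needs root")
    listeners = {(l.get('host'), l.get('port')) for l in conf['listen']}
    listen_hosts = {h for h, _ in listeners}
    for p in conf['protocols']:
        name, host, port = p.get('name'), p.get('host'), p.get('port')
        if (host, port) in listeners:
            findings.append(f"{name}: target {host}:{port} is sslh's own listener "
                            "(forwarding loop)")
        elif host not in listen_hosts:
            findings.append(f"{name}: backend {host}:{port} is off-box; its replies to "
                            "spoofed client addresses must be routed back through this "
                            "host, otherwise the connect times out")
    return findings


if __name__ == '__main__':
    for line in check_transparent(parse_sslh_conf(SAMPLE_CONF)):
        print('-', line)
```

Run against the posted file it reports two findings: the ssl backend at 192.168.80.5 is off-box, and the anyprot target is the listener itself. The first is the one behind the timeout in the log; the checker cannot tell you which pf rules fix it, only that the reply path from the web server has to end at sslh rather than at the client.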
-
anyone?