Transparent SSLH for 443/TCP



  • Hi,
    Searched the forum and googled but couldn't get it to work.

    Trying to get sslh (https://github.com/yrutschle/sslh) to work transparently on pfsense 2.2.6.

    My pfSense setup is with two NICs (WAN and LAN).
    I want OpenVPN on 443/TCP because of known reasons (IPS restrictions etc.). I only need OpenVPN and HTTPS. I tried the OpenVPN port-share feature, but HTTPS access from outside is terribly slow. OpenVPN is on pfSense and HTTPS is on another PC on the LAN.

    I installed sslh from repository with "pkg install sslh". Version 1.18.
    I got it working as a non-transparent proxy. But the web server logs show only the proxy IP for incoming connections.

    With transparent=true in sslh.conf, whatever I tried with NAT and firewall rules, I couldn't get it to work. It keeps saying "connecting to …" and then times out.

    What rules do I need for a transparent sslh proxy? Any clue?

    Regards

    PFSense --> 192.168.80.4
    Web Server --> 192.168.80.5

    sslh.conf

    # This is a basic configuration file that should provide
    # sensible values for "standard" setup.
    
    verbose: true;
    foreground: true;
    inetd: false;
    numeric: false;
    transparent: true;
    timeout: 10;
    user: "root";
    pidfile: "/var/run/sslh.pid";
    
    # Change hostname with your external address name.
    listen:
    (
        { host: "192.168.80.4"; port: "443"; }
    );
    
    protocols:
    (
         { name: "openvpn"; host: "192.168.80.4"; port: "1194";  log_level: 5; },
         { name: "ssl"; host: "192.168.80.5"; port: "443"; log_level: 5; },
         { name: "anyprot"; host: "192.168.80.4"; port: "443"; }
    );
    

    output

    [2.2.6-RELEASE][root@192.168.80.4]/usr/local/etc/rc.d: ./sslh onestart
    Starting sslh.
    openvpn addr: 192.168.80.4:1194. libwrap service: (null) log_level: 5 family 2 2 []
    ssl addr: 192.168.80.5:https. libwrap service: (null) log_level: 5 family 2 2 []
    anyprot addr: 192.168.80.4:https. libwrap service: (null) log_level: 1 family 2 2 []
    listening on:
            192.168.80.4:https     []
    timeout: 10
    on-timeout: openvpn
    listening to 1 addresses
    turning into root
    sslh-select 1.18 started
    selecting... max_fd=4 num_probing=0
    accepted fd 4 on slot 0
    selecting... max_fd=5 num_probing=1
    processing fd0 slot 0
    **** writing deferred on fd -1
    probing for openvpn
    probing for ssl
    connecting to 192.168.80.5:https family 2 len 16
    forward to ssl failed:connect: Operation timed out
    closing fd 4
    selecting... max_fd=5 num_probing=0
    

    sslh package info

    [2.2.6-RELEASE][root@coco.micsis.no-ip.com]/usr/local/etc/rc.d: pkg info sslh
    sslh-1.18
    Name           : sslh
    Version        : 1.18
    Installed on   : Wed May 25 13:23:06 2016 EEST
    Origin         : net/sslh
    Architecture   : freebsd:10:x86:32
    Prefix         : /usr/local
    Categories     : net
    Licenses       : GPLv2
    Maintainer     : olivier@FreeBSD.org
    WWW            : http://www.rutschle.net/tech/sslh.shtml
    Comment        : SSL/SSH multiplexer
    Options        :
            EXAMPLES       : on
            LIBWRAP        : on
    Shared Libs required:
            libconfig.so.9
    Annotations    :
            repo_type      : binary
            repository     : FreeBSD
    Flat size      : 85.6KiB
    Description    :
    sslh accepts HTTPS, SSH, OpenVPN, tinc and XMPP connections on the same port.
    This makes it possible to connect to any of these servers on port 443 while
    still serving HTTPS on that port.
    
    WWW: http://www.rutschle.net/tech/sslh.shtml
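To show what sslh is doing on port 443 before the failing "connecting to" step, here is an added illustration (not sslh's own code and not from the poster) that mimics the sslh 1.18 probe order for the openvpn and ssl entries of the sslh.conf above and falls through to anyprot; the sample payloads are constructed.

```python
# Added illustration of how sslh 1.18 picks a backend from the first bytes of a
# connection, following the order of the protocols block in the poster's
# sslh.conf. Not code from sslh or from the original post.
import struct

# Backends exactly as listed in the poster's sslh.conf (name -> host, port).
BACKENDS = {
    "openvpn": ("192.168.80.4", 1194),
    "ssl":     ("192.168.80.5", 443),
    "anyprot": ("192.168.80.4", 443),
}

def is_openvpn(data: bytes) -> bool:
    """OpenVPN over TCP prefixes each packet with a 16-bit big-endian length;
    the 1.18 probe matches when that length equals the rest of the buffer."""
    if len(data) < 2:
        return False
    (plen,) = struct.unpack("!H", data[:2])
    return plen == len(data) - 2

def is_ssl(data: bytes) -> bool:
    """A TLS handshake record starts with content type 0x16 and major version
    0x03; an SSLv2 ClientHello has the high bit set in byte 0 and type 1 in
    byte 2."""
    if len(data) < 3:
        return False
    tls = data[0] == 0x16 and data[1] == 0x03
    sslv2 = (data[0] & 0x80) != 0 and data[2] == 0x01
    return tls or sslv2

def classify(first_bytes: bytes) -> str:
    """Run the probes in config order; anything unmatched goes to anyprot."""
    for name, probe in (("openvpn", is_openvpn), ("ssl", is_ssl)):
        if probe(first_bytes):
            return name
    return "anyprot"

def route(first_bytes: bytes):
    """Backend (host, port) sslh would connect to for this first read."""
    return BACKENDS[classify(first_bytes)]

# Constructed samples: a TLS 1.2 ClientHello record header, and an OpenVPN
# P_CONTROL_HARD_RESET_CLIENT_V2 packet (length 14: opcode 7<<3|key id 0,
# 8-byte session id, 1-byte ack count, 4-byte packet id).
TLS_HELLO = bytes.fromhex("16030100a00100009c0303")
OVPN_RESET = bytes.fromhex("000e38" + "00" * 8 + "00" + "00000000")
SSH_BANNER = b"SSH-2.0-OpenSSH_7.2\r\n"
```

In the log above the classification succeeds ("probing for ssl" is followed by "connecting to 192.168.80.5:https"); what fails is the backend connect, which in transparent mode is made with the client's source address, so the web server's reply packets must be routed back through the pfSense host or the connect times out exactly as shown.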
    


  • anyone?