Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Can SSL/SSH tunneling be used on pfsense when using openvpn?

    OpenVPN
    4
    11
    5588
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Mithrondil last edited by

      Airvpn.org is offering SSL and SSH tunneling as part of their openvpn service, but apperently it only works on windows, osx and linux clients.

      Can SSL and SSH tunneling be used on pfsense at all?

      If so, please link me to a guide.

      1 Reply Last reply Reply Quote 0
      • M
        Mithrondil last edited by

        No responce = bump.

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by

          If they provide openvpn service - why would you not just use that?  There is a stunnel package, not sure if maintained or works on 2.2, etc.  Nor the details of it - as to a standard ssh tunnel..  You want to have pfsense ssh to something and then tunnel traffic through that from your client on the lan side of pfsense?  Hmmmm??

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

          1 Reply Last reply Reply Quote 0
          • K
            kejianshi last edited by

            Yes - You can use pfsense SSH as a dynamic socks proxy to access http, https TCP traffic on the web - like an anonymous proxy.

            This is actually not a terrible way to admin a remote pfsense box, however, VPN is better in most respects, so I use that.

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              Sure a socks proxy.. I was thinking he wanted to route traffic out the connection like you can with openvpn.. ;)

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

              1 Reply Last reply Reply Quote 0
              • K
                kejianshi last edited by

                I'm honestly not quite sure what he wanted since it wasn't that specific, so I just told him about the low hanging fruit.  The rest will get complicated quick.

                1 Reply Last reply Reply Quote 0
                • J
                  JohnP_SHA last edited by

                  Increased Internet "Security"/Censorship in China is blocking OpenVPN with very effective Deep Packet Inspection and other mechanisms. Therefore it is necessary to hide the actuall OpenVPN traffic in a "less suspicious" SSL, TLS, SSH traffic…

                  1 Reply Last reply Reply Quote 0
                  • K
                    kejianshi last edited by

                    I think the biggest way china is profiling VPN is by IP.

                    If you are using a small pfsense with one or two VPN users in China on it and using TCP on port 443 most likely you will be flying under the radar.

                    If you are on a known IP like strongvpn or PIA sure - I imagine they will have you with little effort.

                    1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by

                      I doubt they are doing any sort of DPI to be honest..  You want to shutdown the traffic tunnel through your great firewall..  How about just block ssh..  Fire up a ssh server and in minutes there are hits from china IP..

                      I would think china is got some decent talent in IT, that they leave ssh open and want to block vpn is just come on - really??

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                      1 Reply Last reply Reply Quote 0
                      • J
                        JohnP_SHA last edited by

                        Unfortunately they do and constantly increase their measures, there are enough articles on the internet about it, just google it if you can, in China google is now completely blocked, with people remaining without access to their Gmail accounts i.e.
                        Just this January they massively upgraded the DPI and blocks with OpenVPN getting blocked and IPsec not working at all, not only for VPN providers but for everyone including corporate VPNs where no government permission was applied for. SSH isn't completely unblocked either, its got massive lags to outside of China and frequent interrupts apparently SSL tunnel is about the only thing that might work for private users.

                        1 Reply Last reply Reply Quote 0
                        • K
                          kejianshi last edited by

                          Seriously - TCP on port 443 to a box that only one or two people use and you will get through.

                          Trust me.  Mine is working fine (-;

                          When you connect, do use IP - Not DNS.  DNS poisoning is how they shut most down or by blocking DNS to certain sites.

                          (Now - I suppose that if you try to pipe 1/2 a gigabit on that you might get caught but if you keep the traffic reasonable, they got no time for you)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post