[sslh] SSLH seems to forward OpenVPN connection to SSH port

Kai kai2 at blicke.de
Fri Jul 6 10:36:23 CEST 2012


Hello all,

Could someone help me get the following scenario working?

1. I have compiled SSLH version 1.13b from 
http://www.rutschle.net/tech/sslh-1.13b.tar.gz and using it on Debian 6.0.5.

2. It works well for 443->SSH redirection. I do not have an HTTP server 
listening on localhost:443.

3. I also set up OpenVPN to listen on TCP port 1194 and it works fine as 
well.

Example config snip from the server:

NOTE: 192.168.1.21 is not the real server IP.

##################
# cat /etc/openvpn/tun0_tcp.conf

dev tun1
ifconfig 10.9.9.1 10.9.9.2
<---removing some authentication settings here-->
push "route 0.0.0.0 0.0.0.0"
push "dhcp-option DNS 8.8.8.8"
comp-lzo

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# TCP or UDP server?
proto tcp-server
##################

# ps -ef | grep sslh
sslh      1399     1  0 Jun30 ?        00:00:00 /usr/local/sbin/sslh -u sslh -p 192.168.1.21 443 --ssh 127.0.0.1 22022 --openvpn 127.0.0.1 1194 --ssl 127.0.0.1 443 -P /var/run/sslh.pid
sslh      1401  1399  0 Jun30 ?        00:00:00 /usr/local/sbin/sslh -u sslh -p 192.168.1.21 443 --ssh 127.0.0.1 22022 --openvpn 127.0.0.1 1194 --ssl 127.0.0.1 443 -P /var/run/sslh.pid
root      6996  6975  0 10:19 pts/2    00:00:00 grep sslh
# netstat -an | grep -e 443 -e 1194
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.21:443        0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1194            0.0.0.0:* 

#

4. So if I modify the same working OpenVPN TCP connection settings on my 
client, I see the following errors:

Jul 06 10:23:08: Viscosity 1.3.5 (1051)
Jul 06 10:23:08: Checking reachability status of connection...
Jul 06 10:23:08: Connection is reachable. Starting connection attempt.
Jul 06 10:23:10: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] 
[PKCS11] [eurephia] built on Aug  1 2011
Jul 06 10:23:10: NOTE: OpenVPN 2.1 requires '--script-security 2' or 
higher to call user-defined scripts or executables
Jul 06 10:23:10: LZO compression initialized
Jul 06 10:23:10: TUN/TAP device /dev/tun0 opened
Jul 06 10:23:10: /sbin/ifconfig tun0 delete
Jul 06 10:23:10: NOTE: Tried to delete pre-existing tun/tap instance -- 
No Problem if failure
Jul 06 10:23:10: /sbin/ifconfig tun0 10.9.9.2 10.9.9.1 mtu 1500 netmask 
255.255.255.255 up
Jul 06 10:23:10: Attempting to establish TCP connection with 
192.168.1.21:443 [nonblock]
Jul 06 10:23:13: TCP connection established with 192.168.1.21:443
Jul 06 10:23:13: TCPv4_CLIENT link local: [undef]
Jul 06 10:23:13: TCPv4_CLIENT link remote: 192.168.1.21:443
Jul 06 10:23:13: WARNING: Bad encapsulated packet length from peer 
(21331), which must be > 0 and <= 1547 -- please ensure that --tun-mtu 
or --link-mtu is equal on both peers -- this condition could also 
indicate a possible active attack on the TCP link -- [Attempting restart...]
Jul 06 10:23:13: Connection reset, restarting [0]
Jul 06 10:23:13: SIGUSR1[soft,connection-reset] received, process restarting

The corresponding SSLH log lines on the server are:

Jul  6 10:23:12 ellinger sslh[1399]: connection from 
§$%$&$.t-dialin.net:50962 to localhost.localdomain:https forwarded from 
localhost:35599 to localhost:23022
Jul  6 10:23:13 ellinger sshd[7015]: Did not receive identification 
string from 127.0.0.1

Many thanks for any help.

/Kai
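An added illustration for the thread above (not code from sslh, OpenVPN or the poster) that shows two things a practitioner would check with this kind of log. First, the "Bad encapsulated packet length (21331)" value: OpenVPN over TCP prefixes every packet with a 2-byte big-endian length, so whatever a non-OpenVPN peer sends first gets read as that length. 21331 is 0x5353, the bytes "SS", i.e. the start of an SSH identification string, which matches the server side of the log where sslh handed the connection to sshd and sshd then complained that the client never sent its own identification string. Second, a client-hello probe in the style of OpenVPN's own --port-share heuristic (zero high length byte, body of at least 14 bytes, opcode P_CONTROL_HARD_RESET_CLIENT_V2), run over constructed OpenVPN hard-reset packets with and without tls-auth and over a constructed sshd banner. The `exact_length` switch models a stricter probe that only accepts the 14-byte body of a tls-auth-less hello; whether sslh 1.13b's probe behaves like either variant is an assumption, not something the thread establishes. The session id, HMAC, timestamp and banner bytes are all constructed sample data.

```python
import struct

# OpenVPN control-channel opcode of the first packet a client sends on a fresh
# connection: P_CONTROL_HARD_RESET_CLIENT_V2 (7), shifted past the 3-bit key id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_OPCODE_SHIFT = 3
OPCODE_HARD_RESET_CLIENT_V2 = P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT  # 0x38

# Constructed sample of what an SSH server sends first on a new connection.
# sshd speaks before the client, so a non-SSH client still receives this.
SSHD_BANNER = b"SSH-2.0-OpenSSH_5.5\r\n"


def decode_bad_length(reported_len):
    """Reverse OpenVPN's TCP framing: the 16-bit big-endian length the client
    complained about is simply the first two bytes the peer sent."""
    return struct.pack("!H", reported_len)


def build_hard_reset_client(session_id=bytes(range(1, 9)), tls_auth_hmac=None):
    """Build a constructed P_CONTROL_HARD_RESET_CLIENT_V2 packet with its TCP
    length prefix, in the OpenVPN 2.x control-packet layout:
      opcode/key_id (1) | session_id (8) | [hmac | packet_id (4) | net_time (4)]
      | ack_array_len (1) | message_packet_id (4)
    Without tls-auth the body is exactly 14 bytes; tls-auth inserts the HMAC
    plus the replay-protection packet id and timestamp (constructed values)."""
    body = bytes([OPCODE_HARD_RESET_CLIENT_V2]) + session_id
    if tls_auth_hmac is not None:
        body += tls_auth_hmac + struct.pack("!II", 1, 1341563000)
    body += b"\x00" + struct.pack("!I", 0)  # no ACKs, message packet id 0
    return struct.pack("!H", len(body)) + body


def looks_like_openvpn(first_bytes, exact_length=False):
    """Port-share style probe over the first bytes a client sent: zero high
    length byte, body of at least 14 bytes, hard-reset opcode.  exact_length
    models a stricter probe that accepts only a 14-byte body (assumption)."""
    p = first_bytes
    if len(p) < 2:
        return True  # too little data to rule OpenVPN out yet
    length_ok = (p[1] == 14) if exact_length else (p[1] >= 14)
    if not (p[0] == 0 and length_ok):
        return False
    if len(p) >= 3 and p[2] != OPCODE_HARD_RESET_CLIENT_V2:
        return False
    return True


def classify_first_bytes(first_bytes, exact_length=False):
    """Mirror the multiplexer decision: an SSH client sends nothing until the
    server has spoken, so an empty buffer after the wait is treated as SSH;
    anything else is probed for OpenVPN."""
    if first_bytes == b"":
        return "ssh"
    if looks_like_openvpn(first_bytes, exact_length):
        return "openvpn"
    return "unknown"


if __name__ == "__main__":
    print("21331 decodes to", decode_bad_length(21331))
    print("sshd banner starts with", SSHD_BANNER[:2],
          "=", int.from_bytes(SSHD_BANNER[:2], "big"))
    plain = build_hard_reset_client()
    with_ta = build_hard_reset_client(tls_auth_hmac=b"\xaa" * 20)  # SHA1-sized HMAC
    for name, pkt in (("no tls-auth", plain), ("tls-auth", with_ta)):
        print(name, "body len", struct.unpack("!H", pkt[:2])[0],
              "lenient:", classify_first_bytes(pkt),
              "strict:", classify_first_bytes(pkt, exact_length=True))
    print("sshd banner as client hello:", classify_first_bytes(SSHD_BANNER))
```

Running it decodes 21331 to b'SS', shows the constructed sshd banner produces exactly that value, and shows that a tls-auth hello has a 42-byte body (with a 20-byte HMAC) that passes the lenient probe but not the strict 14-byte one, which is the kind of difference worth checking when a multiplexer misclassifies an OpenVPN TCP client.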
