[sslh] SSLH seems to forward OpenVPN connection to SSH port
Kai
kai2 at blicke.de
Fri Jul 6 10:36:23 CEST 2012
Hello all,
Could someone help me get the following scenario working?
1. I have compiled SSLH version 1.13b from http://www.rutschle.net/tech/sslh-1.13b.tar.gz and am using it on Debian 6.0.5.
2. It works well for 443->SSH redirection. I do not have an HTTP server listening under localhost:443.
3. I also set up OpenVPN to listen on TCP port 1194 and it works fine as well.
Example config snip from the server:
NOTE: 192.168.1.21 is not the real server IP.
##################
# cat /etc/openvpn/tun0_tcp.conf
dev tun1
ifconfig 10.9.9.1 10.9.9.2
<---removing some authentication settings here-->
push "route 0.0.0.0 0.0.0.0"
push "dhcp-option DNS 8.8.8.8"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# TCP or UDP server?
proto tcp-server
##################
# ps -ef | grep sslh
sslh 1399 1 0 Jun30 ? 00:00:00 /usr/local/sbin/sslh -u sslh -p 192.168.1.21 443 --ssh 127.0.0.1 22022 --openvpn 127.0.0.1 1194 --ssl 127.0.0.1 443 -P /var/run/sslh.pid
sslh 1401 1399 0 Jun30 ? 00:00:00 /usr/local/sbin/sslh -u sslh -p 192.168.1.21 443 --ssh 127.0.0.1 22022 --openvpn 127.0.0.1 1194 --ssl 127.0.0.1 443 -P /var/run/sslh.pid
root 6996 6975 0 10:19 pts/2 00:00:00 grep sslh
# netstat -an | grep -e 443 -e 1194
tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.21:443 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:1194 0.0.0.0:*
#
4. So if I modify the same working OpenVPN TCP connection settings on my client, I see the following errors:
Jul 06 10:23:08: Viscosity 1.3.5 (1051)
Jul 06 10:23:08: Checking reachability status of connection...
Jul 06 10:23:08: Connection is reachable. Starting connection attempt.
Jul 06 10:23:10: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011
Jul 06 10:23:10: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 06 10:23:10: LZO compression initialized
Jul 06 10:23:10: TUN/TAP device /dev/tun0 opened
Jul 06 10:23:10: /sbin/ifconfig tun0 delete
Jul 06 10:23:10: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Jul 06 10:23:10: /sbin/ifconfig tun0 10.9.9.2 10.9.9.1 mtu 1500 netmask 255.255.255.255 up
Jul 06 10:23:10: Attempting to establish TCP connection with 192.168.1.21:443 [nonblock]
Jul 06 10:23:13: TCP connection established with 192.168.1.21:443
Jul 06 10:23:13: TCPv4_CLIENT link local: [undef]
Jul 06 10:23:13: TCPv4_CLIENT link remote: 192.168.1.21:443
Jul 06 10:23:13: WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1547 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jul 06 10:23:13: Connection reset, restarting [0]
Jul 06 10:23:13: SIGUSR1[soft,connection-reset] received, process restarting
The corresponding SSLH log lines on the server are:
Jul 6 10:23:12 ellinger sslh[1399]: connection from §$%$&$.t-dialin.net:50962 to localhost.localdomain:https forwarded from localhost:35599 to localhost:23022
Jul 6 10:23:13 ellinger sshd[7015]: Did not receive identification string from 127.0.0.1
Many thanks for any help.
/Kai
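As an added diagnostic example (not part of Kai's post or of sslh/OpenVPN): OpenVPN over TCP frames every packet with a 2-byte big-endian length prefix, and the client checks that prefix against its link MTU bound (1547 in the log above). If the proxy hands the connection to sshd instead, the first bytes the client sees are the SSH banner, and "SS" decodes to exactly the 21331 reported in the warning. The banner string and the sample frame below are constructed for the demonstration; the function names are mine.

```python
import struct

# Upper bound from the client's warning in the post: length must be > 0 and <= 1547.
LINK_MTU_BOUND = 1547

# Constructed sample of what sshd sends first on a fresh TCP connection.
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_5.5p1 Debian-6\r\n"


def openvpn_tcp_length(first_bytes: bytes) -> int:
    """Decode the packet length an OpenVPN client reads from the first two
    bytes of its TCP link (network byte order, unsigned 16-bit)."""
    if len(first_bytes) < 2:
        raise ValueError("need at least two bytes to read the length prefix")
    (length,) = struct.unpack("!H", first_bytes[:2])
    return length


def frame_openvpn_tcp(payload: bytes) -> bytes:
    """Frame a payload the way OpenVPN does on TCP: length prefix + payload."""
    if not 0 < len(payload) <= LINK_MTU_BOUND:
        raise ValueError("payload length outside OpenVPN's accepted range")
    return struct.pack("!H", len(payload)) + payload


def diagnose_first_bytes(first_bytes: bytes, mtu_bound: int = LINK_MTU_BOUND):
    """Explain a 'Bad encapsulated packet length' warning from the first bytes
    the server sent. An OpenVPN server waits for the client's reset packet,
    so any unsolicited banner means the proxy picked the wrong backend."""
    length = openvpn_tcp_length(first_bytes)
    if first_bytes.startswith(b"SSH-"):
        verdict = "ssh banner: the proxy forwarded the connection to sshd"
    elif length == 0 or length > mtu_bound:
        verdict = "bad encapsulated packet length"
    else:
        verdict = "plausible OpenVPN frame"
    return length, verdict


if __name__ == "__main__":
    # Reproduces the value in the client log: "SS" -> 0x5353 -> 21331.
    print(diagnose_first_bytes(SAMPLE_SSH_BANNER))
```

Seeing 21331 (or any value that spells out printable ASCII) in that warning is therefore a quick way to tell a misrouted connection from a genuine MTU mismatch; the sslh line showing the forward to the SSH backend and sshd's "Did not receive identification string" confirm the same thing from the server side.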