[sslh] SSLH seems to forward OpenVPN connection to SSH port

Yves Rutschle yves at naryves.com
Fri Jul 6 15:19:30 CEST 2012


You can try increasing the timeout that switches to sslh. The default is 2s and is known to be too fast for openvpn.

Also, there is something strange with the ssh port: configuration says it should forward to 22022, but the log talks about 23022.

Finally, you don't need to specify --SSL if you have no https.

Hth,
Y.

Kai <kai2 at blicke.de> wrote:

>Hello all,
>
>Could someone help me get the following scenario working?
>
>1. I have compiled SSLH version 1.13b from 
>http://www.rutschle.net/tech/sslh-1.13b.tar.gz and am using it on Debian 6.0.5.
>
>2. It works well for 443->SSH redirection. I do not have an HTTP server 
>listening under localhost:443.
>
>3. I also set up OpenVPN to listen on TCP port 1194 and it works fine as 
>well.
>
>Example config snip from the server:
>
>NOTE: 192.168.1.21 is not the real server IP.
>
>##################
># cat /etc/openvpn/tun0_tcp.conf
>
>dev tun1
>ifconfig 10.9.9.1 10.9.9.2
><---removing some authentication settings here-->
>push "route 0.0.0.0 0.0.0.0"
>push "dhcp-option DNS 8.8.8.8"
>comp-lzo
>
>keepalive 10 60
>ping-timer-rem
>persist-tun
>persist-key
>
># TCP or UDP server?
>proto tcp-server
>##################
>
># ps -ef | grep sslh
>sslh      1399     1  0 Jun30 ?        00:00:00 /usr/local/sbin/sslh -u 
>sslh -p 192.168.1.21 443 --ssh 127.0.0.1 22022 --openvpn 127.0.0.1 1194 
>--ssl 127.0.0.1 443 -P /var/run/sslh.pid
>sslh      1401  1399  0 Jun30 ?        00:00:00 /usr/local/sbin/sslh -u 
>sslh -p 192.168.1.21 443 --ssh 127.0.0.1 22022 --openvpn 127.0.0.1 1194 
>--ssl 127.0.0.1 443 -P /var/run/sslh.pid
>root      6996  6975  0 10:19 pts/2    00:00:00 grep sslh
># netstat -an | grep -e 443 -e 1194
>tcp        0      0 0.0.0.0:1194            0.0.0.0:* 
>LISTEN
>tcp        0      0 192.168.1.21:443       0.0.0.0:* 
>LISTEN
>udp        0      0 0.0.0.0:1194            0.0.0.0:* 
>
>#
>
>4. So if I modify the same working OpenVPN TCP connection settings on my 
>client, I see the following errors:
>
>Jul 06 10:23:08: Viscosity 1.3.5 (1051)
>Jul 06 10:23:08: Checking reachability status of connection...
>Jul 06 10:23:08: Connection is reachable. Starting connection attempt.
>Jul 06 10:23:10: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] 
>[PKCS11] [eurephia] built on Aug  1 2011
>Jul 06 10:23:10: NOTE: OpenVPN 2.1 requires '--script-security 2' or 
>higher to call user-defined scripts or executables
>Jul 06 10:23:10: LZO compression initialized
>Jul 06 10:23:10: TUN/TAP device /dev/tun0 opened
>Jul 06 10:23:10: /sbin/ifconfig tun0 delete
>Jul 06 10:23:10: NOTE: Tried to delete pre-existing tun/tap instance -- 
>No Problem if failure
>Jul 06 10:23:10: /sbin/ifconfig tun0 10.9.9.2 10.9.9.1 mtu 1500 netmask 
>255.255.255.255 up
>Jul 06 10:23:10: Attempting to establish TCP connection with 
>192.168.1.21:443 [nonblock]
>Jul 06 10:23:13: TCP connection established with 192.168.1.21:443
>Jul 06 10:23:13: TCPv4_CLIENT link local: [undef]
>Jul 06 10:23:13: TCPv4_CLIENT link remote: 192.168.1.21:443
>Jul 06 10:23:13: WARNING: Bad encapsulated packet length from peer 
>(21331), which must be > 0 and <= 1547 -- please ensure that --tun-mtu 
>or --link-mtu is equal on both peers -- this condition could also 
>indicate a possible active attack on the TCP link -- [Attempting restart...]
>Jul 06 10:23:13: Connection reset, restarting [0]
>Jul 06 10:23:13: SIGUSR1[soft,connection-reset] received, process restarting
>
>The corresponding SSLH log lines on the server are:
>
>Jul  6 10:23:12 ellinger sslh[1399]: connection from 
>§$%$&$.t-dialin.net:50962 to localhost.localdomain:https forwarded from 
>localhost:35599 to localhost:23022
>Jul  6 10:23:13 ellinger sshd[7015]: Did not receive identification 
>string from 127.0.0.1
>
>Many thanks for any help.
>
>/Kai
>
>_______________________________________________
>sslh mailing list
>sslh at rutschle.net
>http://rutschle.net/cgi-bin/mailman/listinfo/sslh
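As an added illustration (not part of the thread), the "21331" in Kai's client log falls out of the SSH banner: an OpenVPN client reads the first two bytes from its TCP peer as a big-endian packet length, and "SS" is 0x5353 = 21331, which is what the client sees when sslh has already handed the connection to sshd. The classifier below is a simplified model of sslh's probe-then-timeout decision written for this example, not sslh's own code; the sample bytes are constructed.

```python
import struct
from typing import Optional

# Constructed first bytes as each peer would send them (not captured from the thread).
SSH_BANNER = b"SSH-2.0-OpenSSH_5.5p1 Debian-6\r\n"            # sshd speaks first
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01]) + b"\x00" * 41
# OpenVPN/TCP: 2-byte length, then opcode byte; 0x38 = P_CONTROL_HARD_RESET_CLIENT_V2 (7) << 3
OPENVPN_HARD_RESET = struct.pack("!H", 14) + bytes([0x38]) + b"\x00" * 13

MAX_ENCAPSULATED_LEN = 1547   # the upper bound quoted in the Viscosity log (tun-mtu 1500 + overhead)
OPCODE_HARD_RESET_CLIENT_V2 = 7


def openvpn_packet_len(first_bytes: bytes) -> int:
    """OpenVPN over TCP prefixes every packet with a 2-byte big-endian length."""
    return struct.unpack("!H", first_bytes[:2])[0]


def looks_like_openvpn(first_bytes: bytes) -> bool:
    """Plausible length prefix followed by a client hard-reset opcode."""
    if len(first_bytes) < 3:
        return False
    length = openvpn_packet_len(first_bytes)
    opcode = first_bytes[2] >> 3
    return 0 < length <= MAX_ENCAPSULATED_LEN and opcode == OPCODE_HARD_RESET_CLIENT_V2


def classify(client_first_bytes: Optional[bytes]) -> str:
    """Simplified model (an assumption for this example, not sslh's code) of the
    decision sslh makes on port 443: if the client sends nothing before the timeout
    it is assumed to be SSH (the server talks first there); otherwise the first
    bytes are probed for TLS and OpenVPN, with SSH as the fallback."""
    if client_first_bytes is None:          # timeout expired with no client data
        return "ssh"
    if len(client_first_bytes) >= 2 and client_first_bytes[:2] == b"\x16\x03":
        return "ssl"                        # TLS record header of a ClientHello
    if looks_like_openvpn(client_first_bytes):
        return "openvpn"
    return "ssh"


def explain_bad_length(peer_first_bytes: bytes) -> str:
    """Render the length an OpenVPN client would report for a non-OpenVPN peer."""
    n = openvpn_packet_len(peer_first_bytes)
    return f"{n} (0x{n:04x}) = {peer_first_bytes[:2]!r}"
```

`openvpn_packet_len(SSH_BANNER)` returns 21331, the value in Kai's log, while a slow OpenVPN client that has not yet sent its hard-reset when the 2s timer fires is classified exactly like an SSH client.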