[sslh] obfs4 over sslh?

Yves Rutschle yves at rutschle.net
Thu Oct 11 06:48:10 UTC 2018


On Wed, Oct 10, 2018 at 09:47:18PM +0100, Alexandre Badalo wrote:
> So anyprot is a setting on sslh? In that case this seems more than possible (sslh would probe first for openssh, https and openvpn and everything else would be forwarded to obfs4)?

Yes, check out basic.cfg (and various mentions in the man
page). It's conspicuously missing in example.cfg...

> My idea with "tagging" would be "inside" the server (so sslh would strip that identifying packet part), maybe it's just a plain bad idea ;)

Well, I suppose you could argue that rolling your own
encapsulation protocol would bypass existing DPI filters, as
it'd be unique to your usage... So you could imagine a small
protocol whereby the TCP stream gets chopped up in frames
with a data format e.g.:

"hello"<packet length><TCP data>

and sslh probing for "hello". This would be trivial for a
filter to detect, but only if they care to look for it.

At that point you're probably better off trying to build a
TCP-over-HTTP tunnel as solutions already exist and you use
one of the protocols that's most likely authorised through
most filters.

Y.
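
The framing sketched in the message above, as an added example that is not part of the original post or of sslh: a Python encoder, an incremental decoder, and the first-bytes check that sslh or a filter would need. The 2-byte big-endian length field and all function and class names are assumptions; the message only gives the "hello"<packet length><TCP data> layout.

```python
import struct

MAGIC = b"hello"          # literal tag from the message above
LEN_FMT = ">H"            # assumption: 2-byte big-endian length field
HDR = len(MAGIC) + struct.calcsize(LEN_FMT)
MAX_PAYLOAD = 0xFFFF      # largest payload the assumed length field can carry


def encode_frames(data: bytes, chunk: int = 1024) -> bytes:
    """Chop a TCP byte stream into "hello"<length><data> frames."""
    if not 0 < chunk <= MAX_PAYLOAD:
        raise ValueError("chunk must fit the length field")
    out = bytearray()
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out += MAGIC + struct.pack(LEN_FMT, len(part)) + part
    return bytes(out)


class FrameDecoder:
    """Incremental decoder: TCP may split or merge frames arbitrarily."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, segment: bytes) -> bytes:
        """Add received bytes; return the payload of every complete frame."""
        self.buf += segment
        payload = bytearray()
        while len(self.buf) >= HDR:
            if not self.buf.startswith(MAGIC):
                raise ValueError("stream is not hello-framed")
            (length,) = struct.unpack_from(LEN_FMT, self.buf, len(MAGIC))
            if len(self.buf) < HDR + length:
                break  # header seen, wait for the rest of this frame
            payload += self.buf[HDR:HDR + length]
            del self.buf[:HDR + length]
        return bytes(payload)


def probe(first_bytes: bytes) -> bool:
    """All sslh (or a filter) has to do: compare the first bytes to the tag."""
    return first_bytes[:len(MAGIC)] == MAGIC
```

The probe is a fixed-prefix comparison on the first five bytes of the connection, which is why the tag is as easy for a filter to match as it is for sslh.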


