30 Nov 2017
Use case
Sometimes when I'm behind a corporate firewall I want to get my connection secure and private against any traffic inspection. The quickest way is by using SSH as SOCKS5 proxy or a VPN but the firewall blocks my SSH and VPN ports! After a quick scan, the open ports are 53, 80 and 443. Ah ha! that's it, just change my SSH or VPN port to 443 since that port is common and less suspicious but you can't just changing the SSH/VPN port to 443 as you have a website running through that port. So this is where sslh comes in handy.
Introduction
sslh is a program that allows you to run sereval programs on port 443. Mainly it allows SSH server and web server to share same port.
sslh accepts connections on specified ports(443) and forwards them further based on test performed on the first data packet sent by the remote client.
It probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to SSH from inside a corporate firewall, which almost never block port 443) while still serving HTTPS on that port.
Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.
source: github.com
This guide will show you how to install and setup sslh to use SSH, OpenVPN, and HTTPS webserver running on the same port.
Prerequisites
Before following this guide, I assume you already have Nginx webserver with HTTPS, OpenSSH, and OpenVPN installed.
Install
Install sslh in your server via apt install. In my opinion, the best is to install from package distribution not to compile from source as installing from apt can keep track of the package, easy to uninstall and upgrade the package.
sudo apt install sslhWhen it ask you how sslh to be run, choose standalone.
Configure
There's not much to configure. I keep the same port 22 on SSH so that I can connect SSH normally via port 22 and 443 via sslh, and OpenVPN on 8080/TCP. Important to make sure your OpenVPN on any TCP port not UDP. The things to change is the SSL listener port on Nginx.
Change OpenVPN to listen to TCP
If your OpenVPN already listen to TCP port, skip this. Open /etc/openvpn/server.conf
sudo nano /etc/openvpn/server.confChange your port to something else and proto TCP
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
proto tcp
;proto udp
Save and close.
Changing Nginx SSL listener port
Find somewhere on your nginx config files that listen to port 443 for SSL and change that to something else like 4433.
# usually:
listen 443 ssl;
# change that to:
listen 127.0.0.1:4433 ssl;
We make nginx to listen to localhost on port 4433. By using sslh we will redirect https port 443 to nginx 4433.
Configure SSLH
Once you have made the webservers to listen on local interface only, edit SSLH bashconfig file:
sudo nano /etc/default/sslhfind the following line:
Run=no
and change it to:
Run=yes
Then, scroll a little bit down and modify the following line to allow SSLH to listen on port 443 on all available interfaces (Eg. 0.0.0.0:443).
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4433 --openvpn 127.0.0.1:1194 --pidfile /var/run/sslh/sslh.pid --timeout 5"
Where,
--user sslh : Requires to run under this specified username.
--listen 0.0.0.0:443 : SSLH is listening on port 443 on all available interfaces.
--ssh 127.0.0.1:22 : Route SSH traffic to port 22 on the localhost.
--ssl 127.0.0.1:4433 : Route HTTPS/SSL traffic to port 4433 on the localhost.
--openvpn 127.0.0.1:1194 : Route OpenVPN traffic to port 1194 on the localhost.
--timeout 5 : Give sslh a timeout for 5sec. To be use when your OpenVPN connect to HTTP proxy.
Save and close the file.
Finally, enable and start sslh service to update the changes.
sudo systemctl enable sslh
sudo service sslh start
sudo service openvpn restart
sudo service sshd restart
sudo service nginx restartTesting
Check if the sslh daemon is running and listening to 443. Your output is probably same like me.
ps -ef | grep sslh
sslh 1187 1 0 Jan01 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --openvpn 127.0.0.1 1194 --ssl 127.0.0.1 4433 --pidfile /var/run/sslh/sslh.pid --timeout 5
sslh 1188 1187 0 Jan01 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --openvpn 127.0.0.1 1194 --ssl 127.0.0.1 4433 --pidfile /var/run/sslh/sslh.pid --timeout 5
sslh 29544 1188 0 16:40 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --openvpn 127.0.0.1 1194 --ssl 127.0.0.1 4433 --pidfile /var/run/sslh/sslh.pid --timeout 5
user 29599 29586 0 16:41 pts/0 00:00:00 grep --color=auto sslhCheck your webserver
Open your browser and try to browse to your website over https.
Connect to SSH to port 443
Try connect SSH to your VPS from port 443:
ssh -p 443 [email protected]Now, you can access your remote server via SSH using port 443. You may want to use the SSH connection as SOCKS5 proxy. Check it out here.
Connect OpenVPN
Edit the protocol and remote address port in your client.ovpn file.
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote {your_vpn_server_ip} 443
Save and close the file. Try to connect to VPN:
sudo openvpn --config client.ovpnConclusion
See? I can now be able to access the remote server via SSH even if the default SSH port 22 is blocked. As you see in the above example, I have used the https port 443 for SSH connection and OpenVPN. For more details, check the project’s website URL given below.
Cheers!
Reference: http://www.rutschle.net/tech/sslh.shtml
Github: https://github.com/yrutschle/sslh
'%3E%3Cg id='Group'%3E%3Cg id='Combined Shape'%3E%3Cuse xlink:href='%23path0_fill' transform='translate(5201.49 697.468)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Logo'%3E%3Cg id='Fill 1'%3E%3Cuse xlink:href='%23path1_fill' transform='translate(5188.19 700.863)' fill='%23FF9100'/%3E%3C/g%3E%3Cg id='Fill 2'%3E%3Cuse xlink:href='%23path2_fill' transform='translate(5188.19 700.863)' fill='%23FFDD00'/%3E%3C/g%3E%3Cg id='Fill 3'%3E%3Cuse xlink:href='%23path3_fill' transform='translate(5186.75 699.413)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Stroke 4'%3E%3Cuse xlink:href='%23path4_stroke' transform='translate(5186.75 699.413)'/%3E%3C/g%3E%3Cg id='Fill 6'%3E%3Cuse xlink:href='%23path5_fill' transform='translate(5188.24 697.056)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Group 11'%3E%3Cg id='Stroke 7'%3E%3Cuse xlink:href='%23path6_stroke' transform='translate(5188.24 697.056)' fill='%23050505'/%3E%3C/g%3E%3Cg id='Stroke 9'%3E%3Cuse xlink:href='%23path7_stroke' transform='translate(5187.29 700.863)'/%3E%3C/g%3E%3C/g%3E%3Cg id='Fill 12'%3E%3Cuse xlink:href='%23path8_fill' transform='translate(5187.07 705.304)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Stroke 13'%3E%3Cuse xlink:href='%23path9_stroke' transform='translate(5187.07 705.304)'/%3E%3C/g%3E%3C/g%3E%3Cg id='Oval' opacity='0.2'%3E%3Cmask id='mask0_outline_ins'%3E%3Cuse xlink:href='%23path10_fill' fill='white' transform='translate(5180.65 701.166)'/%3E%3C/mask%3E%3Cg mask='url(%23mask0_outline_ins)'%3E%3Cuse xlink:href='%23path11_stroke_2x' transform='translate(5180.65 701.166)' fill='%23FFFFFF'/%3E%3C/g%3E%3C/g%3E%3Cg id='Oval' opacity='0.2'%3E%3Cuse xlink:href='%23path12_fill' transform='translate(5200.84 707.692)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Oval'%3E%3Cuse xlink:href='%23path12_fill' transform='translate(5184.56 712.696)' fill='%23FFFFFF'/%3E%3C/g%3E%3C/g%3E%3C/g%3E%3Cdefs%3E%3Cpath id='path0_fill' fill-rule='evenodd' d='M 1.11914 0.172241C 1.02246 0.272827 0.962891 0.409363 0.962891 0.559753L 0.962891 0.962952L 0.55957 0.962952C 0.250488 0.962952 0 1.21356 0 1.52277C 0 1.83191 0.250488 2.08252 0.55957 2.08252L 0.962891 2.08252L 0.962891 2.48566C 0.962891 2.7948 1.21338 3.04547 1.52246 3.04547C 1.83203 3.04547 2.08252 2.7948 2.08252 2.48566L 2.08252 2.08252L 2.48584 2.08252C 2.79492 2.08252 3.04541 1.83191 3.04541 1.52277C 3.04541 1.21356 2.79492 0.962952 2.48584 0.962952L 2.08252 0.962952L 2.08252 0.559753C 2.08252 0.25061 1.83203 0 1.52246 0C 1.36377 0 1.2207 0.06604 1.11914 0.172241Z'/%3E%3Cpath id='path1_fill' fill-rule='evenodd' d='M 5.02978 0.0305451L 0 0L 2.46998 15.7258L 3.00889 15.7258L 7.94885 15.7258L 8.48776 15.7258L 10.9577 0L 5.02978 0.0305451Z'/%3E%3Cpath id='path2_fill' fill-rule='evenodd' d='M 5.02978 0.0305451L 0 0L 2.46998 15.7258L 3.00889 15.7258L 6.69141 15.7258L 7.23031 15.7258L 9.7003 0L 5.02978 0.0305451Z'/%3E%3Cpath id='path3_fill' fill-rule='evenodd' d='M 0 1.45021L 12.9786 1.45021L 12.9786 0L 0 0L 0 1.45021Z'/%3E%3Cpath id='path4_stroke' d='M 0 1.45021L -0.440282 1.45021L -0.440282 1.8905L 0 1.8905L 0 1.45021ZM 12.9786 1.45021L 12.9786 1.8905L 13.4189 1.8905L 13.4189 1.45021L 12.9786 1.45021ZM 12.9786 0L 13.4189 0L 13.4189 -0.440282L 12.9786 -0.440282L 12.9786 0ZM 0 0L 0 -0.440282L -0.440282 -0.440282L -0.440282 0L 0 0ZM 0 1.8905L 12.9786 1.8905L 12.9786 1.00993L 0 1.00993L 0 1.8905ZM 13.4189 1.45021L 13.4189 0L 12.5384 0L 12.5384 1.45021L 13.4189 1.45021ZM 12.9786 -0.440282L 0 -0.440282L 0 0.440282L 12.9786 0.440282L 12.9786 -0.440282ZM -0.440282 0L -0.440282 1.45021L 0.440282 1.45021L 0.440282 0L -0.440282 0Z'/%3E%3Cpath id='path5_fill' fill-rule='evenodd' d='M 8.98176 0L 5.88305 0L 4.04179 0L 0.943084 0L 0 2.17532L 4.04179 2.17532L 5.88305 2.17532L 9.92484 2.17532L 8.98176 0Z'/%3E%3Cpath id='path6_stroke' d='M 8.98176 0L 9.38571 -0.175129L 9.27076 -0.440282L 8.98176 -0.440282L 8.98176 0ZM 0.943084 0L 0.943084 -0.440282L 0.654085 -0.440282L 0.539131 -0.175129L 0.943084 0ZM 0 2.17532L -0.403953 2.00019L -0.670758 2.6156L 0 2.6156L 0 2.17532ZM 9.92484 2.17532L 9.92484 2.6156L 10.5956 2.6156L 10.3288 2.00019L 9.92484 2.17532ZM 8.98176 -0.440282L 5.88305 -0.440282L 5.88305 0.440282L 8.98176 0.440282L 8.98176 -0.440282ZM 5.88305 -0.440282L 4.04179 -0.440282L 4.04179 0.440282L 5.88305 0.440282L 5.88305 -0.440282ZM 4.04179 -0.440282L 0.943084 -0.440282L 0.943084 0.440282L 4.04179 0.440282L 4.04179 -0.440282ZM 0.539131 -0.175129L -0.403953 2.00019L 0.403953 2.35045L 1.34704 0.175129L 0.539131 -0.175129ZM 0 2.6156L 4.04179 2.6156L 4.04179 1.73504L 0 1.73504L 0 2.6156ZM 4.04179 2.6156L 5.88305 2.6156L 5.88305 1.73504L 4.04179 1.73504L 4.04179 2.6156ZM 5.88305 2.6156L 9.92484 2.6156L 9.92484 1.73504L 5.88305 1.73504L 5.88305 2.6156ZM 10.3288 2.00019L 9.38571 -0.175129L 8.5778 0.175129L 9.52089 2.35045L 10.3288 2.00019Z'/%3E%3Cpath id='path7_stroke' d='M 5.92796 0.0305451L 5.92569 0.470845L 5.93023 0.470821L 5.92796 0.0305451ZM 0 0L 0.00226862 -0.440276L -0.515251 -0.442943L -0.43495 0.0683159L 0 0ZM 2.46998 15.7258L 2.03503 15.7941L 2.09346 16.166L 2.46998 16.166L 2.46998 15.7258ZM 9.38594 15.7258L 9.38594 16.166L 9.76246 16.166L 9.82089 15.7941L 9.38594 15.7258ZM 11.8559 0L 12.2909 0.0683159L 12.3712 -0.442943L 11.8537 -0.440276L 11.8559 0ZM 5.93023 -0.409731L 0.00226862 -0.440276L -0.00226862 0.440276L 5.92569 0.470821L 5.93023 -0.409731ZM -0.43495 0.0683159L 2.03503 15.7941L 2.90493 15.6574L 0.43495 -0.0683159L -0.43495 0.0683159ZM 2.46998 16.166L 3.00889 16.166L 3.00889 15.2855L 2.46998 15.2855L 2.46998 16.166ZM 3.00889 16.166L 8.84703 16.166L 8.84703 15.2855L 3.00889 15.2855L 3.00889 16.166ZM 8.84703 16.166L 9.38594 16.166L 9.38594 15.2855L 8.84703 15.2855L 8.84703 16.166ZM 9.82089 15.7941L 12.2909 0.0683159L 11.421 -0.0683159L 8.95099 15.6574L 9.82089 15.7941ZM 11.8537 -0.440276L 5.92569 -0.409731L 5.93023 0.470821L 11.8582 0.440276L 11.8537 -0.440276Z'/%3E%3Cpath id='path8_fill' fill-rule='evenodd' d='M 12.2601 0L 6.34287 0L 5.91723 0L 0 0L 1.10682 6.25405L 6.13005 6.19953L 11.1533 6.25405L 12.2601 0Z'/%3E%3Cpath id='path9_stroke' d='M 12.2601 0L 12.6936 0.0767275L 12.7851 -0.440282L 12.2601 -0.440282L 12.2601 0ZM 0 0L 0 -0.440282L -0.525044 -0.440282L -0.433545 0.0767275L 0 0ZM 1.10682 6.25405L 0.673277 6.33077L 0.73833 6.69835L 1.1116 6.6943L 1.10682 6.25405ZM 6.13005 6.19953L 6.13483 5.75917L 6.12527 5.75927L 6.13005 6.19953ZM 11.1533 6.25405L 11.1485 6.6943L 11.5218 6.69835L 11.5868 6.33077L 11.1533 6.25405ZM 12.2601 -0.440282L 6.34287 -0.440282L 6.34287 0.440282L 12.2601 0.440282L 12.2601 -0.440282ZM 6.34287 -0.440282L 5.91723 -0.440282L 5.91723 0.440282L 6.34287 0.440282L 6.34287 -0.440282ZM 5.91723 -0.440282L 0 -0.440282L 0 0.440282L 5.91723 0.440282L 5.91723 -0.440282ZM -0.433545 0.0767275L 0.673277 6.33077L 1.54037 6.17732L 0.433545 -0.0767275L -0.433545 0.0767275ZM 1.1116 6.6943L 6.13483 6.63978L 6.12527 5.75927L 1.10204 5.81379L 1.1116 6.6943ZM 6.12527 6.63978L 11.1485 6.6943L 11.1581 5.81379L 6.13483 5.75927L 6.12527 6.63978ZM 11.5868 6.33077L 12.6936 0.0767275L 11.8266 -0.0767275L 10.7197 6.17732L 11.5868 6.33077Z'/%3E%3Cpath id='path10_fill' fill-rule='evenodd' d='M 1.845 3.69804C 2.86397 3.69804 3.69001 2.87021 3.69001 1.84902C 3.69001 0.827835 2.86397 0 1.845 0C 0.826036 0 0 0.827835 0 1.84902C 0 2.87021 0.826036 3.69804 1.845 3.69804Z'/%3E%3Cpath id='path11_stroke_2x' d='M 1.845 5.11673C 3.6504 5.11673 5.10869 3.65082 5.10869 1.84902L 2.27132 1.84902C 2.27132 2.0896 2.07754 2.27936 1.845 2.27936L 1.845 5.11673ZM 5.10869 1.84902C 5.10869 0.0472286 3.6504 -1.41869 1.845 -1.41869L 1.845 1.41869C 2.07754 1.41869 2.27132 1.60844 2.27132 1.84902L 5.10869 1.84902ZM 1.845 -1.41869C 0.0396073 -1.41869 -1.41869 0.0472286 -1.41869 1.84902L 1.41869 1.84902C 1.41869 1.60844 1.61246 1.41869 1.845 1.41869L 1.845 -1.41869ZM -1.41869 1.84902C -1.41869 3.65082 0.0396073 5.11673 1.845 5.11673L 1.845 2.27936C 1.61246 2.27936 1.41869 2.0896 1.41869 1.84902L -1.41869 1.84902Z'/%3E%3Cpath id='path12_fill' fill-rule='evenodd' d='M 0.868237 1.74026C 1.34775 1.74026 1.73647 1.35069 1.73647 0.870128C 1.73647 0.38957 1.34775 0 0.868237 0C 0.388723 0 0 0.38957 0 0.870128C 0 1.35069 0.388723 1.74026 0.868237 1.74026Z'/%3E%3C/defs%3E%3C/svg%3E%0A)