By default OpenVPN runs on port 1194. That is fine in itself, but this port is often not open in firewalls, so the OpenVPN server is unreachable. Running SSH on port 443 has advantages too: you may see fewer bogus login attempts on the SSH server, and port 22, or even a custom port such as 2020, is in most cases blocked by firewalls as well. If you simply put everything on port 443, this will not work, since Apache is already using it for the SSL websites. And that's where SSLH comes in.

SSLH describes itself as an SSL/SSH multiplexer, but it can do a lot more, such as handling our desired OpenVPN connection. Let's go through the setup on the running system.

1. Installing SSLH
2. Configuring SSLH
3. Configuring Apache
4. Configuring OpenVPN
5. Configuring SSH

First we need to install SSLH:

sudo apt install sslh

Now open the config file:

sudo nano /etc/default/sslh

It looks like this:

# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh --listen <change-me>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

Copy the DAEMON_OPTS= line before editing it (it is much easier to recover if anything goes wrong). Replace <change-me> with 0.0.0.0 to listen on all interfaces. The --ssh setting is usually fine; the --ssl target must point at the port Apache will listen on once it is moved off 443 (127.0.0.1:4443 in this guide). In newer versions of SSLH you need to change --ssl to --tls. If you are using different ports for SSH or OpenVPN, just put them here. For OpenVPN add the options --openvpn 127.0.0.1:1194 and --timeout 5 (the number of seconds sslh waits for the client to send its first bytes before falling back to SSH, since SSH clients wait for the server banner). The config file should look like this now:

# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh

# DAEMON_OPTS="--user sslh --listen <change-me>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --tls 127.0.0.1:4443 --openvpn 127.0.0.1:1194 --timeout 5 --pidfile /var/run/sslh/sslh.pid"

Save the result and restart the service.

sudo service sslh restart

Now we are going to adjust Apache, OpenVPN and SSH.

You need to replace port 443 with port 4443 in all config files. Also bind to the interface 127.0.0.1, as we do not want Apache to listen on our public interface anymore. Remember to change these settings in all vhost files as well.

Change /etc/apache2/ports.conf

sudo nano /etc/apache2/ports.conf
<IfModule ssl_module>
Listen 443
</IfModule>

to:

<IfModule ssl_module>
Listen 127.0.0.1:4443
</IfModule>

Replace <VirtualHost *:443> with <VirtualHost 127.0.0.1:4443> in all vhost files:

sudo find /etc/apache2/sites-available/. -type f -exec sed -i 's/*:443/127.0.0.1:4443/g' {} \;

If something goes wrong, you can easily reverse the changes:

sudo find /etc/apache2/sites-available/. -type f -exec sed -i 's/127.0.0.1:4443/*:443/g' {} \;

Restart Apache and check the changes:

sudo service apache2 restart

Open an SSL site on your server in your browser.

You don't need to change much in OpenVPN. You need to switch the protocol to TCP, and if you would like to close port 1194 to the outside, bind OpenVPN to 127.0.0.1 with the local directive. Add or change the following parameters:

# sudo nano /etc/openvpn/server.conf
local 127.0.0.1
port 1194
proto tcp

Restart OpenVPN:

sudo service openvpn restart

Check with a client. Important: you need to change the port to 443 and the protocol to TCP on all clients.

It is not a requirement to change the SSH configuration, as usually no other service runs on port 22. But I advise it, so you can close port 22 to visitors. Your logfile will like it ;-).

Open /etc/ssh/sshd_config with the editor:

sudo nano /etc/ssh/sshd_config

Add ListenAddress 127.0.0.1:

# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 127.0.0.1

Save and restart the service:

sudo service sshd restart

In the unlikely event that you lose your SSH connection, remember to reconnect on port 443.
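After all five steps the only socket reachable from outside should be sslh on 443, with SSH, Apache and OpenVPN bound to loopback. The script below is an added example, not part of the original post: it reads listening sockets in the `ss -ltn` text format and fails if 443 is not on a public address or if any of the backend ports from this guide (22, 4443, 1194) is still exposed on anything other than 127.0.0.1. The two samples embedded in it are constructed to show the expected final layout and the typical mistake (Apache or sshd still on 0.0.0.0); on a real host pipe the live output in with `ss -ltn | sh check_sslh_binds.sh --stdin`.

```shell
#!/bin/sh
# check_sslh_binds.sh - added example, not part of the original post. Verifies that
# only sslh is exposed on 443 and that the backends sit on loopback, reading
# `ss -ltn` style text from stdin.

# CONSTRUCTED sample in `ss -ltn` format showing the layout this guide ends with.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
LISTEN 0      128    127.0.0.1:4443     0.0.0.0:*
LISTEN 0      128    127.0.0.1:1194     0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*'

# CONSTRUCTED sample of the mistake the guide warns about: Apache still bound to all
# interfaces after the port change, and sshd still listening on 22 everywhere.
BAD_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:4443       0.0.0.0:*
LISTEN 0      128    127.0.0.1:1194     0.0.0.0:*'

# bound_addrs PORT : print each local address listening on PORT (ss text on stdin).
# The last ":"-separated piece of column 4 is the port, the rest is the address,
# which handles both 0.0.0.0:443 and [::]:443.
bound_addrs() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, a, ":"); addr = a[1]
        for (i = 2; i < n; i++) addr = addr ":" a[i]
        if (a[n] == port) print addr
    }'
}

# require_loopback_only PORT : succeed only if PORT is listening and every bind is a
# loopback address; any exposed bind is reported on stderr.
require_loopback_only() {
    addrs=$(bound_addrs "$1")
    [ -n "$addrs" ] || { echo "port $1: nothing is listening" >&2; return 1; }
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1|"[::1]") ;;
            *) echo "port $1: exposed on $a (expected 127.0.0.1)" >&2; return 1 ;;
        esac
    done
    return 0
}

# check_binds : run every check against ss text on stdin; returns 0 when the layout
# from the guide is in place. The backend ports are the ones used in the guide.
check_binds() {
    input=$(cat)
    rc=0
    # sslh must be the service reachable on 443 from outside (0.0.0.0, * or [::])
    if ! printf '%s\n' "$input" | bound_addrs 443 | grep -qxE '0\.0\.0\.0|\*|\[::\]'; then
        echo "port 443: sslh is not listening on a public interface" >&2; rc=1
    fi
    for port in 22 4443 1194; do
        printf '%s\n' "$input" | require_loopback_only "$port" || rc=1
    done
    return $rc
}

# Stand-alone: --stdin checks real ss output piped in, otherwise the constructed sample.
if [ "${1:-}" = "--stdin" ]; then
    check_binds
else
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_binds && echo "sample layout: OK"
fi
```

If the check reports port 22 or 4443 as exposed, the corresponding ListenAddress or Listen change from the steps above was not applied or the service was not restarted; a missing listener on 1194 usually means OpenVPN is still on UDP.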


(c)2020 - 2021 by Mike Ennulat