Back to Home

SSLH: Hide SSH / HTTPS / OpenVPN / Telegram behind a single port 443

SSH / HTTPS / OpenVPN / Telegram and everything on one port ?! What?! - Yes! Do you want to hide some services? In a public wi-fi network · everything is blocked except for 443 (https) ports? Configured ...

SSLH: Hide SSH / HTTPS / OpenVPN / Telegram behind a single port 443

  • Tutorial
image

SSH / HTTPS / OpenVPN / Telegram and everything on one port ?! What?!
- Yes!
  • Do you want to hide some services?
  • In a public wi-fi network, everything is blocked except for 443 (https) ports?
  • Have you set up a Telegram Proxy / OpenVPN and do not want to “shine” it?
  • SSH connection to your server from censored countries?

There is one answer to all these questions - Multiplexing SSL / TLS connections, or SSLH.

In the post we will look at how to hide a bunch of services behind 1 port in 1 command .

Why?


With the recent release of Telegram Proxy which almost completely looks like SSL traffic, an interesting question has appeared in the comments to the post :
Newton :
I have a pretty noob question - isn't it real to start this together with sslh?
After a quick check of the sslh application's capabilities, it seemed to me that it would not be possible to “get”, but I was very interested in this application, and, as it turned out, it is still possible to cross the grass with the hedgehog .

How?


Appendix SSLH - multipleksor, in other words, it is analyzing the traffic (in fact, doing the work mini-DPI) and depending on the type of traffic, sends it to a local port 8443/999/991 or whatever ...

That allows us for the first time to use DPI technology for the benefit .

Task


For the example of using SSLH we will set the task:

The following applications are installed on the server - Telegram Proxy, Apache, SSH and we want to let all these services into the world through port 443.

The server in our example is Ubuntu 16.04.4 LTS, Apache2 + LetsEncrypt, SSH, Telegram Proxy in Docker.

At the moment, it works, as expected, Apache.

Installation & Setup


Install SSLH:

sudo apt-get install --no-install-recommends sslh

When installing, you will be asked about the usage mode, there are two of them:

  • stable but more resource intensive
  • fast but with loss of connections when the process drops

I am for the second option, you, of course, can choose another.

Check if our miracle works with the following command:


sudo sslh-select -f --listen IP:8443 --tls 127.0.0.1:443  --ssh 127.0.0.1:22 --anyprot 127.0.0.1:9443

IP - external IP of the server
8443 - the port on which our multiplexer
443 will be launched - where Apache lives
Pay attention to the anyprot option - this is where our Telegram Proxy will live, in other words, if the traffic did not fit any type - send there.

Attention! If your configuration does not have Telegram or SSH - remove unnecessary startup keys.

Check?


Open your browser at the address of your server with port 8443 - you should see the response from Apache, then try connecting via SSH or via Telegram Proxy.

Moving Apache to another port


To transfer Apache from a standard port (443) to another, for example on 7443, visit the following files:


sudo nano /etc/apache2/ports.conf
sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf

In the example Apache + SSL / HTTPS was installed using LetsEncrypt with a different certificate, the configuration files can be in different ways.

Autostart


It's time to set up autostart.

Edit the file:


sudo nano /etc/default/sslh

In the DAEMON_OPTS = field, add attributes when running the sslh-select command, set RUN to = yes.

Run:


sudo systemctl start sslh

Make sure everything is fine:


sudo systemctl status sslh

What is the result?


After going through this tutorial, you should have a server that has several services available via a single port (which are your choice) .

And how are things with OpenVPN? What protocols can the application still have?


At the time of writing, sslh is able to identify and multiplex the following protocols:

	[--ssh <addr>]
	[--openvpn <addr>]
	[--tinc <addr>]
	[--xmpp <addr>]
	[--http <addr>]
	[--ssl <addr>]
	[--tls <addr>]
	[--anyprot <addr>]

Before using, it is better to make sure which protocols your version supports (suddenly it is newer) using:

sslh-select -h


Links


SSLH development takes place on github, in this repository: github.com/yrutschle/sslh

Docker


I did not succeed in collecting a working version of sslh in the docker, along with all the other services, in my opinion there will be an interesting docker-compose file that can be raised on port 443:
  • Apache + LetsEncrypt
  • Telegram Proxy
  • OpenVPN (optional)
  • Use local SSH


If someone succeeds - write in the comments - add to the article, in my opinion, it will be useful.

You may also be interested.


Read Next