I am a long-time user of sslh [1] on my server to have multiple services listen on port 443 (very useful behind evil corporate proxies). Is there any way to do something similar directly on the Turris Omnia?
I could keep doing the same, but it is not very clean: for instance, my OpenVPN connection goes from my router (on port 443) to sslh on my server (on port 443) and back to my router (on port 1194).
Porting SSLH to turris omnia may be a solution but I would prefer a more native solution, if there is such a thing.
You don’t need to port SSLH, it’s part of OpenWrt:
opkg update
opkg list | grep sslh
And then, maybe you could:
# Default config for SSLH: start from an empty file, then set the options.
echo > /etc/config/sslh
uci set sslh.default=default
uci set sslh.default.enable=1
uci set sslh.default.listen=0.0.0.0:443
uci set sslh.default.openvpn='localhost:1194'
uci set sslh.default.ssh='localhost:8022'
uci set sslh.default.ssl='localhost:8443'
uci set sslh.default.timeout=2
uci set sslh.default.verbose=1
# Persist the changes and (re)start the service so they take effect.
uci commit sslh
/etc/init.d/sslh restart
And you know about OpenVPN’s Port Sharing feature, right?
For the OpenVPN-over-SSL tunnel…
uci set openvpn.vpn2.proto=tcp
uci set openvpn.vpn2.port_share="localhost 8443"
uci set openvpn.vpn2.port=443
# Persist the changes and restart OpenVPN.
uci commit openvpn
/etc/init.d/openvpn restart
And the other thing I liked to do was run nginx as a reverse proxy. You can certainly do that on OpenWrt-based systems (i.e. it’s an opkg package), but it may be better to put it in an lxc container.
And I can strongly recommend guacamole: it’s an HTTPS to SSH/RDP gateway. It may solve some of your problems, and it will work nicely in an lxc container. See here for a rough, unfinished guide to installing it.
I did not know about OpenVPN’s port sharing feature. It seems very useful. What source IP is seen by the webserver in that case?
I have already heard of Guacamole or similar software, but it seems very restrictive to only be able to access through HTML, and I do not trust the security of such software. But I may be able to drop the requirement for an SSH listening on port 443, as I should always have the possibility to mount a VPN connection before SSH-ing to my server.
I had already looked at what could be done with nginx (as I already use it for my webserver) but I do not see how it would be able to differentiate traffic coming to the same IP/Port couple. There is some way to do it for VPN and HTTPS traffic but not for SSH: https://stackoverflow.com/a/40135151
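To make concrete how sslh decides where to send a connection given the uci options above (ssl, ssh and openvpn backends plus a timeout), and why nginx's `stream` module can only do part of this, here is an added example that is not code from the thread, from sslh or from OpenWrt. It is a small Python demultiplexer that peeks at the first bytes a client sends on port 443 and routes the connection to a backend. The backend addresses and the `SILENT_FALLBACK` choice are assumptions mirroring the thread's configuration; the classification rules are taken from the TLS, SSH and OpenVPN wire formats (TLS handshake record, `SSH-` identification string, OpenVPN/TCP length prefix plus hard-reset opcode).

```python
"""Added example: a minimal sslh-style protocol demultiplexer for port 443.

A client that speaks first reveals its protocol in the first bytes; a client
that stays silent is assumed to be SSH, because the SSH *server* sends its
banner first. sslh applies the same idea; the mapping below is constructed
to mirror the uci options from the thread, not sslh's own code.
"""
import selectors
import socket
import struct

# Assumed backends, mirroring sslh.default.{ssl,ssh,openvpn} from the thread.
BACKENDS = {
    "ssl": ("127.0.0.1", 8443),
    "ssh": ("127.0.0.1", 8022),
    "openvpn": ("127.0.0.1", 1194),
}
TIMEOUT = 2            # seconds of client silence, like sslh.default.timeout=2
SILENT_FALLBACK = "ssh"  # assumption: silent client => server-speaks-first protocol


def classify(first_bytes):
    """Return 'ssl', 'ssh', 'openvpn' or 'unknown' for the initial client bytes."""
    # TLS: record type 0x16 (handshake), major version 0x03, then a ClientHello (0x01).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "ssl"
    # SSH: the client identification string starts with "SSH-" (RFC 4253 section 4.2).
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # OpenVPN over TCP: 2-byte big-endian packet length, then an opcode byte.
    # The first packet is P_CONTROL_HARD_RESET_CLIENT_V2 (7<<3 = 0x38) or _V3
    # (10<<3 = 0x50) with key id 0; without tls-auth it is exactly 14 bytes,
    # with tls-auth/tls-crypt a few dozen more, so bound the length to weed out
    # text protocols whose first two letters decode to a huge length.
    if len(first_bytes) >= 3:
        plen = struct.unpack("!H", first_bytes[:2])[0]
        if first_bytes[2] in (0x38, 0x50) and 14 <= plen <= 256:
            return "openvpn"
    return "unknown"


def route(first_bytes, timed_out=False):
    """Map a probe (or a timeout with no bytes) to a backend; None means drop."""
    proto = SILENT_FALLBACK if timed_out and not first_bytes else classify(first_bytes)
    return BACKENDS.get(proto)


def pump(a, b):
    """Relay bytes in both directions until either side closes."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)
    sel.register(b, selectors.EVENT_READ, a)
    while True:
        for key, _ in sel.select():
            data = key.fileobj.recv(65536)
            if not data:
                return
            key.data.sendall(data)


def handle(client):
    """Probe one accepted connection with MSG_PEEK, then hand it to a backend."""
    client.settimeout(TIMEOUT)
    try:
        probe, timed_out = client.recv(64, socket.MSG_PEEK), False
    except socket.timeout:
        probe, timed_out = b"", True
    client.settimeout(None)
    if not probe and not timed_out:   # client closed before sending anything
        client.close()
        return
    target = route(probe, timed_out)
    if target is None:
        client.close()                # unknown protocol: refuse rather than guess
        return
    backend = socket.create_connection(target)
    try:
        pump(client, backend)         # the peeked bytes are still in the buffer
    finally:
        client.close()
        backend.close()


def serve(listen=("0.0.0.0", 443)):
    """Accept loop; one connection at a time is enough to show the idea."""
    with socket.create_server(listen, reuse_port=True) as srv:
        while True:
            conn, _ = srv.accept()
            handle(conn)


if __name__ == "__main__":
    serve()
```

The SSH case is what nginx's `ssl_preread` cannot cover: it can only read a TLS ClientHello, while SSH has to be recognised either by its banner or by the client's silence, which is why the stackoverflow answer handles VPN and HTTPS but not SSH.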
Oh X-dark! You say so much that implies all sorts of questions in addition to those you explicitly ask.
All I can say is this: everything you want is doable and the great thing about hacking with your own gear is the joy of making these things work! Have a good think about your use-cases before you jump in, though.
And also, the idea with guacamole would be to use HTTPS (over SSL), not HTTP - if you do that (properly), it will be sufficiently secure, and broadens your clients to RDP & VNC as well as SSH (which I’ll admit is better using native SSH clients).
OK so I have switched to having sslh run on the router. It is cleaner than running it on the server.
Now I am looking to enable the transparent proxying setting of sslh. But one of the prerequisites is either having sslh compiled with LIBPCAP=1 (which does not seem to be the case) or enabling CAP_NET_ADMIN on the executable. But I cannot do that, as libpcap is shipped without the setcap/getcap utilities.