Re: [Openvpn-users] Re: how to share tcp port 443 between OpenVpn and Apache?


  • Subject: Re: [Openvpn-users] Re: how to share tcp port 443 between OpenVpn and Apache?
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Sun, 23 Jan 2005 23:16:23 -0700 (MST)

On Sun, 23 Jan 2005, Jspot wrote:

> Konrad Karl <kk_konrad <at> gmx.at> writes:
> 
> > 
> > On Wed, Jan 19, 2005 at 04:20:34PM +0100, Fritz Elfert wrote:
> > > Hi Konrad (or is it Karl?),
> > 
> {deleted}
> > 
> > > 
> > >   SSL-client -> SSLmux -> TCP thru proxies on port 443 -> SSLmux -> (multiple servers)
> > > 
> > > On the client side, SSLmux would listen on various ports, intercepting SSL 
> > > Hello Packets and insert 2 private CipherSuite IDs at the top of the list of 
> > > supported ciphersuites:
> > > 
> > >  1. [0xFF, 0x12] (A flag, indicating that the next 2 bytes are _not_
> > >                      a ciphersuite but in reality an application mux
> > >                      selector)
> > >  2. [depending on the app]
> > > 
> > > On the server side, SSLmux would have to intercept traffic as well and if
> > > a hello packet arrives which contains the above defined CipherSuite
> > > [0xFF, 0x12], then use the selector to find the local destination, and
> > > hand over the hello packet with the previously added special CipherSuites
> > > stripped off.
> > > 
> Hi,
> 
> I am running into the exact same issue. I am trying to use openvpn to connect 
> to my home network from my office. I don't have control of their firewall, and 
> from what I can tell it only seems to allow a connection through port 443; 
> however, I'm running a web server on 443 on my only ip address. If there were a 
> way to multiplex this port, I think that it would be very useful (of course I'm 
> running IIS on 443 not apache).
> If you would be willing to share any progress you've made, I'd be grateful. 

Actually, this might be easier than needing to add the pseudo-ciphersuite.

When OpenVPN is run in TCP mode, it writes a cleartext uint16_t length
word before every packet, so that it can extract the packets from the TCP
stream at the other end of the connection (this is to replace the UDP
packet size value which of course doesn't exist for TCP because it is a
stream-based transport protocol).

If you wanted to write a TCP 443 demultiplexing proxy, I think that you
might be able to use these initial two bytes to determine whether or not
the connection is OpenVPN or HTTPS.

James
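
Added example (not part of the message above and not OpenVPN's own code): a sketch of the first-bytes check a TCP 443 demultiplexing proxy could make, plus the length-prefix framing it relies on. The function names, the 1500-byte cap, the network byte order of the length word and the sample bytes are assumptions made for illustration.

```python
import struct

MAX_FIRST_PACKET = 1500  # assumption: a first OpenVPN packet never exceeds this

# Constructed samples (not captured traffic).
# OpenVPN over TCP: 2-byte length (14) + opcode byte 0x38 + 8-byte session id
# + empty ack array + 4-byte packet id.
OPENVPN_FIRST = b"\x00\x0e" + b"\x38" + bytes(8) + b"\x00" + bytes(4)
# Start of a TLS ClientHello record: type 0x16 (handshake), version 3.1.
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01"


def classify(buf: bytes) -> str:
    """Decide where a new connection on port 443 should go from its first bytes."""
    if len(buf) < 2:
        return "need_more"          # short read: wait for more data, don't guess
    if buf[0] == 0x16 and buf[1] == 0x03:
        return "https"              # TLS handshake record header
    (length,) = struct.unpack("!H", buf[:2])   # network byte order assumed
    # Read as a length, 0x16 0x03 would be 5635, far above any first packet,
    # which is why two bytes are enough to tell the protocols apart.
    if 0 < length <= MAX_FIRST_PACKET:
        return "openvpn"
    return "unknown"                # e.g. an SSLv2-style hello (high bit set)


def split_frames(stream: bytes):
    """Split buffered TCP data into length-prefixed packets.

    Returns (complete_packets, leftover_bytes); a partial packet stays in
    leftover until the rest of it arrives.
    """
    packets, off = [], 0
    while len(stream) - off >= 2:
        (n,) = struct.unpack_from("!H", stream, off)
        if len(stream) - off - 2 < n:
            break                   # incomplete packet: keep it for the next read
        packets.append(stream[off + 2 : off + 2 + n])
        off += 2 + n
    return packets, stream[off:]


if __name__ == "__main__":
    for name, data in (("openvpn", OPENVPN_FIRST), ("tls", TLS_HELLO)):
        print(name, "->", classify(data))
    print(split_frames(OPENVPN_FIRST + b"\x00\x03ab"))
```

A proxy built on this would peek at the first bytes without consuming them, then hand the untouched stream to the chosen backend; what to do with "unknown" (send to the web server or close) is a policy choice.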

