Re: [Openvpn-users] Re: how to share tcp port 443 between OpenVpn and Apache?


  • Subject: Re: [Openvpn-users] Re: how to share tcp port 443 between OpenVpn and Apache?
  • From: Konrad Karl <kk_konrad@xxxxxx>
  • Date: Mon, 24 Jan 2005 12:53:33 +0100

On Sun, Jan 23, 2005 at 11:16:23PM -0700, James Yonan wrote:
[ deleted]
> > > > On the server side, SSLmux would have to intercept traffic as well and if
> > > > a hello packet arrives which contains the above defined CipherSuite
> > > > [0xFF, 0x12], then use the selector to find the local destination, and
> > > > hand over the hello packet with the previously added special CipherSuites
> > > > stripped off.
> > > > 
> > Hi,
> > 
> > I am running into the exact same issue. I am trying to use openvpn to connect 
> > to my home network from my office. I don't have control of their firewall, and 
> > from what I can tell it only seems to allow a connection through port 443; 
> > however, I'm running a web server on 443 on my only ip address. If there were a 
> > way to multiplex this port, I think that it would be very useful (of course I'm 
> > running IIS on 443 not apache).
> > If you would be willing to share any progress you've made, I'd be grateful. 
> 
> Actually, this might be easier than needing to add the pseudo-ciphersuite.
> 
> When OpenVPN is run in TCP mode, it writes a cleartext uint16_t length
> word before every packet, so that it can extract the packets from the TCP
> stream at the other end of the connection (this is to replace the UDP
> packet size value which of course doesn't exist for TCP because it is a
> stream-based transport protocol).

Thanks, this method is the simplest one I have heard about.

What I am still looking for: I want to avoid having a forwarding program
running at all times at port 443 (during the whole Apache/openvpn session);
instead I want to either hack/modify Apache's SSL front end to make the
decision based on knowledge from the first two bytes and then either
continue web serving or hand over the open socket to openvpn via 
the method described in Stevens' book. (less overhead once the connection
is established, less probability of failures etc.) The missing two bytes
could be sent the same way I think.

Thanks for your input

PS: is there any known method (Linux) to do the equivalent of
ungetchar of more than one byte on a socket?

PPS: does anybody here know if the muxing could be done on Linux
using a special netfilter module?

Konrad

> 
> If you wanted to write a TCP 443 demultiplexing proxy, I think that you
> might be able to use these initial two bytes to determine whether or not
> the connection is OpenVPN or HTTPS.
> 
> James
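As an added example (not code from this thread or from the OpenVPN project), a minimal Python version of the two-byte decision James describes: the first two bytes are read with MSG_PEEK so they stay in the socket buffer and whichever backend receives the socket still sees the complete stream. The TLS record-header bytes and the maximum plausible first-packet length are assumptions not stated in the thread, and the sample byte strings are constructed, not captured traffic.

```python
import socket
import struct
from typing import Tuple

# Constructed sample stream starts (not captured traffic).
# An HTTPS ClientHello: TLS record type 0x16 (handshake), version major 0x03.
TLS_CLIENT_HELLO_START = bytes([0x16, 0x03, 0x01, 0x00, 0xC8])
# OpenVPN TCP mode: big-endian uint16 length word, then the first packet.
OPENVPN_TCP_START = struct.pack("!H", 42) + b"\x38"

# Assumption: an initial OpenVPN control packet is far smaller than this,
# so any larger length word is treated as "not OpenVPN".
OPENVPN_MAX_FIRST_PACKET = 1500


def classify_first_bytes(head: bytes) -> str:
    """Classify a TCP connection from its first two bytes.

    TLS: every record starts 0x16 0x03, so HTTPS is recognised directly.
    OpenVPN: the stream starts with the uint16 length of the first packet
    (per James's description), which for a first control packet is small.
    A first packet would have to be exactly 5635 bytes to collide with the
    TLS header, so the two cases do not overlap in practice.
    """
    if len(head) < 2:
        return "need-more"
    if head[0] == 0x16 and head[1] == 0x03:
        return "tls"
    (length,) = struct.unpack("!H", head[:2])
    if 0 < length <= OPENVPN_MAX_FIRST_PACKET:
        return "openvpn"
    return "unknown"


def peek_and_classify(conn: socket.socket) -> str:
    """Look at the first two bytes without consuming them (MSG_PEEK)."""
    return classify_first_bytes(conn.recv(2, socket.MSG_PEEK))


def demo(first_bytes: bytes) -> Tuple[str, bytes]:
    """Send constructed bytes over a socketpair, classify by peeking, then
    show the backend can still read the untouched stream afterwards."""
    a, b = socket.socketpair()
    try:
        a.sendall(first_bytes)
        verdict = peek_and_classify(b)
        still_there = b.recv(len(first_bytes))  # peek consumed nothing
        return verdict, still_there
    finally:
        a.close()
        b.close()
```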