
[Openvpn-users] Re: how to share tcp port 443 between OpenVpn and Apache?

  • Subject: [Openvpn-users] Re: how to share tcp port 443 between OpenVpn and Apache?
  • From: George Lefter <george.lefter@xxxxxxxxxxxxxxx>
  • Date: Mon, 24 Jan 2005 13:29:31 +0000 (UTC)

Konrad Karl <kk_konrad <at> gmx.at> writes:

> On Sun, Jan 23, 2005 at 11:16:23PM -0700, James Yonan wrote:
> [ deleted]
> > 
> > Actually, this might be easier than needing to add the pseudo-ciphersuite.
> > 
> > When OpenVPN is run in TCP mode, it writes a cleartext uint16_t length
> > word before every packet, so that it can extract the packets from the TCP
> > stream at the other end of the connection (this is to replace the UDP
> > packet size value which of course doesn't exist for TCP because it is a
> > stream-based transport protocol).
> Thanks, this method is the simplest one I have heard about.
> What I am still looking for: I want to avoid having a forwarding program
> running all times at port 443 (during the whole Apache/openvpn session),
> instead I want to either hack/modify Apache's SSL front end to make the
> decision based on knowledge from the first two bytes and then either
> continue web serving or hand over the open socket to openvpn via 
> the method described in Stevens book. (less overhead once the connection
> is established, less probability of failures etc.) The missing two bytes
> could be sent the same way I think.
> Thanks for your input
> PS: is there any known method (Linux) to do the equivalent of
> ungetchar of more than one byte on a socket?
> PPS: does anybody here know if the muxing could be done on Linux
> using a special netfilter module?
> Konrad
> > 
> > If you wanted to write a TCP 443 demultiplexing proxy, I think that you
> > might be able to use these initial two bytes to determine whether or not
> > the connection is OpenVPN or HTTPS.
> > 
> > James


Would it be possible to use virtual domains on the web server, so that
https://www.domain.com would work as it should, and have https://vpn.domain.com
(using mod_proxy) forward the request to the port openvpn is really listening on?
Something like: openvpn client -> proxy:8080 -> vpn.domain.com:443 -> openvpn

I'm not very sure how I could do this - I would need to issue the CONNECT request
twice, and the second time I must speak SSL (openssl s_client? - doesn't know
about the proxy. Could Apache be configured to speak SSL on www.domain.com:443
and plain HTTP on vpn.domain.com:443 ?!). It looks like a preconnect script
would still be needed, but I've seen no support in openvpn for that.
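The TCP 443 demultiplexing proxy that James sketches in the quoted message (read the first bytes of a new connection, decide whether it is OpenVPN or HTTPS, then hand it to the right server), written out as an added example. This is not code from the thread, from OpenVPN or from Apache. It assumes the framing the thread describes: an OpenVPN TCP stream opens with the cleartext big-endian uint16 length word followed by the packet's opcode byte, while a TLS ClientHello record opens with content type 0x16 and version major 0x03. The opcode values and the plausible-length bounds used to recognise an OpenVPN client hard reset are heuristics chosen here, and the backend addresses are constructed placeholders. The bytes consumed while deciding are simply written to the chosen backend first, which is the "send the missing two bytes the same way" idea from the quoted message; at the raw socket level, `recv()` with `MSG_PEEK` inspects the first bytes without consuming them, which is the closest Linux equivalent to the multi-byte "ungetchar" asked about.

```python
"""Port-443 demultiplexer: look at the first bytes of a new TCP connection
and forward it to either an HTTPS server or an OpenVPN server.

Added example for the thread above; not code from OpenVPN or Apache.
Backend addresses are constructed placeholders.
"""
import asyncio
import struct

# TLS record header: content type 0x16 (handshake), version major 0x03.
TLS_HANDSHAKE = 0x16
TLS_VERSION_MAJOR = 0x03

# OpenVPN control-channel opcodes; the first packet byte is (opcode << 3) | key_id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10
OPCODE_SHIFT = 3

# Plausible size range for a client hard-reset packet (assumed heuristic bounds).
MIN_RESET_LEN = 14
MAX_RESET_LEN = 2048

# Constructed backend addresses (placeholders, not from the thread).
HTTPS_BACKEND = ("127.0.0.1", 4443)
OPENVPN_BACKEND = ("127.0.0.1", 1194)


def classify(head: bytes) -> str:
    """Return 'tls', 'openvpn' or 'unknown' for the first 3 bytes of a stream."""
    if len(head) < 3:
        return "unknown"
    if head[0] == TLS_HANDSHAKE and head[1] == TLS_VERSION_MAJOR:
        return "tls"
    # OpenVPN over TCP: uint16 length word, then the packet. A fresh client
    # always begins with a hard-reset control packet, so check for its opcode.
    (plen,) = struct.unpack("!H", head[:2])
    opcode = head[2] >> OPCODE_SHIFT
    if (opcode in (P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3)
            and MIN_RESET_LEN <= plen <= MAX_RESET_LEN):
        return "openvpn"
    return "unknown"


def pick_backend(head: bytes):
    """Map the classification to a backend address, or None to drop the connection."""
    kind = classify(head)
    if kind == "tls":
        return HTTPS_BACKEND
    if kind == "openvpn":
        return OPENVPN_BACKEND
    return None


async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()


async def handle_client(client_reader, client_writer):
    try:
        head = await asyncio.wait_for(client_reader.readexactly(3), timeout=5)
    except (asyncio.IncompleteReadError, asyncio.TimeoutError):
        client_writer.close()
        return
    backend = pick_backend(head)
    if backend is None:
        client_writer.close()  # neither protocol recognised: drop rather than guess
        return
    try:
        be_reader, be_writer = await asyncio.open_connection(*backend)
    except OSError:
        client_writer.close()
        return
    be_writer.write(head)  # replay the bytes consumed while deciding
    await be_writer.drain()
    await asyncio.gather(pipe(client_reader, be_writer), pipe(be_reader, client_writer))


async def main():
    server = await asyncio.start_server(handle_client, "0.0.0.0", 443)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Because the decision is made only on the first bytes, the proxy never needs the TLS keys and never sees plaintext; it adds one extra socket hop per connection, which is the overhead the quoted message wanted to avoid. Later OpenVPN releases added a `port-share` directive that performs this same first-bytes test inside the OpenVPN server itself and forwards non-OpenVPN connections to a web server.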

Openvpn-users mailing list