SSLH: Hide SSH / HTTPS / OpenVPN / Telegram behind a single port 443


SSH / HTTPS / OpenVPN / Telegram, all on one port?! What?!
- Yes!

There is one answer to all of these questions: multiplexing of SSL/TLS connections, or SSLH.

In this post, we will look at how to hide a bunch of services behind one port with one command.

Why?


With the recent release of Telegram Proxy, which almost completely looks like SSL traffic, an interesting question appeared in the comments to that post:
Newton:
I have a pretty noob question: is it possible to run this together with sslh?
After a quick look at the sslh application's capabilities, it seemed to me that this could not be "run", but the application interested me very much, and, as it turned out, you can cross a snake with a hedgehog after all.

How?


The SSLH application is a multiplexer; in other words, it analyzes incoming traffic (in effect performing a mini-DPI) and, depending on the type of traffic, forwards it to local port 8443/999/991 or any other port you choose.

For once, this lets us put DPI technology to use ourselves.
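To make the "mini-DPI" concrete, here is a simplified model of the first-bytes sniffing sslh performs, added here as an illustration (this is not sslh's own code). The backend map mirrors the tutorial's command line; the http port is an assumption, since the tutorial does not set --http, and the opaque sample standing in for Telegram Proxy traffic is constructed.

```python
# Simplified model of how sslh classifies a connection by peeking at the
# first bytes the client sends. Added example, not sslh's implementation.

# Backend map mirroring the tutorial's sslh-select command line.
# The http entry is assumed (the tutorial does not pass --http).
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 443),
    "http": ("127.0.0.1", 80),
    "anyprot": ("127.0.0.1", 9443),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ",
                b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify(first_bytes: bytes) -> str:
    """Name the protocol based on the client's opening bytes."""
    if not first_bytes:
        # Client said nothing before the probe timeout. Some SSH clients
        # wait for the server banner first, which is why sslh's default
        # on-timeout protocol is ssh.
        return "ssh"
    if first_bytes.startswith(b"SSH-"):
        # SSH clients normally send "SSH-2.0-..." immediately.
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # TLS record header: content type 0x16 (handshake), major version 3.
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # Nothing matched: --anyprot catches the rest (Telegram Proxy here).
    return "anyprot"


def route(first_bytes: bytes) -> tuple:
    """Return the (host, port) the connection would be forwarded to."""
    return BACKENDS[classify(first_bytes)]


if __name__ == "__main__":
    # Constructed samples: SSH banner, TLS ClientHello start, HTTP request,
    # and an opaque blob standing in for Telegram Proxy traffic.
    for sample in (b"SSH-2.0-OpenSSH_7.6\r\n",
                   b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
                   b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
                   b"\xdd\x6b\x13\x9a\x42\x07"):
        print(classify(sample), route(sample))
```

Real sslh also inspects deeper into each protocol and supports the extra probes listed later in this post; the point here is the fall-through to anyprot, which is what lets unrecognized Telegram Proxy traffic reach its backend.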

Task


For an example of using SSLH, we set ourselves the following task:

The following applications are installed on the server: Telegram Proxy, Apache and SSH, and we want to expose all of these services to the world through port 443.

The server in our example runs Ubuntu 16.04.4 LTS, with Apache2 + LetsEncrypt, SSH, and Telegram Proxy in Docker.

At the moment, as expected, Apache is the one occupying port 443.

Installation & Setup


Install SSLH:

sudo apt-get install --no-install-recommends sslh

During installation you will be asked about the usage mode; there are two options:

I prefer the second option; you may of course choose the other.

Check whether our miracle works with the following command:

sudo sslh-select -f --listen IP:8443 --tls 127.0.0.1:443 --ssh 127.0.0.1:22 --anyprot 127.0.0.1:9443

IP - the external IP of the server
8443 - the port on which our multiplexer will listen
443 - where Apache lives
Pay attention to the anyprot option: this is where our Telegram Proxy will live. In other words, if the traffic does not match any known type, it is sent there.

Attention! If your configuration does not include Telegram or SSH, remove the corresponding startup flags.

Check?


Open your browser at your server's address with port 8443; you should see the response from Apache. Then try connecting via SSH or via Telegram Proxy.

Moving Apache to another port


To move Apache from its standard port (443) to another, for example 7443, edit the following files:

sudo nano /etc/apache2/ports.conf
sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf

In this example Apache with SSL/HTTPS was set up using LetsEncrypt; with a different certificate, the configuration files may be located elsewhere.

Autostart


It's time to set up autostart.

Edit the file:

sudo nano /etc/default/sslh

In the DAEMON_OPTS= field, add the same options you used when running the sslh-select command, and set RUN=yes.

Run:

sudo systemctl start sslh

Make sure everything is fine:

sudo systemctl status sslh

What is the result?


After going through this tutorial, you should have a server that exposes several services at once through a single port (of your choosing).

And how are things with OpenVPN? What other protocols can the application handle?


At the time of writing, sslh is able to identify and multiplex the following protocols:

[--ssh <addr>] [--openvpn <addr>] [--tinc <addr>] [--xmpp <addr>] [--http <addr>] [--ssl <addr>] [--tls <addr>] [--anyprot <addr>]

Before use, it is better to check which protocols your version supports (it may be newer) using:

sslh-select -h


Links


SSLH development takes place on GitHub, in this repository: github.com/yrutschle/sslh

Docker


I did not manage to build a working version of sslh in Docker together with all the other services; in my opinion, a docker-compose file that could be brought up on port 443 would be interesting:


If someone succeeds, write in the comments and I will add it to the article; in my opinion, it would be useful.



Source: https://habr.com/ru/post/412779/

