Port sharing with an HTTPS server

A common OpenVPN setup to allow road warriors to reach the home office is to have OpenVPN listen on the secure web server (HTTPS) port 443. The downside is that you can no longer use that port on the OpenVPN server to actually host a secure website. OpenVPN 2.1 introduced the port-share directive, which enables dual use of a TCP port: all traffic that is detected as OpenVPN traffic is processed by the OpenVPN server itself, and all other traffic is forwarded to another (local) machine and/or port.

In this recipe, we will set up an OpenVPN server to share TCP port 443 with a web server and we will show that both OpenVPN and a web browser can successfully connect to this server.

Getting ready

We will use the following network layout:

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.12. The client was running Windows 7 64-bit and OpenVPN 2.3.10. Keep the server configuration file, example8-9-server.conf, from the Tuning TCP-based connections recipe from Chapter 8, Performance Tuning, at hand, as well as the client configuration file, example8-9.ovpn, from the same recipe.

On the server computer, a secure web server was running on port 8443.

How to do it...

  1. Create the server configuration file by modifying the example8-9-server.conf file. Change the following line:

        port 1194

    Change it to the following:

        port 443
        port-share localhost 8443

    Save it as example10-9-server.conf.

  2. Start the server:

        [root@server]# openvpn --config example10-9-server.conf

  3. Next, modify the client configuration file, example8-9.ovpn, by also changing the port to 443. Save the client configuration file as example10-9.ovpn.
  4. Start the client and verify that the client can connect to the VPN server.
  5. After the client has connected, start a web browser and browse to:

        https://openvpnserver.example.com

    The OpenVPN server log file will show lines similar to the following:

        ... Re-using SSL/TLS context
        ... TCP connection established with <client-ip>:53356
        ... TCPv4_SERVER link local: [undef]
        ... TCPv4_SERVER link remote: <client-ip>:53356
        ... <client-ip>:53356 Non-OpenVPN client protocol detected

How it works...

When port-share is used, OpenVPN will inspect the incoming traffic on port 443. If this traffic is a part of an OpenVPN session or if it is an initial OpenVPN handshake, then the OpenVPN server processes it by itself. If it is not recognizable as OpenVPN traffic, it is forwarded out to the host and port specified in the port-share directive.

Hence, it is the OpenVPN server process that is always listening on port 443. The web server must be listening on a different host, interface, or port. With this setup, the same port can be used to offer two different services.

There's more...

The web server that OpenVPN forwards its traffic to must be a secure (HTTPS) web server, because OpenVPN forwards the inbound SSL/TLS bytes as they arrive, without terminating the TLS session itself. It is therefore not possible to forward the traffic to a regular (HTTP) web server. If the traffic is forwarded to port 80 of the Apache web server used in this recipe, the following error will appear in the web server error log file:

[error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
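The detection step from the How it works section and the "Invalid method" error above are illustrated by the following added example; it is neither OpenVPN's own code nor the book's. The classifier is modelled on the shape of the port-share heuristic, and the opcode value 0x38, the 14-byte minimum packet size and the TLS record header layout are assumptions about the OpenVPN and TLS wire formats rather than details taken from this recipe.

```python
import struct

# Assumptions about the OpenVPN 2.x wire format (not from the recipe): a packet
# starts with (opcode << 3) | key_id, and a client's first packet is
# P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7) with key id 0.
HARD_RESET_CLIENT_V2 = 7 << 3      # 0x38
TLS_HANDSHAKE_RECORD = 0x16        # record type that carries a TLS ClientHello
WEB_BACKEND = ("localhost", 8443)  # target of "port-share localhost 8443"

def is_openvpn_protocol(data: bytes) -> bool:
    # Over TCP every OpenVPN packet has a 2-byte big-endian length prefix, and the
    # first client packet is a small hard-reset control packet (14 bytes minimum).
    if len(data) < 3:
        return False
    (length,) = struct.unpack("!H", data[:2])
    return 14 <= length <= 255 and data[2] == HARD_RESET_CLIENT_V2

def classify(data: bytes) -> str:
    # Return 'openvpn', 'tls' or 'other' for the first bytes read on port 443.
    if is_openvpn_protocol(data):
        return "openvpn"
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03:
        return "tls"
    return "other"

def dispatch(data: bytes) -> str:
    # port-share keeps OpenVPN traffic; everything else goes to the backend as-is.
    if classify(data) == "openvpn":
        return "openvpn-server"
    return "forward:%s:%d" % WEB_BACKEND

def build_hard_reset_client(session_id: bytes) -> bytes:
    # Constructed sample: opcode byte, 8-byte session id, 0 acks, 4-byte packet id 0.
    body = bytes([HARD_RESET_CLIENT_V2]) + session_id + b"\x00" + b"\x00\x00\x00\x00"
    return struct.pack("!H", len(body)) + body

def visible_method_token(data: bytes) -> bytes:
    # What a plain-HTTP server reads as the request "method": bytes up to the first
    # space, CR or NUL. A TLS record header yields the bytes seen in the Apache error.
    for i, byte in enumerate(data):
        if byte in (0x20, 0x0D, 0x00):
            return data[:i]
    return data

# Constructed sample inputs: an OpenVPN hard reset, a TLS ClientHello record
# header (record length 0x00c5) and a plain HTTP request line.
SAMPLES = {
    "openvpn": build_hard_reset_client(b"\x11\x22\x33\x44\x55\x66\x77\x88"),
    "tls": b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03",
    "http": b"GET / HTTP/1.1\r\nHost: openvpnserver.example.com\r\n\r\n",
}
```

Running classify() and dispatch() over SAMPLES shows the OpenVPN hard reset being kept locally while both the TLS and plain-HTTP samples are forwarded to localhost:8443, and visible_method_token() on the TLS sample reproduces the \x16\x03\x01 "method" that a plain-HTTP backend would reject.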

Alternatives

There are many alternatives available that can achieve the same functionality. One example tool that can distinguish between OpenVPN, SSL (HTTPS), and SSH traffic is the Linux-based sslh tool.
