A common OpenVPN setup to allow road warriors to reach the home office is to have OpenVPN listen on the secure web server (HTTPS) port 443. The downside is that you can no longer use that port on the OpenVPN server to actually host a secure website. OpenVPN 2.1 introduces a new port-share directive, enabling dual use of a TCP port. All traffic that is detected as OpenVPN traffic is processed by the OpenVPN server itself, and all other traffic is forwarded to another (local) machine and/or port.
In this recipe, we will set up an OpenVPN server to share TCP port 443 with a web server, and we will show that both OpenVPN and a web browser can successfully connect to this server.

We will use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.12. The client was running Windows 7 64 bit and OpenVPN 2.3.10. Keep the server configuration file, example8-9-server.conf, from the Tuning TCP-based connections recipe from Chapter 8, Performance Tuning at hand, as well as the client configuration file, example8-9.ovpn, from the same recipe.

On the server computer, a secure web server was running on port 8443.
1. Edit the example8-9-server.conf file. Change the following line:

       port 1194

   Change it to the following:

       port 443
       port-share localhost 8443

   Save it as example10-9-server.conf.

2. Start the server:

       [root@server]# openvpn --config example10-9-server.conf

3. Next, edit the client configuration file, example8-9.ovpn, by also changing the port to 443. Save the client configuration file as example10-9.ovpn.

4. Next, point a web browser at https://openvpnserver.example.com.
The OpenVPN server log file will show lines similar to the following:

    ... Re-using SSL/TLS context
    ... TCP connection established with <client-ip>:53356
    ... TCPv4_SERVER link local: [undef]
    ... TCPv4_SERVER link remote: <client-ip>:53356
    ... <client-ip>:53356 Non-OpenVPN client protocol detected
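Once the server is up, a practitioner will want to confirm that the listening sockets match what the recipe intends: OpenVPN alone on port 443, and the web server bound to the loopback address that the port-share directive points at rather than to all interfaces. The script below is an added example, not part of the recipe or of OpenVPN. It parses `ss -tlnp` output; the sample lines are constructed, and the column layout and the two process-name formats it accepts are assumptions about iproute2's output.

```python
import re
import sys

# One LISTEN line of `ss -tlnp`. The users:(...) field names the owning
# process; older iproute2 prints ("openvpn",1234,5), newer prints
# ("openvpn",pid=1234,fd=5), so only the quoted name is captured.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+users:\(\("([^"]+)")?')

LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}


def parse_listeners(ss_output):
    """Return (local_address, port, process_name) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        addr, _, port = m.group(1).rpartition(":")
        listeners.append((addr, int(port), m.group(2) or "?"))
    return listeners


def audit_port_share(listeners, vpn_port=443, vpn_proc="openvpn", backend_port=8443):
    """Findings for the layout the recipe builds. An empty list means it is as
    expected: only OpenVPN holds the shared port, and the web server that
    port-share relays to is bound to the loopback interface, so from outside
    the only way to it is through port 443."""
    findings = []
    shared = [l for l in listeners if l[1] == vpn_port]
    if not shared:
        findings.append("nothing is listening on port %d" % vpn_port)
    for addr, port, proc in shared:
        if proc != vpn_proc:
            findings.append("port %d is held by %s, not %s" % (port, proc, vpn_proc))
    backend = [l for l in listeners if l[1] == backend_port]
    if not backend:
        findings.append("no web server on port %d for port-share to relay to" % backend_port)
    for addr, port, proc in backend:
        if addr not in LOOPBACK:
            findings.append("%s listens on %s:%d, so the web server is also reachable "
                            "directly, not only through the shared port %d"
                            % (proc, addr, port, vpn_port))
    return findings


# Constructed sample output (not taken from the recipe's server). The first
# set matches the recipe; the second has Apache on the shared port and on
# all interfaces.
SAMPLE_OK = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       32      0.0.0.0:443         0.0.0.0:*          users:(("openvpn",pid=1234,fd=5))
LISTEN  0       128     127.0.0.1:8443      0.0.0.0:*          users:(("httpd",pid=2345,fd=4))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=800,fd=3))
"""
SAMPLE_BAD = """\
LISTEN  0       128     *:443               *:*                users:(("httpd",2345,4))
LISTEN  0       128     *:8443              *:*                users:(("httpd",2345,5))
"""

if __name__ == "__main__":
    # Read real `ss -tlnp` output from a pipe; fall back to the sample otherwise.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK
    problems = audit_port_share(parse_listeners(text))
    print("\n".join(problems) if problems else "port-share layout looks as expected")
    sys.exit(1 if problems else 0)
```

On the server this runs as `ss -tlnp | python3 check_port_share.py` (the file name is just a suggestion); a non-zero exit means one of the findings above applies.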
When port-share is used, OpenVPN will inspect the incoming traffic on port 443. If this traffic is part of an OpenVPN session, or if it is an initial OpenVPN handshake, then the OpenVPN server processes it by itself. If it is not recognizable as OpenVPN traffic, it is forwarded out to the host and port specified in the port-share directive.

Hence, it is the OpenVPN server process that is always listening on port 443. The web server must be listening on a different host, interface, or port. With this setup, the same port can be used to offer two different services.
The web server that OpenVPN forwards its traffic to must be a secure (HTTPS) web server. This is due to the nature of the inbound SSL traffic on the OpenVPN server itself: what reaches the forwarded-to server is the client's TLS handshake, not a plaintext HTTP request. It is not possible to forward the traffic to a regular (HTTP) web server. If the traffic is forwarded to port 80 of the Apache web server used in this recipe, the following error will appear in the web server error log file (\x16\x03\x01 is the start of a TLS handshake record, which Apache tries to read as an HTTP request method):

    [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
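To make the detection step described above and the Apache error concrete, the following Python is an added example by the editor, not OpenVPN's code and not part of the book: it classifies the first bytes of a TCP connection the way the text describes (an OpenVPN handshake stays with the OpenVPN process, anything else is relayed to the port-share target) and models how a plain HTTP server ends up logging a TLS handshake. The byte-level rules (2-byte TCP length prefix, hard-reset opcode 7 or 10 in the top five bits of the first payload byte, TLS handshake records starting 0x16 0x03) and the Apache logging model are the editor's assumptions from the protocol formats, and the sample byte strings are constructed.

```python
# OpenVPN protocol constants (assumed from the protocol's framing, not taken
# from the recipe): the first packet a client sends is a
# P_CONTROL_HARD_RESET_CLIENT (V2 = 7, V3 = 10). Its opcode occupies the top
# five bits of the first payload byte, the key id the low three bits, and over
# TCP every packet is prefixed with a 2-byte big-endian length.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10
P_OPCODE_SHIFT = 3
MIN_HARD_RESET_LEN = 14   # opcode(1) + session id(8) + ack count(1) + packet id(4)
TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type "handshake"


def looks_like_openvpn(data):
    """True if the first bytes of a TCP stream look like a fresh OpenVPN
    client hard reset (small length prefix, hard-reset opcode, key id 0)."""
    if len(data) < 3:
        return False
    length = (data[0] << 8) | data[1]
    opcode, key_id = data[2] >> P_OPCODE_SHIFT, data[2] & 0x07
    return (data[0] == 0 and length >= MIN_HARD_RESET_LEN and key_id == 0
            and opcode in (P_CONTROL_HARD_RESET_CLIENT_V2,
                           P_CONTROL_HARD_RESET_CLIENT_V3))


def classify_first_bytes(data):
    """Label the start of a connection: "openvpn", "tls", "other", or
    "undecided" when fewer than three bytes have arrived."""
    if len(data) < 3:
        return "undecided"
    if looks_like_openvpn(data):
        return "openvpn"
    if data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03:
        return "tls"
    return "other"


def port_share_route(data, backend=("localhost", 8443)):
    """The routing decision the recipe describes: OpenVPN keeps its own
    protocol, waits for more bytes when it cannot tell yet, and relays
    everything else to the port-share target."""
    kind = classify_first_bytes(data)
    if kind == "openvpn":
        return ("openvpn", None)
    if kind == "undecided":
        return ("wait", None)
    return ("forward", backend)


def apache_invalid_method_line(data, client="127.0.0.1"):
    """Model of the error the recipe shows when the relay target is a plain
    HTTP server. Apache reads one line (up to LF), treats it as a C string
    (so it stops at the first NUL byte) and logs non-printable bytes as
    \\xHH. A TLS record header 16 03 01 followed by a 00 length byte
    therefore shows up as exactly \\x16\\x03\\x01."""
    line = data.split(b"\n", 1)[0].rstrip(b"\r").split(b"\x00", 1)[0]
    escaped = "".join("\\\\" if b == 0x5c else
                      chr(b) if 0x20 <= b < 0x7f else "\\x%02x" % b
                      for b in line)
    return "[error] [client %s] Invalid method in request %s" % (client, escaped)


# Constructed sample first bytes (not captures from the recipe's server).
SAMPLE_OPENVPN = (b"\x00\x0e"                                  # TCP length prefix = 14
                  + bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT])
                  + b"\x11\x22\x33\x44\x55\x66\x77\x88"        # session id
                  + b"\x00"                                    # ack count
                  + b"\x00\x00\x00\x00")                       # packet id
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: openvpnserver.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("openvpn", SAMPLE_OPENVPN), ("tls", SAMPLE_TLS),
                         ("http", SAMPLE_HTTP)):
        print(name, classify_first_bytes(sample), port_share_route(sample))
    print(apache_invalid_method_line(SAMPLE_TLS))
```

The classifier only ever sees the first few bytes of a connection, which is why the target of port-share has to understand TLS: the browser's ClientHello is relayed unchanged, and a server expecting a plaintext request line logs its first three bytes as the "method", exactly as in the error above.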