I'm trying to set up OpenVPN to listen on port 443, and then pass all HTTPS traffic to Apache, by using the port-share option. Relevant config snippets are:
OpenVPN
local ${PUBLIC_IP}
port 443
port-share localhost 443
Apache with SSL
Listen localhost:443
My OpenVPN client connects just fine, but when opening the HTTPS enabled page, I get errors. Firefox says:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
Curl says
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
The request ends up on Apache, since I see in the error logs the following messages:
[Wed Oct 06 01:10:20 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:04 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:51 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
The messages entry for a HTTPS connection is
Oct 6 01:13:21 ns1 openvpn[20154]: Re-using SSL/TLS context
Oct 6 01:13:21 ns1 openvpn[20154]: LZO compression initialized
Oct 6 01:13:21 ns1 openvpn[20154]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Oct 6 01:13:21 ns1 openvpn[20154]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Oct 6 01:13:21 ns1 openvpn[20154]: Local Options hash (VER=V4): 'c0103fa8'
Oct 6 01:13:21 ns1 openvpn[20154]: Expected Remote Options hash (VER=V4): '69109d17'
Oct 6 01:13:21 ns1 openvpn[20154]: TCP connection established with ${CLIENT_IP}:56203
Oct 6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link local: [undef]
Oct 6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link remote: ${CLIENT_IP}:56203
Oct 6 01:13:21 ns1 openvpn[20154]: ${CLIENT_IP}:56203 Non-OpenVPN client protocol detected
Oct 6 01:13:21 ns1 openvpn[20154]: TCP/UDP: Closing socket
Using httpd-2.2.3-43.el5.centos and openvpn-2.1.1-2.el5 .
What should I do to make port sharing work?
Update: Using
port 443
port-share localhost 10443
and
Listen localhost:10443
makes no difference.
Update 2 : some command output
[root@ns1 ~]# openvpn --help | grep port-share
--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions
[root@ns1 ~]# netstat -nltp | grep 443
tcp 0 0 127.0.0.1:10443 0.0.0.0:* LISTEN 20088/httpd
tcp 0 0 ${PUBLIC_IP}:443 0.0.0.0:* LISTEN 20066/openvpn
the
port-shareoption sets the port the other application is listening.What you want to do, is to configure
and set Apache to listen on port 10443:
That's because two applications can't open same port at once.
OpenVPN's port-share option allows you to redirect traffic to another HTTPS site , not to a regular web server; the error you're seeing
occurs when an SSL request is sent to a non-0SSL site. I can reproduce the error by using
(instead of 443) If you set up your HTTPS site correctly then port-sharing will work.
HTH,
JJK
While finding an answer that suits my server I found everyone talking about
portsharefunction of the OpenVPN config. However, in my case, I need to know the actual client IP address for logging and other functions. I found that usingportsharecauses the local IP of the server to be logged.To fix this,
portshare [port]function in OpenVPN[port]ProxyProtocol Onin the Apache config.It should work and serve the above purpose. Just posted this and hope it can help someone who wants to do something like I did.
Update: I noticed that the IP address of website visitors will always be
127.0.0.1in web server logs. This is a problem if you want to know the origin of a connection or want to use a tool likefail2ban. It looks like there is no way to have the real IP address of the visitor in Apache logs if we are using OpenVPN'sport-share(https://forums.openvpn.net/viewtopic.php?t=22599), so I used the tool SSLH in transparent mode: https://unix.stackexchange.com/questions/373717/how-does-sslhs-transparent-mode-work/532333#532333Original answer:
If someone is using OpenVPN Access Server, you have to go to
/usr/local/openvpn_as/scripts/(for example on Debian) and execute these command:./sacli --key "vpn.server.port_share.enable" --value "true" ConfigPut ./sacli --key "vpn.server.port_share.service" --value "custom" ConfigPut ./sacli --key "vpn.server.port_share.ip_address" --value <LOCAL_IP> ConfigPut ./sacli --key "vpn.server.port_share.port" --value <PORT> ConfigPut ./sacli startSource:
https://forums.openvpn.net/viewtopic.php?p=78630#p78630
https://openvpn.net/vpn-server-resources/managing-settings-for-the-web-services-from-the-command-line/#Change_the_web_service_forwarding_settings
In my case I did not need to do the command for the key
vpn.server.port_share.serviceand I used the commandservice openvpnas restartinstead of./sacli start.I replaced
<LOCAL_IP>with127.0.0.1and<PORT>with4443since I configured Apache to listen on port 4443.My file
/etc/apache2/ports.confis configured like this:And my Apache SSL configuration in
/etc/apache2/sites-enabled/000-default.confstarts like this:<IfModule mod_ssl.c> <VirtualHost *:4443>Note: I used OpenVPN Access Server in the past since it was easy to setup. There are also alternative scripts to setup OpenVPN which have the advantage to be open source and not limit the number of users, for example: https://github.com/Nyr/openvpn-install