Nginx and openvpn on port 443

Hi,
I created an image and am using nginx as a reverse proxy server. I am also using dehydrated to create SSL certificates. This is working great. My virtual machines are now accessible from outside with a valid certificate. The next step is to add OpenVPN to it. However, this also has to run on port 443 because of restrictions in other places. I tried to use the stream module of nginx, but this is not supported. I also don't see an option to use this in make menuconfig under nginx-ssl-configuration. Is this possible?
Br, Johan

yes

OpenVPN has the option port-share, which will redirect non-VPN traffic to the given ip:port.

These settings were renamed in later versions of OpenVPN, so if you're "lucky" it might be in by mistake, as it's enabled by default according to the information generated by ./configure:

  --disable-port-share    disable TCP server port-share support (--port-share)
                          [default=yes]

Here's a PR bumping the version and fixing the configuration mismatches.

Thanks, this is working well.
The only disadvantage now is that I can't see the original IP address anymore in my nginx log when it's an HTTPS call. Is there a way that OpenVPN can put the original IP address in a header?

Hi, I found a better solution with the help of sslh. I am not a Linux expert, but this was working for me. Tips and suggestions are welcome.
I used the solution of kadrim4 in the thread https://forum.nginx.org/read.php?11,273526,280919#msg-280919
In this case sslh is listening on port 443 and checks whether the protocol is OpenVPN or something else. If it is OpenVPN, it reroutes to port 1194; other SSL traffic goes to port 9443, where nginx is listening.
My router is behind another router, so my WAN IP = 192.168.1.8 and the router itself has 192.168.2.1.
In /etc/config/sslh I enabled:

option 'listen' '192.168.1.8:443'
option 'ssl' '192.168.2.1:9443'
option 'openvpn' '192.168.2.1:1194'

I updated the /etc/init.d/sslh file to modify the startup parameters that were not working from the /etc/config/sslh file.

append args "--user root"
append args "--pidfile /var/run/sslh.pid"
append args "--transparent"

In the nginx.conf file I added a stream block and some server blocks:

stream {
    log_format sni_multiplexer '$remote_addr [$time_local] '
                               '$protocol $status '
                               'connection.id: $connection ssl_preread:'
                               '$ssl_preread_server_name $ssl_preread_alpn_protocols $ssl_preread_protocol '
                               'bytes:$bytes_sent $bytes_received time:$session_time';

    # sslh hands TLS connections to this listener. ssl_preread logs the SNI
    # without terminating TLS; proxy_protocol passes the client address on
    # to the http server below.
    server {
        listen 9443;
        proxy_pass https_backend;
        proxy_connect_timeout 30s;
        proxy_timeout 30s;
        proxy_protocol on;
        ssl_preread on;
        access_log /mnt/sda1/Nginx/stream.log sni_multiplexer;
    }

    upstream https_backend {
        server 127.0.0.1:4443;
    }
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # $proxy_protocol_addr is the original client address carried in the
    # PROXY protocol header that the stream block prepends.
    log_format combined2 '$proxy_protocol_addr:$proxy_protocol_port - $remote_user [$time_local] '
                         'id:$connection:$connection_requests $status '
                         '"$http_referer" "$request" req.time:$request_time req.length:$request_length ';

    log_format proxy '[$time_local] X-Real-IP $proxy_protocol_addr;'
                     'X-Forwarded-For $proxy_add_x_forwarded_for;'
                     'Host $http_host;'
                     'X-Forwarded-Proto $scheme;';

    server {
        listen 80;
        server_name mydomain.com 192.168.2.1;
        access_log /var/log/nginx/http.access.log;
        location /.well-known/acme-challenge {
            alias /etc/dehydrated/www/;
        }
    }

    server {
        # This listener trusts the PROXY header for client addresses, so keep
        # it reachable only from the stream block (e.g. listen 127.0.0.1:4443
        # or firewall port 4443); otherwise anyone reaching it could forge
        # the logged client IP.
        listen 4443 proxy_protocol http2 ssl;
        server_name localhost www.mydomain.com 192.168.2.1;

        # TLSv1.1 is deprecated (RFC 8996); TLSv1.2 and TLSv1.3 are sufficient.
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # The posted list was missing the colon between !RSA and !aNULL.
        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
        ssl_session_tickets off;

        ssl_certificate /etc/dehydrated/certs/mydomain/cert.pem;
        ssl_certificate_key /etc/dehydrated/certs/mydomain/privkey.pem;

        # The dot must be escaped to match the file extension rather than any character.
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            expires 365d;
        }

        access_log /mnt/sda1/Nginx/https.access.log combined2;
        access_log /mnt/sda1/Nginx/https.proxy.log proxy;
        include luci_uwsgi.conf;
    }
}

I also had to add the iptables rules like in the thread. I added these to the custom rules under Network -> Firewall:

# sslh --transparent connects to the backends with the real client address as
# source, so the backends' replies (source ports 1194 and 9443) must be steered
# back to sslh on this host instead of leaving via the WAN interface (eth0.2).
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0.2 --sport 1194 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0.2 --sport 9443 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
# Marked packets use routing table 100, which delivers them locally.
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

But that was not surviving a reboot, so I added these also to /etc/rc.local:

iptables -t mangle -N SSLH 
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0.2 --sport 1194 --jump SSLH 
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0.2 --sport 9443 --jump SSLH 
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1 
iptables -t mangle -A SSLH --jump ACCEPT 
ip rule add fwmark 0x1 lookup 100 
ip route add local 0.0.0.0/0 dev lo table 100 
exit 0
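To make the chain in this post concrete, here is an added example that is not code from the thread, from sslh or from nginx. It models the two mechanisms the setup depends on: the protocol sniff sslh performs on the first bytes a client sends (to choose the openvpn or ssl target), and the PROXY protocol v1 header that the nginx stream block prepends with `proxy_protocol on`, which is what lets the http server log the original client as `$proxy_protocol_addr` instead of 127.0.0.1 (the question raised earlier in the thread). The ports are the ones from the post; the client address, the sample TLS and OpenVPN bytes, and the function names are constructed for the example, and the sniffing heuristics are a simplified version of sslh's probes.

```python
"""Added example (not sslh, nginx or OpenVPN code): protocol demultiplexing on
the first bytes of a TCP connection, plus the PROXY protocol v1 header that
carries the real client address from the nginx stream block to the http server.
All addresses and payloads are constructed sample values.
"""
import ipaddress
import struct

TLS_HANDSHAKE = 0x16                       # TLS record content type "handshake"
OPENVPN_CLIENT_RESET_OPCODES = {1, 7, 10}  # P_CONTROL_HARD_RESET_CLIENT v1/v2/v3

# Constructed sample first bytes (not captured traffic).
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303")
SAMPLE_OPENVPN_RESET = (bytes.fromhex("000e")               # TCP framing: 14 bytes follow
                        + bytes([7 << 3 | 0])               # opcode 7, key id 0 -> 0x38
                        + bytes.fromhex("0102030405060708")  # session id
                        + b"\x00"                           # empty ack array
                        + bytes(4))                         # packet id 0


def classify_first_bytes(data: bytes) -> str:
    """Return 'ssl', 'openvpn' or 'unknown' for the first bytes of a TCP stream.

    Simplified form of sslh's probes (assumption: exact heuristics vary by
    sslh version). TLS: a handshake record with a 0x03xx version. OpenVPN over
    TCP: a 2-byte big-endian length framing the packet, then a client reset
    opcode in the upper five bits of the next byte.
    """
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "ssl"
    if len(data) >= 3:
        (packet_len,) = struct.unpack("!H", data[:2])
        if packet_len == len(data) - 2 and (data[2] >> 3) in OPENVPN_CLIENT_RESET_OPCODES:
            return "openvpn"
    return "unknown"


def build_proxy_v1_header(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Build the PROXY v1 line nginx's stream block sends when proxy_protocol is on."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1_header(data: bytes):
    """Parse a PROXY v1 header; return (src_ip, src_port, dst_ip, dst_port, payload).

    Checks follow the v1 spec: at most 107 bytes including CRLF, TCP4/TCP6
    families whose addresses match, decimal ports in 0..65535. The receiving
    side must only trust this header from a known upstream (here: the stream
    block), which is why the 4443 listener should not be reachable elsewhere.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > 107 or not data.startswith(b"PROXY "):
        raise ValueError("not a valid PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY family or field count")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the addresses")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("ports must be decimal")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, str(dst), dport, data[end + 2:]


def forward_connection(first_bytes: bytes, client: tuple) -> dict:
    """Model the post's chain for one connection arriving at sslh on :443.

    OpenVPN goes straight to 192.168.2.1:1194. TLS goes to the nginx stream
    listener (seen as 192.168.2.1:9443 behind sslh --transparent), which adds
    the PROXY header before forwarding to 127.0.0.1:4443; 'logged_client' is
    what the http server then records as $proxy_protocol_addr:$proxy_protocol_port.
    """
    kind = classify_first_bytes(first_bytes)
    if kind == "openvpn":
        return {"backend": ("192.168.2.1", 1194), "logged_client": None, "payload": first_bytes}
    if kind == "ssl":
        header = build_proxy_v1_header(client[0], "192.168.2.1", client[1], 9443)
        src_ip, src_port, _, _, payload = parse_proxy_v1_header(header + first_bytes)
        return {"backend": ("127.0.0.1", 4443), "logged_client": f"{src_ip}:{src_port}", "payload": payload}
    return {"backend": None, "logged_client": None, "payload": first_bytes}


if __name__ == "__main__":
    for sample in (SAMPLE_TLS_CLIENT_HELLO, SAMPLE_OPENVPN_RESET, b"GET / HTTP/1.1\r\n"):
        print(classify_first_bytes(sample), forward_connection(sample, ("203.0.113.7", 51234)))
```

The parser's length and family checks matter because the http listener treats whatever precedes the TLS bytes as authoritative: if port 4443 were reachable from anything other than the stream block, a forged header would put an arbitrary address into the access log.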
