Hi,
I created an image and am using nginx as a reverse proxy server. I am also using dehydrated to create SSL certificates. This is working great. My virtual machines are now accessible from outside with a valid certificate. The next step is to add OpenVPN to it. However, this also has to run on port 443 because of restrictions in other places. I tried to use the stream module of nginx, but this is not supported. I also don't see an option to enable it in make menuconfig under nginx-ssl-configuration. Is this possible?
Br, Johan
Yes, OpenVPN has the option port-share,
which will redirect non-VPN traffic to the given ip:port.
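What port-share (and, later in this thread, sslh) actually decides, as an added example in Python; this is my code, not OpenVPN's or sslh's. It classifies the first bytes a TCP client sends as an OpenVPN hard-reset packet, a TLS ClientHello (from which it also pulls the SNI, the value nginx's ssl_preread would log), or neither, and names the backend each would be handed to. The check (2-byte length prefix, then the opcode byte of a client hard reset) is modelled on the test OpenVPN's port-share code applies; the backend addresses and the sample packets are constructed, not captures.

```python
"""Which backend gets a connection arriving on port 443?

Added example (not OpenVPN's or sslh's code): a model of the decision
OpenVPN --port-share and sslh make from the first bytes a TCP client sends.
Assumed framing: OpenVPN over TCP prefixes every packet with a 2-byte
big-endian length; the first client packet is a hard reset whose opcode
byte is (P_CONTROL_HARD_RESET_CLIENT_V2 = 7 or _V3 = 10) << 3, key_id 0.
Backend addresses and the sample packets below are constructed.
"""
import struct
from typing import Optional, Tuple

OPCODE_SHIFT = 3
HARD_RESET_CLIENT_V2 = 7            # plain, tls-auth or tls-crypt
HARD_RESET_CLIENT_V3 = 10           # tls-crypt-v2
OPENVPN_FIRST_OPCODES = {HARD_RESET_CLIENT_V2 << OPCODE_SHIFT,   # 0x38
                         HARD_RESET_CLIENT_V3 << OPCODE_SHIFT}   # 0x50

OPENVPN_BACKEND = ("192.168.2.1", 1194)   # assumed, as in the sslh config in this thread
TLS_BACKEND = ("192.168.2.1", 9443)       # assumed nginx stream listener


def is_openvpn(data: bytes) -> bool:
    """First packet of an OpenVPN TCP client? (length prefix + reset opcode)."""
    # Minimum payload: opcode(1) + session id(8) + ack array len(1) + packet id(4) = 14.
    return (len(data) >= 3 and data[0] == 0 and data[1] >= 14
            and data[2] in OPENVPN_FIRST_OPCODES)


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record type handshake (0x16), version 3.x, handshake type ClientHello (1)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def tls_sni(data: bytes) -> Optional[str]:
    """server_name from a ClientHello, the value nginx ssl_preread exposes."""
    if not is_tls_client_hello(data):
        return None
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]                 # assumes the ClientHello fits one record
    try:
        pos = 4 + 2 + 32                     # type(1) len(3) version(2) random(32)
        pos += 1 + hs[pos]                   # session id
        pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                   # compression methods
        end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                   # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack(">H", body[3:5])[0]
                return body[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                          # truncated or malformed hello
    return None


def route(data: bytes) -> Tuple[str, str, int]:
    """(protocol label, backend host, backend port) for the first bytes of a connection."""
    if is_openvpn(data):
        return ("openvpn",) + OPENVPN_BACKEND
    if is_tls_client_hello(data):
        return ("tls",) + TLS_BACKEND
    # Neither probe matched: sslh hands such connections to its configured
    # fallback protocol; port-share sends everything non-OpenVPN to the share target.
    return ("unknown",) + TLS_BACKEND


# --- constructed sample packets (not captures) -------------------------------
def build_openvpn_reset(session_id: bytes = b"\x11" * 8) -> bytes:
    """First packet of an OpenVPN-over-TCP client without tls-auth."""
    payload = (bytes([HARD_RESET_CLIENT_V2 << OPCODE_SHIFT]) + session_id
               + b"\x00"                    # no acks
               + b"\x00\x00\x00\x00")       # message packet-id 0
    return struct.pack(">H", len(payload)) + payload


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension."""
    host = server_name.encode("ascii")
    sni = struct.pack(">HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32            # client_version, random
            + b"\x00"                               # empty session id
            + struct.pack(">H", 2) + b"\xc0\x2f"    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                           # one compression method: null
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    for sample in (build_openvpn_reset(), build_client_hello("www.mydomain.com"),
                   b"SSH-2.0-OpenSSH\r\n"):
        print(route(sample), tls_sni(sample))
```

The point to keep in mind with either tool is that this decision is made on the first client bytes only, so a protocol whose client waits for a server banner (SSH, for instance) needs a timeout-based fallback rather than a probe.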
These settings were renamed in later versions of OpenVPN, so if you're "lucky" it might be in by mistake, as it's enabled by default according to the information generated by ./configure:
--disable-port-share disable TCP server port-share support (--port-share)
[default=yes]
Here's a PR bumping the version and fixing the configuration mismatches.
Thanks, this is working well.
The only disadvantage now is that I can't see the original IP address anymore in my nginx log when it's an HTTPS call. Is there a way that OpenVPN can put the original IP address in a header?
Hi, I found a better solution with the help of sslh. I am not a Linux expert, but this was working for me. Tips and suggestions are welcome.
I used the solution from kadrim4 in the thread https://forum.nginx.org/read.php?11,273526,280919#msg-280919
In this case sslh is listening on port 443 and checks whether the protocol is OpenVPN or something else. If it is OpenVPN, it reroutes to port 1194; other SSL traffic goes to port 9443, where nginx is listening.
My router is behind another router, so my WAN IP = 192.168.1.8 and the router itself has 192.168.2.1.
In /etc/config/sslh I enabled
option 'listen' '192.168.1.8:443'     # WAN side: the one port reachable from outside
option 'ssl' '192.168.2.1:9443'       # anything that looks like TLS -> nginx stream listener
option 'openvpn' '192.168.2.1:1194'   # OpenVPN hard-reset packets -> OpenVPN (tcp-server)
I updated the /etc/init.d/sslh file to modify the startup parameters that were not working from the /etc/config/sslh file.
# --transparent makes sslh connect to the backends with the real client's source
# address (IP_TRANSPARENT), which needs CAP_NET_ADMIN; running as root is the blunt
# way to get it. A dedicated user that keeps only that capability is the tighter option
# if your sslh build has libcap support.
append args "--user root"
append args "--pidfile /var/run/sslh.pid"
append args "--transparent"
In the nginx.conf file I added a stream block and some server blocks:
stream {
    log_format sni_multiplexer '$remote_addr [$time_local] '
                               '$protocol $status '
                               'connection.id: $connection ssl_preread:'
                               '$ssl_preread_server_name $ssl_preread_alpn_protocols $ssl_preread_protocol '
                               'bytes:$bytes_sent $bytes_received time:$session_time';

    # sslh hands everything non-OpenVPN here. With sslh --transparent, $remote_addr is
    # the real client, and proxy_protocol passes that address on to the http server.
    server {
        listen 9443;                  # binds every interface; "listen 192.168.2.1:9443;" matches the sslh config exactly
        proxy_pass https_backend;
        proxy_connect_timeout 30s;
        proxy_timeout 30s;
        proxy_protocol on;            # prepend a PROXY header on the upstream connection
        ssl_preread on;               # peeks at the ClientHello (SNI, ALPN) for the log only; no decryption here
        access_log /mnt/sda1/Nginx/stream.log sni_multiplexer;
    }

    upstream https_backend {
        server 127.0.0.1:4443;
    }
}

http {
    include mime.types;
    default_type application/octet-stream;

    # $proxy_protocol_addr / $proxy_protocol_port come from the PROXY header,
    # not from the socket peer (which is always 127.0.0.1 on this listener).
    log_format combined2 '$proxy_protocol_addr:$proxy_protocol_port - $remote_user [$time_local] '
                         'id:$connection:$connection_requests $status '
                         '"$http_referer" "$request" req.time:$request_time req.length:$request_length ';
    log_format proxy '[$time_local] X-Real-IP $proxy_protocol_addr;'
                     'X-Forwarded-For $proxy_add_x_forwarded_for;'
                     'Host $http_host;'
                     'X-Forwarded-Proto $scheme;';

    server {
        listen 80;
        server_name mydomain.com 192.168.2.1;
        access_log /var/log/nginx/http.access.log;
        location /.well-known/acme-challenge {
            alias /etc/dehydrated/www/;
        }
    }

    server {
        # Only the stream server (via 127.0.0.1) should reach this listener: any other peer
        # that can connect to port 4443 could send a forged PROXY header and be logged as an
        # arbitrary client address. "listen 127.0.0.1:4443 proxy_protocol http2 ssl;" closes that off.
        listen 4443 proxy_protocol http2 ssl;
        server_name localhost www.mydomain.com 192.168.2.1;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;   # TLSv1.1 is deprecated (RFC 8996); drop it unless an old client needs it
        ssl_prefer_server_ciphers on;
        # Fixed: the original string had "!RSA!aNULL" with no colon between the two entries,
        # so "!aNULL" was never parsed as its own rule (OpenSSL skips what it cannot parse
        # rather than failing). With the colon both exclusions apply.
        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
        ssl_session_tickets off;
        ssl_certificate /etc/dehydrated/certs/mydomain/cert.pem;
        ssl_certificate_key /etc/dehydrated/certs/mydomain/privkey.pem;
        # Fixed: the dot is escaped; unescaped it matched any character before the extension.
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            expires 365d;
        }
        access_log /mnt/sda1/Nginx/https.access.log combined2;
        access_log /mnt/sda1/Nginx/https.proxy.log proxy;
        include luci_uwsgi.conf;
    }
}
I also had to add the iptables rules from the thread. I added these to the custom rules under Network -> Firewall.
# Because sslh connects to the backends with the real client's address as source
# (--transparent), the backends' replies (sport 1194 / 9443) are addressed to that
# client and would leave via the WAN interface. Mark them and route marked packets
# through the local table so they are delivered back to sslh instead.
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0.2 --sport 1194 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0.2 --sport 9443 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
But that was not surviving a reboot, so I also added these to /etc/rc.local.
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0.2 --sport 1194 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0.2 --sport 9443 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
exit 0
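How the original client address reaches the https access log in this setup, as an added example in Python (my code, not nginx's): the stream server with proxy_protocol on prepends one PROXY protocol v1 line to the bytes it relays to 127.0.0.1:4443, and the http server with listen ... proxy_protocol strips it and exposes the fields as $proxy_protocol_addr and $proxy_protocol_port. The block builds and parses that line, rejects malformed ones, and shows the check a practitioner would want around it: the header is only believed when it comes from a trusted peer, because any host that can reach the proxy_protocol listener could otherwise write an arbitrary client address into the log. All addresses are constructed.

```python
"""PROXY protocol v1: carrying the original client address to the http server.

Added example (not nginx code). Assumed topology: the stream server
(listen 9443; proxy_protocol on) sends one v1 header line before the TLS
bytes; the http server (listen 4443 proxy_protocol) strips it and logs the
fields as $proxy_protocol_addr / $proxy_protocol_port.  Constructed addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_V1_LINE = 107           # longest valid v1 header, CRLF included (spec limit)


@dataclass(frozen=True)
class ProxyInfo:
    family: str             # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str]
    dst: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def build_header(src: str, src_port: int, dst: str, dst_port: int) -> bytes:
    """What the stream server writes first on its upstream connection."""
    sa, da = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if sa.version != da.version:
        raise ValueError("mixed address families")
    family = "TCP4" if sa.version == 4 else "TCP6"
    return f"PROXY {family} {sa} {da} {src_port} {dst_port}\r\n".encode("ascii")


def parse_header(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split a v1 header off the start of the stream; strict, like a proxy_protocol listener."""
    if not data.startswith(b"PROXY "):
        raise ValueError("connection did not start with a PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ValueError("PROXY line unterminated or over the length limit")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]                    # the TLS bytes follow the header
    if fields[1] == "UNKNOWN":               # proxy could not determine the client
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY line")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match " + fields[1])
    sp, dp = int(fields[4]), int(fields[5])
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(fields[1], str(src), str(dst), sp, dp), rest


def real_client(peer: Tuple[str, int], data: bytes,
                trusted=("127.0.0.1",)) -> Tuple[str, int, bytes]:
    """Address to log for a connection on the proxy_protocol listener, plus the remaining bytes.

    The header is honoured only when the socket peer is a proxy we trust (here the
    stream server on loopback). Anyone else able to reach port 4443 could otherwise
    forge an arbitrary client address into the access log.
    """
    peer_ip, peer_port = peer
    if peer_ip not in trusted:
        raise PermissionError(f"PROXY header offered by untrusted peer {peer_ip}")
    info, rest = parse_header(data)
    if info.family == "UNKNOWN":             # fall back to the socket peer
        return peer_ip, peer_port, rest
    return info.src, info.src_port, rest


if __name__ == "__main__":
    hdr = build_header("203.0.113.7", 51234, "192.168.2.1", 9443)
    print(hdr)
    print(real_client(("127.0.0.1", 40000), hdr + b"\x16\x03\x01"))
```

In nginx terms the trust check is what binding the 4443 listener to 127.0.0.1 (or restricting it in the firewall) provides; nginx itself believes whatever PROXY line arrives on a proxy_protocol listener.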