leepa
April 21, 2025, 2:32pm
1
Hi,
I am trying to set up sslh on MT6000 (running 24.10.0 release).
I have installed the sslh package, and used an external (/etc/sslh.conf) configuration.
It is running fine when started from shell:
root@rtr
❯ sslh -F /etc/sslh.conf
Landlock: Failed to create a ruleset#
However, I cannot start it via service:
❯ service sslh start
❯ echo $?
1
and there is no sslh process running.
I would assume it may be because of that "Landlock: Failed to create a ruleset" but I am unable to work around this. I would appreciate any help.
leepa:
/etc/sslh.conf
Assume it's empty, since you're not posting it?
leepa
April 21, 2025, 3:00pm
3
No, it is not. I thought its content does not matter, since it is working perfectly fine when run from the shell.
Anyways:
/etc/config/sslh
package 'sslh'
config 'sslh' 'default'
option configfile '/etc/sslh.conf'
/etc/sslh.conf
foreground: false;
inetd: false;
numeric: true;
transparent: false;
timeout: 2;
on-timeout: "timeout";
user: "nobody";
pidfile: "/var/run/sslh.pid";
chroot: "/var/empty";
listen:
(
{ host: "redacted"; port: "443"; }
);
protocols:
(
{ name: "ssh"; service: "ssh"; host: "192.168.199.199"; port: "22"; fork: true; transparent: true; },
{ name: "openvpn"; host: "192.168.199.199"; port: "1194"; transparent: true; },
{ name: "tls"; host: "redacted"; port:"3343"; sni_hostnames: [ "redacted" ]; log_level: 0; },
{ name: "timeout"; host: "1.2.3.4"; port: "1234"; }
);
Check /etc/init.d/sslh too, I don't have Openwrt device access atm.
leepa
April 21, 2025, 3:07pm
5
/etc/init.d/sslh
#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2017 OpenWrt.org
START=95
# XXX: pid-files are useless because sslh forks after creating them
SERVICE_USE_PID=
start_instance() {
local section="$1"
# check if section is enabled (default)
local enable
config_get_bool enable "${section}" 'enable' '0'
[ ${enable} -gt 0 ] || return 1
local args=""
local val
# A) listen parameter
config_get vals "${section}" listen
[ -n "${vals}" ] && for val in $vals; do append args "-p${val}"; done
# B) ssh parameter
config_get val "${section}" ssh
[ -n "${val}" ] && append args "--ssh ${val}"
# C) tls parameter
config_get val "${section}" tls
[ -n "${val}" ] && append args "--tls ${val}"
# D) openvpn parameter
config_get val "${section}" openvpn
[ -n "${val}" ] && append args "--openvpn ${val}"
# E) tinc parameter
config_get val "${section}" tinc
[ -n "${val}" ] && append args "--tinc ${val}"
# F) xmpp parameter
config_get val "${section}" xmpp
[ -n "${val}" ] && append args "--xmpp ${val}"
# G) timeout (before a connection is considered to be SSH)
config_get val "${section}" timeout
[ -n "${val}" ] && append args "-t ${val}"
# H) verbose parameter
local verbosed
config_get_bool verbosed "${section}" verbose 0
[ "${verbosed}" -ne 0 ] && append args "-v"
# I) sslh config file (cmd line args override file settings)
config_get val "${section}" configfile
[ -n "${val}" ] && append args "-F${val}"
# J) http parameter
config_get val "${section}" http
[ -n "${val}" ] && append args "--http ${val}"
# K) transparent parameter
config_get_bool val "${section}" transparent 0
[ "${val}" -ne 0 ] && append args "--transparent"
# Defaults were removed for --user and --pidfile options
# in sslh 1.11; Define them here instead.
append args "--user nobody"
append args "--pidfile /var/run/sslh.pid"
# XXX: allow more than one instance to run simultaneously
SERVICE_MATCH_NAME=1 SERVICE_NAME="sslh-dummy-$$" \
service_start /usr/sbin/sslh ${args}
}
start() {
config_load 'sslh'
config_foreach start_instance 'sslh'
}
stop() {
service_stop /usr/sbin/sslh
}
Here's your 1st show stopper.
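The show stopper is the enable check at the top of start_instance(): config_get_bool reads 'enable' with a default of '0', and `[ ${enable} -gt 0 ] || return 1` silently skips the instance, so "service sslh start" exits 1 without any message and the Landlock line is a red herring. The script below is an added example (not OpenWrt's init script, which uses config_load/config_get_bool from /lib/functions.sh) that emulates that check over two constructed copies of /etc/config/sslh: the trimmed one from this thread and the same file with `option enable '1'`. The awk-based uci_get_option helper is a hypothetical stand-in for config_get.

```shell
#!/bin/sh
# Added example: reproduce the init script's 'enable' gate and the command
# line it would build, without needing an OpenWrt box. Not the project's code.

# Constructed sample 1: the poster's trimmed /etc/config/sslh (no 'enable').
CFG_TRIMMED="package 'sslh'
config 'sslh' 'default'
	option configfile '/etc/sslh.conf'"

# Constructed sample 2: the same file with the line that fixed the service.
CFG_FIXED="package 'sslh'
config 'sslh' 'default'
	option enable '1'
	option configfile '/etc/sslh.conf'"

# uci_get_option CONFIG_TEXT SECTION_TYPE SECTION_NAME OPTION
# Hypothetical stand-in for config_get: prints the option's value (quotes
# stripped) from the named section, or nothing when it is absent.
uci_get_option() {
    printf '%s\n' "$1" | awk -v type="$2" -v name="$3" -v opt="$4" '
        function strip(s) { gsub(/["'\'']/, "", s); return s }
        $1 == "config" { in_sec = (strip($2) == type && strip($3) == name); next }
        in_sec && $1 == "option" && strip($2) == opt { print strip($3); exit }
    '
}

# instance_enabled CONFIG_TEXT SECTION_NAME
# Mirrors: config_get_bool enable "$section" 'enable' '0'; [ $enable -gt 0 ] || return 1
# config_get_bool treats 1/on/true/yes/enabled as true; anything else falls
# back to the default '0', so a missing option means "skip this instance".
instance_enabled() {
    enable=$(uci_get_option "$1" sslh "$2" enable)
    case "$enable" in
        1|on|true|yes|enabled) return 0 ;;
        *) return 1 ;;
    esac
}

# build_args CONFIG_TEXT SECTION_NAME
# Prints the sslh command line the init script would hand to service_start
# (only the configfile path and the hard-coded user/pidfile are modelled),
# or prints nothing and returns 1 when the enable check skips the instance.
build_args() {
    instance_enabled "$1" "$2" || return 1
    args=""
    cf=$(uci_get_option "$1" sslh "$2" configfile)
    [ -n "$cf" ] && args="$args -F$cf"
    args="$args --user nobody --pidfile /var/run/sslh.pid"
    printf '/usr/sbin/sslh%s\n' "$args"
}

# Demo: the trimmed config produces no command, the fixed one does.
for cfg in "$CFG_TRIMMED" "$CFG_FIXED"; do
    if cmd=$(build_args "$cfg" default); then
        echo "would start: $cmd"
    else
        echo "skipped: 'enable' missing or 0 (init script returns 1 silently)"
    fi
done
```

The practical check on a real device is the same logic by hand: `uci get sslh.default.enable` should print 1; if it prints nothing or errors, the init script will never reach service_start, regardless of what sslh itself says when run in the foreground.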
leepa
April 21, 2025, 3:13pm
7
That was quick
Added option enable '1'
to /etc/config/sslh
and it worked!
Thanks a lot!
There's usually an option enable 0
in the file, no idea why it's not there.
leepa
April 21, 2025, 3:22pm
9
Well, the original config file looks like this: https://github.com/fett327/packages/blob/master/net/sslh/files/sslh.config
But I was "smart" and removed everything but the reference to sslh.conf - which I already had from the old router - classic PEBKAC problem
system
Closed
May 1, 2025, 3:23pm
10
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.