OpenWrt Forum Archive

Topic: Conflict between uhttpd and OpenVPN servers on port 443 TCP

The content of this topic has been archived on 24 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

I am quite new to the OpenWRT world, and it is quickly growing on me.
I installed OpenWRT on my Linksys WRT1900ACSv2. I need some help to set up my OpenVPN server. I successfully started an OpenVPN server on port 1194 UDP, but due to some firewall restrictions (when I connect to a certain network) I need to set up another on port 443 TCP. The problem is that it would interfere with luci, since it also runs on 443 TCP.

I read that OpenVPN does support the option "port-share", which would do exactly what I need, allowing me to reroute LuCI traffic to, say, port 4443.

But, trying to put the option in the openvpn config file I get a syntax error. I am using openvpn-openssl of course. Is it not supported? Is there any way to enable this option? How can I contact the developers of openvpn-openssl to ask for assistance on the matter?

Alternatively (and complementarily), could I simply change the port on which LuCI listens to, say, 88? Then I should probably be able to access the LuCI page from the web browser by specifying the port instead of using the https protocol.

Any advice? It would be extremely appreciated.
(If anybody needs any clarification I would be happy to comply, I simply thought the question is general enough)

EDIT: more appropriate title

(Last edited by abovethecloud on 13 Aug 2017, 14:00)

Where did you read that OpenWRT supports "port-share"?

rj-45 wrote:

Where did you read that OpenWRT supports "port-share"?

Actually, I read that OpenVPN (not OpenWRT) supports a "port-share" option. To my understanding, it's the OpenVPN server that redirects the non-VPN traffic that comes in on its port (in my case 443) to another port (on which I would have my LuCI uhttpd running).

I am unable to provide a link, but I read about this function here (and in other places): https://doc.pfsense.org/index.php/Sharing_a_Port_with_OpenVPN_and_a_Web_Server

Have you tried TCP instead of UDP, as mentioned in the pfSense howto?

rj-45 wrote:

Have you tried TCP instead of UDP, as mentioned in the pfSense howto?

Yeah, well, of course. The problem is exactly that I want the OpenVPN server running on port 443 with protocol TCP. The issue is in fact the conflict with the uhttpd server, which allows LuCI access from the web browser on port 443 TCP (https, indeed).

The openvpn config file that I set is:

config openvpn 'myvpntcp'
    option enabled '0'
    option dev 'tun1'
    option port '443'
    option proto 'tcp'
#    option port-share localhost 4443
    option status '/var/log/openvpn_tcp_status.log'
    option log '/tmp/openvpn_tcp.log'
    option verb '3'
    option mute '5'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option group 'nogroup'
    option ca '/etc/easy-rsa/keys/ca.crt'
    option cert '/etc/easy-rsa/keys/myvpn.crt'
    option key '/etc/easy-rsa/keys/myvpn.key'
    option dh '/etc/easy-rsa/keys/dh2048.pem'
    option mode 'server'
    option tls_server '1'
    option tls_auth '/etc/easy-rsa/keys/ta.key 0'
    option server '10.8.1.0 255.255.255.0'
    option topology 'subnet'
    option route_gateway 'dhcp'
    option client_to_client '1'
    list push 'persist-key'
    list push 'persist-tun'
    list push 'redirect-gateway def1'
    # allow your clients to access to your network
    list push 'route 192.168.1.0 255.255.255.0'
    # push DNS to your clients
    list push 'dhcp-option DNS 192.168.1.1'
    option comp_lzo 'no'

where the commented line is the port-share option that OpenVPN running on OpenWRT does not recognise (it gives a syntax error for the option if uncommented).
I believe that the problem is that the option is not supported by the package openvpn-openssl, or the syntax is different. Though, I can't seem to find documentation in this regard. I don't know who I might contact to ask.
The only page I found mentioning the port-share option in the context of OpenVPN on OpenWRT is this: https://dev.openwrt.org/browser/trunk/package/network/services/openvpn/Config-openssl.in, but I don't know what to do with that.

Maybe the easiest way is to change the port of uhttpd.
The config file you can find here:
/etc/config/uhttpd

rj-45 wrote:

Maybe the easiest way is to change the port of uhttpd.
The config file you can find here:
/etc/config/uhttpd

Thanks!
Actually I knew that I could change the port there, but I am afraid that by doing that I may lose access to the LuCI page, since the browser will force https. I'd rather share the port using the existing (though maybe unsupported by openvpn-openssl?) option port-share.

Does anyone know if the option can be enabled (or who to ask this)?

Hey there.

I think you did some reading, and there's quite a bit you got right, but there's something you got wrong, too.

The "port share" feature of OpenVPN means OpenVPN listens exclusively on that TCP port, let's say 443. Whenever traffic is coming in through that port, OpenVPN determines whether it is VPN traffic or not. VPN traffic is handled by OpenVPN, all other traffic is passed to a different IP/port combination.

That means:
* uhttpd must not listen on TCP port 443 but on something different
** Let's say uhttpd listens on TCP port 4443
* OpenVPN must listen on TCP port 443
* OpenVPN must be configured with "port-share localhost 4443" in order to redirect all non-VPN traffic to uhttpd

OpenVPN's port share feature does *not* mean that both OpenVPN and uhttpd can occupy the same TCP port at the same time. That's just not possible. Maybe "port share" is a bit misleading. But that's how it is. And quite frankly, I can't come up with a better name either.

But:
If you get a syntax error on "port-share localhost 4443", that might as well mean that port-share is not part of OpenWrt's OpenVPN package.

If "port-share" is not part of your OpenVPN package, you might give "sslh" a try.

Regards,
Stephan.

Try using "port_share" instead of "port-share" in the config file; if I read the code correctly, the init script will revert it back to "port-share".
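Added example (not from the thread, and not OpenWrt's own code): a small POSIX shell script that puts the advice of the last few posts together. It holds, as constructed text, the uhttpd and OpenVPN UCI sections a reader would end up with (LuCI on 127.0.0.1:4443, OpenVPN on TCP 443 with `option port_share 'localhost 4443'`), checks option names the way uci does (a UCI option name may contain only letters, digits and underscores, so `option port-share ...` cannot be parsed, which is the "syntax error" reported above), and renders the OpenVPN section into openvpn.conf lines with underscores turned into hyphens, the translation /etc/init.d/openvpn performs when it writes the generated config under /var/etc/. The rendering rules are a simplification of the real init script, which knows which options are booleans (here every value of '1' is treated as a flag), and port 4443 and the key paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt itself. It models the
# two halves of the port-share setup discussed above:
#   1. the UCI sections a reader would end up with (constructed here as text), and
#   2. a simplified version of the translation /etc/init.d/openvpn does when it
#      turns a UCI section into an openvpn(8) config file, which is why
#      "option port-share" is a syntax error and "option port_share" works.
# The mapping rules are an assumption/simplification of the real init script;
# port 4443 and the file paths are illustrative.

# Constructed target uhttpd section: LuCI moves off 443 and binds only to
# loopback, so the only way in is through OpenVPN's port-share relay.
UHTTPD_UCI="config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_https '127.0.0.1:4443'
    option home '/www'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'"

# Constructed OpenVPN section, trimmed to the lines that matter for port-share.
OPENVPN_UCI="config openvpn 'myvpntcp'
    option enabled '1'
    option dev 'tun1'
    option port '443'
    option proto 'tcp'
    option port_share 'localhost 4443'
    option persist_key '1'
    option persist_tun '1'
    option tls_server '1'
    option tls_auth '/etc/easy-rsa/keys/ta.key 0'
    option comp_lzo 'no'
    list push 'redirect-gateway def1'
    list push 'route 192.168.1.0 255.255.255.0'"

# UCI option names may contain only letters, digits and underscores.
# A hyphen in the name makes the line unparsable for uci, which is the
# "syntax error" reported in the thread for 'option port-share ...'.
uci_name_ok() {
    case "$1" in
        "" | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Render a UCI openvpn section (on stdin) as openvpn.conf lines:
#   option foo_bar '1'     -> foo-bar            (treated as a boolean flag)
#   option foo_bar 'x y'   -> foo-bar x y        (valued option)
#   list push 'route ...'  -> push "route ..."   (quoted for openvpn's parser)
# 'config', 'enabled', comments and blank lines are not emitted. The real
# init script knows which options are boolean; treating every '1' as a flag
# is the simplification made here.
uci_to_openvpn() {
    awk -v q="'" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "config"          { next }
        {
            kind = $1; name = $2
            val = $0
            sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]*/, "", val)
            gsub("^" q "|" q "$", "", val)
            if (kind == "option" && name == "enabled") next
            if (kind == "list" && name == "push") { print "push \"" val "\""; next }
            gsub(/_/, "-", name)
            if (val == "1") print name; else print name " " val
        }'
}

# Wrappers so the results can be inspected (or asserted on) by name.
render_openvpn() { printf '%s\n' "$OPENVPN_UCI" | uci_to_openvpn; }
render_uhttpd()  { printf '%s\n' "$UHTTPD_UCI"; }

demo() {
    for name in port-share port_share; do
        if uci_name_ok "$name"; then echo "uci accepts option name '$name'"
        else echo "uci rejects option name '$name'"; fi
    done
    echo '--- /etc/config/uhttpd (target) ---'; render_uhttpd
    echo '--- generated openvpn.conf lines ---'; render_openvpn
}
demo
```

On the router, compare the generated lines with the file the init script writes under /var/etc/, and confirm with `netstat -lntp` that openvpn owns TCP 443 and uhttpd only 127.0.0.1:4443. One caveat worth stating plainly: port-share relays every non-OpenVPN TCP connection on 443 to uhttpd, so if the firewall accepts TCP 443 from the WAN for the VPN, the LuCI login page becomes reachable from the WAN through that relay as well; binding uhttpd to loopback does not change that.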

golialive wrote:

Hey there.

I think you did some reading, and there's quite a bit you got right, but there's something you got wrong, too.

The "port share" feature of OpenVPN means OpenVPN listens exclusively on that TCP port, let's say 443. Whenever traffic is coming in through that port, OpenVPN determines whether it is VPN traffic or not. VPN traffic is handled by OpenVPN, all other traffic is passed to a different IP/port combination.

That means:
* uhttpd must not listen on TCP port 443 but on something different
** Let's say uhttpd listens on TCP port 4443
* OpenVPN must listen on TCP port 443
* OpenVPN must be configured with "port-share localhost 4443" in order to redirect all non-VPN traffic to uhttpd

OpenVPN's port share feature does *not* mean that both OpenVPN and uhttpd can occupy the same TCP port at the same time. That's just not possible. Maybe "port share" is a bit misleading. But that's how it is. And quite frankly, I can't come up with a better name either.

But:
If you get a syntax error on "port-share localhost 4443", that might as well mean that port-share is not part of OpenWrt's OpenVPN package.

If "port-share" is not part of your OpenVPN package, you might give "sslh" a try.

Regards,
Stephan.

First of all, thanks for the answer! Actually, I think I understood this concept, since what I wanted to do was exactly that: let OpenVPN listen on 443, uhttpd on 4443, and redirect non-VPN traffic on port 443 towards port 4443 (for uhttpd to listen on).
Though, you are right to say that I got something wrong, since:

eduperez wrote:

Try using "port_share" instead of "port-share" in the config file; if I read the code correctly, the init script will revert it back to "port-share".

This actually solves the syntax problem! Thank you very much! But now the OpenVPN instance doesn't start anymore (so, it does recognize the syntax and the option but there is some error preventing it from working - not only the port share option, the whole VPN server won't start). My config file now looks like:

config openvpn 'myvpntcp'
    option enabled '0'
    option dev 'tun1'
    option port '443'
    option proto 'tcp'
#    option port_share 'localhost 4443'
    option status '/var/log/openvpn_tcp_status.log'
    option log '/tmp/openvpn_tcp.log'
    option verb '3'
    option mute '5'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option group 'nogroup'
    option ca '/etc/easy-rsa/keys/ca.crt'
    option cert '/etc/easy-rsa/keys/myvpn.crt'
    option key '/etc/easy-rsa/keys/myvpn.key'
    option dh '/etc/easy-rsa/keys/dh2048.pem'
    option mode 'server'
    option tls_server '1'
    option tls_auth '/etc/easy-rsa/keys/ta.key 0'
    option server '10.8.1.0 255.255.255.0'
    option topology 'subnet'
    option route_gateway 'dhcp'
    option client_to_client '1'
    list push 'persist-key'
    list push 'persist-tun'
    list push 'redirect-gateway def1'
    # allow your clients to access to your network
    list push 'route 192.168.1.0 255.255.255.0'
    # push DNS to your clients
    list push 'dhcp-option DNS 192.168.1.1'
    option comp_lzo 'no'

Any ideas?

What are the error messages?

rj-45 wrote:

What are the error messages?

Actually there was no error, but the LuCI interface showed that the server didn't start. But I tried anyway to connect and, lo and behold, I could connect to OpenVPN via TCP on port 443 and could as well access the uhttpd server on the same port (thanks to the port_share option of OpenVPN, the uhttpd server is actually running on another port).
So, the only problem now is the inconsistency of LuCI with the fact that the server is actually started and running.
I have no idea why.
Does somebody have any explanation?

P.S. I would upload a screenshot but I have no idea how. So, instead, I will report what the luci section OpenVPN says:
Enabled: checked
Started: no
Start/Stop: Start (and clicking this does nothing)
Port: 443
Protocol: tcp

The discussion might have continued from here.