10

I'm trying to set up OpenVPN to listen on port 443, and then pass all HTTPS traffic to Apache, by using the port-share option. Relevant config snippets are:

OpenVPN

local ${PUBLIC_IP}
port 443
port-share localhost 443

Apache with SSL

Listen localhost:443

My OpenVPN client connects just fine, but when opening the HTTPS enabled page, I get errors. Firefox says:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

Curl says

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

The request ends up on Apache, since I see in the error logs the following messages:

[Wed Oct 06 01:10:20 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:04 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:51 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01

The messages entry for a HTTPS connection is

Oct  6 01:13:21 ns1 openvpn[20154]: Re-using SSL/TLS context
Oct  6 01:13:21 ns1 openvpn[20154]: LZO compression initialized
Oct  6 01:13:21 ns1 openvpn[20154]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Oct  6 01:13:21 ns1 openvpn[20154]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Oct  6 01:13:21 ns1 openvpn[20154]: Local Options hash (VER=V4): 'c0103fa8'
Oct  6 01:13:21 ns1 openvpn[20154]: Expected Remote Options hash (VER=V4): '69109d17'
Oct  6 01:13:21 ns1 openvpn[20154]: TCP connection established with ${CLIENT_IP}:56203
Oct  6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link local: [undef]
Oct  6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link remote: ${CLIENT_IP}:56203
Oct  6 01:13:21 ns1 openvpn[20154]: ${CLIENT_IP}:56203 Non-OpenVPN client protocol detected
Oct  6 01:13:21 ns1 openvpn[20154]: TCP/UDP: Closing socket

Using httpd-2.2.3-43.el5.centos and openvpn-2.1.1-2.el5 .

What should I do to make port sharing work?

Update: Using

port 443
port-share localhost 10443

and

Listen localhost:10443

makes no difference.

Update 2 : some command output

[root@ns1 ~]# openvpn --help | grep port-share
--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions
[root@ns1 ~]# netstat -nltp | grep 443
tcp        0      0 127.0.0.1:10443             0.0.0.0:*                   LISTEN      20088/httpd         
tcp        0      0 ${PUBLIC_IP}:443             0.0.0.0:*                   LISTEN      20066/openvpn
Community
  • 1
Robert Munteanu
  • 1,644
  • 5
  • 23
  • 41

4 Answers4

9

the port-share option sets the port the other application is listening.

What you want to do, is to configure 

port-share 10443

and set Apache to listen on port 10443:

Listen <your-public-ip>:10443

That's because two applications can't open same port at once.

Hubert Kario
  • 6,361
  • 6
  • 36
  • 65
  • Thanks for your reply. OpenVPN binds on the public address, while Apache binds on localhost. I'll change the Apache port when I have the chance, but two applications _can_ bind on the same port, given that they use different addresses. – Robert Munteanu Oct 06 '10 at 07:23
  • yes, true, but it's likely that openVPN will redirect to the same IP, not localhost (that would be the sane thing to do) – Hubert Kario Oct 06 '10 at 09:57
  • I actually meant to say `port-share localhost 443`. I tried `port-share localhost 10443`, but it still did not work, same error. – Robert Munteanu Oct 06 '10 at 20:40
  • ah, sorry, I was saying one thing and showing config for the other. I'd guess that apache has to listen on the same IP openvpn is listening, that is, public, not localhost. Updated my answer. – Hubert Kario Oct 06 '10 at 20:44
  • One more thing, are you sure your version of openvpn does support this option? (try with `openvpn --help | grep port-share`). And are you sure that apache listens on the configured port and has SSL working? – Hubert Kario Oct 06 '10 at 20:53
  • Please see my update. And SSL is working, yes. – Robert Munteanu Oct 06 '10 at 21:21
  • Well ... SSL was working fine but the virtualhost was declared as ${SERVER_NAME}:443 . Once I changed to ${SERVER_NAME}:10443 all was fine. Thanks for your help. – Robert Munteanu Oct 06 '10 at 21:26
  • Don't forget to change your vhosts ports if needed – Benoit Duffez Jul 26 '21 at 16:36
2

OpenVPN's port-share option allows you to redirect traffic to another HTTPS site , not to a regular web server; the error you're seeing

[error] [client 127.0.0.1] Invalid method in request \x16\x03\x01

occurs when an SSL request is sent to a non-0SSL site. I can reproduce the error by using

  port-share localhost 80

(instead of 443) If you set up your HTTPS site correctly then port-sharing will work.

HTH,

JJK

janjust
  • 592
  • 2
  • 5
2

While finding an answer that suits my server I found everyone talking about portshare function of the OpenVPN config. However, in my case, I need to know the actual client IP address for logging and other functions. I found that using portshare causes the local IP of the server to be logged.

To fix this,

  1. Add portshare [port] function in OpenVPN
  2. Set Apache server to listen to [port]
  3. Install the ProxyProtocol extension (following the instructions in the repo readme), available from: https://github.com/roadrunner2/mod-proxy-protocol
  4. Add the line ProxyProtocol On in the Apache config.

It should work and serve the above purpose. Just posted this and hope it can help someone who wants to do something like I did.

Nguyen H Chan
  • 31
  • 7
0

Update: I noticed that the IP address of website visitors will always be 127.0.0.1 in web server logs. This is a problem if you want to know the origin of a connection or want to use a tool like fail2ban. It looks like there is no way to have the real IP address of the visitor in Apache logs if we are using OpenVPN's port-share (https://forums.openvpn.net/viewtopic.php?t=22599), so I used the tool SSLH in transparent mode: https://unix.stackexchange.com/questions/373717/how-does-sslhs-transparent-mode-work/532333#532333

Original answer:

If someone is using OpenVPN Access Server, you have to go to /usr/local/openvpn_as/scripts/ (for example on Debian) and execute these command:

./sacli --key "vpn.server.port_share.enable" --value "true" ConfigPut ./sacli --key "vpn.server.port_share.service" --value "custom" ConfigPut ./sacli --key "vpn.server.port_share.ip_address" --value <LOCAL_IP> ConfigPut ./sacli --key "vpn.server.port_share.port" --value <PORT> ConfigPut ./sacli start

Source:

https://forums.openvpn.net/viewtopic.php?p=78630#p78630

https://openvpn.net/vpn-server-resources/managing-settings-for-the-web-services-from-the-command-line/#Change_the_web_service_forwarding_settings

In my case I did not need to do the command for the key vpn.server.port_share.service and I used the command service openvpnas restart instead of ./sacli start.

I replaced <LOCAL_IP> with 127.0.0.1 and <PORT> with 4443 since I configured Apache to listen on port 4443.

My file /etc/apache2/ports.conf is configured like this:

Listen 80

<IfModule ssl_module>
        Listen 4443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 4443
</IfModule>

And my Apache SSL configuration in /etc/apache2/sites-enabled/000-default.conf starts like this: <IfModule mod_ssl.c> <VirtualHost *:4443>

Note: I used OpenVPN Access Server in the past since it was easy to setup. There are also alternative scripts to setup OpenVPN which have the advantage to be open source and not limit the number of users, for example: https://github.com/Nyr/openvpn-install

baptx
  • 105
  • 7