Can sslh tell the difference between OpenVPN traffic and HTTPS traffic after they have both been through STunnel? Like this:

   .---------.     .------.HTTP/TCP.-------------.
-->| stunnel |---->| sslh |------->| HTTP server |
   '---------'     '------'|       '-------------'
                           |       .----------------.
                           '------>| OpenVPN server |
                        OpenVPN/TCP'----------------'

I can only see this working if STunnel essentially separates the two itself before passing them on. Or is that its purpose? Does it only encrypt the traffic on its way out (and decrypt if it came from a STunnel client) or does the traffic stay wrapped in that extra layer of TLS even after coming through? Thanks.

  • From your question I'm not sure you understand the purpose of stunnel. Can you give details about what you want to achieve? Why would you want to send OpenVPN traffic or HTTPS traffic through stunnel? – RalfFriedl Aug 01 '18 at 06:22
  • @RalfFriedl I want to use STunnel to hide OpenVPN on port 443 from DPI while still allowing Apache to run on that same port. What I'm not sure about is how STunnel handles regular traffic coming in when it's not connected to a client. – Benji Collins Aug 01 '18 at 06:56
  • Is stunnel supposed to run on the server together with the other programs, or on the client side? – RalfFriedl Aug 01 '18 at 16:44

2 Answers

The way sslh works is by looking at the packet content to see what type of traffic it is, then routing the traffic to whatever endpoint matches that. So, if you connect with stunnel, then however the stunnel packet data looks in the first packet will decide where sslh sends it.

I haven't tested, but I think what you want to achieve will not work since sslh will route stunnel based on the stunnel header, not what is inside.

Fredrik

I set stunnel to listen on publicip:80 and forward everything from there to 127.0.0.1:80. That’s where SSLH was listening. From there the data was split between Apache and OpenVPN. It seems that once data has gone through stunnel it is stripped of its stunnel encryption and looks like regular traffic.
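
The two answers above turn on what a first-bytes classifier sees on either side of the TLS termination point. The following is an added example, not part of the original posts and not sslh's own probe code: it uses simplified heuristics, and `classify`, `seen_by_classifier` and all sample byte strings are hypothetical, constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
# OpenVPN opcodes (high 5 bits of the first payload byte) with which a client opens a session
OVPN_HARD_RESET_CLIENT = {1, 7, 10}  # P_CONTROL_HARD_RESET_CLIENT_V1 / V2 / V3

# Constructed samples of the first bytes a client would send.
# Outer TLS record: handshake (0x16), version 3.1, length, then ClientHello (0x01).
OUTER_TLS = bytes.fromhex("1603010200010001fc0303") + bytes(32)
INNER_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
# OpenVPN/TCP: opcode 7 with key id 0, 8-byte session id, empty ack array, 4-byte packet id
_ovpn_body = bytes([7 << 3]) + bytes(8) + b"\x00" + bytes(4)
INNER_OVPN = struct.pack("!H", len(_ovpn_body)) + _ovpn_body


def classify(first: bytes) -> str:
    """Guess the protocol from the first bytes sent on a TCP connection (simplified heuristic)."""
    # TLS record header followed by a ClientHello handshake message
    if len(first) >= 6 and first[0] == 0x16 and first[1] == 0x03 and first[5] == 0x01:
        return "tls"
    if first.startswith(HTTP_METHODS):
        return "http"
    # OpenVPN over TCP: 2-byte big-endian length prefix, then the opcode/key-id byte
    if len(first) >= 3:
        (plen,) = struct.unpack("!H", first[:2])
        if plen == len(first) - 2 and (first[2] >> 3) in OVPN_HARD_RESET_CLIENT:
            return "openvpn"
    return "unknown"


def seen_by_classifier(inner: bytes, tls_terminated: bool) -> str:
    """Label for a connection carrying `inner` inside a TLS tunnel.

    tls_terminated=False: the classifier sits in front of the TLS endpoint and sees only the wrapper.
    tls_terminated=True: the classifier sits behind it and sees the inner stream.
    """
    return classify(inner if tls_terminated else OUTER_TLS)


if __name__ == "__main__":
    for name, inner in (("http", INNER_HTTP), ("openvpn", INNER_OVPN)):
        print(name, "in front:", seen_by_classifier(inner, False),
              "| behind:", seen_by_classifier(inner, True))
```
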