I need access to my own RDP running outside of a network with a DPI firewall. So SSL is the only option, but I have an SSL web server running. As I also have only a single IP address with dynamic IP, I am looking to achieve something like the following with Stunnel:
[client-side] rdp --> stunnel-client --------->rdp/ssl https://abc.com ----> [stunnel server] --> rdp ~ Win Client 192.168.1.123:321
+ user-certificate???
[client-side] web browser --------------------->https/ssl https://abc.com --> [stunnel server] --> http ~ www server 192.168.1.555:80
Explanation: On the local machine I would point rdp to the stunnel, which would present the individual user-certificate, and the server side would know to send the traffic to server 192.168.1.123 on port 321. But if a web browser opened abc.com, the server side would present the http(s) website, as there would be no individual user certificate. So a fast check would bring only the official https web site.
Can someone tell me how I can achieve this? sslh works perfectly but will not prevent detection by DPI, as rdp would only use 443. Now I was checking stunnel. It's SNI aware, but will not help either (e.g. rdp.abc.com versus abc.com). It seems I can only use one service (https OR something else).
On the other hand it has the option redirect = [HOST:]PORT to send all traffic to the http web server in case the certificate was not accepted (by using verify=3 + user-certificate).
Will this work in my case (and esp. with rdp)? Is there any other option to achieve 443 SSL protocol sharing (obfuscating)?
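The setup the question describes, written out as stunnel configuration. This is an added illustration, not configuration from the question or the comments: the backend addresses and port 321 come from the question, while the file paths, certificate file names and the local listener port 3390 are assumptions. The server-side `redirect` option is used the way the question describes it (forward connections that fail client-certificate verification to another host), and `verify = 3` is kept because that is the option the question names; newer stunnel releases express the same requirement with `verifyPeer = yes`.

```ini
; ----- server side: stunnel.conf on the host behind abc.com (path assumed) -----
[rdp-or-https]
accept  = 443
; The certificate for abc.com. A browser and the RDP-side stunnel client
; both see this same certificate, so the TLS handshake looks the same for both.
cert    = /etc/stunnel/abc.com.pem
key     = /etc/stunnel/abc.com.key

; Require a client certificate that is itself listed in CAfile
; (verify = 3 as in the question; newer releases: verifyPeer = yes)
verify  = 3
CAfile  = /etc/stunnel/allowed-users.pem

; Connections whose client certificate verifies go to the RDP host
connect = 192.168.1.123:321

; Connections that fail certificate verification (a plain browser sends
; no client certificate) are forwarded to the web server instead, so an
; unauthenticated probe of https://abc.com only ever sees the public site
; (address as given in the question)
redirect = 192.168.1.555:80

; ----- client side: stunnel.conf on the local machine (path assumed) -----
[rdp-via-443]
client  = yes
; Point the RDP client at 127.0.0.1:3390 (port is an assumption)
accept  = 127.0.0.1:3390
connect = abc.com:443
; Send the same hostname in SNI that a browser would send
sni     = abc.com

; The per-user certificate that the server has in its CAfile
cert    = /etc/stunnel/user.pem
key     = /etc/stunnel/user.key

; Verify the server certificate against a trusted CA and check the name,
; so the RDP session cannot be transparently re-signed by a middlebox
verify  = 2
CAfile  = /etc/stunnel/ca-for-abc.com.pem
checkHost = abc.com
```

With this in place the RDP client is started against 127.0.0.1:3390 and stunnel carries the bytes to abc.com:443, where the server-side stunnel terminates TLS and hands them to 192.168.1.123:321 because the user certificate verified. Two things worth checking in such a setup: the only thing that separates the two paths is certificate verification, so a user certificate that has expired or been removed from `allowed-users.pem` silently lands on the web server rather than producing an error, which is useful to know when debugging; and the client certificate only gates network reach to the RDP host, so NLA and normal account authentication on the Windows machine still matter if a user certificate is ever copied or lost.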
Try using a Websocket tunnel instead, see google search: websocket tunnel firewall. This should blend in with most DPI firewalls because it is actually HTTP(S).
– Steffen Ullrich – 2016-05-13T14:58:33.537
O.k. thanks for your comment, will try and check - do you know one where I can split 443 or 80 to different IP addresses/ports on the server? Was looking e.g. at Softether, which works as well (Socket and others) with GFW in China. But I am not sure if I can use it without admin rights on the client side... – None – 2016-05-14T09:21:34.833
"...do you know one where I can split 443 or 80..." - I have no idea about your environment but with iptables such things are doable. Nevertheless, this is a different question and off-topic here too. – Steffen Ullrich – 2016-05-14T09:37:20.873