• 15
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

I'm trying to set up OpenVPN to listen on port 443, and then pass all HTTPS traffic to Apache, by using the port-share option. Relevant config snippets are:

OpenVPN

local ${PUBLIC_IP}
port 443
port-share localhost 443

Apache with SSL

Listen localhost:443

My OpenVPN client connects just fine, but when opening the HTTPS enabled page, I get errors. Firefox says:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

Curl says

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

The request ends up on Apache, since I see in the error logs the following messages:

[Wed Oct 06 01:10:20 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:04 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:51 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01

The messages entry for a HTTPS connection is

Oct  6 01:13:21 ns1 openvpn[20154]: Re-using SSL/TLS context
Oct  6 01:13:21 ns1 openvpn[20154]: LZO compression initialized
Oct  6 01:13:21 ns1 openvpn[20154]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Oct  6 01:13:21 ns1 openvpn[20154]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Oct  6 01:13:21 ns1 openvpn[20154]: Local Options hash (VER=V4): 'c0103fa8'
Oct  6 01:13:21 ns1 openvpn[20154]: Expected Remote Options hash (VER=V4): '69109d17'
Oct  6 01:13:21 ns1 openvpn[20154]: TCP connection established with ${CLIENT_IP}:56203
Oct  6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link local: [undef]
Oct  6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link remote: ${CLIENT_IP}:56203
Oct  6 01:13:21 ns1 openvpn[20154]: ${CLIENT_IP}:56203 Non-OpenVPN client protocol detected
Oct  6 01:13:21 ns1 openvpn[20154]: TCP/UDP: Closing socket

Using httpd-2.2.3-43.el5.centos and openvpn-2.1.1-2.el5 .

What should I do to make port sharing work?


Update: Using

port 443
port-share localhost 10443

and

Listen localhost:10443

makes no difference.


Update 2 : some command output

[root@ns1 ~]# openvpn --help | grep port-share
--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions
[root@ns1 ~]# netstat -nltp | grep 443
tcp        0      0 127.0.0.1:10443             0.0.0.0:*                   LISTEN      20088/httpd         
tcp        0      0 ${PUBLIC_IP}:443             0.0.0.0:*                   LISTEN      20066/openvpn       

the port-share option sets the port the other application is listening.

What you want to do, is to configure

port-share 10443

and set Apache to listen on port 10443:

Listen <your-public-ip>:10443

That's because two applications can't open same port at once.

  • 8
Reply Report
      • 2
    • Thanks for your reply. OpenVPN binds on the public address, while Apache binds on localhost. I'll change the Apache port when I have the chance, but two applications can bind on the same port, given that they use different addresses.
    • I actually meant to say port-share localhost 443. I tried port-share localhost 10443, but it still did not work, same error.
    • ah, sorry, I was saying one thing and showing config for the other. I'd guess that apache has to listen on the same IP openvpn is listening, that is, public, not localhost. Updated my answer.
      • 2
    • One more thing, are you sure your version of openvpn does support this option? (try with openvpn --help | grep port-share). And are you sure that apache listens on the configured port and has SSL working?

While finding an answer that suits my server I found everyone talking about portshare function of the OpenVPN config. However, in my case, I need to know the actual client IP address for logging and other functions. I found that using portshare causes the local IP of the server to be logged.

To fix this,

  1. Add portshare [port] function in OpenVPN
  2. Set Apache server to listen to [port]
  3. Install the ProxyProtocol extension (following the instructions in the repo readme), available from: https://github.com/roadrunner2/mod-proxy-protocol
  4. Add the line ProxyProtocol On in the Apache config.

It should work and serve the above purpose. Just posted this and hope it can help someone who wants to do something like I did.

  • 2
Reply Report

OpenVPN's port-share option allows you to redirect traffic to another HTTPS site , not to a regular web server; the error you're seeing

[error] [client 127.0.0.1] Invalid method in request \x16\x03\x01

occurs when an SSL request is sent to a non-0SSL site. I can reproduce the error by using

  port-share localhost 80

(instead of 443) If you set up your HTTPS site correctly then port-sharing will work.

HTH,

JJK

  • 1
Reply Report

Update: I noticed that the IP address of website visitors will always be 127.0.0.1 in web server logs. This is a problem if you want to know the origin of a connection or want to use a tool like fail2ban. It looks like there is no way to have the real IP address of the visitor in Apache logs if we are using OpenVPN's port-share (https://forums.openvpn.net/viewtopic.php?t=22599), so I used the tool SSLH in transparent mode: https://unix.stackexchange.com/questions/373717/how-does-sslhs-transparent-mode-work/532333#532333

Original answer:

If someone is using OpenVPN Access Server, you have to go to /usr/local/openvpn_as/scripts/ (for example on Debian) and execute these command:

./sacli --key "vpn.server.port_share.enable" --value "true" ConfigPut ./sacli --key "vpn.server.port_share.service" --value "custom" ConfigPut ./sacli --key "vpn.server.port_share.ip_address" --value <LOCAL_IP> ConfigPut ./sacli --key "vpn.server.port_share.port" --value <PORT> ConfigPut ./sacli start

Source:

https://forums.openvpn.net/viewtopic.php?p=78630#p78630

https://openvpn.net/vpn-server-resources/managing-settings-for-the-web-services-from-the-command-line/#Change_the_web_service_forwarding_settings

In my case I did not need to do the command for the key vpn.server.port_share.service and I used the command service openvpnas restart instead of ./sacli start.

I replaced <LOCAL_IP> with 127.0.0.1 and <PORT> with 4443 since I configured Apache to listen on port 4443.

My file /etc/apache2/ports.conf is configured like this:

Listen 80

<IfModule ssl_module>
        Listen 4443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 4443
</IfModule>

And my Apache SSL configuration in /etc/apache2/sites-enabled/000-default.conf starts like this: <IfModule mod_ssl.c> <VirtualHost *:4443>

Note: I used OpenVPN Access Server in the past since it was easy to setup. There are also alternative scripts to setup OpenVPN which have the advantage to be open source and not limit the number of users, for example: https://github.com/Nyr/openvpn-install

  • 0
Reply Report

Trending Tags