I’m absolutely baffled there isn’t more information out there about this. It seems like web managers and techs would be all over this, but there’s barely any information out there on this. I had a hard time finding documentation on OpenVPN’s site itself!
As one guy stated here (the post where I finally understood how this works) it’s not really “sharing” the port per se, but OpenVPN is deciphering between HTTP/S traffic and OpenVPN traffic and then forwarding web traffic over to another port, defined below. That’s crucial to understand.
Before I start, I want to note this doesn’t have to be done on an SSL port, as I understand it. I’m just using that as an example because it seems to be the most logical way to make it work if this is your configuration (you know, an SSL VPN going to an SSL port).
It should also be noted in this configuration example that OpenVPN, using the port-share parameter, is actually doing the listening on TCP port 443 and acting as a proxy itself that forwards non-OpenVPN traffic to the NGINX SSL port which we’ll layout below. You cannot do this utilizing UDP, that I know of.
So here’s what you do.
1) Set your NGINX or Apache listening ports. Set your NGINX standard http port 80 and SSL listening port to something OTHER than 443 … so, for arguments’ sake, let’s set it to 4443.
So it would look like this for Apache and NGINX:
For Apache, in the main httpd.conf (Windows) or in ports.conf (Ubuntu/Linux):
Listen 4443
For NGINX, in /etc/nginx/sites-available/defaults:
server {
listen 4443;
location / {
root /web/etc/blah;
}
}
Once implemented, restart your respective service, Apache or NGINX.
2) Next, you’re going to set your OpenVPN server parameters. Set your listening port to 443 from its standard 1194 and add the port-share parameter to point to the Apache or NGINX port created above. The config should look as follows now:
port 443 port-share 127.0.0.1 4443 proto tcp
OpenVPN will now be ready to accept connections over 443 and route the appropriate https/SSL traffic to Apache or NGINX.
3) Change your firewall settings. Leave your TCP port 80 rule pointing directly to Apache or NGINX. Then point your SSL rule to TCP port 443 running on your OpenVPN server. OpenVPN will now catch the traffic directed at it and decipher between OpenVPN traffic and HTTPS traffic.
4) Change the configuration in your OpenVPN clients. Point your OpenVPN clients to TCP port 443 instead of the port you were using before:
remote domain.name.com 443
or
remote [IP ADDRESS] 443
Hope it works. Cheers!
Lunastyx
Hi,
First, thanks for sharing, it could have help me a lot if I havn’t misunderstood : « For NGINX, in /etc/nginx/sites-available/defaults: »
So to future travalers, beware, you should edit you’re website configuration and absolutely not /etc/nginx/conf.d/default 😉
After a long time of search I finally found the problem and solve it : now it works fine. So, thanks ! 🙂
sorrowrock
hi
what should i do for this (Leave your TCP port 80 rule pointing directly to Apache or NGINX. Then point your SSL rule to TCP port 443 running on your OpenVPN server)
Can you explain more?
tnx
David Westerfield
I’ll try to break it down:
1) Set your OpenVPN listening port to 443 … all requests to TCP 443 for either web/https or OpenVPN will come through this port: “port 443”
2) Set your port-sharing rule … this is what your Apache/NGINX servers’ port is set to, on the same box, in other words, this is what you’re telling OpenVPN to connect to for web/https traffic; for argument sake assume your Apache server is listening on port 4443): “port-share 127.0.0.1 4443”
Make anymore sense?
sorrowrock
i have cent os 5 32 bit
and apache
in the httpd.conf
I’ve changed Listen 80 to Listen 4443
and Open VPN settings to the following
local [IP ADDRESS]
port 443
port-share 127.0.0.1 4443
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /etc/openvpn/plugins/rp.so /etc/openvpn/plugins/rp.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push “redirect-gateway def1”
push “dhcp-option DNS 8.8.8.8”
push “dhcp-option DNS 8.8.4.4”
and OpenVPN Config File (.ovpn) Is as follows
client
dev tun
proto tcp
port-share 127.0.0.1 4443
remote [IP ADDRESS] 443 # – Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ENGLAND.1.crt
comp-lzo
verb 3
auth-user-pass
script-security 3
What I’m doing wrong?
And make adjustments where
I did not do?
Completely explain it?
Thank you
David Westerfield
One of the first things I see is that your client file doesn’t need the port-share parameters. I’ll try to respond more thoroughly in a bit. Thanks …
sorrowrock
Thanks for your kindness
I am waiting for your response
I hope that everyone can be a full training
Even for Beginners
Thank you
David Westerfield
Hop in here and we can chat about this in realtime … https://www.westerfunk.net/chat/
sorrowrock
Sorry
My English is not so good for a chat
It is possible for you to send my server information?
You look please?And fix the problem?
Thereafter
Can you tell me where is the problem?
Please also send me your email
I could send the server information
Thanks for everything
David Westerfield
I’ll post an example of my stuff.
David Westerfield
Hop in my chat room and I’ll post the info in there.
chx
There’s SSLH which allows for HTTP, SSL, SSH, OpenVPN, tinc, XMPP on the same port. http://www.rutschle.net/tech/sslh.shtml
David Westerfield
Thanks for the suggestion!
unfitforsociety
port-share is OpenVPNs ass, port is it’s mouth. It’s shits useless data out and other deamons are eating it up :+)
anon
Thanks for this, really helped me. Though I did edit /etc/nginx/sites-enabled/default instead.
PANiCnz
If OpenVPN and the proxy server are running on different servers (VM’s) I assume I don’t need to change the SSL listening port?
i.e. just change the IP address in “port-share 127.0.0.1 4443” to the proxy server and revert the port back to 443?
David Westerfield
Yeah if they’re on different vm’s/ip’s, you don’t need to change it.