Hi,
currently I'm trying to set up a condition that checks if an SNI is present in a request (HTTPS) or if there is no SNI (OpenVPN traffic). However, in the dropdown for the "Condition Type" there are multiple SNI related entries, but all seem to need a server name configured.
Is there a way to simply check if SNI is there, ignoring which server name exactly is requested?
Thanks a lot in advance,
Thomas
The os-sslh plugin can multiplex OpenVPN and TLS traffic on the same port, then hand off to HAproxy. In my experience it is small, fast and reliable.
Quote from: pmhausen on May 04, 2023, 09:59:54 AM
The os-sslh plugin can multiplex OpenVPN and TLS traffic on the same port, then hand off to HAproxy. In my experience it is small, fast and reliable.
Thanks for the hint, I will definitely have a look at this. I never heard of this tool before :)
But to also improve my understanding of HAproxy: Could someone give me a hint on how to do it with HAproxy and checking the SNI?
Thanks.
OpenVPN is not a regular HTTPS connection handshake, so if you define a single incoming service for both, HAproxy will probably never get to the point to decide if it's with SNI or not. It's simply random garbage.
That's why you need a protocol multiplexer that can detect OpenVPN, HTTPS, ... and act accordingly.
Possibly there is a different method in HAproxy but you won't get a clean request without SNI for sure. You won't get an HTTPS request at all.
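For reference, this is what the HAproxy-side check Thomas asked about looks like in a plain configuration file, as an added example that is not from the thread or from the OPNsense plugin UI. HAproxy's `req.ssl_sni` fetch with the `-m found` matcher tests only that an SNI extension is present, regardless of the server name, and `req.ssl_hello_type 1` tests that the first bytes parse as a TLS ClientHello at all. Frontend and backend names, ports and addresses are placeholders chosen for the example.

```haproxy
# Added example (not from the thread). One TCP-mode frontend that routes on
# whether the first bytes of the connection parse as a TLS ClientHello and,
# if so, whether that ClientHello carries an SNI extension. All names,
# ports and addresses below are placeholders.
frontend mux_443
    mode tcp
    bind :443
    # Hold the connection up to 5s so the ClientHello can be inspected
    # before a routing decision is made.
    tcp-request inspect-delay 5s
    # Is this a TLS ClientHello at all?
    acl is_tls_hello  req.ssl_hello_type 1
    # Presence check only: -m found matches for any server name.
    acl has_sni       req.ssl_sni -m found
    # Stop waiting as soon as a ClientHello has been seen. A stream that is
    # not TLS (for example OpenVPN over TCP) never matches, so it is only
    # released when the inspect-delay expires and then falls through to
    # the default backend.
    tcp-request content accept if is_tls_hello
    use_backend tls_with_sni if has_sni
    use_backend tls_no_sni   if is_tls_hello
    default_backend openvpn_tcp

backend tls_with_sni
    mode tcp
    server web 127.0.0.1:8443   # placeholder: TLS listener expecting SNI

backend tls_no_sni
    mode tcp
    server web 127.0.0.1:8444   # placeholder: TLS listener for clients without SNI

backend openvpn_tcp
    mode tcp
    server vpn 127.0.0.1:1194   # placeholder: OpenVPN server in TCP mode
```

Two practical points for anyone trying this: OpenVPN has to run in TCP mode to share the port at all, and every non-TLS connection pays the full `inspect-delay` before it is handed to the default backend, because nothing in that stream can satisfy the ClientHello check. In TCP mode the backends also see HAproxy's own address as the client, which is the same source-IP problem raised later in this thread for sslh.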
Quote from: pmhausen on May 04, 2023, 09:59:54 AM
The os-sslh plugin can multiplex OpenVPN and TLS traffic on the same port, then hand off to HAproxy.
I installed the os-sslh plugin. Could you tell me please what the preferred way is to configure the unused targets in os-sslh in the OPNsense WebGUI? If I keep them empty, they show in a light gray color "localhost:<port>". Do I have to let requests to those targets bang against a closed firewall rule or can I tell os-sslh to not use those targets?
Thanks.
Sorry, never used it with OPNsense, only with plain FreeBSD so I know it works great. The UI could be improved a bit (just installed it to check what you mean). I'd add an enable/disable button to each single service. Let's see if I can get to that shortly.
Please check for yourself what it does and report back.
Quote from: pmhausen on May 04, 2023, 09:24:36 PM
Please check for yourself what it does and report back.
Another issue I found is that HAproxy behind sslh only sees requests coming from localhost instead of the client IP address. According to the documentation of sslh the option "--transparent" should be used to make sslh a transparent proxy and to forward the client IP. However, this option seems to be not available in os-sslh :'(
Addition:
I found the commit https://github.com/opnsense/plugins/pull/2729/commits/d882e31712c4edb99d2e5f3a08ee60f1918be76a which states "Remove transparent functionality: Documentation reports this as a "Linux only" feature, remove since there is no provision for using this on FreeBSD."
I am wondering about this, because the documentation of sslh states for the Transparent Proxy "On Linux and FreeBSD you can use the --transparent option to request transparent proxying." (Source: https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md).
My feeling is at the moment that the os-sslh implementation is far from complete and does not allow a lot of the features sslh provides.