sslh in transparent mode

Started by Rezer, April 03, 2025, 01:46:08 AM

Well this question isn't strictly specific to OPNsense, more FreeBSD in general, but since I'm trying to get this working on my OPNsense box...

As the title says, I'm trying to get sslh working in transparent mode so server logs will show the external IP and not just the IP of the gateway.  I have some experience doing this in Linux, and the write-up at https://github.com/yrutschle/sslh/blob/master/doc/simple_transparent_proxy.md seems straightforward enough, small problem...I have no idea how any of that translates to a FreeBSD environment.  Would anyone happen to know how those commands can be implemented using FreeBSD tools?  It seems to just be setting up a separate routing table that routes all traffic from a specific virtual interface back to sslh, but none of that seems to be supported in the OPNsense UI and FreeBSD isn't exactly my home turf.

Also, it seems to me that using the os-sslh plugin in OPNsense is a nonstarter as there's no support for transparent mode.  I guess this would just have to be tacked on using some scripts that get run after each update?

You could also look into mmproxy to unwrap a proxy protocol.

Afterwards you can use HAProxy or Caddy to proxy the SSH connection with the PROXY protocol header. mmproxy on the SSH server will then unwrap this and inject the real client IP.

https://docs.opnsense.org/manual/how-tos/caddy.html#ssh-multiplexing-on-https-port

I don't have any example of how to use mmproxy on the SSH server side.
Hardware:
DEC740
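What the "unwrap" step in the reply above amounts to, as an added example that is not part of this thread and not mmproxy's or Caddy's own code: the proxy prepends one text line in PROXY protocol v1 format to the TCP stream, and the receiver has to parse that line strictly and only honour it when the TCP peer really is the trusted proxy. The sample stream, the proxy address and the trusted-proxy set below are constructed (RFC 5737 documentation addresses); everything else follows the published v1 header format.

```python
import ipaddress

# A PROXY protocol v1 header is a single ASCII line ending in CRLF and is at
# most 107 bytes long including the CRLF.
MAX_V1_HEADER = 107

# Constructed sample stream: header as a proxy would prepend it, followed by
# the first bytes of the real payload (an SSH banner here).
SAMPLE_STREAM = (
    b"PROXY TCP4 203.0.113.10 198.51.100.5 51234 443\r\n"
    b"SSH-2.0-OpenSSH_9.6\r\n"
)


def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 header off the start of `data`.

    Returns (info, payload). `info` holds family, src, dst, sport, dport, or
    just family 'UNKNOWN' when the proxy could not determine the client.
    Raises ValueError for anything malformed so the caller can drop the
    connection instead of trusting a half-parsed header.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within the 107-byte limit")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("header is not ASCII") from None
    payload = data[end + 2:]
    fields = line.split(" ")

    # 'PROXY UNKNOWN ...': the rest of the line is to be ignored by the receiver.
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, payload

    if len(fields) != 6:
        raise ValueError("expected 6 space-separated fields, got %d" % len(fields))
    _, family, src, dst, sport, dport = fields

    expected_version = {"TCP4": 4, "TCP6": 6}.get(family)
    if expected_version is None:
        raise ValueError("unsupported family %r" % family)
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        raise ValueError("bad address in header") from None
    if src_ip.version != expected_version or dst_ip.version != expected_version:
        raise ValueError("address does not match family %s" % family)

    ports = []
    for p in (sport, dport):
        # Decimal only, no leading zeroes, within the TCP port range.
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ValueError("bad port %r" % p)
        ports.append(int(p))

    info = {"family": family, "src": str(src_ip), "dst": str(dst_ip),
            "sport": ports[0], "dport": ports[1]}
    return info, payload


def header_is_valid(data: bytes) -> bool:
    """True if `data` starts with a well-formed PROXY v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def real_client_ip(data: bytes, peer_ip: str, trusted_proxies):
    """Return (client_ip, payload) for a freshly accepted connection.

    The header is only honoured when the TCP peer is one of the trusted
    proxies; otherwise any client could claim an arbitrary source address
    simply by sending a PROXY line itself. mmproxy-style setups pin this to
    the proxy's address for the same reason.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip, data
    info, payload = parse_proxy_v1(data)
    if info["family"] == "UNKNOWN":
        return peer_ip, payload
    return info["src"], payload


if __name__ == "__main__":
    # Constructed: the proxy itself sits at 198.51.100.5.
    client, rest = real_client_ip(SAMPLE_STREAM, "198.51.100.5", {"198.51.100.5"})
    print("client %s, payload starts with %r" % (client, rest[:7]))
```

The point of the trusted-proxy check is the same one that makes transparent mode attractive in the first place: the address that ends up in the server log must be something the server had a reason to believe, not a value any peer can assert.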

While that seems like it might be an option, it's a lot more moving parts that I have no familiarity with.  Also, I'm trying to multiplex openvpn on port 443, not ssh in particular.  I was hoping somebody might be able to suggest a working FreeBSD config for this as sslh is a fairly common solution to this problem, but it seems the usage of transparent mode is much less popular.

April 04, 2025, 09:55:18 PM #3 Last Edit: April 04, 2025, 09:59:19 PM by Monviech (Cedrik)
You can multiplex openvpn with caddy quite easily.

https://forum.opnsense.org/index.php?topic=38714.msg221662#msg221662
Hardware:
DEC740