OpenVPN - New Instances cannot use Advanced options like "port-share"

[utmoab]

Some roadwarrior users use their openVPN connection on very restricred networks where they are usually allowed only port 80 et 443. We only have one public IP address and host a couple of web applications on the same 443 port.

As such, I have setup an openVPN server over TCP, port 443 with the option "port-share" where non-openVPN traffic (i.e. normal https traffic) is forwarded to an nginx reverse proxy.

On the new "Instances" UI, there is not anymore the possibility to use advances options like "port-share". On the "old" UI for openVPN server, the Advanced option is even commented with "This option will be removed in the future due to being insecure by nature".

Is there any plan to add the posbility to use the "port-share" option on the new Instances UI ?

[franco]

Hi,

That's sort of why we don't like advanced options: people add useful features and nobody requests a GUI inclusion.

I think this can go in, but I'm asking to create a ticket for it: https://github.com/opnsense/core/issues/new?assignees=&labels=&projects=&template=feature_request.md&title=


Cheers,
Franco

[Patrick M. Hausen]

The port share feature tends to be slow in my experience. I recommend investigating the os-sslh plugin instead. It works great.

[seed]

I also need this option and created a feature request on github:
https://github.com/opnsense/core/issues/6758

[seed]

it lloks like port-share will not be inplemented 

[franco]

Well, not today.


Cheers,
Franco

[Patrick M. Hausen]

Can't you use os-sslh? It's orders of magnitude faster!

[smema79]

Just tried it, setting up a new Instance.

through the use of os-sslh plugin I can safely make up for not being able to use port-share... in fact, it is more practical.

thanks for the suggestion.
Regards

[seed]

i prefer openvpn running on port 443 and use port-share.

The reason:

when sslh stops i cant reach my box. When openvpn is running on tht port its is "closer" to the net. when nginx stop i can connect using openvpn and start the service again. when sslh stops i cant connect to vpn and figure out what happend.
Its also not possible to the the "real" ip in the openvpn log.

[smema79]

Correct. In the previous post, I was referring to a home/test use condition.
Indeed, the port-share solution has the merits as you indicated and is more convenient in case of traceability of the connections/tunnels/users.
At the moment and pending further development, this plugin gives the possibility to test on the new instance mode if we are in the condition of having only one public IP and need to use port 443 for both, nginx/haproxy and OpenVPN.

Inviato dal mio SM-A336B utilizzando Tapatalk

[utmoab]

Following the advice on this thread, I have been trying the sslh package for the last few days. This is really easy to setup.
However, there is one problem I have not yet been able to solve. Because sslh takes port 443 and "forward" to services hosted on other ports on localhost (like 1194 for openVPN et 444 for nginx, for exemple), the source IP that is logged by these services is only the localhost IP, and not the real source IP. Thus, IP ACLs setup in Nginx do not work, for exemple.

The original software  has a "transparent mode" that solve this problem, but this mode does not seem (or I was not able to find it) to be available on OPNsense.

[Patrick M. Hausen]

As far as I get from the available documentation transparent mode for sslh is supported on FreeBSD. You would need manual inbound and outbound firewall/NAT rules to make it work, though. I found this article which explains all the basics, but uses ipfw instead of pf. But one can probably adapt the rules quite easily:

https://www.rutschle.net/tech/sslh/doc/config

[smema79]

what I did not understand is whether or not the port-share command on new openvpn instances (not legacy) can, or will, be used again in the future. If yes, at this point I will wait for development to transition.

SSLH can be used in the meantime for just testing compatibility openvpn configurations between clients and legacy/new.

[seed]

I don't understand why features like port sharing are not possible.
Removing the extended free text section is fine. But not offering a form where you can set this configuration is not very nice.
If I want a dumb firewall with no finetuning options, I'll take something like a Sophos. The detailed configuration has always been a reason for Opnsense.

i had to vent.

[franco]

There's no reason not to work on a PR for anyone. Expecting someone else to spend their time on it instead is where there is contention. It's probably "easy", but making sure to double-check the OpenVPN documentation and consider the constraints and put them into place and update the help text correctly is what makes this time consuming especially for someone else not using this feature, because then someone else needs to pick it up and wait and debug and so on and so forth.


Cheers,
Franco