
Running an HTTPS Website and SoftEtherVPN alongside each other.

Andrew edited this page Dec 14, 2021 · 13 revisions

Running a web server (or other HTTPS application) alongside SoftEtherVPN can be difficult, because SoftEther and HTTPS both use port 443. SoftEther only requires port 443 for the SSTP protocol, but port 443 may be your only option if, for example, you are trying to connect from a restrictive network. So if you only have one VPS (or one IP address, as in a home network) you may need to share or "multiplex" port 443 with other services. To multiplex port 443 we will be using SSLH, since it is the easiest and quickest to get up and running.

Specifications for this guide:

  • All services are hosted on the same machine, running Ubuntu 20.04
  • SoftEtherVPN is installed with TCP Listener Port 443 disabled (ListenerDisable 443 in vpncmd)
  • SSLH is compiled (using below instructions)
  • Apache2 is the webserver, running on port 4434.
  • UFW is used to control open and closed ports.
  • Let's Encrypt for SSL.
  • The domain mydomain.tld will be used in the examples. YOU NEED A DOMAIN NAME!

Apache2 and Let's Encrypt

Install

  • sudo apt update && sudo apt upgrade (if necessary)
  • sudo systemctl stop softether-vpnserver OR vpnserver stop based on your configuration (just make sure SE is stopped)
  • sudo apt install apache2
  • sudo apt-get install certbot python3-certbot-apache

Configure Your First Subdomain

  • sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/www.conf
  • sudo nano /etc/apache2/sites-available/www.conf and uncomment ServerName www.example.com around line 8. Set www.example.com to www.yourdomain.tld (replace yourdomain.tld with your real domain)
  • sudo a2ensite www.conf
  • sudo systemctl restart apache2

Get your first SSL certificate

  • sudo certbot --apache
  • Follow the instructions and select the number next to www.yourdomain.tld (most likely 1). Once that is complete, we can change the ports.
  • sudo nano /etc/apache2/ports.conf and change all instances of port 443 to something else, such as 4434.
  • sudo nano /etc/apache2/sites-available/www-le-ssl.conf and change :443 to :4434 (or whatever you changed 443 to in ports.conf).

Second and Later Sites.

When you need to create a second site or SSL certificate, refer to this section (change sitex to your new subdomain of choice).

  • sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/sitex.conf
  • sudo nano /etc/apache2/sites-available/sitex.conf and uncomment ServerName www.example.com around line 8. Set www.example.com to sitex.yourdomain.tld (replace yourdomain.tld with your real domain)
  • sudo a2ensite sitex.conf
  • sudo systemctl restart apache2

Get your second or newer SSL Certificate

  • sudo certbot certonly --apache This will ONLY generate certificates, not configure Apache. Follow the instructions and select the number that corresponds to sitex.yourdomain.tld. Once that is complete, we can create the Apache file.
  • sudo cp /etc/apache2/sites-available/www-le-ssl.conf /etc/apache2/sites-available/sitex-le-ssl.conf
  • sudo nano /etc/apache2/sites-available/sitex-le-ssl.conf and, around line 8, set www.yourdomain.tld to sitex.yourdomain.tld (replace yourdomain.tld with your real domain).
  • At the bottom where you see /etc/letsencrypt/live/www.yourdomain.tld/X.pem change the www to sitex for both the fullchain.pem and privkey.pem lines.
  • sudo a2ensite sitex-le-ssl.conf
  • sudo systemctl restart apache2

SoftEther configuration

Disable Port 443

Start SoftEther with systemctl start softether-vpnserver or vpnserver start, based on your configuration. Then run ListenerDisable 443 in vpncmd as the Administrator and you should be fine.

Get an SSL certificate.

  • sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/vpn.conf
  • sudo nano /etc/apache2/sites-available/vpn.conf and uncomment ServerName www.example.com around line 8. Set www.example.com to vpn.yourdomain.tld (replace yourdomain.tld with your real domain)
  • sudo a2ensite vpn.conf
  • sudo systemctl restart apache2
  • sudo certbot certonly --apache
  • Once that is done, you can disable the Apache site again:
  • sudo a2dissite vpn.conf
  • sudo systemctl restart apache2

Apply the certificate to SoftEtherVPN

  • Run sudo vpncmd on the server (be sure to use vpncmd as root).
  • ServerCertSet /LOADCERT:/etc/letsencrypt/live/vpn.yourdomain.tld/fullchain.pem /LOADKEY:/etc/letsencrypt/live/vpn.yourdomain.tld/privkey.pem Replace yourdomain.tld with your domain.

SSLH Installation and Configuration.

  • Create a TAP device in SoftEther for any virtual hub that links to your server. It does not matter which hub: the TAP device only serves as a "loopback" address that isn't 127.0.0.1, which sslh needs as the backend address in transparent mode (the example sslh configuration below assumes this address is 192.168.30.10).
  • git clone https://github.com/yrutschle/sslh.git
  • sudo apt install libconfig-dev make gcc libcap-dev pcre2-utils libwrap0-dev libbsd-dev libpcre2-dev libsystemd-dev libev-dev
  • cd sslh
  • nano Makefile and enable UNIX capabilities (USELIBCAP=1, as shown below; transparent proxying needs them)
## Install
 
VERSION=$(shell ./genver.sh -r)
ENABLE_REGEX=1         # Enable regex probes
USELIBCONFIG=1         # Use libconfig? (necessary to use configuration files)
USELIBPCRE=1           # Use libpcre? (needed for regex on musl)
USELIBWRAP=1           # Use libwrap?
USELIBCAP=1            # Use libcap?
USESYSTEMD=1           # Make use of systemd socket activation
COV_TEST=              # Perform test coverage?
PREFIX=/usr/local
BINDIR=$(PREFIX)/sbin
MANDIR=$(PREFIX)/share/man/man8
MAN=sslh.8.gz          # man page name
 
# End of configuration -- the rest should take care of
# itself
  • sudo make install
  • sudo mkdir /etc/sslh
  • sudo mkdir /var/empty
  • sudo useradd sslh
  • sudo mkdir /home/sslh && sudo chown sslh:sslh /home/sslh
  • sudo nano /lib/systemd/system/sslh.service
[Unit]
Description=SSL/SSH multiplexer
After=network.target
Documentation=man:sslh(8)
 
[Service]
#EnvironmentFile=/etc/default/sslh
#ExecStart=/usr/local/sbin/sslh $DAEMON_OPTS
ExecStart=/usr/local/sbin/sslh -F /etc/sslh/sslh.cfg
KillMode=process
 
[Install]
WantedBy=multi-user.target

Configure

  • sudo nano /etc/sslh/sslh.cfg
#verbose: true;
foreground: true;
inetd: false;
numeric: true;
# transparent: backends see the real client address instead of sslh's. This needs the
# iptables/ip rules from the Iptables section and CAP_NET_ADMIN (hence USELIBCAP=1 above).
transparent: true;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh.pid";
chroot: "/var/empty";

listen:
(
# REPLACE 12.34.45.56 WITH YOUR DEVICE'S IP ADDRESS! (i.e. the one you see in ifconfig for eth0)
{ host: "12.34.45.56"; port: "443"; }
);
 
# sslh demultiplexes based on the protocol and the TLS SNI hostname.
# 192.168.30.10 is the address of the SoftEther TAP device created above; backends must be
# reached through a non-127.0.0.1 address for transparent mode to work.
protocols:
(
# Apache Website
{ name: "tls"; sni_hostnames: [ "www.yourdomain.tld" ]; host: "192.168.30.10"; port: "4434"; log_level: 1; },
# SoftEther
{ name: "tls"; sni_hostnames: [ "vpn.yourdomain.tld" ]; host: "192.168.30.10"; port: "5555"; log_level: 1; },
# You can try SSH. I couldn't get it to work but maybe you can.
{ name: "ssh"; host: "192.168.30.10"; port: "22"; log_level: 1; }
);
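
To show what the sni_hostnames matching in the configuration above is keyed on, here is an added Python example (not part of this guide or of sslh itself) that builds a constructed ClientHello, parses the SNI extension out of it the way a demultiplexer must, and maps the hostname to the backends from the config. It also shows the two cases a name-based rule cannot route: a ClientHello without SNI, and a connection whose first bytes are not TLS at all. The hostnames and backend addresses are the ones from the config above; the fallback behaviour sslh applies after its timeout is not modelled.

```python
import struct

# Backend table mirroring the "protocols" block of the sslh.cfg above (values copied from it).
BACKENDS = {
    "www.yourdomain.tld": ("192.168.30.10", 4434),  # Apache
    "vpn.yourdomain.tld": ("192.168.30.10", 5555),  # SoftEther
}

def build_client_hello(sni):
    """Constructed sample: a minimal TLS ClientHello record, with an SNI extension if sni is given."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        exts = struct.pack("!HH", 0, len(lst)) + lst                # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                 # client_version, 32-byte random
            + b"\x00"                                  # session_id length 0
            + b"\x00\x02\x13\x01"                      # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                              # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def extract_sni(data):
    """Return the host_name from the ClientHello's SNI extension, or None if there is none."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                                    # not a TLS handshake / not a ClientHello
    pos = 9 + 2 + 32                                   # skip record+handshake headers, version, random
    pos += 1 + data[pos]                               # session_id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + data[pos]                               # compression_methods
    if pos + 2 > len(data):
        return None                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == 0:                                 # server_name: list_len(2) type(1) name_len(2) name
            nlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            return data[pos + 5:pos + 5 + nlen].decode("ascii")
        pos += elen
    return None

def route(data):
    """Pick the backend as sslh's sni_hostnames match would; None = no TLS rule matched."""
    return BACKENDS.get(extract_sni(data))
```

A client that omits SNI (or hides it, as Encrypted Client Hello does) therefore cannot be steered to Apache or SoftEther by hostname, which is why both names must be present in the certificates and in the clients' configuration.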

Iptables

  • sudo nano /usr/local/sbin/server_tproxy_add.sh and add the following. Add more ports after --sport if needed, and replace eth0 with your outbound interface.
#!/bin/sh
# Transparent-proxy plumbing for sslh: packets belonging to transparent sockets and replies
# leaving from the backend ports (4434, 5555) are marked, and marked packets are routed to
# lo via a separate routing table so they return through sslh instead of leaving the host.
iptables -t mangle -N SSLH
iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 4434,5555 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# Same for IPv6, with its own mark and table.
ip6tables -t mangle -N SSLH6
ip6tables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH6
ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 4434,5555 --jump SSLH6
ip6tables -t mangle -A SSLH6 --jump MARK --set-mark 0x3
ip6tables -t mangle -A SSLH6 --jump ACCEPT
ip -6 rule add fwmark 0x3 lookup 103
ip -6 route add local ::/0 dev lo table 103
  • sudo nano /usr/local/sbin/server_tproxy_rm.sh and add the following. Add more ports after --sport if needed (the same ports and interface as in the add script).
#!/bin/sh
# Undo everything server_tproxy_add.sh set up, in reverse order.
iptables -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -D OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 4434,5555 --jump SSLH
iptables -t mangle -D SSLH --jump MARK --set-mark 0x1
iptables -t mangle -D SSLH --jump ACCEPT
iptables -t mangle -X SSLH
ip rule del fwmark 0x1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100

ip6tables -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH6
ip6tables -t mangle -D OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 4434,5555 --jump SSLH6
ip6tables -t mangle -D SSLH6 --jump MARK --set-mark 0x3
ip6tables -t mangle -D SSLH6 --jump ACCEPT
ip6tables -t mangle -X SSLH6
ip -6 rule del fwmark 0x3 lookup 103
ip -6 route del local ::/0 dev lo table 103
  • chmod +rx /usr/local/sbin/server_tproxy_add.sh
  • chmod +rx /usr/local/sbin/server_tproxy_rm.sh
  • systemctl enable sslh.service
  • systemctl start sslh.service
  • sudo /usr/local/sbin/server_tproxy_add.sh

Having issues with DNS Resolution?

  • sudo nano /etc/resolv.conf
  • Change the nameserver to a real DNS server, such as 8.8.8.8
  • chattr +i /etc/resolv.conf to lock the file so it is not overwritten

Notes

This may still be incomplete! Please leave comments and suggestions.