Running an HTTPS website and SoftEtherVPN alongside each other
Running a web server (or any other HTTPS application) alongside SoftEtherVPN can be difficult. The reason? SoftEther and HTTPS both want port 443. SoftEther only needs port 443 for the SSTP protocol, but port 443 may be your only option if, for example, you are connecting from a restrictive network that blocks everything else. So if you only have one VPS (or one public IP address, as in a home network) you may need to share, or "multiplex", port 443 between several services. To multiplex port 443 we will use SSLH, since it is the easiest and quickest to get up and running: it looks at the first bytes of each incoming connection (the protocol, and for TLS the hostname in the SNI extension) and forwards the connection to the matching backend.
Assumptions:

- All services are hosted on the same machine, running Ubuntu 20.04.
- SoftEtherVPN is installed with the TCP listener on port 443 disabled (`ListenerDisable 443` in `vpncmd`).
- SSLH is compiled from source (using the instructions below).
- Apache2 is the web server, running on port 4434.
- UFW is used to control open and closed ports.
- Let's Encrypt for SSL.
- The domain `mydomain.tld` is used in the examples (the commands below write it as `yourdomain.tld`); replace it with your real domain. YOU NEED A DOMAIN NAME!
Install Apache and certbot:

- `sudo apt update && sudo apt upgrade` if necessary.
- `sudo systemctl stop softether-vpnserver` or `vpnserver stop`, based on your configuration (just make sure SoftEther is stopped).
- `sudo apt install apache2`
- `sudo apt-get install certbot python3-certbot-apache`
- `sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/www.conf`
- `sudo nano /etc/apache2/sites-available/www.conf` and uncomment `ServerName www.example.com` around line 8. Set `www.example.com` to `www.yourdomain.tld` (replace yourdomain.tld with your real domain).
- `sudo a2ensite www.conf`
- `sudo systemctl restart apache2`
- `sudo certbot --apache`
- Follow the instructions and select the number next to `www.yourdomain.tld`. It is most likely `1`. Once that is complete, we can change the ports.
- `sudo nano /etc/apache2/ports.conf` and change all instances of port `443` to something else, such as `4434`.
- `nano /etc/apache2/sites-available/www-le-ssl.conf` and change the `:443` to `:4434`, or whatever you changed 443 to in the ports file.
WHEN YOU NEED TO CREATE A SECOND SITE OR SSL CERTIFICATE, REFER TO THIS (change `sitex` to your new subdomain of choice):
- `sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/sitex.conf`
- `sudo nano /etc/apache2/sites-available/sitex.conf` and uncomment `ServerName www.example.com` around line 8. Set `www.example.com` to `sitex.yourdomain.tld` (replace yourdomain.tld with your real domain).
- `sudo a2ensite sitex.conf`
- `sudo systemctl restart apache2`
- `sudo certbot certonly --apache`. This will ONLY generate certificates, not configure Apache! Follow the instructions and select the number next to `sitex.yourdomain.tld`; look for which number corresponds to it. Once that is complete, we can create the Apache file.
- `sudo cp /etc/apache2/sites-available/www-le-ssl.conf /etc/apache2/sites-available/sitex-le-ssl.conf`
- `sudo nano /etc/apache2/sites-available/sitex-le-ssl.conf`. Around line 8, set `www.yourdomain.tld` to `sitex.yourdomain.tld` (replace yourdomain.tld with your real domain).
- At the bottom, where you see `/etc/letsencrypt/live/www.yourdomain.tld/X.pem`, change the `www` to `sitex` for both the `fullchain.pem` and `privkey.pem` lines.
- `sudo a2ensite sitex-le-ssl.conf`
- `sudo systemctl restart apache2`
Start SoftEther with `systemctl start softether-vpnserver` or `vpnserver start`, based on your configuration.

To free port 443 in SoftEther, just run `ListenerDisable 443` in `vpncmd` as the Administrator and you should be fine.
Getting a Let's Encrypt certificate for SoftEther itself:

- `sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/vpn.conf`
- `sudo nano /etc/apache2/sites-available/vpn.conf` and uncomment `ServerName www.example.com` around line 8. Set `www.example.com` to `vpn.yourdomain.tld` (replace yourdomain.tld with your real domain).
- `sudo a2ensite vpn.conf`
- `sudo systemctl restart apache2`
- `sudo certbot certonly --apache`
- Once that is done, you can disable the Apache site using `sudo a2dissite vpn.conf` followed by `sudo systemctl restart apache2`.
- Run `sudo vpncmd` on the server (be sure to use `vpncmd` as root).
- `ServerCertSet /LOADCERT:/etc/letsencrypt/live/vpn.yourdomain.tld/fullchain.pem /LOADKEY:/etc/letsencrypt/live/vpn.yourdomain.tld/privkey.pem` (replace `yourdomain.tld` with your domain).
- Create a TAP device in SoftEther for any virtual hub that links to your server. It does not matter which one, since all this is for is to create a "loopback" address that isn't 127.0.0.1; that address is the one sslh forwards to as `host` in the configuration below (`192.168.30.10` in the examples).
Build and install SSLH:

- `git clone https://github.com/yrutschle/sslh.git`
- `sudo apt install libconfig-dev make gcc libcap-dev pcre2-utils libwrap0-dev libbsd-dev libpcre2-dev libsystemd-dev libev-dev`
- `cd sslh`
- `nano Makefile` and enable UNIX capabilities (`USELIBCAP=1`), as seen below:

```makefile
## Install
VERSION=$(shell ./genver.sh -r)
ENABLE_REGEX=1 # Enable regex probes
USELIBCONFIG=1 # Use libconfig? (necessary to use configuration files)
USELIBPCRE=1 # Use libpcre? (needed for regex on musl)
USELIBWRAP=1 # Use libwrap?
USELIBCAP=1 # Use libcap?
USESYSTEMD=1 # Make use of systemd socket activation
COV_TEST= # Perform test coverage?
PREFIX=/usr/local
BINDIR=$(PREFIX)/sbin
MANDIR=$(PREFIX)/share/man/man8
MAN=sslh.8.gz # man page name
# End of configuration -- the rest should take care of
# itself
```

- `sudo make install`
- `sudo mkdir /etc/sslh`
- `sudo mkdir /var/empty`
- `sudo useradd sslh`
- `sudo mkdir /home/sslh && sudo chown sslh:sslh /home/sslh`
- `sudo nano /lib/systemd/system/sslh.service` and put in:

```ini
[Unit]
Description=SSL/SSH multiplexer
After=network.target
Documentation=man:sslh(8)

[Service]
#EnvironmentFile=/etc/default/sslh
#ExecStart=/usr/local/sbin/sslh $DAEMON_OPTS
ExecStart=/usr/local/sbin/sslh -F /etc/sslh/sslh.cfg
KillMode=process

[Install]
WantedBy=multi-user.target
```
- `sudo nano /etc/sslh/sslh.cfg` and put in:

```
#verbose: true;
foreground: true;
inetd: false;
numeric: true;
transparent: true;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh.pid";
chroot: "/var/empty";

listen:
(
    # REPLACE 12.34.45.56 WITH YOUR DEVICE'S IP ADDRESS! (i.e. the one you see in ifconfig for eth0)
    { host: "12.34.45.56"; port: "443"; }
);

# sslh demultiplexes based on the protocol and the TLS hostname (SNI)
protocols:
(
    # Apache website
    { name: "tls"; sni_hostnames: [ "www.yourdomain.tld" ]; host: "192.168.30.10"; port: "4434"; log_level: 1; },
    # SoftEther
    { name: "tls"; sni_hostnames: [ "vpn.yourdomain.tld" ]; host: "192.168.30.10"; port: "5555"; log_level: 1; },
    # You can try SSH. I couldn't get it to work but maybe you can.
    { name: "ssh"; host: "192.168.30.10"; port: "22"; log_level: 1; }
);
```
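To make the routing decision in that `protocols:` block concrete, here is an added example (not sslh's own code, and not part of the original guide) that re-implements, in simplified form, what the multiplexer does with the first bytes of a connection: probe whether they look like SSH or a TLS handshake, pull the `server_name` (SNI) out of the ClientHello, and pick the backend from a table mirroring the configuration above. The `ROUTES` table, the `build_client_hello` helper and the sample inputs are constructed for this example; hostnames, the `192.168.30.10` backend and the ports are the placeholders from the configuration.

```python
"""Simplified model of sslh's port-443 demultiplexing (added example, not sslh code)."""
import struct

# Routing table mirroring the protocols: block of the sslh.cfg above (constructed).
ROUTES = [
    {"name": "tls", "sni_hostnames": ["www.yourdomain.tld"], "host": "192.168.30.10", "port": 4434},
    {"name": "tls", "sni_hostnames": ["vpn.yourdomain.tld"], "host": "192.168.30.10", "port": 5555},
    {"name": "ssh", "host": "192.168.30.10", "port": 22},
]


def probe_protocol(data: bytes) -> str:
    """Classify the first bytes a client sends, the way sslh's probes do."""
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "unknown"


def extract_sni(data: bytes):
    """Return the server_name from a ClientHello record, or None if absent or malformed."""
    try:
        if data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if body[0] != 0x01:                                   # not a ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        pos = 2 + 32                                          # client_version + random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                 # compression_methods
        if pos + 2 > len(hello):
            return None                                       # no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0:                                    # server_name extension
                entry = pos + 2                               # skip server_name_list length
                if hello[entry] == 0:                         # name_type host_name
                    nlen = struct.unpack("!H", hello[entry + 1:entry + 3])[0]
                    return hello[entry + 3:entry + 3 + nlen].decode("ascii", "replace")
            pos += elen
        return None
    except (IndexError, struct.error):                        # truncated or garbage input
        return None


def route(first_bytes: bytes):
    """Pick the backend (host, port) for a connection, or None when no entry matches."""
    proto = probe_protocol(first_bytes)
    sni = extract_sni(first_bytes) if proto == "tls" else None
    for entry in ROUTES:
        if entry["name"] != proto:
            continue
        names = entry.get("sni_hostnames")
        if names is None:
            return entry["host"], entry["port"]
        if sni is not None and sni.lower() in [n.lower() for n in names]:
            return entry["host"], entry["port"]
    # The real sslh does not drop an unmatched connection; it falls back to a
    # default protocol after `timeout` (check the sslh README for your version).
    return None


def build_client_hello(sni):
    """Build a minimal TLS ClientHello record (constructed test input, not a capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # host_name entry
        name_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(name_list)) + name_list  # extension type 0
    hello = (b"\x03\x03" + b"\x11" * 32                   # client_version, fixed "random"
             + b"\x00"                                   # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
             + b"\x01\x00")                              # compression_methods: null only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [
        ("website", build_client_hello("www.yourdomain.tld")),
        ("vpn", build_client_hello("vpn.yourdomain.tld")),
        ("no SNI", build_client_hello(None)),
        ("other SNI", build_client_hello("other.example")),
        ("ssh", b"SSH-2.0-OpenSSH_8.2p1\r\n"),
        ("plain http", b"GET / HTTP/1.1\r\n"),
    ]
    for label, sample in samples:
        print(f"{label:11} -> {route(sample)}")
```

Two things worth noticing when you run it. First, the hostname is read from the unencrypted ClientHello, so the choice between Apache and SoftEther is made on a value any client can set; sslh's SNI matching is a routing convenience, not an access control, and SoftEther and Apache still have to authenticate as if they were directly exposed. Second, a TLS client that sends no SNI, or one with a hostname you did not list, matches neither `tls` entry; here that is a `None`, while sslh hands such connections to its fallback protocol, so test those cases (for example with `openssl s_client -servername`) after deploying rather than assuming they fail closed.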
- `sudo nano /usr/local/sbin/server_tproxy_add.sh`. With `transparent: true`, sslh opens the backend connection using the real client's source address, so the backends' replies have to be steered back through sslh instead of going straight out of `eth0`; these rules mark such packets and route them via the local table. Add more ports after `--sport` if needed.

```bash
#!/bin/sh
# Transparent-proxy routing for sslh: replies from the backends (ports 4434, 5555)
# are marked and delivered locally so that sslh can hand them to the client.
iptables -t mangle -N SSLH
iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 4434,5555 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

ip6tables -t mangle -N SSLH6
ip6tables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH6
ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 4434,5555 --jump SSLH6
ip6tables -t mangle -A SSLH6 --jump MARK --set-mark 0x3
ip6tables -t mangle -A SSLH6 --jump ACCEPT
ip -6 rule add fwmark 0x3 lookup 103
ip -6 route add local ::/0 dev lo table 103
```
- `sudo nano /usr/local/sbin/server_tproxy_rm.sh`. This undoes the script above; add the same extra ports after `--sport` if you added any there.

```bash
#!/bin/sh
# Remove the transparent-proxy rules and policy routes added by server_tproxy_add.sh.
iptables -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -D OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 4434,5555 --jump SSLH
iptables -t mangle -D SSLH --jump MARK --set-mark 0x1
iptables -t mangle -D SSLH --jump ACCEPT
iptables -t mangle -X SSLH
ip rule del fwmark 0x1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100

ip6tables -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH6
ip6tables -t mangle -D OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 4434,5555 --jump SSLH6
ip6tables -t mangle -D SSLH6 --jump MARK --set-mark 0x3
ip6tables -t mangle -D SSLH6 --jump ACCEPT
ip6tables -t mangle -X SSLH6
ip -6 rule del fwmark 0x3 lookup 103
ip -6 route del local ::/0 dev lo table 103
```
- `chmod +rx /usr/local/sbin/server_tproxy_add.sh`
- `chmod +rx /usr/local/sbin/server_tproxy_rm.sh`
- `systemctl enable sslh.service`
- `systemctl start sslh.service`
- `sudo /usr/local/sbin/server_tproxy_add.sh`
- `sudo nano /etc/resolv.conf` and change the nameserver to a real DNS server such as `8.8.8.8`.
- `chattr +i /etc/resolv.conf` to lock the file.
This may still be incomplete! Please leave comments and suggestions.