How to have SSLH on IPv4 and IPv6


This is a post about the SSLH port multiplexer which allows you to have OpenVPN, SSH, HTTP, HTTPS, and more all on the same port!

I use SSLH to have OpenVPN, SSH, and HTTPS all on port 443, but I can also access all of those on port 80, should the need arise (it was probably useful to me once, and I’ve been too lazy to change the config since). The SSLH readme.md file is actually quite informative, and helped me achieve what I wanted.

I use SSLH in transparent mode, so it appears as if the requests are coming from the origin IP, and not localhost, which is a must-have for DDoS protection and such. Anyways, here are the iptables rules I use:

iptables-save | grep SSLH:
:SSLH - [0:0]
-A OUTPUT -o ens3 -p tcp -m tcp --sport 22 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 4433 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 1194 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 8080 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT
ip6tables-save | grep SSLH:
:SSLH - [0:0]
-A OUTPUT -o ens3 -p tcp -m tcp --sport 22 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 4433 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 1194 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 8080 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT

I have SSH listening on port 22, Apache HTTPS on port 4433, OpenVPN on port 1194, and Apache HTTP on port 8080. Now, the hard part was getting it to work in the SSLH config file. I ended up using:

--user sslh --transparent --listen realip:443 --listen realip:80 --ssh realip:22 --ssl realip:4433 --http realip:8080 --openvpn realip:1194

This uses realip, which is resolved in the hosts file (/etc/hosts) to your server’s IPv4 and IPv6 addresses:

IPv4addresshere realip
IPv6addresshere realip

Be sure to replace my IP with yours. It took me hours to figure this out, and no guide on the internet was there to help, so I made this one. Most of it is from the readme.md file though.
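The marking rules above are kept separately for iptables and ip6tables, so a backend port can appear in the sslh options and still be missing from one address family. The script below is an added example, not from the original post or the SSLH project: it compares the options line with saved rules. The IPv6 rule set in it is constructed with the 1194 rule removed, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the post): find sslh backend ports with no marking rule.

# Options line as given in the post.
SSLH_OPTS='--user sslh --transparent --listen realip:443 --listen realip:80 --ssh realip:22 --ssl realip:4433 --http realip:8080 --openvpn realip:1194'

# IPv4 rules as given in the post.
RULES_V4=':SSLH - [0:0]
-A OUTPUT -o ens3 -p tcp -m tcp --sport 22 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 4433 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 1194 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 8080 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT'

# Constructed IPv6 rules: the OpenVPN (1194) rule is left out on purpose.
RULES_V6=':SSLH - [0:0]
-A OUTPUT -o ens3 -p tcp -m tcp --sport 22 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 4433 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 8080 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT'

# backend_ports OPTS: print the port of every protocol target, one per line.
# --listen targets are the public side and are dropped first.
backend_ports() {
    printf '%s\n' "$1" \
        | sed -E 's/--listen +[^ ]+//g' \
        | grep -oE '[^ :]+:[0-9]+' \
        | sed -E 's/.*://' | sort -un
}

# missing_marks OPTS RULES: print each backend port that has no
# "-A OUTPUT ... --sport PORT ... -j SSLH" line in the saved rules.
missing_marks() {
    for port in $(backend_ports "$1"); do
        printf '%s\n' "$2" \
            | grep -Eq -- "^-A OUTPUT .*--sport ${port}( .*)? -j SSLH\$" \
            || printf '%s\n' "$port"
    done
}

echo "IPv4 missing: $(missing_marks "$SSLH_OPTS" "$RULES_V4" | tr '\n' ' ')"
echo "IPv6 missing: $(missing_marks "$SSLH_OPTS" "$RULES_V6" | tr '\n' ' ')"
```

On a live host, pass the output of iptables-save and ip6tables-save as the second argument instead of the embedded samples.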

I decided to add IPv6 support as the number of IPv4 addresses available is dangerously close to zero, and will no longer be allocated soon.
