Fedora 20: SSLH + SSH And Getting Through Firewalls

SUMMARY
So, I have this nice shiny SSH server at home that I use for, well, just about everything. But for this post, I'll focus on the fact that I like to tunnel my VNC service through my SSH connection. Nothing special here, it is just the normal:

ssh -C -X -p 22 -L 5905:localhost:5905 danny@ssh.thelupine.com

Then I connect to localhost:5905 for my VNC service. Easy enough, and I do that regularly from my phone. Here comes the issue. At work, the firewall blocks outbound SSH. In fact, it appears to block everything except outbound 80 and 443. What to do? Well, thanks to an application called sslh, I can use my HTTPS port, 443, and SSLH well accept and forward the necessary services across this shared port. To quote the developer's web site, "sslh acts as a protocol demultiplexer". This is how I got everything setup on my Fedora 20 server.

 

INSTRUCTIONS
** NOTE ** Most of these instructions are taken directly from the developer's helpful GitHub site: https://github.com/yrutschle/sslh

1.) Go grab the tarball from the site, for this example I am using http://www.rutschle.net/tech/sslh-v1.16.tar.gz

2.) On my Fedora 20 server, I also needed to install the libconfig-devel package

yum -y install libconfig-devel

3.) Now just extract the tarball, cd into the directory, and run the following:

make
cp sslh-fork /usr/local/sbin/sslh
cp scripts/systemd.sslh.service /etc/systemd/system/
mkdir /etc/sslh
cp basic.cfg /etc/sslh/sslh.conf

4.) Of course I needed to update the /etc/systemd/system/systemd.sslh.service and /etc/sslh/sslh.conf files. They are commented, and pretty easy to adjust. Also, I made sure to enable the new systemd sslh service:

systemctl enable sslh.service

5.) Once all done, I needed to make sure that my web server was not listening on my external IP anymore, as sslh would be listening on that IP and port 443 from now on. Again, easy enough, I just edited the /etc/httpd/conf.d/ssl.conf file, and made sure to update the listeners like so:

Listen 127.0.0.1:443 https
Listen 192.168.10.1:443 https

6.) With all that done, I restarted httpd and I launched the newly installed sslh service:

systemctl restart httpd.service
systemctl start sslh.service

7.) All done. Some netstat -taunp commands, and I was able to see the correct services listening on the correct ports.

8.) Testing: Simple enough, I changed the SSH port on the normal command I type at work to

ssh -C -X -p 443 -L 5905:localhost:5905 danny@ssh.thelupine.com

I was able to connect from work, through the more restrictive firewall, and then launched my VNC connection to localhost. Everything worked as expected, and just as fast as a normal SSH connection!

 

CONCLUSION
So far, I have found no weird side effects, or related security issues. The speed and reliability is pretty much the same as hitting it directly to SSH. Checking the local work workstation, all I see is me hitting my server on 443. It is an easy to implement solution, and gave me exactly what I needed. Thanks Yves Rütschlé!!!

Pages