OpenVPN on Port 443
-
hello all,
is it possible to use OpenVPN via TCP on port 443? Unfortunately cloudron does not allow this in the app option menu. Background is that the firewall in my usage area only allows connections via port 443 and blocks the default VPN port 7494. -
@7dowwilkes Currently, this is not possible on Cloudron since 443 is where we have put the reverse proxy/nginx for https traffic.
One thing is a smart enough firewall can always filter out traffic that is not https. So, the firewall admins can always detect openvpn traffic at 443 and block it.
That said, I understand why something like this can be useful when things are not in your control.
-
There is a way to proxy this via Nginx, see:
-
ok i understand. thank you both for your help!
-
@girish actually, it's supposed to be very hard to distinguish between OpenVPN TCP and HTTPS traffic on a network level, because they both are in an SSL tunnel, so a firewall cannot see into it and know what kind of protocol is going on inside the tunnel.
-
@mehdi said in OpenVPN on Port 443:
actually, it's supposed to be very hard to distinguish between OpenVPN TCP and HTTPS traffic on a network level, because they both are in an SSL tunnel, so a firewall cannot see into it and know what kind of protocol is going on inside the tunnel.
a colleague of mine, who works in the same environment as me, uses OpenVPN via his Synology DiskStation on port 443 and it works there. this confirms what mehdi said. i will keep looking for ways...
-
@7dowwilkes Honestly, I don't think there is any way to do it with cloudron, as 443 is already taken by HTTPS and there is no way to do both on the same server (well, there are, but they would not work in this case).
However, I think you should look for other ports that your network will allow through, there most probably are some others, like IMAP / SMTP ports, maybe ftp, stuff like that. You most probably would be able to put OpenVPN on these and get it to work.
-
@mehdi nginx can distinguish and filter the two on the same port simply via domain destination (vhost). vpn.d.c vs www.d.c
See my post above.
-
@robi I do not mean that it is impossible to do. I said that it would not work in this case with the current software : Even if one manages to find a nginx config which would work, Cloudron does not support custom edits of the nginx config, as they would get overwritten all the time. And this would be very custom ^^
-
-
thank you all. i've almost resigned myself to the fact that it doesn't work with simple gui settings. i also don't know enough to tinker with config files on my own. i asked my colleague again about his settings on synology. he redirects port 443 to the default port 1194 via his home router. So he uses the router-nat, is reachable from outside via 443 and simply routes to the VPN instance.
there is probably no comparable NAT function in cloudron, is there?
while searching the internet i found the "haproxy" in docker-hub. maybe such a container (app) could transparently redirect from a host with port 443 to an internal ip with port 7494. but this is probably going too far and i don't want to overuse your help.
