
Sslh on Tomato? (Shibby or Toastman)

Discussion in 'Tomato Firmware' started by spaze, Oct 12, 2012.

  1. spaze

    spaze Serious Server Member

    Hi all,

    I'm investigating the options for upgrading my Asus RT-N66U with Shibby's or Toastman's Tomato, but there is one issue I can't find anywhere. Does any Tomato build (or RMerlin or dd-wrt) support sslh (http://www.rutschle.net/tech/sslh.shtml) on the router?

    It would seem like a useful addition to any router firmware to be able to reuse port 443 (the only port that's generally available from a corporate LAN proxy) for https, ssh and openvpn at the same time. Currently I'm using a Linux VM as router and I'm very pleased with sslh.

    From what I could find, none of the custom firmwares have support for it, nor does it exist in optware. I know that OpenVPN can share the port with https, but not with SSH. Layer 7 filtering can probably identify one kind of traffic from the other, but is not able to redirect or reroute and thus is no option.

    A possible workaround would be to forward 443 as is to a backend Linux VM with sslh and do the demultiplexing there, but I'd rather have it done on the firewall/router. I'm not aware of any other workaround or alternative for this setup, but if someone does, please let me know.

    Thanks for your replies!

    Cheers,
    -- spaze
     
  2. maurer

    maurer LI Guru Member

  3. Steph217

    Steph217 Serious Server Member

    Hi,

    I've been looking for sslh also and wasn't able to find it.
    Here is sslh compiled with the tomato.git toolchain for optware.
    You can download it from: https://www.dropbox.com/sh/t17re2lvhuv5yhb/NuLCXrUdtY

    I'm running Tomato v1.28.0500 MIPSR2Toastman-RT-N K26 USB VLAN-VPN on a E4200.

    There are 2 archives.

    The CLI one only contains sslh and the man pages.
    Just copy the file and use cli to launch (/opt/sbin/sslh -p X.X.X.X:443 --ssh X.X.X.X:22 --ssl X.X.X.X:8081 -u nobody).

    The init.d one has startup script and kind of configuration file.
    Edit /opt/etc/default/sslh and start with /opt/etc/init.d/sslh.

    I'm a newbie, there might be some mistakes :)
    It has been running on my tomato for half a day now, without issues!

    Hope this will help.

    Steph217
     
  4. Garais

    Garais Serious Server Member

    Good day,
    This'll be a somewhat noobish post. Are there any updates on sslh compatibility with tomato? I've been using the ssh daemon for some time on the stock tomato 1.28, but that doesn't work any more due to a problem with the ssh port. Is there any news on this becoming a feature in future versions? Or is there a clear way to launch the files supplied by Steph above?
    Thanks
     
  5. Steph217

    Steph217 Serious Server Member

    Hi Garais,
    First of all, you will need Optware: http://tomatousb.org/doc:optware

    Let's use CLI version sslh_1.13_opt_cli.tar.gz.
    Copy the file sslh to /opt/sbin and forget about the sslh.8 file.
    Add to your firewall script the below line:
    /opt/sbin/sslh -p X.X.X.X:443 --ssh Y.Y.Y.Y:22 --ssl Y.Y.Y.Y:8081 -u nobody

    X.X.X.X represents the listening IP address for sslh (put 0.0.0.0 if you want to listen on all network interfaces).
    Y.Y.Y.Y represents the listening IP address for the other services (in the example, 22 for ssh and 8081 for alternate www).

    Hope this will help.

    Steph217
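
How a multiplexer such as sslh can tell apart the protocols sharing port 443 from the first bytes a client sends, as an added example that is not part of the thread and not sslh's own code. The function names, the sample byte strings and the drop-on-unknown policy are assumptions of this sketch, and the OpenVPN check is a simplified heuristic that expects exactly one packet in the first read.

```python
import struct

# Constructed sample openings (not captured traffic).
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_6.0\r\n",
    "ssl": bytes.fromhex("16030100c8010000c40303"),  # TLS record header + ClientHello start
    "openvpn": struct.pack("!H", 14) + bytes([7 << 3]) + bytes(13),
    "http": b"GET / HTTP/1.1\r\n",
}
OPENVPN_RESET_OPCODES = {1, 7, 10}  # P_CONTROL_HARD_RESET_CLIENT_V1 / V2 / V3


def classify(buf: bytes) -> str:
    """Classify a client's first bytes: ssh, ssl, openvpn, unknown or need_more."""
    if len(buf) < 4:
        return "need_more"
    if buf.startswith(b"SSH-"):  # RFC 4253 identification string
        return "ssh"
    # TLS record: type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello).
    if buf[0] == 0x16 and buf[1] == 0x03 and buf[2] <= 0x04:
        if len(buf) < 6:
            return "need_more"
        return "ssl" if buf[5] == 0x01 else "unknown"
    # OpenVPN over TCP: 16-bit big-endian length prefix, then an opcode
    # in the top five bits of the next byte (hard reset from the client).
    (plen,) = struct.unpack("!H", buf[:2])
    if plen == len(buf) - 2 and (buf[2] >> 3) in OPENVPN_RESET_OPCODES:
        return "openvpn"
    return "unknown"


def route(buf: bytes, timed_out: bool = False, fallback: str = "ssh") -> str:
    """Pick a backend name for a new connection.

    Many SSH clients wait for the server banner before sending anything, so a
    silent client is handed to the fallback once the probe timeout expires.
    Unrecognised openings are dropped (assumption of this sketch).
    """
    verdict = classify(buf)
    if verdict == "need_more":
        return fallback if timed_out else "wait"
    return "drop" if verdict == "unknown" else verdict
```

Because the multiplexer proxies each connection, sshd and the web server log its address as the client unless transparent proxying is set up, so source-address based controls on the backends need to account for that.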
     
