
Tuesday, 5 March 2013

OpenVPN port shared with Apache/SSL

I'm trying to set up OpenVPN to listen on port 443, and then pass all HTTPS traffic to Apache, by using the port-share option. Relevant config snippets are:
OpenVPN
local ${PUBLIC_IP}
port 443
port-share localhost 443
Apache with SSL
Listen localhost:443
My OpenVPN client connects just fine, but when opening the HTTPS enabled page, I get errors. Firefox says:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
Curl says
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
The request ends up on Apache, since I see in the error logs the following messages:
[Wed Oct 06 01:10:20 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:04 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:51 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
The messages entries for an HTTPS connection are
Oct  6 01:13:21 ns1 openvpn[20154]: Re-using SSL/TLS context
Oct  6 01:13:21 ns1 openvpn[20154]: LZO compression initialized
Oct  6 01:13:21 ns1 openvpn[20154]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Oct  6 01:13:21 ns1 openvpn[20154]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Oct  6 01:13:21 ns1 openvpn[20154]: Local Options hash (VER=V4): 'c0103fa8'
Oct  6 01:13:21 ns1 openvpn[20154]: Expected Remote Options hash (VER=V4): '69109d17'
Oct  6 01:13:21 ns1 openvpn[20154]: TCP connection established with ${CLIENT_IP}:56203
Oct  6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link local: [undef]
Oct  6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link remote: ${CLIENT_IP}:56203
Oct  6 01:13:21 ns1 openvpn[20154]: ${CLIENT_IP}:56203 Non-OpenVPN client protocol detected
Oct  6 01:13:21 ns1 openvpn[20154]: TCP/UDP: Closing socket
Using httpd-2.2.3-43.el5.centos and openvpn-2.1.1-2.el5.
What should I do to make port sharing work?

Update: Using
port 443
port-share localhost 10443
and
Listen localhost:10443
makes no difference.

Update 2: some command output
[root@ns1 ~]# openvpn --help | grep port-share
--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions
[root@ns1 ~]# netstat -nltp | grep 443
tcp        0      0 127.0.0.1:10443             0.0.0.0:*                   LISTEN      20088/httpd         
tcp        0      0 ${PUBLIC_IP}:443             0.0.0.0:*                   LISTEN      20066/openvpn       

2 Answers

up vote 5 down vote accepted
The port-share option sets the port the other application is listening on.
What you want to do, is to configure
port-share 10443
and set Apache to listen on port 10443:
Listen <your-public-ip>:10443
That's because two applications can't open the same port at once.


Thanks for your reply. OpenVPN binds on the public address, while Apache binds on localhost. I'll change the Apache port when I have the chance, but two applications can bind on the same port, given that they use different addresses. – Robert Munteanu Oct 6 '10 at 7:23

yes, true, but it's likely that openVPN will redirect to the same IP, not localhost (that would be the sane thing to do) – Hubert Kario Oct 6 '10 at 9:57

I actually meant to say port-share localhost 443. I tried port-share localhost 10443, but it still did not work, same error. – Robert Munteanu Oct 6 '10 at 20:40

ah, sorry, I was saying one thing and showing config for the other. I'd guess that apache has to listen on the same IP openvpn is listening, that is, public, not localhost. Updated my answer. – Hubert Kario Oct 6 '10 at 20:44

One more thing, are you sure your version of openvpn does support this option? (try with openvpn --help | grep port-share). And are you sure that apache listens on the configured port and has SSL working? – Hubert Kario Oct 6 '10 at 20:53
OpenVPN's port-share option allows you to redirect traffic to another HTTPS site, not to a regular web server; the error you're seeing
[error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
occurs when an SSL request is sent to a non-SSL site. I can reproduce the error by using
  port-share localhost 80
(instead of 443). If you set up your HTTPS site correctly then port-sharing will work.
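As an added example (not code from either answer or from OpenVPN itself), the following script shows the decision a port-share style demultiplexer has to make on the first bytes of a TCP connection, decodes the bytes Apache logged as an "Invalid method" to show they are a TLS record header, and probes whether a port-share target really speaks TLS. The TLS record-header values come from the TLS specification; the OpenVPN TCP framing (2-byte length prefix, opcode 7 for the first client control packet) is my reading of the protocol and the plausible-length bounds are an assumption; all sample inputs are constructed.

```python
"""Classify first bytes of a TCP stream and diagnose the Apache log line from the question."""
import re
import socket
import ssl

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake (ClientHello)
OVPN_HARD_RESET_CLIENT_V2 = 7   # opcode of the first OpenVPN client control packet (assumed)


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'openvpn' or 'other' for the first bytes a client sent."""
    # TLS record header: 0x16, then version 0x03 0x00..0x04 -> belongs to the HTTPS backend
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian length, then opcode in the upper 5 bits of byte 3
    if len(data) >= 3 and (data[2] >> 3) == OVPN_HARD_RESET_CLIENT_V2:
        length = int.from_bytes(data[:2], "big")
        if 14 <= length <= 4096:  # assumption: plausible size for a control packet
            return "openvpn"
    return "other"


def decode_apache_invalid_method(log_line: str):
    """Turn Apache's 'Invalid method in request \\x16\\x03\\x01' into bytes and classify them."""
    m = re.search(r"Invalid method in request ((?:\\x[0-9a-fA-F]{2})+)", log_line)
    if not m:
        return None
    raw = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", m.group(1)))
    return {"bytes": raw, "kind": classify_first_bytes(raw)}


def backend_speaks_tls(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if host:port completes a TLS handshake, False if it is plaintext or unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the protocol is tested here, not the certificate
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False  # a plaintext listener answered, the same failure curl reports as "unknown protocol"
    except OSError:
        return False


if __name__ == "__main__":
    # constructed log line in the same shape as the one in the question
    print(decode_apache_invalid_method(
        "[Wed Oct 06 01:10:20 2010] [error] [client 127.0.0.1] Invalid method in request \\x16\\x03\\x01"))
    print(classify_first_bytes(b"\x00\x0e\x38" + b"\x00" * 12))  # constructed OpenVPN first packet
```

Run `backend_speaks_tls(host, port)` against the host:port named in `port-share` to confirm the target is an HTTPS listener before blaming OpenVPN.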

from http://serverfault.com/questions/187915/openvpn-port-share-with-apache-ssl