yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
https://www.rutschle.net/tech/sslh/README.html
GNU General Public License v2.0

Can't connect to OpenVPN through sslh from behind squid proxy #154

Open fourpoint opened 6 years ago

fourpoint commented 6 years ago

Our work network is behind a Squid proxy and only ports 80 and 443 are usable. I'm trying to connect to my server with OpenVPN, so my server has to run HTTPS and OpenVPN on port 443, so I'm using sslh. But when the OpenVPN connection goes through the Squid proxy it is somehow modified, so sslh sends it to SSL (HTTPS), which produces this error message:

[me]----[Squid]--------(internet)---------{[sslh]-[OpenVPN]} { my server }

Thu Nov 30 11:05:14 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Nov 30 11:05:14 2017 MANAGEMENT: CMD 'state on'
Thu Nov 30 11:05:14 2017 MANAGEMENT: CMD 'log all on'
Thu Nov 30 11:05:14 2017 MANAGEMENT: CMD 'echo all on'
Thu Nov 30 11:05:14 2017 MANAGEMENT: CMD 'hold off'
Thu Nov 30 11:05:14 2017 MANAGEMENT: CMD 'hold release'
Thu Nov 30 11:05:14 2017 MANAGEMENT: CMD 'proxy HTTP proxy.[proxyName].cz 3128'
Thu Nov 30 11:05:15 2017 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Nov 30 11:05:15 2017 MANAGEMENT: >STATE:1512036315,RESOLVE,,,,,,
Thu Nov 30 11:05:15 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.0.44:3128
Thu Nov 30 11:05:15 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Nov 30 11:05:15 2017 Attempting to establish TCP connection with [AF_INET]10.0.0.44:3128 [nonblock]
Thu Nov 30 11:05:15 2017 MANAGEMENT: >STATE:1512036315,TCP_CONNECT,,,,,,
Thu Nov 30 11:05:16 2017 TCP connection established with [AF_INET]10.0.0.44:3128
Thu Nov 30 11:05:16 2017 Send to HTTP proxy: 'CONNECT [My Server IP]:443 HTTP/1.0'
Thu Nov 30 11:05:16 2017 Send to HTTP proxy: 'Host: [My Server IP]'
Thu Nov 30 11:05:16 2017 HTTP proxy returned: 'HTTP/1.0 200 Connection established'
Thu Nov 30 11:05:18 2017 TCP_CLIENT link local: (not bound)
Thu Nov 30 11:05:18 2017 TCP_CLIENT link remote: [AF_INET]10.0.0.44:3128
Thu Nov 30 11:05:18 2017 MANAGEMENT: >STATE:1512036318,WAIT,,,,,,
Thu Nov 30 11:05:18 2017 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Thu Nov 30 11:05:18 2017 Connection reset, restarting [0]
Thu Nov 30 11:05:18 2017 SIGUSR1[soft,connection-reset] received, process restarting
Thu Nov 30 11:05:18 2017 MANAGEMENT: >STATE:1512036318,RECONNECTING,connection-reset,,,,,
Thu Nov 30 11:05:18 2017 Restart pause, 5 second(s)

(i changed IPs)

How can I solve it?
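An added diagnostic example, not from this thread and not sslh's or OpenVPN's own code: it reads the first bytes of a TCP stream the way an OpenVPN TCP peer does and applies simplified first-bytes heuristics in the spirit of sslh's protocol probes (the heuristics and the sample byte strings are constructed assumptions; the 1627 limit is the value quoted in the warning above). It shows that the length 21331 in the log is 0x5353, the ASCII bytes `SS`, which is what a stream beginning like an SSH banner looks like when read as an OpenVPN length prefix.

```python
import struct

# Constructed samples of what the first bytes on the wire can look like for
# the protocols sslh is commonly asked to tell apart (not captured traffic).
SAMPLES = {
    "ssh banner": b"SSH-2.0-OpenSSH_7.4\r\n",
    "tls client hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "http request": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    # OpenVPN over TCP: 2-byte big-endian length, then the opcode/key_id byte
    # (P_CONTROL_HARD_RESET_CLIENT_V2 is opcode 7, i.e. 7 << 3 = 0x38), session id...
    "openvpn reset": struct.pack(">H", 14) + b"\x38" + b"\x00" * 13,
}

OPENVPN_MAX_LEN = 1627  # the link-MTU bound OpenVPN quoted in the log above


def openvpn_framing(data: bytes) -> dict:
    """Interpret the first bytes the way an OpenVPN TCP peer does."""
    if len(data) < 3:
        return {"ok": False, "reason": "need at least 3 bytes"}
    (length,) = struct.unpack(">H", data[:2])
    opcode = data[2] >> 3
    if not 0 < length <= OPENVPN_MAX_LEN:
        # This is the branch OpenVPN's "Bad encapsulated packet length" warning reports.
        return {"ok": False, "length": length,
                "reason": f"bad length {length} (bytes {data[:2]!r})"}
    return {"ok": True, "length": length, "opcode": opcode}


def guess_protocol(data: bytes) -> str:
    """Simplified first-bytes classifier (assumption: not sslh's actual probe logic)."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if data[:1] == b"\x16" and data[1:2] == b"\x03":  # TLS handshake record
        return "tls"
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"CONNECT ")):
        return "http"
    frame = openvpn_framing(data)
    if frame["ok"] and frame["opcode"] == 7 and frame["length"] == len(data) - 2:
        return "openvpn"
    return "unknown"


def explain_log_length(reported: int) -> str:
    """Map the length OpenVPN complained about back to the raw bytes it read."""
    raw = struct.pack(">H", reported)
    return f"{reported} = 0x{reported:04x} = bytes {raw!r}"
```

Running `explain_log_length(21331)` on the value from the warning gives `21331 = 0x5353 = bytes b'SS'`, so checking what is actually listening on the other side of the sslh forward (and sslh's own log for which target it chose) is the next step.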

Xiretza commented 6 years ago

What's your sslh log? Might be a duplicate of #133.

yrutschle commented 6 years ago

On Tue, Dec 19, 2017 at 06:07:11AM -0800, fourpoint wrote:

Dec 19 15:04:35 2e-server sslh[9207]: forward to openvpn failed:connect: Connection refused
Dec 19 15:04:35 2e-server sslh[9207]: connect: Connection refused

This contradicts your description: it's clearly forwarding to openvpn, and openvpn is not there listening. Check which port sslh connects to for openvpn, and check that openvpn really is listening on that port (netstat -lpte or something like that).

Y.

fourpoint commented 6 years ago

OpenVPN is working properly. My issue happens only when traffic goes through squid and sslh. When I connect to VPN directly with sslh [me]--------(internet)---------{[sslh]-[OpenVPN]} it is ok. And when I connect only through squid [me]----[Squid]--------(internet)---------{[OpenVPN]} it is ok too.

mateuszdrab commented 4 years ago

Weird, I've been running SSLH for a while and only recently after upgrading PFsense (server of openvpn) I started having issues with OpenVPN connections dropping or being forwarded to SSH. I think there might have been a change in the OpenVPN protocol or something since without SSLH everything works fine.