Skip to content
Indus LeveL
haproxy vpn openconnect ssh centos7

How to use port 443 for SSH and OpenConnect VPN on Linux using HAProxy

Learn how to share port 443 for both SSH and OpenConnect VPN using HAProxy to bypass ISP port blocking.

2 min read
Cover image for HAProxy port sharing guide

I had setup Openconnect VPN Server on my CentOS 7 Linux VM. I wanted to use the same port 443 for accessing my VM using SSH. The reason is, my ISP has blocked most of the ports including SSH port 22 except port 443. In this article, we will use port 443 for running multiple services.

Prerequisites

We are going to install the HAProxy on CentOS 7. This article assumes that you have VM available which has Openconnect VPN running as well as VM is accessible via SSH on port 22.

Update the Installation

It is always a good approach to install latest updates

sudo yum update -y

HAProxy Installation

Install HAProxy package

yum install haproxy -y

Backup Original Configuration

Backup the default configuration which can be used in case we want to start over

cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak

Edit Openconnect Server Configuration

We need to reconfigure the Openconnect Server to free the port tcp/443 which will be used by HAProxy.

cat > /etc/ocserv/ocserv.conf <<'EOF'
enable-auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
listen-host = 127.0.0.1 ################################# Update this line to 127.0.0.1
udp-listen-host = 10.0.0.154 ############################ Update this line to the Machine IP
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
server-cert = /etc/letsencrypt/live/vpn.induslevel.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.induslevel.com/privkey.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem
isolate-workers = true
max-clients = 16
max-same-clients = 2
listen-proxy-proto = true
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
log-level = 1
device = vpns
predictable-ips = true
default-domain = vpn.induslevel.com
ipv4-network = 192.168.250.0/24
dns = 1.1.1.3
ping-leases = false
no-route = 192.168.5.0/255.255.255.0
cisco-client-compat = true
dtls-legacy = true
cisco-svc-client-compat = false
client-bypass-protocol = false
camouflage = false
camouflage_secret = "mysecretkey"
camouflage_realm = "Restricted Content"
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache
EOF

Reload the Configuration

Restart the Openconnect service to reload new configuration

systemctl restart ocserv

Verify the Service

Check the netstat output to see if the Openconnect server is running on 127.0.0.1:443

netstat -anp|grep ocserv

Output:

tcp  0  0 127.0.0.1:443  0.0.0.0:*          LISTEN      2063/ocserv-main    
udp  0  0 10.0.0.154:443 0.0.0.0:*                      2063/ocserv-main    

Edit HAProxy Configuration

We need to setup frontend and backend configuration in HAProxy. Setting up frontend will enable HAProxy to listen on port 443 and pass the traffic to backend server which in Openconnect and SSH service depending upon the type of incoming traffic.

cat > /etc/haproxy/haproxy.conf <<'EOF'
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
defaults
    mode                    tcp
    log                     global
    option                  tcplog
    option                  dontlognull
    option http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
frontend https
   bind 10.0.0.154:443 ############################################Listen on port 443
   mode tcp
   tcp-request inspect-delay 5s
   tcp-request content accept if { req_ssl_hello_type 1 }
   acl is_ssh payload(0,7) -m bin 5353482d322e30  ##### checking if the payload for ssh connection
   use_backend ssh if is_ssh ######################if it is ssh then send traffic to ssh port 22
   use_backend ocserv if { req_ssl_sni -i us-vpn.induslevel.com } ## check SNI field for vpn URL
backend ocserv
   mode tcp
   option ssl-hello-chk
   server ocserv 127.0.0.1:443 send-proxy-v2
backend ssh
    mode tcp
    server ssh-server 127.0.0.3:22 check
EOF

Service Start

Start the HAProxy service

systemctl start haproxy

Enable on Boot

Enable the service to start on system boot

systemctl enable haproxy

Check SSH Connectivity

SSH to the VM using ssh client such as Kitty on port 443.

Kitty SSH Connection Screenshot

Check VPN Connectivity

Open the Cisco Anyconnect app.

Check VPN Connectivity Intro Screenshot

  1. Click on the Connections. Step 1: Connections
  2. Click on the Plus sign. Step 2: Plus Sign
  3. Add name and URL for the server and press Done. Step 3: Add Connection
  4. Connection has been added. Step 4: Connection Added
  5. Click on the toggle button to start the connection. Step 5: Toggle Start
  6. You will be asked for username. Enter username and press Connect. Step 6: Username Prompt
  7. Enter the password and press Connect. Step 7: Password Prompt
  8. You will see connected status. Step 8: Connected Status

Check your IP using whatismyip.com.

Back to Blog
Share:

Follow along

Stay in the loop — new articles, thoughts, and updates.