tinc behind sslh

Varda Zklir v20z at yahoo.com
Sat Nov 12 15:52:15 CET 2011


Hello Guus.

I've been reading the mailing list archive threads about it at http://www.tinc-vpn.org/pipermail/tinc/2011-July/thread.html#2757 and http://rutschle.net/pipermail/sslh/2011-July/thread.html and am now trying to hide a tinc server behind the sslh multiplexer, but without luck.

First of all, directly it works fine. The initiator (an instance of tincd with a ConnectTo statement) successfully establishes a connection and runs a tunnel with the server (an instance of tincd which is listening for incoming connections). Server and client are on physically separate machines with different IP addresses.

When I move the tinc server to 127.0.0.1:443, hiding it behind sslh which listens on 192.168.0.1:443 and is started with the appropriate switch (--tinc), the connection is not established. This is even though the tinc client says that it:

Trying to connect to server (192.168.0.1 port 443)
Connected to server (192.168.0.1 port 443)
Sending ID to server (192.168.0.1 port 443): 0 client 17.0
Sending 14 bytes of metadata to server (192.168.0.1 port 443)
Connection closed by server (192.168.0.1 port 443)
Closing connection with server (192.168.0.1 port 443)

A hexadecimal tcpdump does not show the identification string "0 client 17.0" appearing at all, and thus sslh is stupidly waiting for "0 " and not switching to the tincd server.

When I connect to the server behind sslh manually and enter the ID by hand, I get multiplexing working:

telnet 192.168.0.1 443
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
0 client 17.0
0 server 17.0
1 94 64 0 0 XXXXXXXXX...

If I telnet to the tincd server directly, it sends its identification immediately without waiting for the client ID:

telnet 127.0.0.1 655
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
0 server 17.0

And again I can initiate handshaking manually during this telnet session:

0 client 17.0
1 94 64 0 0 XXXXXXXXX...

As I've been reading in the documentation at http://www.tinc-vpn.org/documentation-1.1/tinc_7.html "7.3.1 Authentication protocol", and as I see from the debug messages, client and server exchange identifications simultaneously.

Is this the right behavior of the tincd client, which waits for the opposite ID message from the server side as if it were mandatory? If the tincd client doesn't send its ID to the server, then it is impossible for sslh to detect the tinc protocol. Or is this a problem of sslh?

Thank You.
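As an added example (not from the post, tinc or sslh), here is a constructed Python model of the situation described above: a stand-in for sslh --tinc that peeks at the client's first bytes and routes on a leading "0 ", and a stand-in tincd that greets first. With a client that sends its ID immediately the handshake completes through the mux; with a client that sends nothing until it hears the server, the mux times out and the client sees the same "Connection closed by server" outcome as in the log. The "0 " probe rule, the ID strings and the timeouts are assumptions taken from the post's description, not sslh's or tinc's actual code.

```python
import socket
import threading

# Constructed stand-in for tincd: it sends its own ID as soon as a client connects.
def serve_tinc(listener, result):
    try:
        conn, _ = listener.accept()
    except socket.timeout:
        return                        # the mux never routed anyone to us
    with conn:
        conn.sendall(b"0 server 17.0\n")
        result["server_got"] = conn.recv(64)   # the client's ID, via the mux

# Constructed stand-in for sslh --tinc: route to tincd only after "0 " is seen.
def serve_mux(listener, backend_port, result, timeout=0.5):
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            first = conn.recv(64, socket.MSG_PEEK)   # probe without consuming
        except socket.timeout:
            result["route"] = "timeout"   # nothing to probe: close the client
            return
        result["route"] = "tinc" if first.startswith(b"0 ") else "other"
        if result["route"] != "tinc":
            return                        # "other" would go to the ssl/ssh backend
        with socket.create_connection(("127.0.0.1", backend_port)) as back:
            back.sendall(conn.recv(64))   # forward the client's ID to tincd
            conn.sendall(back.recv(64))   # relay tincd's ID back to the client

def run_scenario(client_sends_id_first):
    """Drive one client through the mux; return (route taken, bytes the client got)."""
    result = {}
    with socket.socket() as tinc_l, socket.socket() as mux_l:
        for s in (tinc_l, mux_l):
            s.bind(("127.0.0.1", 0))
            s.listen(1)
            s.settimeout(2.0)             # lets an unused tincd accept() give up
        threads = [threading.Thread(target=serve_tinc, args=(tinc_l, result)),
                   threading.Thread(target=serve_mux, args=(mux_l, tinc_l.getsockname()[1], result))]
        for t in threads:
            t.start()
        with socket.create_connection(mux_l.getsockname()) as c:
            c.settimeout(3.0)
            if client_sends_id_first:
                c.sendall(b"0 client 17.0\n")   # what the post's debug log claims
            got = c.recv(64)                    # b"" is "Connection closed by server"
        for t in threads:
            t.join()
    return result["route"], got
```

run_scenario(True) returns ("tinc", b"0 server 17.0\n"), while run_scenario(False) returns ("timeout", b""), which is the on-the-wire difference a tcpdump would reveal.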
