With help of SNI in stunnel,  we can  support both  road warrior and ssh function on the same TCP/443 port.

 

VPS Server:

Install  stunnel v5.31 with  openssl  v1.0.2, and listen on port 443

Install dante v1.4.1,  and listen on port 1080

Install openssh, and listen on port 22

 

Stunnel config for VPS server

chroot = /var/lib/stunnel/
pid=/stunnel.pid
setuid = stunnel
setgid = stunnel

;debug =debug
debug = err
;foreground = yes

log = append
;log = overwrite
output = /stunnel.log

cert = /etc/stunnel/stunnel.pem
;key = /etc/stunnel/stunnel.pem

verify = 3
CApath = /certs

; performance
socket = l:TCP_NODELAY=1

;compression = deflate
compression = zlib

[tls]
accept = 0.0.0.0:443
connect = 127.0.0.1:1080

[ssh]
sni = tls:22.vps.server.net
connect = 127.0.0.1:22

[socks]
sni = tls:vps.server.net
connect = 127.0.0.1:1080

 

stunnel listen on 22 for ssh connection

stunnel listen on 1080 for socks connection

 

Stunnel config for client within Corp’s network:

chroot = /var/lib/stunnel/
pid=/stunnel.pid
setuid = stunnel
setgid = stunnel

;debug = alert/crit/err/warning/notice/info/debug
debug = err

;foreground = yes

cert = /etc/stunnel/stunnel.pem

;compression = deflate | zlib
compression = zlib

client = yes

; performance
socket = l:TCP_NODELAY=1

[socks-http-proxy]
accept = 127.0.0.1:1080
connect = http_proxy_ip:http_proxy_port

protocol = connect
protocolHost = vps.server.net:443

[ssh-http-proxy]
accept = 0.0.0.0:22
connect = http_proxy_ip:http_proxy_port
protocol = connect
protocolHost = vps.server.net:443
sni = 22.vps.server.net

 

 

How to

Road Warrier: 

set socks proxy of browser to 127.0.0.1:1080

 

SSH to vps.server.net

ssh -p 22  user@localhost