With the help of SNI (Server Name Indication) in stunnel, we can serve both the road-warrior SOCKS proxy and SSH on the same TCP/443 port: stunnel terminates TLS on 443 and forwards each connection to a local backend chosen by the SNI host name the client sends.
VPS server:
Install stunnel v5.31 (built against OpenSSL v1.0.2) and have it listen on port 443
Install dante v1.4.1 and have it listen on port 1080
Install OpenSSH and have it listen on port 22
Stunnel config for the VPS server:
chroot = /var/lib/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
;debug = debug
debug = err
;foreground = yes
log = append
;log = overwrite
output = /stunnel.log
cert = /etc/stunnel/stunnel.pem
;key = /etc/stunnel/stunnel.pem
verify = 3
CApath = /certs
; performance
socket = l:TCP_NODELAY=1
;compression = deflate
compression = zlib
[tls]
accept = 0.0.0.0:443
connect = 127.0.0.1:1080
[ssh]
sni = tls:22.vps.server.net
connect = 127.0.0.1:22
[socks]
sni = tls:vps.server.net
connect = 127.0.0.1:1080
The [tls] service is the one that actually listens on 443; the two sni= services attach to it: a connection whose SNI is 22.vps.server.net is forwarded to sshd on port 22, one whose SNI is vps.server.net is forwarded to the dante SOCKS daemon on port 1080, and anything else falls through to the [tls] default, which is also port 1080.
Stunnel config for the client inside the corporate network (it reaches the VPS through the corporate HTTP proxy with CONNECT):
chroot = /var/lib/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
;debug = alert/crit/err/warning/notice/info/debug
debug = err
;foreground = yes
cert = /etc/stunnel/stunnel.pem
;compression = deflate | zlib
compression = zlib
client = yes
; performance
socket = l:TCP_NODELAY=1
[socks-http-proxy]
accept = 127.0.0.1:1080
connect = http_proxy_ip:http_proxy_port
protocol = connect
protocolHost = vps.server.net:443
[ssh-http-proxy]
accept = 0.0.0.0:22
connect = http_proxy_ip:http_proxy_port
protocol = connect
protocolHost = vps.server.net:443
sni = 22.vps.server.net
How to use
Road warrior:
Set the browser's SOCKS proxy to 127.0.0.1:1080.
SSH to vps.server.net through the local tunnel:
ssh -p 22 user@localhost