Put STUN/Turn server on 443 TCP/UDP (Add SSLH) or use caddy? #3576
-
This may not be worth putting into prime time, and personally I use NC on bare metal, but I saw that the AIO version had all the Talk stuff included and I thought someone might be interested in this. From my experience, the STUN and TURN server avoids a lot of firewall issues if it runs off 443/TCP instead of 3478/TCP (for example, if a phone with the Talk app is using some public Wi-Fi that has other ports blocked). Now, granted, that port is of course being used by the web service. It is still very possible to work around that by using sslh (https://github.com/yrutschle/sslh) as an intermediary proxy and switchboard. It's a simple program that listens on 443, scans the incoming packets and forwards the connection to the correct application according to the ACL rules set in the sslh.cfg file. It has sslh-fork and sslh-ev variants (ev being the more robust version) that also support scanning for UDP protocols. To pick up the TURN packets I just added to my sslh.cfg file:
Now this gets a little more complicated if you want to use the transparent proxy feature. That would allow the web service to see the actual IP of the incoming connection, which could be important for fail2ban or various other services. To make that feature work I had to modify my systemd service file to look like this:
Supposedly sslh supports dealing with QUIC as well, but I haven't gotten that to work.
Replies: 4 comments 7 replies
-
Hi, thanks for the idea! However, I would rather not add yet another dependency to this project. Also, we are using Caddy internally. If we can somehow make it work with Caddy, I would be fine with this idea :)
-
Understandable. I use nginx as my reverse proxy and web server, and it listens on interface 127.0.0.2 at port 443 (though really it can be any port, and then there is no need to specify the interface); sslh forwards web traffic to it through the TLS rule. I would think Caddy would be the same with sslh in front of it.
-
Hmm, maybe something like this Caddy plugin would be useful: https://github.com/mholt/caddy-l4. Though that's skirting the line on extra dependencies.
-
Hi, I was wondering: could Tailscale maybe be used for this?
Hi, it looks like Caddyfile support is now implemented for https://github.com/mholt/caddy-l4 via mholt/caddy-l4#217. So feel free to add this module to https://github.com/szaimen/aio-caddy and change the Caddyfile in there in order to allow proxying the STUN/TURN server via 443 TCP/UDP :)