How to recognize tinc TCP connection with iptables
Nikolaus Rath
Nikolaus at rath.org
Sat Aug 31 22:05:43 CEST 2013
Guus Sliepen <guus-NnCthlHDAqpg9hUCZPvPmw at public.gmane.org> writes:
> On Sat, Aug 31, 2013 at 10:27:55AM -0700, Nikolaus Rath wrote:
>
>> What I want to do is be able to talk to a tinc server on port 443
>> (https) using just TCP, so that the client has the best possible chance
>> of making it through any overly restrictive firewalls imposed by some
>> WiFi hotspots.
>>
>> However, I still want to be able to serve regular https on the same
>> server. Thus the idea of adding some iptables rule on the server that
>> identify tinc packets and locally redirect those to the regular tinc
>> port (while everything else reaches the webserver as usual).
>>
>> So I think as long as my rule is specific enough to distinguish tinc and
>> TLS, I should be good.
>
> In that case, you can just match the "0 " at the start of the connection, you
> don't have to look further.
Hmm. It seems it's a bit more complicated than that. Unless I'm
mistaken, a tinc client waits for the tinc server to send his greeting
before it sends his own -- but TLS does the opposite. So unless I
forward every connection on :443 to tinc by default, I cannot do
matching on the first packet. But trying to let tinc handle every
connection would result in TLS error in the browser...
> Instead of using iptables, you could also have a
> look at sslh:
>
> http://www.rutschle.net/tech/sslh.shtml
I'll take a look, thanks.
Best,
-Nikolaus
--
»Time flies like an arrow, fruit flies like a Banana.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C
More information about the tinc
mailing list