
Re: Limiting ssh access: by MAC Address?



On 2023-01-04 at 19:20 +0000, Tim Woodall wrote:
> It doesn't work through a transparent proxy unfortunately (at least the
> android client doesn't) which I assume was doing SNI snooping - but I've
> only encountered that once in the UK so far.
> 
> My plan was to write something that used a dns request to tell ovpn to
> expect an HTTPS wrapped ovpn stream - but it's one of those projects
> that I'll probably never actually get around to.

You can do this with stunnel, see
https://www.stunnel.org/static/stunnel.html#EXAMPLES

However, openvpn supports running directly as https://, so if you place
it on port 443 it is indistinguishable from a normal https server for
networks restricting the ports.* (Maybe you were using udp?)

There are no transparent proxies for https. They would either pass
traffic without inspecting it, or they would need to break the TLS
connection to MITM it, and -unless the client has installed a CA for
the proxy- cause all https connections to fail due to an untrusted
certificate.


(*) an advanced filtering solution might be able to notice that the
traffic patterns don't match with those of https but are likely a VPN.


