
sslh

sslh is an applicative protocol multiplexer that accepts HTTPS, SSH, OpenVPN, tinc, and XMPP connections on the same port. This makes it possible to reach any of these services on port 443, which corporate firewalls rarely block, while still serving HTTPS on that port.

Description

sslh allows multiple protocols to share a single port, primarily port 443, which is commonly open for HTTPS traffic. This is particularly useful in environments like corporate networks where outbound connections to standard SSH or VPN ports are blocked, but HTTPS is permitted. By multiplexing protocols on port 443, users can securely access SSH, OpenVPN, tinc, or XMPP servers without altering firewall rules.

The tool acts as a front-end proxy that inspects incoming connections and forwards them to the appropriate backend service based on protocol detection. It supports a range of protocols including SSL/TLS, SSH, OpenVPN, tinc, WireGuard, XMPP, HTTP, and others. This setup maintains HTTPS availability on the same port for web servers.

sslh comes in variants like sslh (default), sslh-ev, and sslh-select, with the main binary providing extensive configuration options for logging, verbosity, and protocol forwarding.

How It Works

sslh operates as a protocol demultiplexer: it listens on a specified port (e.g., 443) and probes the first packets of each incoming connection to identify the protocol, distinguishing between HTTPS/SSL/TLS, SSH, OpenVPN, tinc, XMPP, and the other supported protocols. Once the protocol is identified, sslh forwards the connection transparently to the backend host:port designated for it. The packets on which probing is done can be hexdumped with --verbose-packets. sslh also supports UDP, syslog integration, timeout handling, and verbose logging at various levels for connections, packets, and errors.
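
The first-bytes decision described above, as an added Python sketch; it is not code from the original page and not sslh's own probe code. The names probe, route, MAX_PROBE and SAMPLES are assumptions made for the illustration, the sample payloads are constructed, and the backend addresses are the ones used in the page's command-line examples.

```python
# Added illustration: classify a connection by its first bytes, the way a
# protocol multiplexer must. Simplified; this is not sslh's own probe code.
SSH_PREFIX = b"SSH-"                      # SSH identification string (RFC 4253)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
MAX_PROBE = 256                           # assumed cap on bytes examined

# Backend addresses taken from the page's command-line examples.
BACKENDS = {"ssh": "127.0.0.1:22", "tls": "127.0.0.1:443", "xmpp": "127.0.0.1:5222"}

def probe(data: bytes) -> str:
    """Return a protocol name, 'need-more-data' or 'unknown'."""
    if not data:
        return "need-more-data"           # silent client: caller applies its timeout
    if data.startswith(SSH_PREFIX):
        return "ssh"
    if data[0] == 0x16:                   # TLS record type 22 = handshake
        if len(data) < 3:
            return "need-more-data"
        # Record-layer version: major 3, minor 0..4 (SSLv3 through TLS 1.3).
        return "tls" if data[1] == 0x03 and data[2] <= 0x04 else "unknown"
    if data.startswith(HTTP_METHODS):
        return "http"
    if data.startswith(b"<"):             # XMPP opens with an XML stream header
        if b"jabber" in data:
            return "xmpp"
        return "need-more-data" if len(data) < MAX_PROBE else "unknown"
    # A short read may be the start of a known signature; wait for more bytes.
    if any(sig.startswith(data) for sig in (SSH_PREFIX, *HTTP_METHODS)):
        return "need-more-data"
    return "unknown"

def route(data: bytes):
    """Map first bytes to a backend; None means no backend (drop the connection)."""
    return BACKENDS.get(probe(data))

# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "ssh banner": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls client hello": bytes.fromhex("1603010200010001fc0303"),
    "xmpp stream": b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'>",
    "truncated ssh": b"SS",
    "garbage": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:18} -> {probe(payload):15} backend={route(payload)}")
```

Classification rests only on the opening bytes, so each backend must still authenticate its clients; the same check lets a monitoring point flag sessions on port 443 that do not begin with a TLS handshake.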

Installation

sudo apt install sslh

Flags

-F, --config=<file>              Specify configuration file
--verbose-config=<n>             Print configuration at startup
--verbose-config-error=<n>       Print configuration errors
--verbose-connections=<n>        Trace established incoming address to forward address
--verbose-connections-try=<n>    Connection errors
--verbose-connections-error=<n>  Connection attempts towards targets
--verbose-fd=<n>                 File descriptor activity, open/close/whatnot
--verbose-packets=<n>            Hexdump packets on which probing is done
-t <n>                           Timeout value
--udp-max-connections=<n>        Maximum UDP connections
-u <str>                         User to run as
-P <file>                        PID file
-p <host:port>                   Listening address and port
--ssh=<host:port>                SSH backend host:port
--tls=<host:port>                TLS backend host:port
--ssl=<host:port>                SSL backend host:port
--openvpn=<host:port>            OpenVPN backend host:port
--tinc=<host:port>               tinc backend host:port
--wireguard=<host:port>          WireGuard backend host:port
--xmpp=<host:port>               XMPP backend host:port

Examples

Display help and usage information for sslh
sslh -h
Run sslh with a specific configuration file
sslh -F /etc/sslh.cfg
Enable verbose logging for established connections
sslh --verbose-connections=1
Listen on port 443 and forward SSH to localhost:22 and TLS to localhost:443
sslh -p 0.0.0.0:443 --ssh=127.0.0.1:22 --tls=127.0.0.1:443
Multiplex OpenVPN and XMPP on port 443
sslh -p 0.0.0.0:443 --openvpn=127.0.0.1:1194 --xmpp=127.0.0.1:5222
Run with config file and syslog logging
sslh --config=/etc/sslh.cfg --syslog
Display help for sslh-ev variant
sslh-ev -h
Display help for sslh-select variant
sslh-select -h
Updated 2026-04-16 (kali.org)