by df » Wed Oct 31, 2018 12:30 pm
@Lan
That's something I'm working on at the moment, offering ECC on other ports outside of 5060.
I'm pretty sure I've figured out a way to do ECC & RSA instances on the same IP both on ports 1-29999 (excluding 30000-65535 since that's reserved for port forwarding).
For UDP, the iptables u32 module is used to do this. For TCP, haproxy is used. With the haproxy setup, it'll be fairly easy to also add SSH & SSL tunneling to the mix as well, also on the above ports.
All that's left is to do more tests from different devices to make sure it actually works in all scenarios.
If I can get it to work the way I imagine it will, it means all of our current VPN IPs (probably excluding the legacy ones) will have RSA & ECC OpenVPN and Wireguard on all UDP ports of every IP, and for TCP it would be RSA & ECC OpenVPN plus SSL & SSH tunneling on all TCP ports of every IP.
The only thing I know I won't be able to implement is Ed25519 or Ed448 in the same way, so those two will have to continue to stay on ports 5061 and 5062. That should be fine though since most customers aren't using OpenSSL 1.1.1 yet, which both of those require.
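As an added illustration of the UDP side of what the post describes (this is not df's code or config, and the provider's actual rules are not shown anywhere in the thread), the block below does what an iptables u32 match can do with the first datagram of a flow: tell a WireGuard handshake initiation from an OpenVPN client hard-reset and emit nat/PREROUTING REDIRECT rules that steer each to its own listener on the whole public port range. The local listener ports (51820 and 1194) are assumptions, the sample datagrams are constructed, and the post does not say how the RSA and ECC OpenVPN instances are told apart on the same port, so the example makes no attempt at that split.

```python
"""Steer WireGuard and OpenVPN UDP flows that arrive on the same IP and port
range to different local listeners, the way an iptables u32 match would.
Added example, not code from the post.  Listener ports are assumptions."""

from typing import List

# Assumed local listener ports (the post does not state them).
WG_LISTEN_PORT = 51820
OVPN_LISTEN_PORT = 1194
PUBLIC_PORTS = "1:29999"        # the post keeps 30000-65535 for port forwarding

WG_HANDSHAKE_INIT_TYPE = 1      # WireGuard message type 1 (handshake initiation)
WG_HANDSHAKE_INIT_LEN = 148     # that message is always 148 bytes of UDP payload
OVPN_HARD_RESET_CLIENT_V2 = 7   # OpenVPN opcode of a client's first control packet
OVPN_HARD_RESET_CLIENT_V3 = 10  # the tls-crypt-v2 variant of the same
OVPN_V2_BYTE = OVPN_HARD_RESET_CLIENT_V2 << 3   # 0x38: opcode<<3 | key_id 0
OVPN_V3_BYTE = OVPN_HARD_RESET_CLIENT_V3 << 3   # 0x50


def classify_first_datagram(payload: bytes) -> str:
    """Classify the FIRST UDP datagram of a flow: 'wireguard', 'openvpn' or 'other'.

    Mirrors the u32 tests below: WireGuard is recognised by the message-type
    word 01 00 00 00 plus the fixed handshake length; OpenVPN by the opcode in
    the top five bits of the first byte, with key_id 0 as on a fresh reset.
    This is a routing heuristic, not authentication: a stray datagram whose
    first byte happens to be 0x38 will reach the OpenVPN listener and must be
    rejected there (tls-auth/tls-crypt HMAC), just as WireGuard's MAC1 check
    drops anything that merely looks like a handshake."""
    if (len(payload) == WG_HANDSHAKE_INIT_LEN
            and payload[:4] == bytes([WG_HANDSHAKE_INIT_TYPE, 0, 0, 0])):
        return "wireguard"
    if payload:
        opcode, key_id = payload[0] >> 3, payload[0] & 0x07
        if key_id == 0 and opcode in (OVPN_HARD_RESET_CLIENT_V2,
                                      OVPN_HARD_RESET_CLIENT_V3):
            return "openvpn"
    return "other"


# u32 expressions.  "0>>22&0x3C" reads the IP header-length nibble scaled to
# bytes, so "@4" lands on the UDP length field and "@8" on the first byte of
# the UDP payload.  Every comparison is on a 32-bit big-endian word.
U32_WG_INIT = (f"0>>22&0x3C@4>>16=0x{8 + WG_HANDSHAKE_INIT_LEN:x}"        # UDP length 156
               f" && 0>>22&0x3C@8=0x{WG_HANDSHAKE_INIT_TYPE:02x}000000")  # type word
U32_OVPN_RESET = f"0>>22&0x3C@8>>24=0x{OVPN_V2_BYTE:02x},0x{OVPN_V3_BYTE:02x}"


def iptables_rules() -> List[str]:
    """nat/PREROUTING rules for the public port range.  Only the first packet
    of a flow is inspected: conntrack records the REDIRECT mapping on that
    packet and applies it to every later packet of the flow, which is why the
    data packets (which match neither test) still reach the right listener."""
    base = f"iptables -t nat -A PREROUTING -p udp --dport {PUBLIC_PORTS} -m u32 --u32"
    return [
        f'{base} "{U32_WG_INIT}" -j REDIRECT --to-ports {WG_LISTEN_PORT}',
        f'{base} "{U32_OVPN_RESET}" -j REDIRECT --to-ports {OVPN_LISTEN_PORT}',
    ]


# Constructed sample datagrams (not captures); only the leading bytes matter.
SAMPLE_WG_INIT = bytes([WG_HANDSHAKE_INIT_TYPE, 0, 0, 0]) + b"\x00" * (WG_HANDSHAKE_INIT_LEN - 4)
SAMPLE_WG_DATA = bytes([4, 0, 0, 0]) + b"\x00" * 60          # type 4 = transport data
SAMPLE_OVPN_V2 = bytes([OVPN_V2_BYTE]) + b"\x11" * 8 + b"\x00" * 5   # session id + ...
SAMPLE_OVPN_V3 = bytes([OVPN_V3_BYTE]) + b"\x22" * 8 + b"\x00" * 5
SAMPLE_DNS_LIKE = b"\xab\xcd\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    for name, pkt in [("wg-init", SAMPLE_WG_INIT), ("wg-data", SAMPLE_WG_DATA),
                      ("ovpn-v2", SAMPLE_OVPN_V2), ("ovpn-v3", SAMPLE_OVPN_V3),
                      ("dns-like", SAMPLE_DNS_LIKE)]:
        print(f"{name:9s} -> {classify_first_datagram(pkt)}")
    print("\n".join(iptables_rules()))
```

The TCP side that the post hands to haproxy is the same idea one layer up: a `tcp-request inspect-delay` on the frontend, then ACLs such as `req.ssl_hello_type 1` (a TLS ClientHello) or `req.payload(0,4) -m bin 5353482d` (the literal "SSH-" banner) to pick the backend, with OpenVPN-over-TCP as the default. Those haproxy fetches exist as named, but the concrete config is not in the thread and would need to be built and tested on the actual hosts.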