Distinguish between OpenVPN and XMPP

Hi there,

I recently setup haproxy (Version 1.7 on pfsense) in order to do some tcp routing and therefore to share port 443 with different services.

The services to be used are: Https, OpenVPN, XMPP. The config itself works fine for each of the 3 services. However I was not able to find a way to destinguish successfully between OpenVPN and XMPP.

My current config looks like this:

[code]frontend ssl
mode tcp
bind 0.0.0.0:443 name frontend-ssl
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend main-ssl if { req.ssl_hello_type 1 }
use_backend openvpn if !{ req.ssl_hello_type 1 } !{ req.len 0 }
use_backend xmpp if { payload(0,5) 3c3f786d6c } !{ req.ssl_hello_type 1 } !{ req.len 0 }

backend main-ssl
mode tcp
server main-ssl 127.0.0.1:8443 send-proxy

backend openvpn
mode tcp
server openvpn-localhost 127.0.0.1:1194

backend xmpp
mode tcp
server xmpp-localhost 127.0.0.1:5222

[/code]

As you can see payload(0,5) 3c3f786d6c is used to identify the xml payload of an xmpp message. This works for some XMPP clients like pidgin. However, other clients like Xabber cannot connect, their requests seem to be not recognized correctly.

So, question is: How can I destinguish between OpenVPN and XMPP ? Is there a way to identify the payload of OpenVPN ?

Thank you for your help in advance.
Regards,

Can you share some example handshake captures for OpenVPN and XMPP?

Well, after several tries I found a working solution:

In the above example I used “payload(0,5) 3c3f786d6c” to identify XMPP traffic by its xml payload, where
3c3f786d6c = <?xml

Unfortunatly some XMPP clients send “<? xml” <-- With space between ? and x !

However, I managed to find another position in the payload which seems to be identical with every client:

^^ This does do the trick and identifies XMPP.

Cheers