sslh in transparent mode on FreeBSD

A few things I came across while setting up sslh.

connect: Operation not permitted

Make sure /usr/local/etc/sslh.conf contains user: "root"; and not user: "nobody";

Timeout and/or stalled connections

Make sure that your firewall forwards outbound traffic from localhost (where the real service, such as an SSL-enabled web server or OpenVPN, is bound) back to the public IP address of your server, where sslh is bound on port 443. These forward rules have to be specified before the default rules that deny any traffic from and to 127.0.0.0/8 and ::1:

00100 allow ip from any to any via lo0
00110 fwd 192.168.23.42,443 tcp from 127.0.0.1 443 to any 1024-65535 established out
00120 fwd 192.168.23.42,443 tcp from 127.0.0.1 1194 to any 1024-65535 established out
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any

Rules 100 and 200 - 500 are usually set up by the firewall script /etc/rc.firewall. You have to place rules 110 and 120 before those default deny rules.
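
ipfw stops at the first matching rule, so a fwd rule listed after the loopback deny rule never sees the reply packets. The following check is an added example, not part of sslh or /etc/rc.firewall; the function names and the misordered ruleset are constructed for illustration. It reads a ruleset in `ipfw list` format and reports fwd rules that come too late:

```sh
#!/bin/sh
# Added example. Reads a ruleset in `ipfw list` format on stdin and checks
# that every "fwd ... from 127.0.0.1" rule is listed before the first
# "deny ... from 127.0.0.0/8" rule. Exit status 0 means the order is fine.
check_fwd_order() {
    awk '
        $2 == "deny" && / from 127\.0\.0\.0\/8 / && !have_deny {
            have_deny = 1; deny_rule = $1      # first loopback-source deny
        }
        $2 == "fwd" && / from 127\.0\.0\.1 / {
            seen++
            if (have_deny) {                   # deny already listed above us
                print "rule " $1 " comes after deny rule " deny_rule
                bad = 1
            }
        }
        END {
            if (!seen) { print "no fwd rule from 127.0.0.1 found"; exit 1 }
            exit bad + 0
        }
    '
}

# The ruleset from the page.
page_rules() { cat <<'EOF'
00100 allow ip from any to any via lo0
00110 fwd 192.168.23.42,443 tcp from 127.0.0.1 443 to any 1024-65535 established out
00120 fwd 192.168.23.42,443 tcp from 127.0.0.1 1194 to any 1024-65535 established out
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
EOF
}

# Constructed counter-example: the same fwd rules renumbered to 600/610.
misordered_rules() { cat <<'EOF'
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00600 fwd 192.168.23.42,443 tcp from 127.0.0.1 443 to any 1024-65535 established out
00610 fwd 192.168.23.42,443 tcp from 127.0.0.1 1194 to any 1024-65535 established out
EOF
}

page_rules | check_fwd_order && echo "page ruleset: order OK"
misordered_rules | check_fwd_order || echo "misordered ruleset: fwd rules are never reached"
```

On a live host the same function can be fed with `ipfw list | check_fwd_order`.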