How can I route my HAProxy frontend traffic to a backend that's connected via an OpenVPN S2S VPN between pfSense and a remote location?
-
Workstations on LAN can reach the remote subnet(s) and webserver(s) fine; however, HAProxy and pfSense cannot reach them, or even ping the servers over the OpenVPN. Does anyone know what has to be done to allow HAProxy hosted on my pfSense router to be able to route over the OpenVPN VPN?
With this article I managed to get other HAProxy backends on an IPsec VPN working, but this trick does not work with OpenVPN...
https://www.netgate.com/docs/pfsense/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html
-
@wisheh
You can ping the remote webserver from LAN devices, but you can't from pfSense?? Is the HAProxy in transparent mode?
-
That's correct, I can ping and access the pages of the webserver behind the site-to-site OpenVPN from the LAN, but the firewall itself and HAProxy can't.
I can ping from the pfSense web GUI if I choose "Source address" = "LAN", but with the source on auto, or with a direct ping from the pfSense CLI to the remote webserver, it doesn't know how to route the traffic.
A traceroute from the CLI shows it routes traffic over the WAN instead of the ovpn interface, but a traceroute from a client on LAN shows the correct route through the LAN IP, then the OpenVPN tunnel network, and completes at the target IP.
-
@wisheh you probably need an assigned interface on the OpenVPN instance on the server side so reply-to can send reply traffic back to arbitrary sources out the proper connection instead of that router's default gateway.
This is a reasonably-advanced topic and is discussed at:
https://www.youtube.com/watch?v=PtZxuC9IyTg
The meat there is at about minute 19 but you should probably just watch the whole thing.
-
@wisheh
I suspect that your outbound NAT is in manual mode. So you might have to add a rule to the OpenVPN interface.