Routing Virtual IP traffic through VPN gateway

viragomann

@kultigsptrizigfrisch said in Routing Virtual IP traffic through VPN gateway:

all the traffic that reaches SNIProxy is meant to be passed over to the intended remote hosts, based on the original TCP session

And how will sniproxy or pfSense know to which IP the packets are "meant"?

wrobelda

SNIproxy "Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine."

I have it configured to forward the request to the original hostname, thus really just forwarding the original requests as is. Except I want them forwarded over the VPN.

viragomann

@kultigsptrizigfrisch said in Routing Virtual IP traffic through VPN gateway:

I have it configured to forward the request to the original hostname

So this means to me you are forwarding yourdomain.name to yourdomain.name. And I'm wondering how this should work at all.

thus really just forwarding the original requests as is

The hostname is part of the header. The proxy should forward this anyway to the destination server. But in my opinion you have to state the destination IP in the proxy config to get the packets forwarded as you want.

wrobelda

@viragomann said in Routing Virtual IP traffic through VPN gateway:

But in my opinion you have to state the destination IP in the proxy config to get the packets forwarded as you want.

I have a wildcard there that forwards to the original destination:

table {
    .* *
}

The whole reason I am doing this is to avoid geoblocking of some services. SNIProxy configured as such allows me to specify the DNS overrides in dnsmasq config per domain, wildcarded. This wrks as intended on a separate host, but I want to give up using SNIProxy at all and switch to HAProxy directly on the firewall.

viragomann

@kultigsptrizigfrisch
So go to Diagnostics > DNS Lookup and resolve your hostname and you will know where the packets are directed to.

wrobelda

@viragomann said in Routing Virtual IP traffic through VPN gateway:

Diagnostics > DNS Lookup

Truly don't understand what do you mean. I know that my selected DNS domain queries are directed to SNIProxy by dnsmasq, as I intend, because I can see that in the sniproxy logs. What I now need to do is to have that traffic forwarded by SNIProxy to be routed via the VPN gateway, so that it evades the geoblocking. This is the issue at hand.

viragomann

@kultigsptrizigfrisch said in Routing Virtual IP traffic through VPN gateway:

I know that my selected DNS domain queries are directed to SNIProxy by dnsmasq

The question is, where the traffic is directed to behind the proxy.

wrobelda

The question is, where the traffic is directed to behind the proxy.

Still don't follow. Behind the proxy, in this context, is between the sniproxy running on the firewall and the LAN host(s).

viragomann

@kultigsptrizigfrisch
Dude! Simply do what I suggested above to get where the hostname is directed to:
So go to Diagnostics > DNS Lookup and resolve your hostname and you will know where the packets are directed to.

wrobelda

@viragomann said in Routing Virtual IP traffic through VPN gateway:

@kultigsptrizigfrisch
Dude! Simply do what I suggested above to get where the hostname is directed to:
So go to Diagnostics > DNS Lookup and resolve your hostname and you will know where the packets are directed to.

Dude, I am literally telling you that DNS lookups work as intended, i.e. taking an exemplary domain I want to evade the geoblocking for, I see it resolves to sniproxy's Virtual IP, as I already explained, quote:

" I know that my selected DNS domain queries are directed to SNIProxy by dnsmasq, as I intend "

I see the traffic intended for those domains in sniproxy logs, and the websites work just fine, except I can't get it to route through the VPN's gateway and it instead uses the default one.

viragomann

@kultigsptrizigfrisch
So the hostname get resolved to a vitual IP assigned to pfSense itself, as I got you.
Then again, how should the proxy know that the traffic should be directed to the remote network without stating the target IP?

wrobelda

@viragomann said in Routing Virtual IP traffic through VPN gateway:

@kultigsptrizigfrisch
So the hostname get resolved to a vitual IP assigned to pfSense itself, as I got you.
Then again, how should the proxy know that the traffic should be directed to the remote network without stating the target IP?

We're going circles here and both wasting our time. I explained how SNI proxy works above:

SNIproxy "Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine."

If that's not enough than I guess Google "SNI proxy geoblocking".

It's ironic that you assume I don't pay attention to what you're suggesting, meanwhile you seem to not pay attention yourself.

viragomann

@kultigsptrizigfrisch
So I'm wondering, why you don't answer the question, how the proxy should forward the traffic to the desired backend, since you don't tell him its IP address.

I can imagine, how the sniproxy is meant to work this way you've it set up. That works for outside requests, where the traffic is routed to the proxy, while it forwards the traffic according to the hostname resolution in the internal DNS (split DNS).

But if that's not possible for what ever reason in your case, you can as well state a backend IP in the proxy settings. And I'm wondering why you don't do that.

Also again, this all can be done in HAproxy. HAproxy is as well capable to determine the SNI hostname without providing the TLS certificate and forward the traffic to the proper backend IP.