HAProxy with OpenVPN over tcp/443 on pfSense

daggr

Hi,

Recently replaced my HAProxy VM into pfSense HAProxy package instead and that works fine.
I had OpenVPN on a server before but now i want to run it in pfSense as well.
The problem is that i want to run OpenVPN over tcp/443 through HAProxy but i cant get it to work.

Today i've set up a frontend which listens to WAN address port 80 (type http /https(offloading)) and redirects to HTTPS.
Then a frontend listening on WAN address port 443 (type http /https(offloading)) with ACLs for different domain names and backends.

I've set OpenVPN to listen to TCP/1194 and a backend accordingly.
I've tried making a shared frontend but it seems that you can only share the same type (http, tcp and so on).

How should i proceed to configure HAProxy for using tcp/443 to my OpenVPN (on the pfSense machine)?

Thanks!

daggr

I got it working. Here’s the config if anyone else want to do the same thing.

# Automaticaly generated, dont edit manually.
# Generated on: 2020-01-19 12:06
global
	maxconn			4096
	stats socket /tmp/haproxy.socket level admin 
	uid			80
	gid			80
	nbproc			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state
	ssl-default-bind-options no-sslv3 no-tlsv10
	ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend PROD_HTTP
	bind			WAN ADDRESS:80 name WAN ADDRESS:80   
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_PROD_HTTP_503_MAINT
	acl			redirect	var(txn.txnhost) -m end -i domain.com
	http-request set-var(txn.txnhost) hdr(host)
	http-request redirect code 301 location https://%[hdr(host)]%[path]  if  redirect 

frontend PROD_HTTPS
	bind			127.0.0.1:9443 name 127.0.0.1:9443  no-sslv3 no-tlsv10 no-tlsv11 ssl crt-list /var/etc/haproxy/PROD_HTTPS.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_PROD_HTTPS_503_MAINT
	acl			cloud	var(txn.txnhost) -m str -i cloud.domain.com
	acl			grafana	var(txn.txnhost) -m str -i grafana.domain.com

	acl			aclcrt_PROD_HTTPS	var(txn.txnhost) -m reg -i ^cloud\.domain\.com(:([0-9]){1,5})?$
	acl			aclcrt_PROD_HTTPS	var(txn.txnhost) -m reg -i ^grafana\.domain\.com(:([0-9]){1,5})?$

	http-request set-var(txn.txnhost) hdr(host)
	use_backend webserver01_ipvANY  if  cloud aclcrt_PROD_HTTPS
	use_backend webserver02_ipvANY  if  grafana aclcrt_PROD_HTTPS

frontend TCP_HTTPS
	bind			WAN ADDRESS:443 name WAN ADDRESS:443   
	mode			tcp
	log			global
	timeout client		50000
	tcp-request content accept if { req.ssl_hello_type 1 }
	tcp-request inspect-delay	5s
	acl			http	req.ssl_ver gt 0
	tcp-request content accept if { req.ssl_ver gt 0 }
	use_backend https-term_ipvANY  if  http 
	default_backend pfsense_openvpn_tcp_1194_ipvANY

backend webserver01_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			webserver01 192.168.37.14:8080 id 101 check inter 1000  

backend webserver02_ipvANY
	mode			http
	id			106
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			webserver02 192.168.37.15:3000 id 101 check inter 1000  

backend https-term_ipvANY
	mode			tcp
	id			110
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	mode tcp
	server			https-term 127.0.0.1:9443 id 101  

backend pfsense_openvpn_tcp_1194_ipvANY
	mode			tcp
	id			109
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	mode tcp
	server			pfsense_openvpn_tcp_1194 127.0.0.1:1194 id 101

manustar

I'm also looking for this configuration, noting yours I saw that https is on 9443 and tcp on 443, so in this case to access web services I should put the link https://miodominio.com:9443 and for the client openvpn mydomain.com 443 TCP

johnpoz

@manustar huh?

I do sharing of the port with openvpn, which sends non openvpn traffic to port haproxy is listing on

in the custom option box on the vpn instance for tcp 443

port-share 127.0.0.1 9443

Haproxy listens 9443, and then sends that to the appropriate backend based on the fqdn.

If you hit your https://fqdn you are sent to the appropriate server based upon that fqdn. Since the vpn instance says hey that is not vpn traffic and sends it to the haproxy port on the loopback address.

manustar

@johnpoz said in HAProxy with OpenVPN over tcp/443 on pfSense:

9443

sorry I'm not an expert.
my haproxy is listening on 443 wan and I put on openvpn the same port in tcp and add port-share 127.0.0.1 443 ?

johnpoz

if you want to use both 443 for openvpn and stuff behind pfsense. Then pick a different port for haproxy to listen on.. like 9443 or 8443, and send your openvpn port share to that port on loopback.

You can not have 2 things listening on the same port on the same IP.

While you could have vpn listen on public IP, and not loopback, and haproxy listen on loopback and not public IP. Its just easier to use a different port for your haproxy.. Since its never going to be seen by any client that port..

manustar

@johnpoz thx