Netgate Discussion Forum

    Can HAProxy pass OpenVPN

    HA/CARP/VIPs
    8 Posts 2 Posters 2.8k Views
    guardian Rebel Alliance

      I have an OpenVPN server that I occasionally run as TCP/443 for those times when I think I might be caught behind a restrictive firewall.

      I would like to also run a few https web apps which will require port 443.

      This is a home setup, and would have at most 2 users and would receive only light occasional use.

      It seems like it should be easy enough to construct the appropriate ACLs, but my questions are:

      1. Can HAProxy route OpenVPN traffic (assuming appropriate Front/Back end rules)?

      2. Any suggestions as to how I would set up the back end? What interface would I use for the server, and how would I set up the back end rule?

      Any hints would be much appreciated. (Or is there a better way to do this than HAProxy?)

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

      johnpoz LAYER 8 Global Moderator

        I do the same thing... Here is how I do it... You open 443 on wan, openvpn listens on 443.. You then set openvpn to do port sharing via custom option (box near the bottom of openvpn setup)

        port-share 127.0.0.1 9443

        You could use whatever port you want, I chose 9443.. You then setup your haproxy frontend for that port, and have it do whatever you want for your backends.

        Openvpn sees the traffic, and knows right away if it's openvpn traffic or not, if not then it passes it to your local port that haproxy is listening on.

        easy peasy lemon squeezy

        edit: Or are you running your openvpn server on something behind pfsense? Why? ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        guardian Rebel Alliance @johnpoz

          @johnpoz said in Can HAProxy pass OpenVPN:

          I do the same thing... Here is how I do it... You open 443 on wan, openvpn listens on 443.. You then set openvpn to do port sharing via custom option (box near the bottom of openvpn setup)

          port-share 127.0.0.1 9443

          You could use whatever port you want, I chose 9443.. You then setup your haproxy frontend for that port, and have it do whatever you want for your backends.

          Openvpn sees the traffic, and knows right away if it's openvpn traffic or not, if not then it passes it to your local port that haproxy is listening on.

          easy peasy lemon squeezy

          edit: Or are you running your openvpn server on something behind pfsense? Why? ;)

          Thanks @johnpoz for the quick reply. I get where you are going with this. OpenVPN is a first level traffic cop, and then HAProxy gets anything that OpenVPN doesn't recognize as VPN traffic.

          Yes, OpenVPN and HAProxy will both be running on pfSense.

          Will this still work if I have the OpenVPN hardened with a TLS Certificate? I am hoping to have everything secured with certificates to keep my attack surface to a minimum.
          Would the OpenVPN TLS Cert protect the HAProxy as well?
          I was planning to use client certificates to restrict access to the back end web services so they stay secure without needing to go through the VPN.

          Since this stuff is just for myself/wife it's easy enough to deploy certs, and if connections won't even begin without a valid cert, bots/scanners/script kiddies will get bored very quickly and go elsewhere.

          I want the VPN available for those times when I'm behind a nasty firewall, but would normally want to use the web services without having to connect a VPN (which would be a challenge for my wife). Also VPNs tend to be hard on the phone battery life and an encrypted TLS session is quite adequate for security.

          Any thoughts/suggestions appreciated.

          johnpoz LAYER 8 Global Moderator

            Yes this works with certs.. How else to be honest would you use openvpn ;) other than with cert auth..

            guardian Rebel Alliance @johnpoz

              @johnpoz said in Can HAProxy pass OpenVPN:

              Yes this works with certs.. How else to be honest would you use openvpn ;) other than with cert auth..

              Thanks @johnpoz - Sorry I wasn't clear with my question :(

              IIUC, both OpenVPN and HAProxy behave as they normally would, essentially ignoring each other's traffic.

              OpenVPN will use the TLS key/identity keys it is configured with, and HAProxy will use/respond to any certs it is configured with. The only difference is that HAProxy is listening on localhost:9443 instead of the WAN interface.

              Have I got this correct?

              guardian Rebel Alliance @johnpoz

                @johnpoz said in Can HAProxy pass OpenVPN:

                Yes this works with certs.. How else to be honest would you use openvpn ;) other than with cert auth..

                Thanks @johnpoz... I guess I wasn't clear with my question:
                Setting OpenVPN/HAProxy up as you are suggesting, is it possible to have a TLS certificate for OpenVPN (not just an identity certificate; as you said, how else would you use openvpn) and a Client Certificate for the HAProxy Web Services?

                Since I am not running services for the public, it would be ideal if my internet facing access would ignore scanners and any device that didn't have a valid certificate. That is easy to do with OpenVPN, but I don't want to have to fire up a VPN to access the web services: too complicated for the wife, and very hard on mobile battery life.

                johnpoz LAYER 8 Global Moderator

                  Well for haproxy to pass it on it would have to meet your acls... So say some random guy hit your IP. Unless he was calling for your exact fqdn say host.domain.tld haproxy would not pass it on to your server.

                  Or whatever other acls you setup on haproxy.

                  guardian Rebel Alliance @johnpoz

                    @johnpoz said in Can HAProxy pass OpenVPN:

                    Well for haproxy to pass it on it would have to meet your acls... So say some random guy hit your IP. Unless he was calling for your exact fqdn say host.domain.tld haproxy would not pass it on to your server.

                    Or whatever other acls you setup on haproxy.

                    Thanks @johnpoz ... Do you know if HAProxy returns an error like a 401/403 or if it just drops/rejects the connection?

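As an added illustration (not configuration posted in this thread, nor what the pfSense OpenVPN and HAProxy packages generate), here is how the port-share arrangement johnpoz describes and the SNI/client-certificate gating guardian asks about fit together in raw openvpn and haproxy.cfg form. Hostnames, certificate paths, the port-share journal directory and the backend addresses are placeholders.

```conf
# === OpenVPN server excerpt. The port-share line is the one johnpoz puts
#     in the custom options box; the journal directory is an assumed path ===
proto tcp-server
port 443
# Anything that does not look like OpenVPN at the start of a TCP stream is
# relayed to the local HAProxy listener. The optional directory records the
# real client address per relayed connection, which matters because HAProxy
# itself will only ever see 127.0.0.1 as the peer.
port-share 127.0.0.1 9443 /var/tmp/openvpn-portshare

# === HAProxy excerpt (raw haproxy.cfg; paths, names and addresses are
#     placeholders) ===
frontend web_via_portshare
    mode http
    # Loopback only: reachable from the network solely through OpenVPN's
    # relay, so no WAN firewall rule is needed for 9443.
    # 'verify required' rejects, during the TLS handshake, any client that
    # does not present a certificate signed by the listed CA.
    bind 127.0.0.1:9443 ssl crt /path/to/web-server.pem ca-file /path/to/client-ca.crt verify required
    # Source-address ACLs and source logging are useless on this frontend
    # (the peer is always 127.0.0.1); route on the TLS server name instead.
    acl app1_host ssl_fc_sni -i app1.example.net
    acl app2_host ssl_fc_sni -i app2.example.net
    # http-request rules are evaluated before backend selection, so the deny
    # must be conditional. A valid client cert with an unknown name gets 403.
    http-request deny unless app1_host || app2_host
    use_backend app1 if app1_host
    use_backend app2 if app2_host

backend app1
    mode http
    server app1 192.0.2.10:8080 check   # placeholder LAN host

backend app2
    mode http
    server app2 192.0.2.11:8080 check   # placeholder LAN host
```

With this configuration a client that cannot satisfy `verify required` is refused inside the TLS handshake and never receives an HTTP status at all; only a client holding a valid certificate but asking for an unlisted name reaches the explicit 403.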
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.