Netgate Discussion Forum
    HAProxy with OpenVPN

    General pfSense Questions
      gelcom

      Hi, sorry for the noob question but here I go.

      I live in a country where local ISP blocks inbound connections from ports <1024 to residential internet.

      I have a local nextcloud server and a personal webserver I want to expose to the internet, and I need inbound connections on ports 80/443.

      To achieve this, I've set up a free AWS account and configured it as a VPN client of my local pfSense box.

      By doing so, all ongoing connections to my AWS public IP address are forwarded to my local pfSense box.

      Connections from my AWS IP on port 80 get forwarded to my pfSense VPN interface port 8080.

      Connections from my AWS IP on port 443 get forwarded to my pfSense VPN interface port 8443.

      So far so good.

      Then I set up HAProxy with SSL offload so inbound connections to nextcloud.mydomain.com:80 or 443 get forwarded to local server 192.168.10.100:443 and connections to www.mydomain.com:80 or 443 get forwarded to local server 192.168.20.100:443.

      If I set the HAProxy Frontend "Listen address" to "Use custom address" pointed to my VPN local server IP (192.168.100.1), it does not work.

      To make this work I have to set the HAProxy Frontend "Listen address" to "any (IPv4)", as my VPN server interface is not listed in the "Listen Address" dropdown list.

      The problem is that I don't want to route my connection to AWS when I'm home on my WiFi local network so I need to have 2 rules on HAProxy:

      1) connections from the local LAN WiFi network on port 80 or 443 should go to my servers on port 443 with SSL offload

      2) connections from my VPN on ports 8080 or 8443 should go to my servers on port 443 with SSL offload

      If I set the HAProxy Frontend "Listen address" to "any (IPv4)" I get rule 2 working but not rule 1.

      How to accomplish that?

      PS: Sorry for my poor English

      kind regards

        zeeohsix

        Is it not an option to set up a remote access VPN server that will drop you into the inside local IP space when connected? Split-tunnel would send only traffic destined for home services through the VPN. Just cut out AWS completely.

        One way you could fix this is with DNS. One record for use when remote, one record to use when home.

        I would find out how/why rule 1 doesn't work. Run packet captures on all interfaces involved. TCP Dump for a live view. Check firewall rules, check gateway settings.

          gelcom @zeeohsix

          @zeeohsix said in HAProxy with OpenVPN:

          Is it not an option to set up a remote access VPN server that will drop you into the inside local IP space when connected? Split-tunnel would send only traffic destined for home services through the VPN. Just cut out AWS completely.

          This is what my AWS instance does: it works as a VPN client for inbound connections on my AWS Fixed IP.
          AWS Fixed IP allows inbound connections from all ports.

          @zeeohsix said in HAProxy with OpenVPN:

          I would find out how/why rule 1 doesn't work. Run packet captures on all interfaces involved. TCP Dump for a live view. Check firewall rules, check gateway settings.

          I believe rule 1 doesn't work because, to make this work, I have to set the HAProxy Frontend "Listen address" to "any (IPv4)", and then this "any" rule takes precedence in HAProxy rule processing over the second rule.

          I think the answer to my problem is to find a way of setting a HAProxy Frontend rule that allows it to listen only on my VPN interface and not "any" interface.

          I wonder why the VPN interface is not listed in the "Listen Address" dropdown list, and also why, if I set "Listen Address" to "Use custom address" pointed to my VPN local server IP (192.168.100.1), it does not work either.

          thanks for the support
          regards

            stephenw10 Netgate Administrator

            You need to assign the OpenVPN server as an interface to be able to select it.

            The two front ends should not conflict though because they are listening on different ports.

            Steve

              gelcom @stephenw10

              @stephenw10 said in HAProxy with OpenVPN:

              You need to assign the OpenVPN server as an interface to be able to select it.

              My VPN server is assigned to an interface but it still does not show on Frontend / Edit HAProxy Frontend / External address / Table / Listen address.

              All other interfaces are showing ok but not the OpenVPN server interface.

              I think this is the problem in here.

              Any help is appreciated!

              kind regards

                stephenw10 Netgate Administrator

                Hmm, OK I'm seeing that too.

                You could run it on localhost with port forwards.

                You should be able to run on 'All' though. I can't see why that would be a problem for the two frontends.

                Steve

                  gelcom @stephenw10

                  @stephenw10 said in HAProxy with OpenVPN:

                  Hmm, OK I'm seeing that too.

                  You could run it on localhost with port forwards.

                  Thanks for the suggestion but how to accomplish that?

                  You should be able to run on 'All' though. I can't see why that would be a problem for the two frontends.

                  Steve

                  Unfortunately this is not an option either, as if I set it on "all" interfaces I get "[ALERT] 188/071715 (10609) : Starting frontend XYZ: cannot bind socket [0.0.0.0:443]".

                  kind regards

                    stephenw10 Netgate Administrator

                    Set HA proxy to run on localhost. Add port forwards to the OpenVPN server interface to forward traffic to it. Add forwards to other interfaces as you need it.

                    Do you still have the pfSense webgui running on port 443? That will conflict with HAProxy if so.

                    Steve

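As an added example (not code from this thread, nor from pfSense or HAProxy), the Python script below models the socket rule behind both points raised so far: the original poster's listeners on 80/443 and 8080/8443 cannot clash with each other because the ports differ, but any HAProxy bind on a port the webConfigurator already holds on the wildcard address fails with the "cannot bind socket" alert quoted above, whether HAProxy binds to "any" or to one specific address on that port. The embedded haproxy.cfg (a LAN address of 192.168.1.1, the 192.168.10.100 and 192.168.20.100 backends from the first post, a placeholder CA file path) and the sockstat-style listener snapshots are constructed for the example; the LAN address and nginx as the GUI's process name are assumptions, not facts from the thread.

```python
"""Check HAProxy bind lines against sockets already listening on the host.

Two TCP listeners collide when they share a port and either one is bound to
the wildcard address (HAProxy's "any", 0.0.0.0) or both use the same address.
Every address, port and sockstat line below is constructed for this example.
"""
import re

WILDCARDS = {"", "*", "0.0.0.0", "::", "[::]"}

# Constructed haproxy.cfg: one frontend with explicit binds on the LAN address
# (home clients) and on localhost (traffic the firewall port-forwards from the
# OpenVPN interface on 8080/8443). No wildcard bind, so the only possible
# collision is another service on the very same address and port.
HAPROXY_CFG = """
defaults
    mode http

frontend public
    bind 192.168.1.1:80
    bind 192.168.1.1:443 ssl crt /var/etc/haproxy/mydomain.pem
    bind 127.0.0.1:8080
    bind 127.0.0.1:8443 ssl crt /var/etc/haproxy/mydomain.pem
    http-request redirect scheme https unless { ssl_fc }
    use_backend nextcloud if { hdr(host) -i nextcloud.mydomain.com }
    use_backend www if { hdr(host) -i www.mydomain.com }

backend nextcloud
    # TLS is terminated here and re-encrypted to the host; ca-file is a placeholder
    server nc1 192.168.10.100:443 ssl verify required ca-file /path/to/internal-ca.pem

backend www
    server web1 192.168.20.100:443 ssl verify required ca-file /path/to/internal-ca.pem
"""

# Constructed `sockstat -4l` snapshot: the webConfigurator (nginx on pfSense)
# still owns the wildcard listeners on 80 and 443.
SOCKSTAT_BEFORE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   *:443                 *:*
root     nginx      1234  7  tcp4   *:80                  *:*
root     sshd       900   4  tcp4   *:22                  *:*
unbound  unbound    850   5  udp4   192.168.1.1:53        *:*
"""

# Same host after moving the GUI to ports nothing else needs.
SOCKSTAT_AFTER = SOCKSTAT_BEFORE.replace("*:443", "*:10443").replace("*:80", "*:10080")


def split_hostport(text: str) -> tuple[str, int]:
    """Split 'addr:port' into (address, port); wildcard forms normalize to '*'."""
    addr, _, port = text.rpartition(":")
    return ("*" if addr in WILDCARDS else addr), int(port)


def parse_binds(cfg: str) -> list[tuple[str, int]]:
    """Return (address, port) for every HAProxy `bind` line (`bind :443` is a wildcard)."""
    binds = []
    for line in cfg.splitlines():
        match = re.match(r"\s*bind\s+(\S+)", line)
        if match:
            binds.append(split_hostport(match.group(1)))
    return binds


def parse_sockstat(output: str) -> list[tuple[str, str, int]]:
    """Return (command, address, port) for each TCP listener in `sockstat -l` output."""
    listeners = []
    for line in output.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 6 or not fields[4].startswith("tcp"):
            continue
        addr, port = split_hostport(fields[5])
        listeners.append((fields[1], addr, port))
    return listeners


def overlaps(a: str, b: str) -> bool:
    """Same-port listeners collide if either address is the wildcard or both match."""
    return a == "*" or b == "*" or a == b


def find_conflicts(binds, listeners):
    """Pair every HAProxy bind with each existing listener it cannot coexist with."""
    return [
        (f"{baddr}:{bport}", f"{cmd} on {laddr}:{lport}")
        for baddr, bport in binds
        for cmd, laddr, lport in listeners
        if bport == lport and overlaps(baddr, laddr)
    ]


def check_config(cfg: str, sockstat_output: str) -> list[tuple[str, str]]:
    """Conflicts between the bind lines of `cfg` and the listeners in `sockstat_output`."""
    return find_conflicts(parse_binds(cfg), parse_sockstat(sockstat_output))


if __name__ == "__main__":
    for label, snapshot in (("before GUI remap", SOCKSTAT_BEFORE), ("after GUI remap", SOCKSTAT_AFTER)):
        print(f"{label}: {check_config(HAPROXY_CFG, snapshot) or 'no conflicts'}")
    # What the GUI's "any (IPv4)" choice produces: a wildcard bind, which collides
    # with the GUI's own 443 listener no matter which interface the client used.
    print("any:443 ->", find_conflicts([("*", 443)], parse_sockstat(SOCKSTAT_BEFORE)))
```

The check runs against the embedded snapshots as written. The point it makes is the one in the thread: moving the GUI off 443 (the "HTTPS port remap") is what frees the port, and the replacement port must itself be chosen so it does not land on 8080 or 8443, which the port-forwarded VPN traffic already uses.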
                      gelcom @stephenw10

                      @stephenw10 said in HAProxy with OpenVPN:

                      Set HA proxy to run on localhost. Add port forwards to the OpenVPN server interface to forward traffic to it. Add forwards to other interfaces as you need it.

                      Do you still have the pfSense webgui running on port 443? That will conflict with HAProxy if so.

                      Steve

                      Thanks. Port forward and pfSense HTTPS port remap did the trick.

                      Although this issue with VPN Interfaces not showing on the list made me change my pfSense standard port from 443 so I can set HAProxy to listen to "all" interfaces on port 443.

                      kind regards

                        stephenw10 Netgate Administrator

                        I note that it does show WireGuard interfaces so that might be an alternative.
                        I haven't tested that myself though.

                        Steve

                          gelcom @stephenw10

                          @stephenw10 said in HAProxy with OpenVPN:

                          I note that it does show WireGuard interfaces so that might be an alternative.
                          I haven't tested that myself though.

                          Steve

                          Thanks. I once heard that WireGuard implementation on pfSense is still "beta" and should not be used.

                          Is this absence of VPN interfaces in the HAProxy Frontend list a bug? Should I report it anywhere?

                          kind regards

                            stephenw10 Netgate Administrator

                            The WireGuard package is considered experimental because it has only recently been added and I'm sure there will be things discovered. I use it here though and have not seen any issues for a while now. The current package version seems good.

                            The lack of OpenVPN interfaces there is probably not a bug, more likely the presence of WG interfaces would be. However you can open a feature request to add them:
                            https://redmine.pfsense.org/projects/pfsense-packages

                            Steve

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.