Haproxy with OpenVPN
-
Hi Everyone,
I recently built my first pfSense router and it has been a good experience. I got OpenVPN setup rather easily, as well as various other settings. I have web server that accepts https requests on port 443, which is also the port I would like to run OpenVPN on. Now, I realize that I can use the port-share openVPN option for both of these to run on the same port, but what I found it is that with this configuration my apache web server sees all requests coming from the WAN as having the LAN IP address of my router, which doesn't work well for the IPS I have installed on apache, and monitoring logs for any irregularities.
Has anyone used HAProxy to send requests to a web server and to OpenVPN on the same port? I tried for a while and although I was able to successfully direct requests to the web server, the requests that were supposed to go to OpenVPN did not work. My clients were not able to connect to OpenVPN. I tried too many different configs to remember, and I actually needed to step away fora minute :'(
If anyone has done this, I'd appreciate any tips. I'm beyond my depth as I have never used OpenVPN nor HAproxy before a week ago.
Thank you.
-
Be sure to check if enabling 'X-Forwarded-for' in HAProxy will help you.
-
Thanks, I had that set to get the right IP in the apache logs, but I couldn't even connect to OpenVPN through haproxy which is the problem I'm trying to solve.
-
I don't have this working personally (i don't need it) but think i might be able to offer some help..
What does your haproxy.cfg file look like?
I assume you have configured to with mode https/tcp .?
Do you have openvpn as the default backend? And detecting other website domains with SNI to point to the other appropriate backends?
Also some really long timeouts configured?
Do you have health-checks configured? Are the servers all reported as 'up' on the stats page?
-
Below is where is the haproxy.cfg I left off with. I tried many different configs, non working.
My frontend is configured ssl/https (TCP) mode.
Openvpn is set as the default backend. And yes I'm SNI to detect other website domains to point to the appropriate backend. I do have pretty long timeout (600000) for my openvpn backend. The apache backend works fine as is.I had health checks configured and they were always down for the openvpn when I had it set to anything that actually tests the status. The Apache backend was always up. Right now I have health check disabled for the openvpn backend.
Thanks for any help. haproxy.cfg is below.
global maxconn 25 log /var/run/log local0 info stats socket /tmp/haproxy.socket level admin gid 80 nbproc 1 chroot /tmp/haproxy_chroot daemon listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats refresh 10 stats admin if TRUE stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend Frontend-Apache bind xx.xx.xx.252:443 name xx.xx.xx.252:443 mode tcp log global timeout client 30000 tcp-request inspect-delay 5s acl testsni req.ssl_sni -m sub -i subdomain.mydomain.com tcp-request content accept if { req.ssl_hello_type 1 } use_backend Firestorm-Apache_https_ipv4 if testsni default_backend OpenVPNBackend_https_ipv4 backend Firestorm-Apache_https_ipv4 mode tcp log global timeout connect 30000 timeout server 30000 retries 3 source ipv4@ usesrc clientip option httpchk OPTIONS / server FirestormApache xxx.xxx.xx.107:443 check-ssl check inter 1000 verify none backend OpenVPNBackend_https_ipv4 mode tcp log global option log-health-checks timeout connect 600000 timeout server 600000 retries 10 source ipv4@ usesrc clientip server OpenVPN 127.0.0.1:443
-
Can you try without the "source ipv4@ usesrc clientip" 'transparent clientip' option on the backend?
Edit:
Also try increasing client timeout a bit.
-
I have tried both with the clientip option on and off and no difference. I tried increasing the client timeout to 100000.
From my openvpn logs, it doesn't even appear to be connecting to openvpn at all. I'll try turning up the logging on that.
-
Any other programs listening on :443 ? (check under diagnostics\sockets..) Perhaps try configuring both backend and openvpn to listen on a different port.?
And openvpn is listening on the 127.0.0.1:443 address? (is its interface set to 'localhost'?)
-
Yes, nothing else listening on that port. Ive tried a few different ports, even setting up openvpn all over again on a different port and using that. This is why I've been perplexed and wondering if anyone else has done this on pfsense because I'm definitely missing something. I've tried the lan, wan and and localhost as the ip for openvpn. I'll go verify what it is actually set to listen in when i get back home.
-
Well, if I remember correctly, 'shared port' OpenVPN works by 'fail-back' to some web server in case incoming packets is not OpenVPN connection request.
So proper scheme should be:
WAN:443 => OpenVPN Server => WebServer.
So - move your HAProxy FE to some other port, check you could connect to OpenVPN, add port-share ip port to OVPN Server config.OR
Use this guide http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
But it will require much more work than simple port-share.
-
Ive gotten openvpn port share to work, but as I said earlier i don't want to use that because it hides the real client ip from my IPS and doesn't seem to support X-FORWARDED-FOR to send the real IP. This is why I'm trying a different method of sharing the port. I'll take alook at the link ylu reference.
-
It is hard to keep in mind all nuances in all threads :D
I never had to use that guide, but as I can see - this exactly what you need, working OVPN as one of backends and X-Forwarded for web requests.