Netgate Discussion Forum

Haproxy with OpenVPN

newlinux:

Hi Everyone,

I recently built my first pfSense router and it has been a good experience. I got OpenVPN set up rather easily, as well as various other settings. I have a web server that accepts https requests on port 443, which is also the port I would like to run OpenVPN on. Now, I realize that I can use the port-share OpenVPN option for both of these to run on the same port, but what I found is that with this configuration my apache web server sees all requests coming from the WAN as having the LAN IP address of my router, which doesn't work well for the IPS I have installed on apache, and for monitoring logs for any irregularities.

Has anyone used HAProxy to send requests to a web server and to OpenVPN on the same port? I tried for a while and although I was able to successfully direct requests to the web server, the requests that were supposed to go to OpenVPN did not work. My clients were not able to connect to OpenVPN. I tried too many different configs to remember, and I actually needed to step away for a minute :'(

If anyone has done this, I'd appreciate any tips. I'm beyond my depth as I have never used OpenVPN nor HAProxy before a week ago.

Thank you.
Soyokaze:

Be sure to check if enabling 'X-Forwarded-for' in HAProxy will help you.

Need full pfSense in a cloud? PM for details!
newlinux:

Thanks, I had that set to get the right IP in the apache logs, but I couldn't even connect to OpenVPN through haproxy, which is the problem I'm trying to solve.
PiBa:

I don't have this working personally (I don't need it) but think I might be able to offer some help.

What does your haproxy.cfg file look like?
I assume you have configured it with mode https/tcp?
Do you have openvpn as the default backend? And detecting other website domains with SNI to point to the other appropriate backends?
Also some really long timeouts configured?
Do you have health-checks configured? Are the servers all reported as 'up' on the stats page?
newlinux:

Below is the haproxy.cfg I left off with. I tried many different configs, none working.

My frontend is configured in ssl/https (TCP) mode.
OpenVPN is set as the default backend. And yes, I'm using SNI to detect other website domains to point to the appropriate backend. I do have a pretty long timeout (600000) for my openvpn backend. The apache backend works fine as is.

I had health checks configured and they were always down for the openvpn backend when I had it set to anything that actually tests the status. The Apache backend was always up. Right now I have health check disabled for the openvpn backend.

Thanks for any help. haproxy.cfg is below.
global
    maxconn                 25
    log                     /var/run/log    local0  info
    stats socket /tmp/haproxy.socket level admin
    gid                     80
    nbproc                  1
    chroot                  /tmp/haproxy_chroot
    daemon

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

# TCP-mode frontend: TLS is passed through, routing decided on the SNI in the ClientHello
frontend Frontend-Apache
    bind                    xx.xx.xx.252:443 name xx.xx.xx.252:443
    mode                    tcp
    log                     global
    timeout client          30000
    tcp-request inspect-delay       5s
    acl                     testsni req.ssl_sni -m sub -i subdomain.mydomain.com
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend Firestorm-Apache_https_ipv4  if  testsni
    # anything without a matching SNI (including OpenVPN clients) lands here
    default_backend OpenVPNBackend_https_ipv4

backend Firestorm-Apache_https_ipv4
    mode                    tcp
    log                     global
    timeout connect         30000
    timeout server          30000
    retries                 3
    source ipv4@ usesrc clientip
    option                  httpchk OPTIONS /
    server                  FirestormApache xxx.xxx.xx.107:443 check-ssl check inter 1000  verify none

backend OpenVPNBackend_https_ipv4
    mode                    tcp
    log                     global
    option                  log-health-checks
    timeout connect         600000
    timeout server          600000
    retries                 10
    source ipv4@ usesrc clientip
    # health check disabled on this server (see post above)
    server                  OpenVPN 127.0.0.1:443

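To make the routing rule in this frontend concrete, here is an added example (not code from the thread or from HAProxy) that models what `tcp-request content accept if { req.ssl_hello_type 1 }` and `req.ssl_sni -m sub -i subdomain.mydomain.com` decide on the first bytes of a TCP connection. It parses a TLS ClientHello far enough to read the SNI extension and applies the same rule: a substring, case-insensitive match sends the connection to the Apache backend, and anything else, including bytes that are not a TLS handshake at all, falls through to the default OpenVPN backend. The backend names and the SNI needle are taken from the config above; the sample OpenVPN first packet is a constructed approximation of an OpenVPN-over-TCP hard-reset (2-byte length prefix followed by an opcode byte), used only to show that a non-TLS client never matches the SNI ACL.

```python
"""Added example: model of the SNI-based backend selection used in the
HAProxy frontend above. Not part of the original post."""
import struct

APACHE_BACKEND = "Firestorm-Apache_https_ipv4"      # from the posted haproxy.cfg
OPENVPN_BACKEND = "OpenVPNBackend_https_ipv4"       # default_backend in the cfg
SNI_NEEDLE = "subdomain.mydomain.com"               # acl testsni ... -m sub -i


def parse_client_hello_sni(data: bytes):
    """Return the host_name from a TLS ClientHello's SNI extension,
    None if the extension is absent, and raise ValueError when the bytes
    are not a complete TLS ClientHello (what req.ssl_hello_type 1 tests)."""
    if len(data) < 5 or data[0] != 0x16:             # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("truncated record")         # HAProxy keeps waiting (inspect-delay)
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:                    # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                               # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                                # compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                               # extension 0 = server_name
            names = body[pos + 2:pos + elen]         # skip the 2-byte list length
            if names and names[0] == 0:              # name_type 0 = host_name
                nlen = struct.unpack("!H", names[1:3])[0]
                return names[3:3 + nlen].decode("ascii")
        pos += elen
    return None


def choose_backend(first_bytes: bytes) -> str:
    """Apply the frontend's rule: SNI substring match -> Apache, else default."""
    try:
        sni = parse_client_hello_sni(first_bytes)
    except ValueError:
        return OPENVPN_BACKEND                       # non-TLS client: default backend
    if sni and SNI_NEEDLE in sni.lower():            # -m sub -i: case-insensitive substring
        return APACHE_BACKEND
    return OPENVPN_BACKEND


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying a single SNI entry."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: OpenVPN-over-TCP framing is a 2-byte length followed by the
# packet, whose first byte packs opcode and key id; it never starts with 0x16.
OPENVPN_TCP_RESET = b"\x00\x0e\x38" + b"\x00" * 13

if __name__ == "__main__":
    for label, first in [("apache", build_client_hello("subdomain.mydomain.com")),
                         ("other tls", build_client_hello("other.example")),
                         ("openvpn", OPENVPN_TCP_RESET)]:
        print(f"{label:>10}: {choose_backend(first)}")
```

Two points this makes visible: the SNI ACL can only ever match a TLS ClientHello, so an OpenVPN client (which does not speak TLS on the wire at this layer) always reaches the default backend, and in `mode tcp` HAProxy never parses HTTP inside the TLS stream, so an `X-Forwarded-For` header cannot be inserted here; that is why the posted config relies on `source ... usesrc clientip` to preserve the client address instead.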
PiBa:

Can you try without the "source ipv4@ usesrc clientip" 'transparent clientip' option on the backend?

Edit:
Also try increasing the client timeout a bit.
newlinux:

I have tried both with the clientip option on and off and no difference. I tried increasing the client timeout to 100000.
From my openvpn logs, it doesn't even appear to be connecting to openvpn at all. I'll try turning up the logging on that.
PiBa:

Any other programs listening on :443? (check under diagnostics\sockets) Perhaps try configuring both the backend and openvpn to listen on a different port?
And openvpn is listening on the 127.0.0.1:443 address? (is its interface set to 'localhost'?)
newlinux:

Yes, nothing else listening on that port. I've tried a few different ports, even setting up openvpn all over again on a different port and using that. This is why I've been perplexed and wondering if anyone else has done this on pfsense, because I'm definitely missing something. I've tried the lan, wan and localhost as the ip for openvpn. I'll go verify what it is actually set to listen on when I get back home.
Soyokaze:

Well, if I remember correctly, 'shared port' OpenVPN works by 'fail-back' to some web server in case the incoming packet is not an OpenVPN connection request.
So the proper scheme should be:
WAN:443 => OpenVPN Server => WebServer.
So - move your HAProxy FE to some other port, check you could connect to OpenVPN, add port-share ip port to the OVPN Server config.

OR

Use this guide http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
But it will require much more work than simple port-share.
newlinux:

I've gotten openvpn port share to work, but as I said earlier I don't want to use that because it hides the real client ip from my IPS and doesn't seem to support X-FORWARDED-FOR to send the real IP. This is why I'm trying a different method of sharing the port. I'll take a look at the link you referenced.
Soyokaze:

It is hard to keep in mind all nuances in all threads :D
I never had to use that guide, but as I can see, this is exactly what you need: working OVPN as one of the backends and X-Forwarded-For for web requests.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.