Haproxy with OpenVPN

  • Hi Everyone,

    I recently built my first pfSense router and it has been a good experience. I got OpenVPN set up rather easily, as well as various other settings. I have a web server that accepts https requests on port 443, which is also the port I would like to run OpenVPN on. Now, I realize that I can use the port-share OpenVPN option for both of these to run on the same port, but what I found is that with this configuration my apache web server sees all requests coming from the WAN as having the LAN IP address of my router, which doesn't work well for the IPS I have installed on apache, and monitoring logs for any irregularities.

    Has anyone used HAProxy to send requests to a web server and to OpenVPN on the same port? I tried for a while and although I was able to successfully direct requests to the web server, the requests that were supposed to go to OpenVPN did not work. My clients were not able to connect to OpenVPN. I tried too many different configs to remember, and I actually needed to step away for a minute :'(

    If anyone has done this, I'd appreciate any tips. I'm beyond my depth as I have never used OpenVPN nor HAproxy before a week ago.

    Thank you.

  • Be sure to check if enabling 'X-Forwarded-for' in HAProxy will help you.

  • Thanks, I had that set to get the right IP in the apache logs, but I couldn't even connect to OpenVPN through haproxy which is the problem I'm trying to solve.

  • I don't have this working personally (I don't need it) but think I might be able to offer some help.

    What does your haproxy.cfg file look like?
    I assume you have configured it with mode https/tcp?
    Do you have openvpn as the default backend? And detecting other website domains with SNI to point to the other appropriate backends?
    Also some really long timeouts configured?
    Do you have health-checks configured? Are the servers all reported as 'up' on the stats page?

  • Below is the haproxy.cfg I left off with. I tried many different configs, none working.

    My frontend is configured ssl/https (TCP) mode.
    Openvpn is set as the default backend. And yes, I'm using SNI to detect other website domains to point to the appropriate backend. I do have a pretty long timeout (600000) for my openvpn backend. The apache backend works fine as is.

    I had health checks configured and they were always down for the openvpn when I had it set to anything that actually tests the status. The Apache backend was always up. Right now I have health check disabled for the openvpn backend.

    Thanks for any help. haproxy.cfg is below.

    global
            maxconn                 25
            log                     /var/run/log    local0  info
            stats socket /tmp/haproxy.socket level admin
            gid                     80
            nbproc                  1
            chroot                  /tmp/haproxy_chroot
    listen HAProxyLocalStats
            bind name localstats
            mode http
            stats enable
            stats refresh 10
            stats admin if TRUE
            stats uri /haproxy/haproxy_stats.php?haproxystats=1
            timeout client 5000
            timeout connect 5000
            timeout server 5000
    frontend Frontend-Apache
            bind                    xx.xx.xx.252:443 name xx.xx.xx.252:443   
            mode                    tcp
            log                     global
            timeout client          30000
            tcp-request inspect-delay       5s
            acl                     testsni req.ssl_sni -m sub -i subdomain.mydomain.com
            tcp-request content accept if { req.ssl_hello_type 1 }
            use_backend Firestorm-Apache_https_ipv4  if  testsni 
            default_backend OpenVPNBackend_https_ipv4
    backend Firestorm-Apache_https_ipv4
            mode                    tcp
            log                     global
            timeout connect         30000
            timeout server          30000
            retries                 3
            source ipv4@ usesrc clientip
            option                  httpchk OPTIONS / 
            server                  FirestormApache xxx.xxx.xx.107:443 check-ssl check inter 1000  verify none 
    backend OpenVPNBackend_https_ipv4
            mode                    tcp
            log                     global
            option                  log-health-checks
            timeout connect         600000
            timeout server          600000
            retries                 10
            source ipv4@ usesrc clientip
            server                  OpenVPN  
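
An added illustration (not code from the thread or from HAProxy) of what the frontend posted above has to tell apart on port 443: a TLS ClientHello, which carries an SNI name, and the first packet of an OpenVPN client in TCP mode, which is not TLS and so falls through to the default backend. The function names and both sample byte strings are constructed for this example; the backend names and the SNI substring are the ones in the posted config.

```python
import struct

APACHE, OPENVPN = "Firestorm-Apache_https_ipv4", "OpenVPNBackend_https_ipv4"
# First opcodes an OpenVPN client can send (upper 5 bits of the opcode byte).
OVPN_RESETS = {1: "HARD_RESET_CLIENT_V1", 7: "HARD_RESET_CLIENT_V2",
               10: "HARD_RESET_CLIENT_V3"}

def parse_sni(buf):
    """Walk a TLS ClientHello record and return its SNI host name, or None."""
    p = 5 + 4 + 2 + 32        # record header, handshake header, version, random
    try:
        p += 1 + buf[p]                                     # session id
        p += 2 + struct.unpack_from("!H", buf, p)[0]        # cipher suites
        p += 1 + buf[p]                                     # compression methods
        end = p + 2 + struct.unpack_from("!H", buf, p)[0]   # end of extensions
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", buf, p)
            if ext_type == 0: # server_name: list len(2), type(1), name len(2)
                n = struct.unpack_from("!H", buf, p + 7)[0]
                return buf[p + 9:p + 9 + n].decode("ascii")
            p += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                  # truncated or malformed hello: treat as no SNI
    return None

def classify(buf, sni_sub="subdomain.mydomain.com"):
    """Return (protocol, detail, backend) the way the posted frontend routes."""
    if len(buf) >= 6 and buf[0] == 0x16 and buf[1] == 0x03 and buf[5] == 0x01:
        sni = parse_sni(buf)
        hit = sni is not None and sni_sub in sni.lower()    # '-m sub -i'
        return ("tls", sni, APACHE if hit else OPENVPN)
    if len(buf) >= 3:         # OpenVPN over TCP: 2-byte length, then opcode
        plen, opcode = struct.unpack_from("!H", buf)[0], buf[2] >> 3
        if opcode in OVPN_RESETS and 14 <= plen <= len(buf) - 2:
            return ("openvpn", OVPN_RESETS[opcode], OPENVPN)
    return ("unknown", None, OPENVPN)                       # default_backend

def sample_client_hello(host):
    """Constructed minimal ClientHello carrying only an SNI extension."""
    name = host.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed OpenVPN P_CONTROL_HARD_RESET_CLIENT_V2 (no tls-auth), TCP framing.
SAMPLE_OVPN = b"\x00\x0e\x38" + bytes(range(1, 9)) + b"\x00" + bytes(4)
```

Running `classify()` on the first bytes of a captured connection shows which branch a given client would take; a TLS client whose SNI does not contain the configured substring is sent to the OpenVPN backend, exactly as the `default_backend` line dictates.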

  • Can you try without the "source ipv4@ usesrc clientip" 'transparent clientip' option on the backend?

    Also try increasing client timeout a bit.

  • I have tried both with the clientip option on and off and no difference.  I tried increasing the client timeout to 100000.
    From my openvpn logs, it doesn't even appear to be connecting to openvpn at all. I'll try turning up the logging on that.

  • Any other programs listening on :443? (check under diagnostics\sockets) Perhaps try configuring both backend and openvpn to listen on a different port?
    And openvpn is listening on the address? (is its interface set to 'localhost'?)

  • Yes, nothing else listening on that port. I've tried a few different ports, even setting up openvpn all over again on a different port and using that. This is why I've been perplexed and wondering if anyone else has done this on pfsense because I'm definitely missing something. I've tried the lan, wan and localhost as the ip for openvpn. I'll go verify what it is actually set to listen on when I get back home.

  • Well, if I remember correctly, 'shared port' OpenVPN works by 'fail-back' to some web server in case the incoming packets are not an OpenVPN connection request.
    So proper scheme should be:
    WAN:443 => OpenVPN Server => WebServer.
    So - move your HAProxy FE to some other port, check you could connect to OpenVPN, add port-share ip port to OVPN Server config.


    Use this guide http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
    But it will require much more work than simple port-share.

  • I've gotten openvpn port share to work, but as I said earlier I don't want to use that because it hides the real client ip from my IPS and doesn't seem to support X-FORWARDED-FOR to send the real IP. This is why I'm trying a different method of sharing the port. I'll take a look at the link you reference.

  • It is hard to keep in mind all nuances in all threads :D
    I never had to use that guide, but as I can see - this is exactly what you need, working OVPN as one of backends and X-Forwarded for web requests.
