Netgate Discussion Forum

    Haproxy with OpenVPN

    Category: Cache/Proxy
    12 Posts 3 Posters 10.8k Views
      Soyokaze

      Be sure to check if enabling 'X-Forwarded-for' in HAProxy will help you.

      Need full pfSense in a cloud? PM for details!

        newlinux

        Thanks, I had that set to get the right IP in the apache logs, but I couldn't even connect to OpenVPN through haproxy which is the problem I'm trying to solve.

          PiBa

          I don't have this working personally (I don't need it), but I think I might be able to offer some help.

          What does your haproxy.cfg file look like?
          I assume you have configured it with mode https/tcp?
          Do you have OpenVPN as the default backend, and are you detecting the other website domains with SNI to point them at the appropriate backends?
          Also some really long timeouts configured?
          Do you have health-checks configured? Are the servers all reported as 'up' on the stats page?

            newlinux

            Below is the haproxy.cfg I left off with. I tried many different configs, none working.

            My frontend is configured in ssl/https (TCP) mode.
            OpenVPN is set as the default backend, and yes, I'm using SNI to detect the other website domains and point them at the appropriate backend. I do have a pretty long timeout (600000) for my OpenVPN backend. The Apache backend works fine as is.

            I had health checks configured, and they were always down for OpenVPN when I had them set to anything that actually tests the status. The Apache backend was always up. Right now I have health checks disabled for the OpenVPN backend.

            Thanks for any help. haproxy.cfg is below.

            global
                    maxconn                 25
                    log                     /var/run/log    local0  info
                    stats socket /tmp/haproxy.socket level admin
                    gid                     80
                    nbproc                  1
                    chroot                  /tmp/haproxy_chroot
                    daemon

            # pfSense package stats page, bound to loopback only
            listen HAProxyLocalStats
                    bind 127.0.0.1:2200 name localstats
                    mode http
                    stats enable
                    stats refresh 10
                    stats admin if TRUE
                    stats uri /haproxy/haproxy_stats.php?haproxystats=1
                    timeout client 5000
                    timeout connect 5000
                    timeout server 5000

            # Single TCP-mode frontend on :443; TLS is passed through, not terminated here
            frontend Frontend-Apache
                    bind                    xx.xx.xx.252:443 name xx.xx.xx.252:443
                    mode                    tcp
                    log                     global
                    timeout client          30000
                    # hold the connection up to 5s waiting for data to inspect
                    tcp-request inspect-delay       5s
                    # case-insensitive substring match on the TLS SNI for the web host
                    acl                     testsni req.ssl_sni -m sub -i subdomain.mydomain.com
                    # stop waiting as soon as a TLS ClientHello (handshake type 1) has arrived
                    tcp-request content accept if { req.ssl_hello_type 1 }

                    use_backend Firestorm-Apache_https_ipv4  if  testsni
                    # everything that did not match the SNI rule is sent to OpenVPN
                    default_backend OpenVPNBackend_https_ipv4

            backend Firestorm-Apache_https_ipv4
                    mode                    tcp
                    log                     global
                    timeout connect         30000
                    timeout server          30000
                    retries                 3
                    # transparent proxying: connect to the server from the client's source IP
                    source ipv4@ usesrc clientip
                    # HTTPS health check; the server certificate is not verified
                    option                  httpchk OPTIONS /
                    server                  FirestormApache xxx.xxx.xx.107:443 check-ssl check inter 1000  verify none

            backend OpenVPNBackend_https_ipv4
                    mode                    tcp
                    log                     global
                    option                  log-health-checks
                    timeout connect         600000
                    timeout server          600000
                    retries                 10
                    source ipv4@ usesrc clientip
                    # OpenVPN listening on loopback; no health check configured on this server
                    server                  OpenVPN 127.0.0.1:443
            
            
              PiBa

              Can you try without the "source ipv4@ usesrc clientip" 'transparent clientip' option on the backend?

              Edit:
              Also try increasing client timeout a bit.

                newlinux

                I have tried with the clientip option both on and off, and there is no difference. I tried increasing the client timeout to 100000.
                From my OpenVPN logs, it doesn't even appear to be connecting to OpenVPN at all. I'll try turning up the logging on that.

                  PiBa

                  Any other programs listening on :443? (Check under Diagnostics > Sockets.) Perhaps try configuring both the backend and OpenVPN to listen on a different port?
                  And is OpenVPN listening on 127.0.0.1:443? (Is its interface set to 'localhost'?)

                    newlinux

                    Yes, nothing else is listening on that port. I've tried a few different ports, even setting up OpenVPN all over again on a different port and using that. This is why I've been perplexed and wondering if anyone else has done this on pfSense, because I'm definitely missing something. I've tried the LAN, WAN and localhost as the IP for OpenVPN. I'll go verify what it is actually set to listen on when I get back home.

                      Soyokaze

                      Well, if I remember correctly, 'shared port' OpenVPN works by falling back to some web server in case the incoming packet is not an OpenVPN connection request.
                      So the proper scheme should be:
                      WAN:443 => OpenVPN Server => WebServer.
                      So move your HAProxy frontend to some other port, check that you can connect to OpenVPN, and add port-share ip port to the OpenVPN server config.

                      OR

                      Use this guide http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
                      But it will require much more work than a simple port-share.

                        newlinux
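                      Both approaches discussed in this thread rest on the same trick: the frontend looks at the first few bytes of the TCP stream and decides which protocol it is. HAProxy's `req.ssl_hello_type 1` / `req.ssl_sni` fetches in newlinux's haproxy.cfg above do that for TLS, and OpenVPN's port-share does it for OpenVPN, proxying anything that does not look like an OpenVPN hard reset to the configured web server. The Python below is an added example, not code from this thread or from HAProxy or OpenVPN; it reuses the backend names from the posted haproxy.cfg, and the ClientHello and OpenVPN packet it classifies are constructed samples.

```python
"""First-bytes protocol demultiplexer: TLS ClientHello (with SNI) vs OpenVPN over TCP.

Added example, not code from the thread.  Mirrors the decision HAProxy makes with
``req.ssl_hello_type 1`` / ``req.ssl_sni`` and the check OpenVPN ``port-share``
performs on a new TCP connection before handling it itself or proxying it on.
"""
import struct

# Backend names reused from the haproxy.cfg posted above (assumed topology).
SNI_ROUTES = {"subdomain.mydomain.com": "Firestorm-Apache_https_ipv4"}
DEFAULT_BACKEND = "OpenVPNBackend_https_ipv4"

# OpenVPN control-channel opcodes (top 5 bits of the byte after the 2-byte TCP length prefix).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10
TLS_HANDSHAKE_RECORD = 0x16
TLS_CLIENT_HELLO = 0x01


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record whose first message is a ClientHello."""
    return (len(data) >= 6 and data[0] == TLS_HANDSHAKE_RECORD
            and data[1] == 0x03            # record-layer major version 3 (SSLv3/TLS 1.x)
            and data[5] == TLS_CLIENT_HELLO)


def is_openvpn_hard_reset(data: bytes) -> bool:
    """True if data looks like the first OpenVPN TCP packet: 2-byte length, then a hard-reset opcode."""
    if len(data) < 3:
        return False
    (length,) = struct.unpack("!H", data[:2])
    opcode = data[2] >> 3
    # A client hard reset is 14 bytes without tls-auth/tls-crypt, a few dozen more with them.
    # A TLS record misread as a length field would be 0x1603 = 5635, so the bound excludes it.
    return 14 <= length <= 512 and opcode in (P_CONTROL_HARD_RESET_CLIENT_V2,
                                               P_CONTROL_HARD_RESET_CLIENT_V3)


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None (what req.ssl_sni fetches)."""
    if not is_tls_client_hello(data):
        return None
    pos = 5 + 4 + 2 + 32                   # record header, handshake header, client_version, random
    if len(data) < pos + 1:
        return None
    pos += 1 + data[pos]                   # session_id
    if len(data) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    if len(data) < pos + 1:
        return None
    pos += 1 + data[pos]                   # compression_methods
    if len(data) < pos + 2:
        return None                        # no extensions block
    end = min(pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0], len(data))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if ext_type == 0 and pos + 5 <= end:           # server_name: list_len(2) name_type(1) len(2) host
            name_type = data[pos + 2]
            name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            if name_type == 0 and pos + 5 + name_len <= end:
                return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            return None
        pos += ext_len
    return None


def choose_backend(first_bytes: bytes, sni_routes=SNI_ROUTES, default_backend=DEFAULT_BACKEND):
    """Routing decision of the posted frontend: SNI substring match -> web backend, else default."""
    if is_tls_client_hello(first_bytes):
        sni = (extract_sni(first_bytes) or "").lower()
        for needle, backend in sni_routes.items():
            if needle.lower() in sni:                  # '-m sub -i' in the haproxy.cfg above
                return "tls", backend
        return "tls", default_backend
    if is_openvpn_hard_reset(first_bytes):
        return "openvpn", default_backend
    return "unknown", default_backend                  # HAProxy also falls through after inspect-delay


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension."""
    host = hostname.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                   # client_version, random (zeros: sample data)
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
            + b"\x01\x00"                             # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_openvpn_hard_reset(key_id: int = 0) -> bytes:
    """Constructed first OpenVPN TCP packet: opcode 7, 8-byte session id, empty ack array, packet id."""
    payload = (bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | key_id])
               + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00")
    return struct.pack("!H", len(payload)) + payload   # length prefix = 14 without tls-auth


if __name__ == "__main__":
    for sample in (build_client_hello("subdomain.mydomain.com"), build_client_hello("other.example"),
                   build_openvpn_hard_reset(), b"GET / HTTP/1.1\r\n"):
        print(sample[:6].hex(), "->", choose_backend(sample))
```

                      Two things the example makes visible. The first OpenVPN packet is not a TLS record (a 2-byte length prefix, then an opcode byte), so `req.ssl_hello_type 1` can never match it; in a TCP-mode frontend that rule only ends the wait early, and a connection it does not match is held for the full `tcp-request inspect-delay` before falling through to the default backend. And whichever component does the demultiplexing (HAProxy in tcp mode, or OpenVPN port-share) is passing the TLS session through untouched, so it cannot insert X-Forwarded-For; the web server sees the proxy's source address unless the proxy terminates TLS in http mode or hands the client address over with the PROXY protocol.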

                        I've gotten OpenVPN port-share to work, but as I said earlier, I don't want to use that because it hides the real client IP from my IPS and doesn't seem to support X-Forwarded-For to send the real IP. This is why I'm trying a different method of sharing the port. I'll take a look at the link you referenced.

                          Soyokaze

                          It is hard to keep in mind all the nuances in all threads :D
                          I never had to use that guide, but as far as I can see, this is exactly what you need: working OpenVPN as one of the backends and X-Forwarded-For for web requests.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.