Haproxy with OpenVPN
-
Be sure to check whether enabling 'X-Forwarded-For' in HAProxy will help you.
-
Thanks, I had that set to get the right IP in the Apache logs, but I couldn't even connect to OpenVPN through HAProxy, which is the problem I'm trying to solve.
-
I don't have this working personally (I don't need it), but I think I might be able to offer some help.
What does your haproxy.cfg file look like?
I assume you have configured it with mode https/tcp?
Do you have OpenVPN as the default backend, and are you detecting the other website domains with SNI to point them to the appropriate backends?
Also, some really long timeouts configured?
Do you have health checks configured? Are the servers all reported as 'up' on the stats page?
-
Below is the haproxy.cfg I left off with. I tried many different configs, none working.
My frontend is configured in ssl/https (TCP) mode.
OpenVPN is set as the default backend, and yes, I'm using SNI to detect the other website domains and point them to the appropriate backend. I do have a pretty long timeout (600000) for my OpenVPN backend. The Apache backend works fine as is. I had health checks configured, and they were always down for OpenVPN when I set them to anything that actually tests the status. The Apache backend was always up. Right now I have the health check disabled for the OpenVPN backend.
Thanks for any help. haproxy.cfg is below.

    global
        maxconn 25
        log /var/run/log local0 info
        stats socket /tmp/haproxy.socket level admin gid 80
        nbproc 1
        chroot /tmp/haproxy_chroot
        daemon

    # Local stats page (pfSense HAProxy package style)
    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats refresh 10
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    # Shared TCP/443 listener: peeks at the TLS ClientHello and routes on SNI
    frontend Frontend-Apache
        bind xx.xx.xx.252:443 name xx.xx.xx.252:443
        mode tcp
        log global
        timeout client 30000
        tcp-request inspect-delay 5s
        acl testsni req.ssl_sni -m sub -i subdomain.mydomain.com
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend Firestorm-Apache_https_ipv4 if testsni
        # Anything that does not match the SNI ACL is sent to OpenVPN
        default_backend OpenVPNBackend_https_ipv4

    backend Firestorm-Apache_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        # Transparent proxying: the server sees the real client IP as the source
        source ipv4@ usesrc clientip
        option httpchk OPTIONS /
        server FirestormApache xxx.xxx.xx.107:443 check-ssl check inter 1000 verify none

    backend OpenVPNBackend_https_ipv4
        mode tcp
        log global
        option log-health-checks
        # Long timeouts: an OpenVPN TCP session is one long-lived connection
        timeout connect 600000
        timeout server 600000
        retries 10
        # Transparent proxying towards a server on loopback; health check disabled
        source ipv4@ usesrc clientip
        server OpenVPN 127.0.0.1:443
-
Can you try without the "source ipv4@ usesrc clientip" ('transparent clientip') option on the backend?
Edit:
Also try increasing the client timeout a bit.
-
I have tried both with the clientip option on and off, and there is no difference. I tried increasing the client timeout to 100000.
From my OpenVPN logs, it doesn't even appear to be connecting to OpenVPN at all. I'll try turning up the logging on that.
-
Any other programs listening on :443? (Check under Diagnostics > Sockets.) Perhaps try configuring both the backend and OpenVPN to listen on a different port?
And OpenVPN is listening on the 127.0.0.1:443 address? (Is its interface set to 'localhost'?)
-
Yes, nothing else is listening on that port. I've tried a few different ports, even setting up OpenVPN all over again on a different port and using that. This is why I've been perplexed and wondering whether anyone else has done this on pfSense, because I'm definitely missing something. I've tried the LAN, WAN and localhost as the IP for OpenVPN. I'll go verify what it is actually set to listen on when I get back home.
-
Well, if I remember correctly, 'shared port' OpenVPN works by 'failing back' to some web server in case the incoming packets are not an OpenVPN connection request.
So the proper scheme should be:
WAN:443 => OpenVPN Server => WebServer.
So: move your HAProxy FE to some other port, check that you can connect to OpenVPN, and add port-share ip port to the OVPN server config.
OR
Use this guide http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
But it will require much more work than a simple port-share.
-
I've gotten OpenVPN port-share to work, but as I said earlier, I don't want to use that because it hides the real client IP from my IPS and doesn't seem to support X-Forwarded-For to send the real IP. This is why I'm trying a different method of sharing the port. I'll take a look at the link you referenced.
-
It is hard to keep in mind all the nuances in all the threads :D
I never had to use that guide, but as far as I can see, this is exactly what you need: OVPN working as one of the backends, and X-Forwarded-For for the web requests.
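The scheme the last reply points at (OpenVPN as one backend of a shared TCP/443 listener, X-Forwarded-For for the web requests) in one haproxy.cfg, as an added example. This is not the poster's config or the content of the linked guide; the addresses 203.0.113.10, 192.0.2.20, the SNI www.example.com, the certificate path and the OpenVPN listener 127.0.0.1:1194 are assumptions. The key point is that X-Forwarded-For can only be set in an HTTP-mode frontend, so the SNI-matched web traffic is looped back into a second, TLS-terminating frontend, while everything that is not a TLS ClientHello for that name falls through to OpenVPN.

```haproxy
# Added example (not the thread's config): share TCP/443 between OpenVPN and a
# web site, terminating the site's TLS in HAProxy so X-Forwarded-For can be set.
# Assumed values: 203.0.113.10 (public IP), www.example.com (web SNI),
# 192.0.2.20:80 (Apache), 127.0.0.1:1194 (OpenVPN, proto tcp-server),
# /etc/haproxy/certs/www.example.com.pem (cert + key in one file).

global
    log /dev/log local0          # syslog socket path differs per OS
    maxconn 2000
    daemon

defaults
    log global
    option dontlognull
    timeout connect 5s
    timeout client 1m
    timeout server 1m

# 1. Public listener: plain TCP, only peeks at the client's first bytes.
frontend shared_443
    bind 203.0.113.10:443
    mode tcp
    option tcplog
    # OpenVPN TCP sessions are long-lived; do not idle them out after 1m.
    timeout client 10m
    # Wait up to 5s for the first bytes before routing.
    tcp-request inspect-delay 5s
    # Stop waiting as soon as a TLS ClientHello has been seen.
    tcp-request content accept if { req.ssl_hello_type 1 }
    # TLS carrying the site's SNI -> the local HTTPS frontend below.
    use_backend loop_to_https if { req.ssl_sni -i www.example.com }
    # Anything else (OpenVPN's non-TLS first packet, unknown SNI) -> OpenVPN.
    default_backend openvpn_tcp

# 2. Hop back into this HAProxy over loopback. PROXY protocol carries the real
#    client address across the hop, so the HTTP frontend still knows who connected.
backend loop_to_https
    mode tcp
    server local_https 127.0.0.1:8443 send-proxy-v2

# 3. TLS termination for the web site, in HTTP mode so headers can be edited.
frontend web_https
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/www.example.com.pem accept-proxy
    mode http
    option httplog
    # Adds X-Forwarded-For with the client IP learned via the PROXY header.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend apache

backend apache
    mode http
    option httpchk OPTIONS /
    server apache1 192.0.2.20:80 check inter 2s

# 4. OpenVPN, reached over loopback. A bare 'check' is a TCP connect, which an
#    OpenVPN TCP listener answers; an HTTP or SSL check would always report DOWN.
backend openvpn_tcp
    mode tcp
    timeout server 10m
    server openvpn 127.0.0.1:1194 check
```

The matching OpenVPN server side is `proto tcp-server`, `local 127.0.0.1`, `port 1194`; OpenVPN's first TCP packet is not a TLS record, so `req.ssl_hello_type` and `req.ssl_sni` evaluate false for it and it is routed to `openvpn_tcp` without waiting out the inspect delay. The thread's `source ipv4@ usesrc clientip` is deliberately left out: with the server on 127.0.0.1, replies addressed to the spoofed client IP would not come back through HAProxy. The trade-off is that Apache gets the real client IP in X-Forwarded-For, but OpenVPN (and an IPS watching its listener) still sees 127.0.0.1 as the peer; the real address is only in HAProxy's tcplog line for that connection.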