ACL with HAProxy through OpenVPN



  • I'll start off with saying everything works as intended...

    What I need to figure out is how to configure my ACL rule for "LocalOnly" to use domain names while connected through OpenVPN.
    So... All domains without the aclLocalOnly ACL work as intended.
    All domains with the aclLocalOnly ACL hit the default backend.

    I have the original ACL Action as

    • aclLocalOnly
    • Source IP matches IP or Alias
    • no
    • 192.168.1.0/24

    I created a 2nd ACL Action thinking this would be like an OR statement...

    • aclLocalOnly
    • Source IP matches IP or Alias
    • no
    • 192.168.9.0/24

    Thinking this would be the DHCP IPs of the remotely connected devices as set in OpenVPN



  • @uwscia
    Sounds good, what's the issue? And what does tcpdump on the OpenVPN connection show? Connection accepted [S.]?



  • I’m connected...
    But my remote devices hit the default backend when using the domain name...
    and using the local IP works.

    I’m at an impasse if this is DNS, HAProxy, OpenVPN, or Firewall Rule causing this.

    It’s as if HAProxy is using the Remote IP and not the OpenVPN IP when filtering the ACL

    How do I check each stage as I try to load the site with domain name?



  • @uwscia
    HAProxy: enable syslog logging, best to configure it to an actual syslog server, or write its log to /var/run/log? Check if it's logging your client request, and what frontend, backend are shown (enable 'detail' logging on the frontend as well).
    DNS: a simple 'ping' from a client would show what IP the client resolves for the domain name. If it's a local one, that would need to be checked if haproxy is listening on that IP, or if perhaps the client is connecting directly to some server IP..
    OpenVPN and Firewall: well, if traffic is passing and a website gets delivered to the client then probably these are fine. You might want to check if there is no port-forward NAT rule that catches and redirects traffic to some unexpected destination before it actually gets handled by haproxy though.



  • Not seeing any info for HAProxy in syslog when trying to navigate to a domain only the started stopped messages...

    Pinging domain from remote device returns external IP and 100% packet loss.
    Pinging local ip works...
    I have forced local DNS enabled... but I’m checking it now.



  • So there seems to be an issue with resolving the domain name through the vpn...

    Pinging the domain returns my external IP, so haproxy is not able to resolve it... So I added a host override in DNS Resolver which, when pinged, returns the correct internal IP...

    So there’s a DNS config needed either with OpenVPN, DNS Resolver or maybe the DHCP server...

    Any clue what I may have missed?



  • @uwscia
    I don't really understand your 'diagnostics'.

    A 'ping' will never show up in the haproxy syslog; it would only tell what IP is resolved for the name. If the ping succeeds or not doesn't even matter, though it can be nice if it works, just to know the routing part does indeed work properly, and even then a working ping is no 100% guarantee..

    Also I'm not sure how you mean haproxy should 'resolve' anything, did you put in a domain name for the backend server?.. And if the website works through haproxy from an external location then that part works.. If you're accessing it over a VPN, that shouldn't make it any different for haproxy itself regarding finding the webserver. The route to it might change if the client knows to reach the domain over the VPN.

    Does a working external client show up in the syslog?
    Does the haproxy stats page count requests when received from both external and VPN clients?

    Do you have multiple frontends on haproxy for the internal and external ip where the internal domains are pointing to?

    So in order with (tool to check it)..

    • does client resolve a local ip of pfsense when it pings the domain? (ping)
    • or at least route that traffic over the vpn? (firewall logs | tcpdump | states)
    • does haproxy listen on that ip? (diagnostics/sockets)
    • does it accept the connection? (syslogs | stats)
    • does it forward the request to the correct backend? (syslogs)


  • I was stating that HAProxy does everything properly except when it comes to resolving domain names through the VPN with a custom ACL rule that is set to the LAN subnet so I added another rule to include the VPN subnet

    But that did not resolve the issue...

    Cause everything works except the domains that I don’t want viewed publicly...
    They resolve but hit the default backend...
    seems HAProxy is not seeing the remote client as either LAN or VPN subnet

    I changed the rule to “match host” domain.com without the host, and it resolved to the correct server.

    HAProxy is listening to
    127.0.0.1,80,443,1443

    openvpn ios client dns fallback is checked off
    private ip is 192.168.9.2
    server is my EXTERNAL.IP

    How do I check what IP HAProxy is using while it’s running through the ACL?



  • @uwscia
    Maybe use the haproxy widget on the pfSense dashboard? That can show the client IPs currently connected if there are not too many..



  • I did manage to catch the IP; the reason I didn’t notice before was HAProxy processed and dumped the session in under 2 secs...

    But I refreshed a few times and found HAProxy is using my remote devices external IP.
    So I did a “what’s my ip” with vpn up,
    Showed my external IP.
    and turn off client VPN,
    Shows the devices external IP as HAProxy saw it.

    HAProxy is not seeing the OpenVPN client with the assigned subnet IP.



  • @uwscia said in ACL with HAProxy through OpenVPN:

    HAProxy is not seeing the OpenVPN client with the assigned subnet IP.

    Seems like the wrong chicken created an egg explanation, cause/result.. :)

    I think you mean.:
    The openvpn client is not using the VPN to connect to the IP the domain name resolves to.

    To solve that, make dns resolve a different ip that is part of the vpn network routes that could perhaps be done with a hostname override in the dnsresolver settings, or make the vpn the default gateway for all traffic? or perhaps push routes for the public ip that needs to be directed over the vpn?
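The point the thread arrives at can be replayed offline: HAProxy evaluates a "Source IP matches" ACL against the address it actually sees on the accepted connection, so a VPN client whose request reaches the public IP outside the tunnel never matches the LAN or tunnel subnet. The script below is an added example, not code from pfSense or the HAProxy package; the frontend/backend names and the log lines are constructed, the subnets are the two aclLocalOnly entries from the thread, and the ACL semantics follow HAProxy's `src` match (multiple lines with the same ACL name are OR'ed).

```python
"""Replay the aclLocalOnly 'src' ACL against the client address HAProxy logs."""
import ipaddress
import re

# The two aclLocalOnly entries from the thread: LAN subnet and OpenVPN tunnel subnet.
# Two ACL lines sharing one name are OR'ed by HAProxy, so either subnet matches.
ACL_LOCAL_ONLY = [ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("192.168.9.0/24")]

# HAProxy HTTP log lines start with "<client_ip>:<port> [<date>] <frontend> <backend>/<server>";
# a syslog prefix such as "haproxy[123]: " may precede that, hence the (^|\s) anchor.
LOG_RE = re.compile(r"(?:^|\s)(?P<src>[0-9a-fA-F.:]+):\d+ \[[^\]]+\] (?P<fe>\S+) (?P<be>[^/\s]+)/\S+")


def src_matches_local_only(src):
    """True if the source address falls in any aclLocalOnly subnet (HAProxy 'src' semantics)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ACL_LOCAL_ONLY)


def classify_log_line(line):
    """Return (client_ip, backend, acl_matched) for one HAProxy HTTP log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("be"), src_matches_local_only(m.group("src"))


# Constructed sample lines (not real logs): a LAN client, a client that reached HAProxy
# through the tunnel, and a VPN client whose request arrived from its own public address
# because the domain resolved to the external IP and the traffic bypassed the VPN.
SAMPLE_LOG = [
    'haproxy[1234]: 192.168.1.50:50214 [10/Mar/2019:10:01:02.123] https-in internal_be/web1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
    'haproxy[1234]: 192.168.9.2:41000 [10/Mar/2019:10:01:05.456] https-in internal_be/web1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
    'haproxy[1234]: 203.0.113.7:55120 [10/Mar/2019:10:01:09.789] https-in default_be/<NOSRV> 0/0/1/2/3 503 212 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
]


def explain(lines):
    """Classify every parseable line; the public-address client is the one the ACL skips."""
    return [r for r in (classify_log_line(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for src, backend, matched in explain(SAMPLE_LOG):
        print(f"{src:16} -> {backend:12} aclLocalOnly={'match' if matched else 'no match'}")
```

Feed it your own HAProxy syslog output to see which logged client address each request carried; a VPN client that shows up with its public address needs the DNS override or pushed route from the reply above, not another ACL line.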

