Netgate Discussion Forum

    HTTP Redirection behind OpenVPN not working

    • ?
      A Former User

      Hi all,

      I've been working with this issue but couldn't figure it out so far, hence, I'd like to get some help.

      I've configured OpenVPN on pfSense and it works with no issues. In the LAN (behind the pfSense), I have built an Apache2 web server. It does HTTP to HTTPS redirection. The interesting situation is this:

      1. When I connect to the web server from a host in the LAN (no VPN required), redirection works.
      2. When I connect to the web server via VPN connection, nothing happens. When I test with the curl command, it eventually times out.

      pfSense firewall rule under OpenVPN has one line rule - allowing all IPv4 from any to any.

      I'm willing to provide any further information if required. But I really want to fix this badly. Hope I can get some news. Cheers.

      Version: 2.4.4-RELEASE-p3

      It's a VM running on XCP-ng hypervisor. Hardware checksum offload disabled.

      • V
        viragomann

        I'm in doubt that the issue has something to do with HTTP to HTTPS redirection. What do you get when you type https in front of your address, so that there is no redirection necessary?

        Is it a public host name so that it can be resolved by a public DNS server or a private one?

        Have you "redirect gateway" checked in the OpenVPN server settings?

        Do you provide a DNS server to the OpenVPN clients which is capable of resolving the host name?

        • ?
          A Former User

          Hi @viragomann,

          I don't think there is an issue with redirection config since I can confirm its function when the session was initiated from a host in LAN. The DNS is private and DNS server information is not provided by the OpenVPN server. I am testing this with my local DNS entry. DNS is resolved into the correct IP address, which is also confirmed.

          I cannot force the gateway redirection as the Internet traffic should take a different route. However, a route definitely exists between the OpenVPN client and the web server, as ping is working.

          When I initiate connection directly with https, things are working. So, redirection is not happening especially when traffic is initiated from the OpenVPN client. Hope I explained clearly. Thanks.

          Eoin

          • ?
            A Former User @viragomann

            @viragomann said in HTTP Redirection behind OpenVPN not working:

            I'm in doubt that the issue has something to do with HTTP to HTTPS redirection. What do you get when you type https in front of your address, so that there is no redirection necessary?

            Is it a public host name so that it can be resolved by a public DNS server or a private one?

            Have you "redirect gateway" checked in the OpenVPN server settings?

            Do you provide a DNS server to the OpenVPN clients which is capable of resolving the host name?

            Hi @viragomann

            By doing packet capture, I found there's no return packet when destination port is 80. What is strange is, when I request to HTTPS (port 443), all good.

            Eoin

            • V
              viragomann

              Seems to be an issue with the destination server's firewall or the web server's configuration, so that it only accepts HTTPS when access comes from outside its own LAN network.

              • ?
                A Former User @viragomann

                @viragomann

                I've double checked but I don't think this is a configuration or firewall issue. Below is the Apache 2 configuration.

                <VirtualHost *:80>
                    ServerName myserver.local.net
                    Redirect permanent / https://myserver.local.net/
                </VirtualHost>
                
                <VirtualHost *:443>
                    ServerName myserver.local.net
                
                    SSLEngine On
                    SSLCertificateFile /usr/local/etc/ssl/certs/myserver.local.net.crt
                    SSLCertificateKeyFile /usr/local/etc/ssl/private/myserver.local.net.key
                    SSLCertificateChainFile /usr/local/etc/ssl/certs/myserver.local.net.ca-bundle
                
                    SSLCACertificateFile /usr/local/etc/ssl/certs/internal+CA.crt
                
                    <If "%{REMOTE_ADDR} != '172.28.1.21'">
                        SSLVerifyClient require
                    </If>
                
                    ErrorLog ${APACHE_LOG_DIR}/myserver-error.log
                    CustomLog ${APACHE_LOG_DIR}/myserver-access.log combined
                
                    ProxyPass "/v1/availability/" "http://localhost:8081/v1/availability/"
                    ProxyPassReverse "/v1/availability/" "http://localhost:8081/v1/availability/"
                </VirtualHost>
                
                # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
                

                The host currently has no firewall rules configured as below.

                eoin@myserver:~$ sudo iptables -L
                [sudo] password for eoin: 
                Chain INPUT (policy ACCEPT)
                target     prot opt source               destination         
                
                Chain FORWARD (policy ACCEPT)
                target     prot opt source               destination         
                
                Chain OUTPUT (policy ACCEPT)
                target     prot opt source               destination 
                

                pfSense has only one rule on OpenVPN tab, which is allowing any. Are there any further things I have to check?

                Eoin

                • V
                  viragomann @A Former User

                  @eoin said in HTTP Redirection behind OpenVPN not working:

                  <If "%{REMOTE_ADDR} != '172.28.1.21'">
                      SSLVerifyClient require
                  </If>
                  

                  So the server requires a client certificate if the source IP is another one than 172.28.1.21.
                  I guess, the OpenVPN client has another IP. So does it provide a cert?

                  • ?
                    A Former User @viragomann

                    @viragomann

                    Hi,

                    Let me clarify again. Like I said, if I initiate a session directly to HTTPS from VPN client, there's no issue at all, working as I expected perfectly. The problem here is, when I initiate a session from my VPN client to HTTP, the redirection is not happening. I can see packets are going but no return packets. This can be confirmed on pfSense packet capture.

                    I've tested from another host in the LAN and redirection works. That's why I am wondering if I missed something on pfSense. Hope I explained the situation clearly. Thanks a lot.

                    Eoin

                    1 Reply Last reply Reply Quote 0
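The thread keeps coming back to one observation from the pfSense packet capture: SYNs to port 80 get no return packet while port 443 answers. The following is an added example, not part of the original thread, that reads tcpdump-style text output and classifies each TCP handshake per destination port as answered, reset or unanswered. The sample lines and both IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in tcpdump text format with numeric addresses/ports (-n).
# 10.8.0.6 (VPN client) and 172.28.1.10 (web server) are made-up addresses.
SAMPLE_CAPTURE = """\
10:15:01.100000 IP 10.8.0.6.50112 > 172.28.1.10.443: Flags [S], seq 1000, win 64240, length 0
10:15:01.100900 IP 172.28.1.10.443 > 10.8.0.6.50112: Flags [S.], seq 5000, ack 1001, win 65160, length 0
10:15:01.101500 IP 10.8.0.6.50112 > 172.28.1.10.443: Flags [.], ack 5001, win 502, length 0
10:15:07.200000 IP 10.8.0.6.50120 > 172.28.1.10.80: Flags [S], seq 2000, win 64240, length 0
10:15:08.210000 IP 10.8.0.6.50120 > 172.28.1.10.80: Flags [S], seq 2000, win 64240, length 0
10:15:10.230000 IP 10.8.0.6.50120 > 172.28.1.10.80: Flags [S], seq 2000, win 64240, length 0
"""

PACKET = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]"
)

def handshake_states(capture_text):
    """Map each flow (client, cport, server, sport) to its SYN count and outcome."""
    flows = {}
    for line in capture_text.splitlines():
        m = PACKET.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":  # bare SYN: a client opening (or retrying) a connection
            flow = flows.setdefault((src, sport, dst, dport),
                                    {"syns": 0, "state": "unanswered"})
            flow["syns"] += 1
            continue
        flow = flows.get((dst, dport, src, sport))  # packet in the reply direction
        if flow and flow["state"] == "unanswered":
            if flags == "S.":
                flow["state"] = "answered"   # SYN-ACK came back
            elif "R" in flags:
                flow["state"] = "reset"      # connection actively refused
    return flows

def outcomes_by_port(capture_text):
    """Count handshake outcomes per destination port."""
    summary = {}
    for (_, _, _, dport), flow in handshake_states(capture_text).items():
        summary.setdefault(int(dport), Counter())[flow["state"]] += 1
    return summary

if __name__ == "__main__":
    for port, counts in sorted(outcomes_by_port(SAMPLE_CAPTURE).items()):
        print(port, dict(counts))
```

Comparing the result for a capture taken on the pfSense LAN interface with one taken on the web server itself shows where the handshake stops: a SYN that arrives at the server with no SYN-ACK leaving it points at the server, while a SYN-ACK that leaves the server but never appears on pfSense points at the return path.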
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.