HTTP Redirection behind OpenVPN not working
-
Hi all,
I've been working on this issue but couldn't figure it out so far, hence I'd like to get some help.
I've configured OpenVPN on pfSense and it works with no issues. In the LAN (behind the pfSense), I have built an Apache2 web server. It does HTTP to HTTPS redirection. The interesting situation is this:
- When I connect to the web server from a host in the LAN (no VPN required), the redirection works.
- When I connect to the web server via the VPN connection, nothing happens. When I test with the curl command, it eventually times out.
The pfSense firewall rule under OpenVPN has a one-line rule: allowing all IPv4 from any to any.
I'm willing to provide any further information if required. But I really want to fix this badly. Hope I can get some news. Cheers.
Version: 2.4.4-RELEASE-p3
It's a VM running on XCP-ng hypervisor. Hardware checksum offload disabled.
-
I doubt that the issue has something to do with the HTTP to HTTPS redirection. What do you get when you type https in front of your address, so that no redirection is necessary?
Is it a public host name, so that it can be resolved by a public DNS server, or a private one?
Do you have "redirect gateway" checked in the OpenVPN server settings?
Do you provide a DNS server to the OpenVPN clients which is capable of resolving the host name?
-
Hi @viragomann,
I don't think there is an issue with the redirection config, since I can confirm it works when the session is initiated from a host in the LAN. The DNS is private, and DNS server information is not provided by the OpenVPN server. I am testing this with my local DNS entry. The DNS name is resolved to the correct IP address, which is also confirmed.
I cannot force the gateway redirection, as the Internet traffic should take a different route. However, there is definitely a route between the OpenVPN client and the web server, as ping is working.
When I initiate a connection directly with https, things work. So the redirection is not happening specifically when the traffic is initiated from the OpenVPN client. Hope I explained it clearly. Thanks.
Eoin
-
@viragomann said in HTTP Redirection behind OpenVPN not working:
I doubt that the issue has something to do with the HTTP to HTTPS redirection. What do you get when you type https in front of your address, so that no redirection is necessary?
Is it a public host name, so that it can be resolved by a public DNS server, or a private one?
Do you have "redirect gateway" checked in the OpenVPN server settings?
Do you provide a DNS server to the OpenVPN clients which is capable of resolving the host name?
Hi @viragomann
By doing a packet capture, I found there is no return packet when the destination port is 80. What is strange is that when I request HTTPS (port 443), all is good.
Eoin
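The port-80 versus port-443 difference above is exactly what a connectivity probe should separate. The script below is an added example (not from the original thread or from pfSense/Apache): it does what the poster's `curl` call does, a TCP connect and a bare `GET /` to each port, but classifies the outcome as a timeout (nothing returned, the "no return packet" case), a refused connection (the host answered with a RST, so routing works but nothing listens), or a real HTTP reply, and for a redirect it checks that the `Location` really points at `https://` on the expected vhost. The `demo()` function runs it against a constructed local stand-in for the `:80` vhost so it works offline; the hostname `myserver.local.net`, the `TIMEOUT_S` value and the verdict strings are this example's own assumptions.

```python
"""Probe a web host's port 80/443 from the VPN client and classify what comes back.

Added example, not code from the original thread. Verdicts:
  timeout   - connect or reply never came back (the "no return packet" case)
  refused   - host answered with a RST: routing works, nothing is listening
  redirect-https / redirect-not-https / redirect-https-other-host / http-NNN
            - a real HTTP answer was received and parsed
"""
import socket
import threading
from urllib.parse import urlsplit

TIMEOUT_S = 3.0  # assumption: long enough for a VPN round trip, short enough to notice a drop
REDIRECT_CODES = (301, 302, 307, 308)


def parse_http_response(raw: bytes) -> dict:
    """Parse the status line and headers of a raw HTTP/1.x response head."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"status": None, "headers": {}}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers}


def classify_response(raw: bytes, expected_host: str = "") -> str:
    """Short verdict for a reply. A redirect only counts as good when it lands on
    https:// and (if given) on the expected hostname, so a stray redirect is not
    mistaken for the intended HTTP -> HTTPS hop."""
    parsed = parse_http_response(raw)
    status = parsed["status"]
    if status is None:
        return "garbage"
    if status not in REDIRECT_CODES:
        return f"http-{status}"
    target = urlsplit(parsed["headers"].get("location", ""))
    if target.scheme != "https":
        return "redirect-not-https"
    if expected_host and target.hostname != expected_host:
        return "redirect-https-other-host"
    return "redirect-https"


def probe_http(host: str, port: int, server_name: str = "", timeout: float = TIMEOUT_S) -> str:
    """TCP-connect to host:port, send a minimal GET / with the vhost name, classify the reply."""
    name = server_name or host
    request = f"GET / HTTP/1.1\r\nHost: {name}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    try:
        # create_connection applies the timeout to connect() and leaves it on the socket
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n\r\n" not in b"".join(chunks):
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.errno}"
    return classify_response(b"".join(chunks), server_name)


def _one_shot_server(body: bytes) -> tuple:
    """Constructed stand-in for the Apache :80 vhost: answer one connection with `body`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(body)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def demo() -> dict:
    """Probe a constructed local redirect server, then a port that is bound but never
    listen()ed (the kernel answers that SYN with a RST, i.e. the 'refused' case)."""
    redirect = (b"HTTP/1.1 301 Moved Permanently\r\n"
                b"Location: https://myserver.local.net/\r\n"
                b"Content-Length: 0\r\nConnection: close\r\n\r\n")
    port, thread = _one_shot_server(redirect)
    got_redirect = probe_http("127.0.0.1", port, server_name="myserver.local.net")
    thread.join(TIMEOUT_S)

    silent = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    silent.bind(("127.0.0.1", 0))
    try:
        got_refused = probe_http("127.0.0.1", silent.getsockname()[1])
    finally:
        silent.close()
    return {"redirect": got_redirect, "closed": got_refused}


if __name__ == "__main__":
    print(demo())
    # Against the real host, run once from the VPN client and once from a LAN host:
    # probe_http("<web-server-ip>", 80, server_name="myserver.local.net")
    # probe_http("<web-server-ip>", 443, server_name="myserver.local.net")  # expect an error: TLS, not HTTP
```

Run the same two calls from a LAN host and from the VPN client and compare the verdicts per port: a `timeout` on 80 next to a reachable 443 from the VPN client, with `redirect-https` on 80 from the LAN, matches what the packet capture shows and narrows the search to whatever sits between the VPN client and the port-80 socket rather than to the Apache redirect itself. Port 443 will not return a parsable HTTP answer to a plaintext `GET`, so for that port only the connect outcome (`timeout` versus anything else) is meaningful.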
-
Seems to be an issue with the destination server's firewall or the web server's configuration, so that it only accepts HTTPS when the access comes from outside its own LAN network.
-
I've double-checked, but I don't think this is a configuration or firewall issue. Below is the Apache 2 configuration.
```apache
# Plain HTTP vhost: its only job is to send every request to the HTTPS vhost
<VirtualHost *:80>
    ServerName myserver.local.net
    Redirect permanent / https://myserver.local.net/
</VirtualHost>

<VirtualHost *:443>
    ServerName myserver.local.net
    SSLEngine On
    SSLCertificateFile /usr/local/etc/ssl/certs/myserver.local.net.crt
    SSLCertificateKeyFile /usr/local/etc/ssl/private/myserver.local.net.key
    SSLCertificateChainFile /usr/local/etc/ssl/certs/myserver.local.net.ca-bundle
    SSLCACertificateFile /usr/local/etc/ssl/certs/internal+CA.crt
    # Client certificate is required from every source except 172.28.1.21
    <If "%{REMOTE_ADDR} != '172.28.1.21'">
        SSLVerifyClient require
    </If>
    ErrorLog ${APACHE_LOG_DIR}/myserver-error.log
    CustomLog ${APACHE_LOG_DIR}/myserver-access.log combined
    ProxyPass "/v1/availability/" "http://localhost:8081/v1/availability/"
    ProxyPassReverse "/v1/availability/" "http://localhost:8081/v1/availability/"
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
The host currently has no firewall rules configured, as shown below.
```
eoin@myserver:~$ sudo iptables -L
[sudo] password for eoin:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
pfSense has only one rule on the OpenVPN tab, which allows any. Are there any further things I have to check?
Eoin
-
@eoin said in HTTP Redirection behind OpenVPN not working:
<If "%{REMOTE_ADDR} != '172.28.1.21'"> SSLVerifyClient require </If>
So the server requires a client certificate if the source IP is anything other than 172.28.1.21.
I guess the OpenVPN client has another IP. So does it provide a cert?
-
Hi,
Let me clarify again. Like I said, if I initiate a session directly to HTTPS from the VPN client, there's no issue at all; it works perfectly, as I expected. The problem here is that when I initiate a session from my VPN client to HTTP, the redirection is not happening. I can see the packets going out, but no return packets. This can be confirmed in the pfSense packet capture.
I've tested from another host in the LAN and the redirection works. That's why I am wondering if I missed something on pfSense. Hope I explained the situation clearly. Thanks a lot.
Eoin