    HAproxy Add OpenVPN Server to Existing Setup

      Brailyn

      Is it possible to add OpenVPN over TCP to the following HAProxy config?

      I always thought this wasn't possible, but this thread has shed light on a solution...

      @PiBa perhaps you could help me out with this?

      # Automaticaly generated, dont edit manually.
      # Generated on: 2020-04-19 10:44
      # Process-wide settings. This file is generated by the pfSense HAProxy package;
      # change values in the GUI, not here, or they are lost on the next regeneration.
      global
          maxconn 100                                # per-process ceiling on concurrent connections
          log /var/run/log local0 info
          # Runtime API socket at 'admin' level: whoever can connect to it can change
          # server state or drain traffic, so its filesystem permissions are the access
          # control. NOTE(review): the path is outside the chroot below; presumably it is
          # bound before chroot is entered -- confirm on this haproxy version.
          stats socket /tmp/haproxy.socket level admin expose-fd listeners
          gid 80                                     # run as group id 80 (pfSense's web group, presumably)
          nbproc 1
          nbthread 1
          hard-stop-after 15m                        # old processes die 15 minutes after a soft reload
          chroot /tmp/haproxy_chroot                 # confine the worker to an empty directory after startup
          daemon
          server-state-file /tmp/haproxy_server_state
      
      # Stats endpoint consumed by the pfSense GUI. 'stats admin if TRUE' turns on the
      # administrative actions (disable/enable servers, set weights) with no
      # authentication of its own -- the loopback-only bind is the sole access control.
      # Never widen this bind to a routable address.
      listen HAProxyLocalStats
          bind 127.0.0.1:444 name localstats
          mode http
          stats enable
          stats admin if TRUE
          stats show-legends
          stats uri /haproxy/haproxy_stats.php?haproxystats=1
          timeout client 5000
          timeout connect 5000
          timeout server 5000
      
      # TLS passthrough router. The backend is chosen from the cleartext SNI in the
      # ClientHello and the still-encrypted stream is relayed as-is: haproxy holds none
      # of these sites' keys and the client-to-server TLS session is end to end.
      frontend Frontend2-SNI
          bind public-ip:443 name public-ip:443
          mode tcp
          log global
          maxconn 20
          timeout client 30000
          # Carried over from the GUI template; haproxy does not speak HTTP to the client
          # in tcp mode, so this is presumably inert here.
          errorfile 503 /var/etc/haproxy/errorfile_Frontend2-SNI_503_ExampleErrorfile
          # Hold the connection up to 5s waiting for enough data to parse a ClientHello.
          # Only a TLS ClientHello is accepted early (rule below); anything else -- an
          # OpenVPN-over-TCP client presumably included, since its outer stream is not a
          # TLS record -- waits out the full 5s and then falls through to default_backend.
          # Expect that connect delay on such clients.
          tcp-request inspect-delay 5s
          # SNI is chosen by the client and unauthenticated; here it only selects which
          # backend receives the connection, and each backend presents its own certificate.
          acl ucrmsni1      req.ssl_sni -i ucrm.domainx.com
          acl unmssni1      req.ssl_sni -i unms.domainx.com
          acl cloudsni1     req.ssl_sni -i cloud.domainx.com
          acl portfoliosni1 req.ssl_sni -i domainx.com
          acl dsmsni1       req.ssl_sni -i dsm.domainx.com
          acl dbsni1        req.ssl_sni -i db.domainysolutions.com
          tcp-request content accept if { req.ssl_hello_type 1 }
          use_backend ucrm_ipv4 if ucrmsni1
          use_backend unms_ipv4 if unmssni1
          use_backend cloud_ipv4 if cloudsni1
          use_backend portfolio_ipv4 if portfoliosni1
          use_backend dsm_ipv4 if dsmsni1
          use_backend db_ipv4 if dbsni1
          # Catch-all for unmatched SNI and for non-TLS traffic alike. Whatever server is
          # placed in this backend is reachable by anyone who connects to :443, with no
          # filtering on the way in; for OpenVPN that means keeping tls-auth/tls-crypt
          # and client-certificate authentication enabled on the VPN server itself.
          default_backend Frontend3offload_ipv4
      
      # Plain-HTTP entry point. Every name is redirected to HTTPS except the three
      # below, which stay on cleartext. NOTE(review): confirm that is intended for
      # db. and unms.; any credentials on those paths travel unencrypted.
      frontend Frontend1-http
          bind public-ip:80 name public-ip:80
          mode http
          log global
          option http-keep-alive
          maxconn 20
          timeout client 30000
          # Exact (case-insensitive) match against the Host header captured below.
          # A Host carrying an explicit port ("name:80") presumably does not match and
          # is then redirected like any other name.
          acl dbACL      var(txn.txnhost) -m str -i db.domainysolutions.com
          acl domainyACL var(txn.txnhost) -m str -i domainysolutions.com
          acl domainyACL var(txn.txnhost) -m str -i www.domainysolutions.com
          acl unmsACL    var(txn.txnhost) -m str -i unms.domainx.com
          # http-request rules run in declaration order: capture Host, then decide.
          http-request set-var(txn.txnhost) hdr(host)
          http-request redirect scheme https if !domainyACL !dbACL !unmsACL
          use_backend domainy-http_ipv4 if domainyACL
          use_backend db-http_ipv4 if dbACL
          use_backend unms-http_ipv4 if unmsACL
      
      # TLS passthrough to the UCRM host; haproxy relays bytes without decrypting.
      backend ucrm_ipv4
          mode tcp
          id 10113
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          # Transparent proxying: connect with the client's own IP as source so the
          # server logs the real client (needs the tproxy/firewall support pfSense
          # provides, and the server's replies must route back through this box).
          source ipv4@ usesrc clientip
          # Health check only: HTTPS OPTIONS probe with 'verify none', so the probe
          # accepts any certificate. This decides which servers count as up; it has
          # no bearing on the client's TLS session, which is end to end here.
          option httpchk OPTIONS /
          server ucrm 10.0.0.5:443 id 10114 check-ssl check inter 1000 weight 1 verify none
      
      # TLS passthrough to UNMS (same shape as ucrm_ipv4; HEAD is used for the probe).
      backend unms_ipv4
          mode tcp
          id 10115
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          # Transparent source: the server sees the real client IP; return traffic
          # must come back through this firewall.
          source ipv4@ usesrc clientip
          # Health check only; 'verify none' affects the probe, not the passthrough
          # TLS session between client and server.
          option httpchk HEAD /
          server unms 10.0.0.13:443 id 10116 check-ssl check inter 1000 weight 1 verify none
      
      # TLS passthrough to the cloud host. Unlike most other tcp backends here there
      # is no 'source ... usesrc clientip', so this server sees haproxy's address as
      # the peer -- presumably intentional, worth confirming.
      backend cloud_ipv4
          mode tcp
          id 10105
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          # Health check only; 'verify none' does not weaken the client's end-to-end TLS.
          option httpchk OPTIONS /
          server cloud 10.0.0.14:443 id 10106 check-ssl check inter 1000 weight 1 verify none
      
      # TLS passthrough for the bare domainx.com name. No transparent source here
      # either: the server logs haproxy's address, not the client's.
      backend portfolio_ipv4
          mode tcp
          id 10109
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          # Health check only; 'verify none' applies to the probe alone.
          option httpchk OPTIONS /
          server portfolio 10.0.0.45:443 id 10110 check-ssl check inter 1000 weight 1 verify none
      
      # Target for SNI dsm.domainx.com -- but there is no 'server' line, so connections
      # routed here have nowhere to go and cannot be served until a server is defined
      # (presumably an incomplete GUI entry).
      backend dsm_ipv4
          mode tcp
          id 10101
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          source ipv4@ usesrc clientip
      
      # TLS passthrough to the db host; transparent client source as in ucrm_ipv4.
      backend db_ipv4
          mode tcp
          id 10117
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          source ipv4@ usesrc clientip
          # Health check only; 'verify none' is about the probe, not the client session.
          option httpchk OPTIONS /
          server db 10.0.0.51:443 id 10118 check-ssl check inter 1000 weight 1 verify none
      
      # default_backend of Frontend2-SNI, currently with no server: connections with an
      # unmatched SNI, or with no TLS at all, end here and are not forwarded anywhere.
      # Any server added to this backend becomes reachable by every such connection
      # on :443, so it must authenticate clients itself.
      backend Frontend3offload_ipv4
          mode tcp
          id 10103
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
      
      # Cleartext HTTP to the domainy web host. In http mode haproxy parses and
      # re-emits requests, unlike the raw tcp backends above.
      backend domainy-http_ipv4
          mode http
          id 10111
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          option httpchk OPTIONS /
          server domainy 10.0.0.50:80 id 10112 check inter 1000 weight 1
      
      # Cleartext HTTP to the db host, served without a redirect to HTTPS (see
      # Frontend1-http). Transparent client source as in the tcp backends.
      backend db-http_ipv4
          mode http
          id 10119
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          source ipv4@ usesrc clientip
          option httpchk OPTIONS /
          server db 10.0.0.51:80 id 10120 check inter 1000 weight 1
      
      # Cleartext HTTP to UNMS, also exempt from the HTTPS redirect in Frontend1-http.
      backend unms-http_ipv4
          mode http
          id 10100
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          source ipv4@ usesrc clientip
          option httpchk OPTIONS /
          server unms 10.0.0.13:80 id 10116 check inter 1000 weight 1
      
        PiBa @Brailyn

        @Brailyn
        What happens if you configure the OpenVPN server's IP:port as a server in your existing 'Frontend3offload_ipv4' backend? That may be all that is needed.

          Brailyn

          I added it as the only server in Frontend3offload_ipv4, with type TCP and both the health check and the certificate validation disabled, but no luck... Please take a look at the two configs below:

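          # TLS-terminating ("offload") frontend. It is reached only internally: via the
          # loopback bind or the unix socket. 'accept-proxy' means the socket trusts the
          # PROXY-protocol header for the client address, so it must stay writable only
          # by haproxy's own uid (uid 80), as configured.
          #
          # 'crt-ignore-err all' only affects client-certificate verification at depth 0,
          # and there is no 'verify' on these binds, so it is inert today. If client
          # certificates are ever required here, remove it: it would accept any
          # verification failure.
          #
          # The original line disabled only SSLv3; with no ssl-default-bind-options in
          # the global section, TLS 1.0/1.1 were presumably still negotiable. ssl-min-ver
          # TLSv1.2 closes that. Because this file is generated, set the same option in
          # the pfSense GUI's frontend SSL settings so it survives regeneration. The
          # cipher list still allows non-PFS RSA key exchange (RSA+AESGCM:RSA+AES); drop
          # those once legacy clients are ruled out.
          #
          # Why OpenVPN did not work through this frontend: 'ssl' on the bind makes haproxy
          # perform the TLS handshake itself, but an OpenVPN-over-TCP client's outer stream
          # is OpenVPN's own framing (TLS lives inside its control channel), so the
          # handshake cannot complete and nothing is forwarded to the backend.
          frontend Frontend3-offload
              bind 127.0.0.1:1443 name 127.0.0.1:1443 no-sslv3 ssl-min-ver TLSv1.2 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl crt-list /var/etc/haproxy/Frontend3-offload.crt_list crt-ignore-err all
              bind /tmp/haproxy_chroot/Frontend3-offload.socket name unixsocket uid 80 accept-proxy no-sslv3 ssl-min-ver TLSv1.2 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl crt-list /var/etc/haproxy/Frontend3-offload.crt_list crt-ignore-err all
              mode tcp
              log global
              maxconn 20
              timeout client 30000
              default_backend openvpn_ipvANY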
          

          and

          # First attempt at an OpenVPN-over-TCP target. It is fed only by the
          # TLS-terminating Frontend3-offload, which cannot complete a handshake with an
          # OpenVPN client, so in this arrangement traffic never reaches it.
          # No health check, and no 'source ... usesrc clientip': the VPN server sees
          # haproxy (127.0.0.1) as the peer, so its logs will not show real client IPs.
          backend openvpn_ipvANY
              mode tcp
              id 121
              log global
              timeout connect 30000
              timeout server 30000
              retries 3
              server openvpn-server 127.0.0.1:1195 id 122
          
            PiBa @Brailyn

            @Brailyn
            Wrong, try again ;)..
            You have created a new backend instead, which is not what I suggested.

            You should have added the server 127.0.0.1:1195 to the already existing backend 'Frontend3offload_ipv4' (the default_backend of Frontend2-SNI).

            so change:

            # As generated: the default_backend of Frontend2-SNI with no server, so
            # unmatched-SNI and non-TLS connections are simply not forwarded.
            backend Frontend3offload_ipv4
                mode tcp
                id 10103
                log global
                timeout connect 30000
                timeout server 30000
                retries 3
            

            To:

            # Same backend with the OpenVPN server added. Because this is the
            # default_backend of Frontend2-SNI, every connection to public-ip:443 whose
            # SNI matches nothing -- and every non-TLS connection -- is handed to the
            # VPN server after the 5s inspect-delay. haproxy filters nothing on the way,
            # so OpenVPN's own protections (tls-auth/tls-crypt, client certificates)
            # are what keep it from being an open door; keep them enabled.
            # No 'source ... usesrc clientip' here, so OpenVPN logs haproxy's address
            # rather than the client's (with a 127.0.0.1 target a transparent source
            # would not be usable anyway). No health check is configured for this server.
            backend Frontend3offload_ipv4
                mode tcp
                id 10103
                log global
                timeout connect 30000
                timeout server 30000
                retries 3
                server openvpn-server 127.0.0.1:1195 id 122
            
              Brailyn

              That works after I set OpenVPN to listen on the LAN interface. Is there any way I can keep frontend3 for offloading HTTPS and still make the OpenVPN server the default in that frontend?

              Very similar to your tutorial here where OpenVPN would be the default on frontend3-offloading.

                PiBa @Brailyn

                @Brailyn
                The frontend3-offloading frontend is of type HTTP: it terminates TLS and parses HTTP, so it cannot pass OpenVPN traffic, which is not HTTP.
                You can still have an 'offloading' frontend, of course, but then the backend that sends traffic to it would not be the default backend of Frontend2-SNI. Instead, add an ACL matching one or more SNI names (e.g. myFirstOffloadedSite.domain.tld, mySecondOffloadedSite.domain.tld) and a use_backend action that sends matching connections to the frontend3-offloading backend, leaving the OpenVPN backend as the default. Frontend3 can then handle the certificates and the further splitting on Host headers, so that the first and second sites are actually handled by their own backends.

                As for how that backend is named and what it does, that is indeed a little odd, but you can rename it, of course. I was only describing the minimal change to achieve the initial goal, since you were not actually using that default backend at the time.
