HAproxy Add OpenVPN Server to Existing Setup
-
Is it possible to add OVPN over TCP to this following HAproxy config?
I always thought this wasn't possible, but this thread has shed light on a solution...
@PiBa perhaps you could help me out with this?
# Automaticaly generated, dont edit manually.
# Generated on: 2020-04-19 10:44
global
    maxconn 100
    log /var/run/log local0 info
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:444 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Frontend2-SNI
    bind public-ip:443 name public-ip:443
    mode tcp
    log global
    maxconn 20
    timeout client 30000
    errorfile 503 /var/etc/haproxy/errorfile_Frontend2-SNI_503_ExampleErrorfile
    tcp-request inspect-delay 5s
    acl ucrmsni1 req.ssl_sni -i ucrm.domainx.com
    acl unmssni1 req.ssl_sni -i unms.domainx.com
    acl cloudsni1 req.ssl_sni -i cloud.domainx.com
    acl portfoliosni1 req.ssl_sni -i domainx.com
    acl dsmsni1 req.ssl_sni -i dsm.domainx.com
    acl dbsni1 req.ssl_sni -i db.domainysolutions.com
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend ucrm_ipv4 if ucrmsni1
    use_backend unms_ipv4 if unmssni1
    use_backend cloud_ipv4 if cloudsni1
    use_backend portfolio_ipv4 if portfoliosni1
    use_backend dsm_ipv4 if dsmsni1
    use_backend db_ipv4 if dbsni1
    default_backend Frontend3offload_ipv4

frontend Frontend1-http
    bind public-ip:80 name public-ip:80
    mode http
    log global
    option http-keep-alive
    maxconn 20
    timeout client 30000
    acl dbACL var(txn.txnhost) -m str -i db.domainysolutions.com
    acl domainyACL var(txn.txnhost) -m str -i domainysolutions.com
    acl domainyACL var(txn.txnhost) -m str -i www.domainysolutions.com
    acl unmsACL var(txn.txnhost) -m str -i unms.domainx.com
    http-request set-var(txn.txnhost) hdr(host)
    http-request redirect scheme https if !domainyACL !dbACL !unmsACL
    use_backend domainy-http_ipv4 if domainyACL
    use_backend db-http_ipv4 if dbACL
    use_backend unms-http_ipv4 if unmsACL

backend ucrm_ipv4
    mode tcp
    id 10113
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    option httpchk OPTIONS /
    server ucrm 10.0.0.5:443 id 10114 check-ssl check inter 1000 weight 1 verify none

backend unms_ipv4
    mode tcp
    id 10115
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    option httpchk HEAD /
    server unms 10.0.0.13:443 id 10116 check-ssl check inter 1000 weight 1 verify none

backend cloud_ipv4
    mode tcp
    id 10105
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server cloud 10.0.0.14:443 id 10106 check-ssl check inter 1000 weight 1 verify none

backend portfolio_ipv4
    mode tcp
    id 10109
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server portfolio 10.0.0.45:443 id 10110 check-ssl check inter 1000 weight 1 verify none

backend dsm_ipv4
    mode tcp
    id 10101
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip

backend db_ipv4
    mode tcp
    id 10117
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    option httpchk OPTIONS /
    server db 10.0.0.51:443 id 10118 check-ssl check inter 1000 weight 1 verify none

backend Frontend3offload_ipv4
    mode tcp
    id 10103
    log global
    timeout connect 30000
    timeout server 30000
    retries 3

backend domainy-http_ipv4
    mode http
    id 10111
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server domainy 10.0.0.50:80 id 10112 check inter 1000 weight 1

backend db-http_ipv4
    mode http
    id 10119
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    option httpchk OPTIONS /
    server db 10.0.0.51:80 id 10120 check inter 1000 weight 1

backend unms-http_ipv4
    mode http
    id 10100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    option httpchk OPTIONS /
    server unms 10.0.0.13:80 id 10116 check inter 1000 weight 1
-
@Brailyn
What happens if you configure the openvpn-server ip:port in your 'Frontend3offload_ipv4' backend? Maybe that's all that's needed?
-
I added it as the only server in Frontend3offload_ipv4, set to type tcp, and disabled the health check and the valid certificate check, and no luck... Please take a look at these two configs below:
frontend Frontend3-offload
    bind 127.0.0.1:1443 name 127.0.0.1:1443 no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl crt-list /var/etc/haproxy/Frontend3-offload.crt_list crt-ignore-err all
    bind /tmp/haproxy_chroot/Frontend3-offload.socket name unixsocket uid 80 accept-proxy no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl crt-list /var/etc/haproxy/Frontend3-offload.crt_list crt-ignore-err all
    mode tcp
    log global
    maxconn 20
    timeout client 30000
    default_backend openvpn_ipvANY
and
backend openvpn_ipvANY
    mode tcp
    id 121
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server openvpn-server 127.0.0.1:1195 id 122
-
@Brailyn
Wrong, try again ;)..
You have now created a new backend, which I didn't ask for. You should have added the server 127.0.0.1:1195 to the already existing backend 'Frontend3offload',
so change:
backend Frontend3offload_ipv4
    mode tcp
    id 10103
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
To:
backend Frontend3offload_ipv4
    mode tcp
    id 10103
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server openvpn-server 127.0.0.1:1195 id 122
-
That works after I set my OVPN to listen on LAN. Is there any way I can keep my frontend3 for offloading HTTPS and make this server the default in that front end?
Very similar to your tutorial here where OpenVPN would be the default on frontend3-offloading.
-
@Brailyn
The frontend3-offloading uses type HTTP; this cannot pass OpenVPN traffic, which doesn't use HTTP.
You can still have an 'offloading' frontend, of course. But the backend that sends traffic there would not be the default backend for the frontend2-SNI. There would be an acl check for one or more SNI names like myFirstOffloadedSite.domain.tld mySecondOffloadedSite.domain.tld and then an action use-backend:frontend3-offloading when that acl matches. Then that frontend3 can handle the certificates and further splitting of host headers, so the first site and second site actually get handled by first-backend and second-backend. As for how the backend is named and what it does, that indeed is probably a little strange, but you can change the names of course. I was just telling, with minimal changes, how to achieve the initial goal, while seeing that you were not actually using that default backend at the time.
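To make the routing decision in Frontend2-SNI concrete, here is an added Python example (written for this page, not code from the thread or from HAProxy) that does what the `req.ssl_hello_type 1` / `req.ssl_sni` acls do: it parses the first bytes a client sends, pulls the server_name out of a TLS ClientHello, and maps it to the backend named in the config above; anything that is not a ClientHello, such as the first packet of an OpenVPN-over-TCP session, falls through to `default_backend`, which is why putting the OpenVPN server into `Frontend3offload_ipv4` works. In real HAProxy that fall-through happens once the 5s `inspect-delay` expires, since the accept rule never matches non-TLS bytes, so OpenVPN clients see a short extra delay on connect. The ClientHello builder and the OpenVPN packet are constructed test inputs, not captures.

```python
import struct

# Backend table mirroring the acl / use_backend pairs of Frontend2-SNI above.
SNI_BACKENDS = {
    "ucrm.domainx.com": "ucrm_ipv4",
    "unms.domainx.com": "unms_ipv4",
    "cloud.domainx.com": "cloud_ipv4",
    "domainx.com": "portfolio_ipv4",
    "dsm.domainx.com": "dsm_ipv4",
    "db.domainysolutions.com": "db_ipv4",
}
DEFAULT_BACKEND = "Frontend3offload_ipv4"


def extract_sni(data: bytes):
    """Return the server_name from a complete TLS ClientHello, else None.

    Mirrors req.ssl_sni: the record must be a handshake (0x16) holding a
    ClientHello (type 1) with an SNI extension (type 0, host_name entry 0).
    """
    # TLS record header: content type (1), version (2), length (2)
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None  # incomplete record; HAProxy would keep waiting
    hs = data[5:5 + rec_len]
    # Handshake header: msg type (1), length (3)
    if len(hs) < 4 or hs[0] != 1:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32  # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]  # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]  # compression_methods
    if len(body) < pos + 2:
        return None  # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if len(body) < end:
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0 and len(ext) >= 2:
            # server_name_list: list length (2), then name type (1), length (2), name
            lpos = 2
            while lpos + 3 <= len(ext):
                ntype = ext[lpos]
                nlen = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii", "replace").lower()  # acl uses -i
                lpos += 3 + nlen
    return None


def choose_backend(first_bytes: bytes) -> str:
    """Frontend2-SNI decision: known SNI -> its backend, anything else -> default."""
    return SNI_BACKENDS.get(extract_sni(first_bytes), DEFAULT_BACKEND)


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni                # extension type 0
    body = (b"\x03\x03" + bytes(32)        # version + random
            + b"\x00"                      # empty session id
            + b"\x00\x02\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed first packet of an OpenVPN-over-TCP client: 2-byte length prefix,
# opcode byte 0x38 (P_CONTROL_HARD_RESET_CLIENT_V2, key id 0), session id,
# empty ack array, packet id. Not a TLS record, so no SNI acl can match it.
OPENVPN_RESET = b"\x00\x0e" + b"\x38" + bytes(8) + b"\x00" + bytes(4)

if __name__ == "__main__":
    for host in SNI_BACKENDS:
        print(f"{host:28s} -> {choose_backend(build_client_hello(host))}")
    print(f"{'openvpn (non-TLS)':28s} -> {choose_backend(OPENVPN_RESET)}")
```

Running it prints one line per SNI name with the backend Frontend2-SNI would pick, and `Frontend3offload_ipv4` for the OpenVPN packet; an unknown SNI lands on the same default, which is worth remembering when that backend now points at the VPN server.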