Netgate Discussion Forum

HAproxy Add OpenVPN Server to Existing Setup

6 Posts 2 Posters 1.6k Views
  • Brailyn
    last edited by Apr 30, 2020, 1:08 AM

    Is it possible to add OVPN over TCP to this following HAproxy config?

    I always thought this wasn't possible, but this thread has shed light on a solution...

    @PiBa perhaps you could help me out with this?

    # Automaticaly generated, dont edit manually.
    # Generated on: 2020-04-19 10:44
    global
    	maxconn			100
    	log			/var/run/log	local0	info
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	gid			80
    	nbproc			1
    	nbthread			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:444 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend Frontend2-SNI
    	bind			public-ip:443 name public-ip:443   
    	mode			tcp
    	log			global
    	maxconn			20
    	timeout client		30000
    	errorfile			503 /var/etc/haproxy/errorfile_Frontend2-SNI_503_ExampleErrorfile
    	tcp-request inspect-delay	5s
    	acl			ucrmsni1	req.ssl_sni -i ucrm.domainx.com
    	acl			unmssni1	req.ssl_sni -i unms.domainx.com
    	acl			cloudsni1	req.ssl_sni -i cloud.domainx.com
    	acl			portfoliosni1	req.ssl_sni -i domainx.com
    	acl			dsmsni1	req.ssl_sni -i dsm.domainx.com
    	acl			dbsni1	req.ssl_sni -i db.domainysolutions.com
    	tcp-request content accept if { req.ssl_hello_type 1 }
    	use_backend ucrm_ipv4  if  ucrmsni1 
    	use_backend unms_ipv4  if  unmssni1 
    	use_backend cloud_ipv4  if  cloudsni1 
    	use_backend portfolio_ipv4  if  portfoliosni1 
    	use_backend dsm_ipv4  if  dsmsni1 
    	use_backend db_ipv4  if  dbsni1 
    	default_backend Frontend3offload_ipv4
    
    frontend Frontend1-http
    	bind			public-ip:80 name public-ip:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	maxconn			20
    	timeout client		30000
    	acl			dbACL	var(txn.txnhost) -m str -i db.domainysolutions.com
    	acl			domainyACL	var(txn.txnhost) -m str -i domainysolutions.com
    	acl			domainyACL	var(txn.txnhost) -m str -i www.domainysolutions.com
    	acl			unmsACL	var(txn.txnhost) -m str -i unms.domainx.com
    	http-request set-var(txn.txnhost) hdr(host)
    	http-request redirect scheme https  if  !domainyACL !dbACL !unmsACL 
    	use_backend domainy-http_ipv4  if  domainyACL 
    	use_backend db-http_ipv4  if  dbACL 
    	use_backend unms-http_ipv4  if  unmsACL 
    
    backend ucrm_ipv4
    	mode			tcp
    	id			10113
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			ucrm 10.0.0.5:443 id 10114 check-ssl check inter 1000  weight 1 verify none 
    
    backend unms_ipv4
    	mode			tcp
    	id			10115
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk HEAD / 
    	server			unms 10.0.0.13:443 id 10116 check-ssl check inter 1000  weight 1 verify none 
    
    backend cloud_ipv4
    	mode			tcp
    	id			10105
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			cloud 10.0.0.14:443 id 10106 check-ssl check inter 1000  weight 1 verify none 
    
    backend portfolio_ipv4
    	mode			tcp
    	id			10109
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			portfolio 10.0.0.45:443 id 10110 check-ssl check inter 1000  weight 1 verify none 
    
    backend dsm_ipv4
    	mode			tcp
    	id			10101
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    
    backend db_ipv4
    	mode			tcp
    	id			10117
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			db 10.0.0.51:443 id 10118 check-ssl check inter 1000  weight 1 verify none 
    
    backend Frontend3offload_ipv4
    	mode			tcp
    	id			10103
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    
    backend domainy-http_ipv4
    	mode			http
    	id			10111
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			domainy 10.0.0.50:80 id 10112 check inter 1000  weight 1 
    
    backend db-http_ipv4
    	mode			http
    	id			10119
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			db 10.0.0.51:80 id 10120 check inter 1000  weight 1 
    
    backend unms-http_ipv4
    	mode			http
    	id			10100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			unms 10.0.0.13:80 id 10116 check inter 1000  weight 1
    
    • PiBa @Brailyn
      last edited by Apr 30, 2020, 6:32 PM

      @Brailyn
      What happens if you configure the openvpn-server ip:port in your 'Frontend3offload_ipv4' backend? Maybe that's all that's needed?

      • Brailyn
        last edited by Apr 30, 2020, 6:51 PM

        I added it as the only server in Frontend3offload_ipv4, set to type tcp, and disabled the health check and the valid certificate check, and no luck... Please take a look at these two configs below:

        frontend Frontend3-offload
        	bind			127.0.0.1:1443 name 127.0.0.1:1443  no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl crt-list /var/etc/haproxy/Frontend3-offload.crt_list crt-ignore-err all  
        	bind /tmp/haproxy_chroot/Frontend3-offload.socket name unixsocket uid 80 accept-proxy  no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl crt-list /var/etc/haproxy/Frontend3-offload.crt_list crt-ignore-err all 
        	mode			tcp
        	log			global
        	maxconn			20
        	timeout client		30000
        	default_backend openvpn_ipvANY
        

        and

        backend openvpn_ipvANY
        	mode			tcp
        	id			121
        	log			global
        	timeout connect		30000
        	timeout server		30000
        	retries			3
        	server			openvpn-server 127.0.0.1:1195 id 122 
        
        • PiBa @Brailyn
          Apr 30, 2020, 7:00 PM (last edited by PiBa Apr 30, 2020, 7:03 PM)

          @Brailyn
          Wrong, try again ;)
          You have now created a new backend, which I didn't ask for.

          You should have added the server 127.0.0.1:1195 to the already existing backend 'Frontend3offload'.

          so change:

          backend Frontend3offload_ipv4
          	mode			tcp
          	id			10103
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          

          To:

          backend Frontend3offload_ipv4
          	mode			tcp
          	id			10103
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	server			openvpn-server 127.0.0.1:1195 id 122 
          
          • Brailyn
            last edited by May 3, 2020, 3:41 AM

            That works after I set my OVPN to listen on LAN. Is there any way I can keep my frontend3 for offloading HTTPS and make this server the default in that front end?

            Very similar to your tutorial here where OpenVPN would be the default on frontend3-offloading.

            • PiBa @Brailyn
              last edited by May 5, 2020, 5:23 PM

              @Brailyn
              The frontend3-offloading uses type HTTP; this cannot pass openvpn traffic, which doesn't use http.
              You can still have an 'offloading' frontend of course. But the backend that sends traffic there would not be the default backend for the frontend2-SNI. There would be an acl check for one or more SNI names like myFirstOffloadedSite.domain.tld mySecondOffloadedSite.domain.tld and then an action use-backend:frontend3-offloading when that acl matches. Then that frontend3 can handle the certificates and further splitting of host headers so first site and second site actually get handled by first-backend and second-backend.

              As for how the backend is named and what it does, that indeed is probably a little strange, but you can change the names of course. I was just telling, with minimal changes, how to achieve the initial goal while seeing that you were not actually using that default backend at the time.

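The thread turns on one mechanism: Frontend2-SNI reads the TLS ClientHello (`req.ssl_hello_type 1`, `req.ssl_sni`) and routes on the server name, and anything that is not a ClientHello, such as OpenVPN over TCP, matches no acl and falls to `default_backend`. The script below is an added illustration, not code from the thread, from pfSense or from HAProxy: it parses a ClientHello for SNI the way the acls do, evaluates the same route table as the posted frontend, and models PiBa's last reply, where the offloaded sites are selected by SNI and the default backend is left for OpenVPN. The ClientHello bytes and the OpenVPN-over-TCP first bytes are constructed sample input; the `OFFLOADED_SITES` names are the hypothetical ones PiBa used, and `frontend3-offloading` as a backend name is an assumption for that design.

```python
import struct

# Route table mirroring the SNI acls of Frontend2-SNI as posted in the thread.
SNI_ROUTES = {
    "ucrm.domainx.com": "ucrm_ipv4",
    "unms.domainx.com": "unms_ipv4",
    "cloud.domainx.com": "cloud_ipv4",
    "domainx.com": "portfolio_ipv4",
    "dsm.domainx.com": "dsm_ipv4",
    "db.domainysolutions.com": "db_ipv4",
}
# After PiBa's fix this backend holds openvpn-server 127.0.0.1:1195.
DEFAULT_BACKEND = "Frontend3offload_ipv4"
# Hypothetical names from PiBa's last reply: sites that still need TLS
# termination are matched by SNI and handed to the offload frontend (assumed name).
OFFLOADED_SITES = {"myfirstoffloadedsite.domain.tld", "mysecondoffloadedsite.domain.tld"}
OFFLOAD_BACKEND = "frontend3-offloading"

# Constructed approximation of the first bytes OpenVPN sends over TCP:
# a 2-byte length prefix followed by a control packet, never a 0x16 TLS record.
OPENVPN_TCP_SAMPLE = b"\x00\x0e\x38" + b"\x00" * 14


def extract_sni(data: bytes):
    """Return the lowercased SNI host from a TLS ClientHello record, or None when the
    bytes are not a ClientHello (the equivalent of req.ssl_hello_type 1 + req.ssl_sni)."""
    if len(data) < 6 or data[0] != 0x16:            # 0x16 = TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:            # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                    # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                           # session id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                           # compression methods
    if len(hello) < pos + 2:
        return None                                 # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == 0 and elen >= 5:             # server_name extension
            # layout: list length(2) + name type(1) + name length(2) + name
            name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
            return hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace").lower()
        pos += elen
    return None


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    ext = b""
    if server_name is not None:
        name = server_name.encode()
        sni = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(sni)) + sni
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + b"\x00" * 32            # version, random
             + b"\x00"                             # empty session id
             + b"\x00\x02\xc0\x2f"                 # one cipher suite
             + b"\x01\x00"                         # compression: null only
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def choose_backend(first_bytes: bytes, offload_by_sni: bool = False) -> str:
    """Evaluate the frontend's acl list on the first bytes of a connection.
    With offload_by_sni=True the offloaded sites are routed by name, as in PiBa's
    last reply, so the default backend is free to carry OpenVPN."""
    sni = extract_sni(first_bytes)
    if sni is None:
        return DEFAULT_BACKEND          # not a ClientHello: OpenVPN lands here
    if offload_by_sni and sni in OFFLOADED_SITES:
        return OFFLOAD_BACKEND
    return SNI_ROUTES.get(sni, DEFAULT_BACKEND)


if __name__ == "__main__":
    for label, blob in [("ucrm", build_client_hello("ucrm.domainx.com")),
                        ("offloaded site", build_client_hello("myFirstOffloadedSite.domain.tld")),
                        ("openvpn", OPENVPN_TCP_SAMPLE)]:
        print(label, "->", choose_backend(blob, offload_by_sni=True))
```

One timing point the config itself does not show: the only accept rule in Frontend2-SNI is `tcp-request content accept if { req.ssl_hello_type 1 }`, so a TLS client is routed as soon as its ClientHello arrives, while an OpenVPN client, which never sends one, is held until the 5 s `tcp-request inspect-delay` expires before it reaches the default backend. That delay is expected behaviour of this rule set, not a fault in the OpenVPN server.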