Can Incoming VPN Traffic be Handled Like WAN Traffic
-
Can anyone advise if it is possible and secure to redirect all traffic arriving over an OpenVPN tunnel to various ports on the firewall itself for filtering and forwarding etc., as if that traffic arrived over a WAN?
Background:
I have a Multi-WAN setup, and my primary ISP provides a public IPv4 address. I am therefore able to access a number of services on the pfSense box from remote locations by connecting to the public IP address assigned to the pfSense box. To complicate things a bit, I access all these services on 443, and therefore I use HAProxy to sort all the traffic to the various services arriving on 443 (VPN, SSH etc.) to access my local networks. This all works fine. However, my secondary ISP uses CGNAT, and therefore I am not able to remotely connect to these services on the pfSense box with the same set-up when the main ISP is down, as the secondary ISP doesn’t provide a public IP.
To connect from a remote location over the secondary ISP, I would like to implement a reverse proxy type situation from my pfSense box on port 443 to a VPS that has a public IP address. I would do this with an OpenVPN tunnel using TCP. Since the reverse proxy coming from the pfSense box would be connecting to the VPS on 443, and the traffic I actually want to push to the pfSense box from a remote location is also arriving at the VPS on 443, I’ll likely install HAProxy on the VPS to sort the traffic and send the appropriate traffic down the VPN tunnel to the pfSense box.
I don’t want to completely trust this VPS, and also I want to do other things on it, so I don’t want to do advanced firewalling on the VPS server (or install pfSense on it etc). I’d like to just forward all the appropriate traffic it sees down the VPN connection to the pfSense box for handling.
I am thinking I would use HAProxy again on the pfSense box to separate out which traffic arriving through the VPN tunnel should be directed to which service, and the rest blocked by the firewall just like pfSense does on the WAN port when the primary ISP is up.
To do this, I am thinking I would duplicate the HAProxy settings I have that listen/sort traffic on the WAN address, and also have HAProxy listen on the VPN interface address. If that works, I would be able to access the services remotely via the VPS. Then I would just have a default block-all rule on the pfSense-VPS reverse proxy tunnel interface since there is no reason to allow any other traffic from the VPS into my local network.
Does anyone know if this is possible, and even if it is, would it be just as secure a situation as I have when operating on the primary ISP?
One thing that makes me skeptical if this will work is that HAProxy doesn't list my existing OpenVPN interfaces over TCP in the listen address drop-down menu. However, there is an option to choose a custom address, that might be usable to specify the VPN interface for listening...
-
@automatican said in Can Incoming VPN Traffic be Handled Like WAN Traffic:
Can anyone advise if it is possible and secure to redirect all traffic arriving over an OpenVPN tunnel to various ports on the firewall itself for filtering and forwarding etc., as if that traffic arrived over a WAN?
If you're not on CE 2.5.1+ it should be possible.
-
@viragomann Haven't yet made the leap to 2.5, still on 2.4.5p1. Is that due to one of the bugs in 2.5.1?
Do you see any overarching security concerns in this method? I'm concerned that this setup might unwittingly allow unwanted traffic through the firewall, and anything that comes down the tunnel could be unwanted...
-
@automatican
No, if you set the firewall rules tightly, that won't be any different from accessing from the WAN address. Didn't read your whole story before. I don't know if it is possible to let HAProxy listen on the VPN address. Missing it in the dropdown leaves me in doubt.
But maybe it is possible to forward the whole incoming VPN traffic on port 443 to your WAN address. If that works you can go with your existing proxy settings. Not clear why you want to run an additional reverse proxy on the VPS. I would simply forward the appropriate traffic to the VPN client.
To get it to work you need to assign an interface to the VPN client instance and define your firewall rule on this one. You have to ensure that no rule on the OpenVPN tab, no floating rule and none on any other interface group tab is matching the concerned forwarded traffic from the remote site. Otherwise the connections will fail.
-
@viragomann Thanks, I've been thinking more about it, and I can't think of any reason, other than software limitation, or my own knowledge, that this shouldn't work. I just wanted to check my logic before doing something that could be a bad idea.
I see a lot of articles with people doing this type of thing, but they always seem to be establishing the reverse VPN connection from a specific client inside the pfSense firewall, or using a reverse SSH connection that already specifies the port behavior, or establishing the VPN connection on a different port on the VPS than the VPS traffic to be forwarded down the VPN, and then using IP Tables on the VPS to forward all traffic down the VPN, and allowing all the traffic through the firewall that comes through the VPN connection. So I couldn't find anything about having all the traffic on 443, and having the firewall itself manage the traffic coming down the VPN connection regardless of how it got there, which made me think it might be a bad idea. So seems like I will have to try it out and see.
@viragomann said in Can Incoming VPN Traffic be Handled Like WAN Traffic:
Not clear why you want to run an additional reverse proxy on the VPS. I would simply forward the appropriate traffic to the VPN client.
I believe you are asking why I am considering using HAProxy on the VPS instead of just using something like IP Tables on the VPS. I need some way to direct the various types of traffic arriving on the VPS port 443. I haven't messed with IP Tables prior, but am open to learning.
Do you think IP Tables could be used to sort out which traffic arriving on the VPS 443 actually needs to be forwarded to a service on the VPS (SSH into the VPS, and the VPN connection to the VPS from the pfSense box itself, etc), and which traffic arriving on 443 needs to be forwarded down the tunnel to the pfSense box?
For now, I am thinking I can achieve this with HAProxy on the VPS by:
- Set up a DynDNS URL that directs traffic to 443 on the VPS
- Have the pfSense box VPN Client request the connection to the VPS via this URL
- Have HAProxy examine the incoming VPS 443 traffic for this specific URL, and forward that traffic to a backend that directs to the port on the VPS actually running the VPN service
- Have HAProxy forward all other 443 traffic down the VPN connection
All the examples I've seen using IP Tables have the VPN connection from the pfSense box coming in on a different port to the VPS than the traffic to be routed down the VPN tunnel, making the IP Tables configuration more obvious. (i.e. route all traffic coming in on 443 down the VPN connection).
Happy to take any advice, and do things simpler if it achieves the same goals, but there is definitely a learning curve on this one.
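As an added example (not from this thread, and not a configuration either poster has run), the following is a complete HAProxy configuration for the VPS that sorts the three kinds of traffic arriving on 443. All addresses are assumptions: the VPS OpenVPN server (TCP) is bound to 127.0.0.1:1194, sshd is on 127.0.0.1:22, and the pfSense end of the tunnel is 10.8.0.2. It departs from the third step of the plan above in one respect: it does not match a hostname in the pfSense VPN connection, because an OpenVPN-over-TCP session opens with OpenVPN's own framing rather than a TLS ClientHello, so there is no SNI to match. Instead it classifies by the first bytes: TLS goes down the tunnel, an SSH banner goes to the local sshd, and anything else is taken to be the site-to-site VPN.

```haproxy
# Added example: /etc/haproxy/haproxy.cfg on the VPS (HAProxy 2.x).
# Assumed (hypothetical) addresses:
#   127.0.0.1:1194  OpenVPN server (TCP) that the pfSense client dials
#   127.0.0.1:22    sshd on the VPS
#   10.8.0.2        pfSense side of the OpenVPN tunnel
# Everything runs in mode tcp: the VPS never terminates TLS, so it
# never sees the plaintext of the home services it relays.

global
    log /dev/log local0
    user haproxy
    group haproxy

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  1h
    timeout server  1h

frontend mux443
    bind *:443
    # Buffer the client's first bytes for up to 3s so they can be
    # inspected; TLS, SSH and OpenVPN clients all speak first, so a
    # connection is normally classified long before the delay expires.
    tcp-request inspect-delay 3s

    # TLS ClientHello: record type 0x16 carrying handshake type 1
    acl is_tls req.ssl_hello_type 1
    # SSH clients send the literal bytes "SSH-" first
    acl is_ssh req.payload(0,4) -m bin 5353482d

    # Stop waiting as soon as a known protocol is recognised
    tcp-request content accept if is_tls
    tcp-request content accept if is_ssh

    use_backend ssh_local if is_ssh
    # OpenVPN over TCP starts with a 2-byte length and an opcode byte,
    # not a TLS record, so "neither TLS nor SSH" is the site-to-site VPN.
    use_backend openvpn_local if !is_tls !is_ssh
    # All TLS goes down the tunnel for the HAProxy on pfSense to sort out
    default_backend pfsense_tunnel

backend openvpn_local
    server ovpn 127.0.0.1:1194

backend ssh_local
    server ssh 127.0.0.1:22

backend pfsense_tunnel
    # HAProxy on pfSense listens on the tunnel address (custom address
    # in the listen drop-down). Add "send-proxy" here and "accept proxy"
    # on the pfSense frontend if pfSense must see the real client IPs.
    server pfsense 10.8.0.2:443
```

With this in place the pfSense OpenVPN client is pointed at the VPS on TCP 443 like any other client, and the only traffic that ever reaches the tunnel is what the default_backend forwards. On the pfSense side the firewall rule on the assigned tunnel interface then needs to pass only TCP 443 to the tunnel address and block everything else, which is the "default block-all" described above. Note that, without the PROXY protocol lines mentioned in the comments, every connection arriving over the tunnel will carry the VPS tunnel address as its source, so per-client blocking or logging on pfSense would see the VPS rather than the remote user.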
-
@automatican
So you intend to run all services on the VPS on port 443? If so, yeah, that can only be handled by a proxy, but why do you want to do that at all?
There might be a reason to run an access VPN server on 443 and also SSH, for access limitations in some public wifi networks, but from your home you can use separate ports for each service. Yes, in an iptables forwarding rule the port as well as the protocol can be specified.
-
@viragomann said in Can Incoming VPN Traffic be Handled Like WAN Traffic:
So you intend to run all services on the VPS on port 443? If so, yeah, that can only be handled by a proxy, but why do you want to do that at all?
443 seems to be the safest bet for access through most networks, but you are likely correct, that I could probably access the VPS from the pfSense box on most ports, assuming the secondary ISP isn't doing anything unusual.
However, I may need to SSH into the VPS from locations other than where I run the pfSense box, and I would likely do that via 443. I would also access the VPS from those remote locations over 443 for the traffic I would like routed down the VPN tunnel to the pfSense box. So I think this would still have the multiple types of traffic on VPS 443 issue to forward properly that HAProxy can likely handle well.
I could probably avoid that by first accessing the pfSense box remotely through the VPS over the VPN tunnel, and then, once that connection was established, run another SSH tunnel back up to the VPS from the pfSense box, but that seems a little convoluted vs just running HAProxy on the VPS to sort it all out.
-
@automatican
Seems pretty freaky to me. There are some additional ports which might be usable for outgoing connections on most networks, like 25, 80, 110, 143, 465, 587, 993, 995. Anyway, to have the site-to-site VPN on 443 makes no sense at all. Your ISP should not block any outgoing port. Some may block specific P2P ports though.