HAProxy and OpenVPN: Client IP forwardfor to network backend
-
I am using a pfSense firewall to manage the OpenVPN connections to the LAN and an HAProxy install to redirect different subdomains to several services on my LAN.
What I would like / need to achieve is the ability to forward the real client IP address to the services (as of now most of them get 127.0.0.1 causing issues).
First thing to keep in mind is that I configured OpenVPN on TCP/443 and I am using the "port-share 127.0.0.1 9443;" configuration in order to redirect all the non-OpenVPN TCP traffic to HAProxy. It works fine, but instead of having a direct view of what reaches the firewall, HAProxy is listening on TCP port 9443 for packets forwarded from OpenVPN, and I am not sure if this could lead to some kind of issue later on.
That said, I configured several backends and already tried to:
- enable the "Option forwardfor" flag on the frontend interface
- enable the same option by writing it in the advanced "Backend pass thru" field on the backend
- add the action "http-request header add" on the backend, with name "X-Forwarded-For" and fmt "%[src]"
On the server side (I have several services but I started working with Nextcloud) I tried to change the nginx.conf adding:
set_real_ip_from 127.0.0.1; real_ip_header X-Real-IP;
None of these solved the issue and I can still see 127.0.0.1 as the %[src] IP in the nginx headers.
Do you have any clue on what I am missing? Do I need to change "%[src]" to something else? Thank you!
-
Bump up
-
@Emanuele83
When using "port-share", OpenVPN is proxying the traffic. Hence it needs to replace the source address with its own one in the forwarded packets. So HAProxy sees only the source of the OpenVPN proxy, which is 127.0.0.1.
OpenVPN can write the original source IP into a log file at best. But why do you use port sharing at all?
If you necessarily want to use port 443 for OpenVPN, consider using UDP for it. So you could separate the connections on port 443 for OpenVPN and HAProxy by protocol. I don't think that UDP 443 is still often blocked these days, since QUIC uses it for web services and it was standardized two years ago already.
-
Hello @viragomann, thanks for your great answer. Unfortunately I had to switch OpenVPN to TCP since we found out the UDP connections to be blocked too often (we work with industries and their firewalls are often over-restricted). Moving to TCP helped to solve the issue, but we had to share the port with the services we need to access from the web.
Do you think HAProxy can read the IP from a log file? Do you think it could work somehow? How would it sync with the TCP HTTP request?
-
Trying to find a solution to this as well. It doesn't seem OpenVPN has an option to forward headers, which basically makes it impossible to use OpenVPN as the primary listener on port 443 if you need to see client IP addresses on HAProxy.
As an alternative, I wondered if it might make sense to set HAProxy listening on 443 and OpenVPN as a backend on a different port. Has anyone tried this yet? Does this cause double encryption (slowing down the connection too much)? Here is an example of one guy who claims to have got it working:
https://discourse.haproxy.org/t/haproxy-with-openvpn-over-tcp-443-on-pfsense/4731/2
EDIT:
It looks like he created a TCP frontend on 443 with a default backend going to OpenVPN (TCP 1194) and an ACL that checks for SSL and sends SSL traffic to an HTTPS backend set to localhost:9443. Then he configured localhost:9443 as a frontend that handles the forwarded web traffic.
That looks like it should work, but it's a bit too complicated for me to test on my live server right now and I don't have a lab setup. Happy to help anyone else who might have a lab environment set up for testing.
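The layout from the last post, written out as a raw HAProxy configuration sketch. This is an added example, not the config from the linked thread or the pfSense package GUI; it assumes OpenVPN has been moved to 127.0.0.1:1194 without port-share, that the certificate path and the Nextcloud address are placeholders, and it uses the PROXY protocol on the loopback hop so the HTTPS frontend still sees the real client address instead of 127.0.0.1.

```haproxy
# Added example (not the thread's own config). HAProxy owns TCP/443 and
# splits TLS ClientHellos from OpenVPN traffic. Assumed: OpenVPN listens on
# 127.0.0.1:1194 with no port-share; cert path and Nextcloud IP are placeholders.

frontend fe_tcp443
    mode tcp
    bind 0.0.0.0:443
    # Wait for the first bytes so req.ssl_hello_type can be evaluated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # TLS ClientHello (type 1) -> local HTTPS frontend; anything else -> OpenVPN
    use_backend be_local_https if { req.ssl_hello_type 1 }
    default_backend be_openvpn

backend be_openvpn
    mode tcp
    # OpenVPN will log 127.0.0.1 as the peer; the real address is visible in HAProxy's logs
    server openvpn 127.0.0.1:1194

backend be_local_https
    mode tcp
    # send-proxy prepends a PROXY protocol header carrying the original
    # client IP/port, so the next frontend does not see 127.0.0.1 as %[src]
    server local_https 127.0.0.1:9443 send-proxy

frontend fe_https
    mode http
    # accept-proxy restores %[src] from the PROXY header. Keep this bound to
    # loopback only: any peer that can reach it could spoof the client address.
    bind 127.0.0.1:9443 accept-proxy ssl crt /etc/haproxy/certs/site.pem
    # Both headers now carry the real client address (placeholder cert path above)
    option forwardfor
    http-request set-header X-Real-IP %[src]
    default_backend be_nextcloud

backend be_nextcloud
    mode http
    # Placeholder LAN address for the Nextcloud host running nginx
    server nextcloud 192.0.2.10:80
```

On the nginx side, set_real_ip_from must then list HAProxy's LAN address (not 127.0.0.1) and real_ip_header must name the header HAProxy actually sets (X-Real-IP or X-Forwarded-For), otherwise nginx keeps reporting the proxy's address.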