OpenVPN and SSL NAT



  • Hi

    This is probably a simple question. I have OpenVPN configured on port 443, which I can't really change as this allows me to access my lab when at work behind a proxy.
    I have 2 servers located in my DMZ network where I need to forward traffic on port 443.
    How would I achieve this?

    thanks,


  • LAYER 8 Global Moderator

    How exactly do you plan on forwarding 443 to two different boxes behind? Are you going to use a reverse proxy? Do you have more than 1 public IP?

    I don't think you can use reverse proxy and openvpn??  You can have openvpn hand over the traffic to your box behind with the port share feature
    https://doc.pfsense.org/index.php/Sharing_a_Port_with_OpenVPN_and_a_Web_Server

    Not sure how you would do it with multiple servers on the same port?



  • Yes, I only have one public IP and this is exactly the solution I got to: offloading the 443 traffic to a reverse proxy, which would then forward the 443 traffic to either of the 2 servers.
    Just wanted confirmation before I headed off down this route (and to make sure there was no easier solution).

    Now i just need to figure out which reverse proxy solution, maybe another pfsense router with squid but might stick to Windows Web Application Proxy. NGINX might be too much of a steep learning curve for a proof of concept lab that I'm working on.

    thanks very much.



  • Hi,

    What about running OpenVPN on a different port on the LAN interface?
    Do port forwarding from your public IP address port 443 to your LAN IP address with your custom OpenVPN port.
    And to make sure that it does not conflict with your web servers, make sure that the port forwarding only kicks in when the request comes from a specific source IP. As this IP is your company's IP address, I assume they have a static IP address or probably a range of public IP addresses. If you only allow these sources to do the port forwarding described above, it could work.

    Of course this will not give you a solution when you are in a hotel and want to make use of your 443 OpenVPN.

    PS:
    What about using OpenVPN on port 53 UDP, if this is allowed in your company to communicate to the outside?



  • I see what you mean, never thought of binding openvpn to a different interface and forwarding.
    But the problem is, I work from different sites (not just the company I'm contracted to) and when I'm sat behind the proxy, I can only get out over 80/443.

    thanks though, food for thought.


  • LAYER 8 Global Moderator

    Do these servers listening on 443 in your DMZ need to be open to the public? If not, once you VPN in you would have access with no need for forwarding.

    Keep in mind that when you set up a reverse proxy behind your edge router/NAT/firewall device like pfSense, you need to make sure you don't run into an asynchronous routing issue. This reverse proxy you use would most likely be best on a transit network connecting it to pfSense, and then your servers behind that. So not only does this reverse proxy need to proxy, it also needs to route.

    The cleaner solution would for sure be to have another public IP to work with for your openvpn you want on 443. Can you run one of these servers on a different port, say 8443, that you forward to 443 behind? And then let the port sharing of openvpn forward to the other server?
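The port-sharing arrangement suggested in the last post, written out as an added example OpenVPN server configuration (not from the thread or the pfSense documentation). The DMZ web server address 192.0.2.10, the tunnel network and the journal directory are assumed placeholders:

```conf
# OpenVPN server: listen on TCP/443 so clients stuck behind a proxy that
# only lets 80/443 out can still connect.  port-share requires TCP; it
# does nothing for a UDP server.
proto tcp-server
port 443
dev tun
server 10.8.0.0 255.255.255.0      # placeholder tunnel network

# Connections on 443 that do not look like an OpenVPN handshake (for
# example a browser's plain TLS ClientHello) are passed through to the
# DMZ web server instead.  Placeholder address: use the real DMZ host.
port-share 192.0.2.10 443

# Caveat: the web server sees the firewall's address as the client, not
# the real source.  The optional third argument makes OpenVPN write one
# journal file per proxied connection holding the original client
# IP:port, so the real source can still be recovered for logging.
# port-share 192.0.2.10 443 /var/run/openvpn-portshare   # placeholder dir

# Only one host can be the port-share target, so the second DMZ server
# still needs its own path: a separate NAT rule (public 8443 -> its 443)
# as proposed above, or simply access over the VPN once connected.
```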

