OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: GreenMatter on July 07, 2021, 02:44:50 pm

Title: Nginx stream - proxying OpenVPN
Post by: GreenMatter on July 07, 2021, 02:44:50 pm
There is a fair number of nginx configurations available for proxying OpenVPN data.
Did anyone here achieve something similar using the webgui? And if not, how do I do it using a text config so that it persists across reboots, updates etc.? Use hook files?


EDIT:
As the nginx http (SSL termination) and stream services can't both be run on the same port, is there any way I can assign the http services to specific interfaces, or use the $ssl_preread_protocol variable (but then I would need to move my http servers to the stream service: https://www.nginx.com/blog/running-non-ssl-protocols-over-ssl-port-nginx-1-15-2/ )?
Title: Re: Nginx stream - proxying OpenVPN
Post by: fabian on July 07, 2021, 09:27:55 pm
OpenVPN is also TLS so this may not work. What I would try is doing something like:

Bind a stream to 443 where you can match on the hostname. Then you can decide, based on that, what it is:

vpn.example.com -> TCP/1194
Default to TCP/8443

Then bind the HTTPS port of nginx to 8443 and communicate with the proxy protocol. Then you can pass the source IP address as well.

The only thing that needs to be checked is if the OpenVPN daemon supports the proxy protocol.

In theory, the other direction may also work. You can pass the connection through OpenVPN to nginx. However, I have no idea if the client IP address can be passed this way.
Title: Re: Nginx stream - proxying OpenVPN
Post by: GreenMatter on July 08, 2021, 09:26:41 am
Bind a stream to 443 where you can match on the hostname. Then you can decide, based on that, what it is:

vpn.example.com -> TCP/1194
Default to TCP/8443

Then bind the HTTPS port of nginx to 8443 and communicate with the proxy protocol. Then you can pass the source IP address as well.
Thanks. Are you talking about SNI-based routing (webgui only), or would it be better to use ssl_preread_protocol (instead of the name)? More or less something like the following:

Code:
stream {
    upstream vpn {
        server 127.0.0.1:1194;  # OpenVPN TCP listener
    }
    upstream web {
        server 172.16.1.1:8443; # interface where the nginx http server is bound
    }
    # $ssl_preread_protocol is empty when the stream does not start with a TLS
    # ClientHello (OpenVPN over TCP uses its own framing), so OpenVPN clients
    # fall through to "default"; both current TLS versions must be listed for web
    map $ssl_preread_protocol $upstream {
        default   vpn;
        "TLSv1.2" web;
        "TLSv1.3" web;
    }
    # VPN and SSL on the same port
    server {
        listen 443;         # plain listen: clients send TLS, not a PROXY header,
                            # so "listen 443 proxy_protocol" would break them
        ssl_preread on;     # peek at the ClientHello without terminating TLS
        proxy_pass $upstream;
        proxy_protocol on;  # sends a PROXY header to both upstreams; keep it only
                            # if the OpenVPN side accepts it (the point fabian raised)
    }
}
If so, would I need to use a hook file?


EDIT:
When using SNI in stream, Nginx bypasses the configured http servers and locations and directs requests straight to the upstream. And it results in a connection error...
EDIT2:
Even if I set the SNI upstream to the http nginx interface with proxy_protocol on, I receive "LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection".

EDIT3:
Alternative mentioned by @fabian: OpenVPN as "proxy". Add to the OpenVPN server config:
Code:
port-share 172.16.1.1 443   # hand non-OpenVPN TCP connections on this port to the nginx http service
As far as I've read, it's not as performant as stream in Nginx and doesn't pass the client's IP (checked in the nginx log).
Title: Re: Nginx stream - proxying OpenVPN
Post by: Fright on July 10, 2021, 01:08:04 pm
Hi.
IMHO it will not work with SNI for this (correct me if I'm not right, but it seems OpenVPN has not added SNI yet).
So I would try with ssl_preread.
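To make concrete why GreenMatter's map on $ssl_preread_protocol sends OpenVPN to the default upstream while Fright's objection to SNI routing holds, here is an added example (not code from nginx, OpenVPN, OPNsense or anyone in this thread) that re-implements, in simplified form, what ngx_stream_ssl_preread_module does with the first bytes of a connection: it parses a TLS ClientHello for its version and server_name, recognises the OpenVPN TCP framing that precedes any TLS bytes, and applies the same default/web decision as the posted map. The packets are constructed by hand and the upstream names and addresses are taken from the config above purely for illustration.

```python
"""Toy version of nginx's ssl_preread decision, to show why an OpenVPN TCP client
never matches a TLS protocol or SNI condition: its first packet is an OpenVPN
control packet, not a ClientHello. Added example; packets are constructed."""
import struct

# Upstream names and targets as in the posted stream config (illustrative only)
UPSTREAMS = {"vpn": "127.0.0.1:1194", "web": "172.16.1.1:8443"}

TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
             0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def parse_client_hello(data: bytes):
    """Return {"protocol", "sni"} if data starts with a complete TLS ClientHello,
    else None: roughly what nginx exposes as $ssl_preread_protocol and
    $ssl_preread_server_name (highest version offered in supported_versions wins)."""
    # TLS record header: content type 0x16 (handshake), version, length
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:           # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:                         # nginx would buffer and wait for more
        return None
    version = struct.unpack("!H", hello[:2])[0]     # legacy_version (0x0303 even for TLS 1.3)
    pos = 2 + 32                                    # skip legacy_version + random
    pos += 1 + hello[pos]                           # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hello[pos]                           # compression methods
    sni = ""
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:        # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == 43:     # supported_versions: len(1) then 2-byte versions
                offered = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                           for i in range(0, edata[0], 2)]
                version = max(offered + [version])
    return {"protocol": TLS_NAMES.get(version, "unknown"), "sni": sni}


def looks_like_openvpn_tcp(data: bytes) -> bool:
    """OpenVPN over TCP prefixes each packet with a 2-byte length, then an opcode
    byte (opcode << 3 | key_id). A new client starts with
    P_CONTROL_HARD_RESET_CLIENT_V2 (7) or _V3 (10); its TLS ClientHello only
    appears later, inside P_CONTROL_V1 packets, so ssl_preread sees no TLS."""
    if len(data) < 3:
        return False
    plen = struct.unpack("!H", data[:2])[0]
    return plen == len(data) - 2 and (data[2] >> 3) in (7, 10)


def choose_upstream(first_bytes: bytes) -> str:
    """Same decision as the thread's map: default vpn; TLSv1.2/TLSv1.3 ClientHello -> web."""
    hello = parse_client_hello(first_bytes)
    if hello and hello["protocol"] in ("TLSv1.2", "TLSv1.3"):
        return "web"
    return "vpn"


def build_client_hello(sni: str, supported_versions=()) -> bytes:
    """Constructed minimal ClientHello (zero random, one cipher suite) for testing."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_data)) + sni_data
    if supported_versions:
        sv = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", 43, len(sv)) + sv
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # legacy_version, random, no session id
             + struct.pack("!H", 2) + b"\x13\x01"              # one cipher suite
             + b"\x01\x00"                                     # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed first packet of an OpenVPN TCP client without tls-auth:
# length 14, opcode 7 / key id 0 (0x38), 8-byte session id, empty ack array, packet id 0
OPENVPN_RESET = b"\x00\x0e\x38" + bytes(8) + b"\x00" + bytes(4)

if __name__ == "__main__":
    for label, pkt in [("TLS 1.2 browser", build_client_hello("www.example.com")),
                       ("TLS 1.3 browser", build_client_hello("www.example.com", (0x0304, 0x0303))),
                       ("OpenVPN client", OPENVPN_RESET)]:
        print(label, parse_client_hello(pkt), "openvpn-framing" if looks_like_openvpn_tcp(pkt) else "",
              "->", UPSTREAMS[choose_upstream(pkt)])
```

Running it shows the two browser hellos landing on web (the TLS 1.3 one only because supported_versions is honoured, which is why the map needs a "TLSv1.3" entry) and the OpenVPN reset packet yielding no protocol and no server name at all, so it can only ever reach the default upstream; a map on $ssl_preread_server_name has nothing to match for it.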