OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: actionhenkt on October 20, 2019, 02:56:40 pm

Title: [solved] haproxy using openvpn and https
Post by: actionhenkt on October 20, 2019, 02:56:40 pm
Hi,

I'm trying to set up OpenVPN and HTTPS on port 443 using HAProxy. The VPN part is working, but I'm not able to get HTTPS working using the OPNsense interface to configure HAProxy. I'm getting SSL errors when trying to connect ("unable to provide secure connection"). I'm using Let's Encrypt certificates on the HTTPS frontend and "real servers".

I have currently set up haproxy like this:

vpn -> tcp frontend(shared) -> tcp backend -> openvpn server

web -> tcp frontend(shared with vpn) -> tcp backend -> "realserver loop" ssl enabled -> https frontend ssl offloading enabled -> website ssl enabled

Would this be the correct way to set it up? Is there a way to use haproxy.conf directly to edit the configuration? I checked haproxy.conf on the firewall; the configurator seems to be generating random names for ACLs. Can I just overwrite it with my own?

Thanks!
Title: Re: haproxy using openvpn and https
Post by: dieterarn on October 21, 2019, 04:54:10 am
this is a very interesting config - if you figure out how to set it up please share...
Title: Re: haproxy using openvpn and https
Post by: actionhenkt on October 21, 2019, 11:22:38 pm
Hello,

I figured out how to set up OpenVPN + HTTPS in TCP mode. Below are the screenshots of my configuration.

openvpn is the VPN
bw is the HTTPS website


For SNI to work you need separate certificates for each domain/subdomain. If you also want to get source IPs to use in an ACL blocklist/whitelist, you will have to set up a bind option on the "frontend-main-https" with an accept-proxy option in the "Bind option passthrough" field, and the backend will need a per-server option send-proxy. I'm not sure which field it is in the HAProxy interface of OPNsense, but I'm guessing it's the "Default for server" field; I have not tried it yet.


Backends overview:
(https://i.imgur.com/6pHTTQ7.png)

Frontends overview:
(https://i.imgur.com/WvjGHkk.png)

Real servers overview:
(https://i.imgur.com/L08SQFF.png)

Backends:

bw:
(https://i.imgur.com/73oRdpy.png)

loop:
(https://i.imgur.com/hb9wzTY.png)

openvpn:
(https://i.imgur.com/y2LRxFZ.png)

Real servers:

bw:
(https://i.imgur.com/EF497Pe.png)

loop:
(https://i.imgur.com/24AA2R4.png)

openvpn:
(https://i.imgur.com/GDmksgD.png)

Frontends:

frontend-tcp:
(https://i.imgur.com/uohzI2o.png)

frontend-main-https:
(https://i.imgur.com/DDV9BEC.png)

Conditions:

cond-bw:
(https://i.imgur.com/m9dmjVY.png)

cond-host-matches-bw:
(https://i.imgur.com/1Y4RIkd.png)

cond-if-https:
(https://i.imgur.com/9sYHDdy.png)

cond-if-not-https:
(https://i.imgur.com/eaXkFnR.png)

Rules:

rules-host-matches-bw:
(https://i.imgur.com/mEdE2y6.png)

rule-if-https:
(https://i.imgur.com/1ixcWzJ.png)

rule-if-not-https:
(https://i.imgur.com/TvEnUn6.png)

rule-to-loop-server:
(https://i.imgur.com/xwRxWIk.png)
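As an added example (not the poster's screenshots and not the haproxy.cfg that OPNsense generates), here is a hand-written haproxy.cfg equivalent of the layout described above: one TCP frontend on 443, a TLS-or-not decision, a "loop" back into HAProxy's own HTTPS frontend with the PROXY protocol so the client IP survives, and host-based routing to the bw backend. The addresses, ports, certificate paths and the hostname bw.example.com are assumptions.

```haproxy
# Added example: hand-written equivalent of the OPNsense GUI layout above.
# All addresses, ports, paths and hostnames are assumptions.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# frontend-tcp: the single listener on 443 shared by OpenVPN and HTTPS
frontend frontend-tcp
    bind *:443
    mode tcp
    # Hold the connection (at most 5s) until the first bytes arrive so the
    # TLS ClientHello check below has data to look at; OpenVPN clients speak
    # first too, so non-TLS traffic simply falls through after the check.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # cond-if-https / cond-if-not-https
    acl is_tls req.ssl_hello_type 1
    # rule-to-loop-server: TLS goes back into HAProxy's own HTTPS frontend
    use_backend loop if is_tls
    # rule-if-not-https: anything that is not a TLS handshake is OpenVPN
    default_backend openvpn

backend openvpn
    mode tcp
    # OpenVPN server in TCP mode on the firewall itself (assumed port)
    server openvpn 127.0.0.1:1194

# "realserver loop": HAProxy connects to itself; send-proxy prepends a
# PROXY header carrying the real client IP/port.
backend loop
    mode tcp
    server loop 127.0.0.1:8443 send-proxy

# frontend-main-https: TLS termination. accept-proxy reads the PROXY header,
# so this bind must only be reachable from HAProxy itself (loopback here):
# anything that can reach 8443 could otherwise forge a client address.
frontend frontend-main-https
    bind 127.0.0.1:8443 accept-proxy ssl crt /usr/local/etc/haproxy/certs/ strict-sni
    mode http
    option httplog
    option forwardfor
    # cond-host-matches-bw / rules-host-matches-bw
    acl host_bw req.hdr(host) -i bw.example.com
    use_backend bw if host_bw
    # Refuse requests whose Host does not match any configured site instead
    # of silently serving the first backend.
    http-request deny deny_status 421 unless host_bw

backend bw
    mode http
    # The website terminates its own TLS; verify its certificate against a
    # CA bundle (assumed path) rather than trusting any certificate.
    server bw 192.0.2.10:443 ssl verify required ca-file /usr/local/etc/ssl/cert.pem
```

The crt directory holds one certificate per name, which is what makes SNI selection work, and strict-sni makes HAProxy refuse handshakes for names it has no certificate for instead of falling back to the first one. The source-IP ACLs the post talks about belong in frontend-main-https (src is the real client address once accept-proxy is in place); in frontend-tcp, src is also the real client, but in frontend-main-https without accept-proxy it would always be 127.0.0.1.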



Title: Re: [solved] haproxy using openvpn and https
Post by: La Binouze on December 29, 2021, 11:22:18 am
Hi actionhenkt,

I would be interested in your configuration screenshots.
In the last answer you wrote in this topic, we can no longer view the screenshots.

Would you please share again your config ?

thank you and happy end 2021 year !

La Binouze
Title: Re: [solved] haproxy using openvpn and https
Post by: seed on January 25, 2022, 12:56:19 pm
Another, in my opinion simpler, solution would be OpenVPN's "port-share" function.
Adding, for example:

Code:
    port-share 10.10.10.10 8080
to your configuration would redirect any traffic that OpenVPN is not capable of dealing with to that IP/port.
When you use port-share, OpenVPN should run on port 443/tcp. I've been using this configuration for over 2 years.

Maybe it helps.
Title: Re: [solved] haproxy using openvpn and https
Post by: seed on January 25, 2022, 12:57:40 pm
Another, in my opinion simpler, solution would be OpenVPN's "port-share" function.
Adding, for example:

Code:
    port-share 10.10.10.10 8080
to your configuration would redirect any traffic that OpenVPN is not capable of dealing with to that IP/port.
When you use port-share, OpenVPN should run on port 443/tcp. I've been using this configuration for over 2 years.

Maybe it helps.

Quote:
    --port-share host port [dir]
    When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh.

    dir specifies an optional directory where a temporary file with name N containing content C will be dynamically generated for each proxy connection, where N is the source IP:port of the client connection and C is the source IP:port of the connection to the proxy receiver. This directory can be used as a dictionary by the proxy receiver to determine the origin of the connection. Each generated file will be automatically deleted when the proxied connection is torn down.
Title: Re: [solved] haproxy using openvpn and https
Post by: stanthewizzard on September 30, 2022, 07:46:41 am
It works, but not perfectly.
Sometimes with MS Exchange I have errors because of a false cert (the one from OpenVPN instead of the one of Exchange).
The issue is only with OpenVPN on OPNsense (no issue if the VPN is on Debian, for example).