Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[braveworm]

Any idea how to setup the VPN_redirect_rule as shown in the P000_001_Schematic?

I wanted to have openvpn and the https sites on the same port but can't figure out the rules and conditions.

[stefan21]

There are a lot of countries or even more and more hotels, where only tcp 80 and 443 are opened in their wifi's or LAN's.

Therefore I'm also highly interested how to configure hyproxy to seperate openvpn traffic from webtraffic. Googling around brings up this: https://community.openvpn.net/openvpn/ticket/1352

" HAProxy is perfectly capable of proxying and load balancing OpenVPN in TCP mode, and to share a single listening port with OpenVPN and HTTPS sites. I have used this configuration for years.

To distinguish OpenVPN traffic from TLS traffic, use the following combination HAProxy ACL conditions in a HAProxy frontend

!{ req.ssl_hello_type 1 } !{ req.len 0 }

To distinguish SSH traffic from TLS traffic, use the following combination of HAProxy ACL conditions in a HAProxy frontend:

!{ req.ssl_hello_type 1 } { req.len 0 }

A HAProxy backend can be used to load balance multiple servers. Use TCP mode.

A barebone example configuration is given here:

​https://gist.github.com/zukka77/a5ddb8d81ef9a82e2ff797e3a578c97e

Furthemore, PROXY protocol is protocol agnostic, and could therefore perfectly well be implemented in OpenVPN (Community version). Read more here:

​https://www.haproxy.com/blog/haproxy/proxy-protocol/

PROXY protocol support in OpenVPN would be very welcome, since it will allow OpenVPN servers to know the real IP addresses of connecting clients."

Further more:

https://gist.github.com/zukka77/a5ddb8d81ef9a82e2ff797e3a578c97e

"frontend ssl
    mode tcp
    bind 0.0.0.0:443 name frontend-ssl
    option tcplog
    log global
    tcp-request inspect-delay 3s
    tcp-request content accept  if  { req.ssl_hello_type 1 }
    use_backend main-ssl        if  { req.ssl_hello_type 1 }
    use_backend ssh             if  !{ req.ssl_hello_type 1 } { payload(0,7) -m bin 5353482d322e30 }
    use_backend openvpn         if  !{ req.ssl_hello_type 1 } !{ req.len 0 }
    use_backend ssh             if  !{ req.ssl_hello_type 1 } { req.len 0 }


backend main-ssl
    mode tcp
    server main-ssl 127.0.0.1:8443

backend openvpn
    mode tcp
    server openvpn-localhost 127.0.0.1:1194

backend ssh
    mode tcp
    server ssh-localhost 127.0.0.1:22
"

Let's try together to figure out how this can be translated in OPNsense haproxy. As pre-requisite a openvpn server is running configured to listen on port 1194 and ready to connect to roadwarriors.

In haproxy:

1. I assume it has to be a condition created including !{ req.ssl_hello_type 1 } !{ req.len 0 }
2. a rule is needed which includes the condition and directs the traffic to the vpn server via the vpn backend.
3. a real openvpn server has to be setup
4. a backend vpn is needed

As the SNI_frontend sends most of its traffic to SSL_backend, has this to be integratet in the SNI_frontend or is a new i.e. VPN_frontend needed?

At this point I need help to step further. How exactly has this to be setup? Where are the gurus to get this on the way? IMVHO a lot of people would appreciate a solution.

regards,
stefan