OPNsense Forum » English Forums » General Discussion » Routing VPN Connections Without Multiple VPN Servers
Topic: Routing VPN Connections Without Multiple VPN Servers (Read 729 times)
kozistan (Newbie, Posts: 47, Karma: 2)
Have you tried turning it off and on again?
Routing VPN Connections Without Multiple VPN Servers
« on: August 11, 2024, 06:46:03 pm »
Hi! I'm looking for a way to avoid creating 30 VPN servers just for routing traffic to other VPN clients connected to Proton servers. Managing such a large number of connections is not ideal for resources or security.
I need to route connections from private subnets to these VPN gateways. One idea I had is using HAProxy.
I would set up proxy profiles in the clients' browsers and use a specific port to route only HTTP and HTTPS traffic to the VPN gateway connected to the Proton server.
However, I'm not sure how to proceed and would appreciate any help, tutorials, or advice.
Thanks for any feedback!
« Last Edit: August 11, 2024, 06:52:34 pm by kozistan »
Patrick M. Hausen (Hero Member, Posts: 6802, Karma: 572)
« Reply #1 on: August 11, 2024, 07:47:08 pm »
What do you mean by 30 VPN servers? 30 firewalls in different locations? That's not an unusual size for a hub and spoke corporate topology - 30 small offices connected to the HQ.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
kozistan (Newbie, Posts: 47, Karma: 2)
« Reply #2 on: August 11, 2024, 08:42:10 pm »
No, I have 30 Proton clients connected to different geolocations, using the standard ProtonVPN app.
I need to route clients from the private network to these Proton connections.
Currently, I have 30 different OVPN servers, and when clients connect, I NAT their traffic and use rules to direct it to the specified gateway.
However, I’m looking for a more sophisticated solution using a proxy. Squid probably isn't suitable as it’s limited to one port, and I need multiple ports.
Patrick M. Hausen (Hero Member, Posts: 6802, Karma: 572)
« Reply #3 on: August 11, 2024, 08:58:19 pm »
What's a Proton Client? Sorry, not my area of expertise. I have absolutely no idea what you might be doing there.
kozistan (Newbie, Posts: 47, Karma: 2)
« Reply #4 on: August 11, 2024, 10:00:25 pm »
A ProtonVPN client would be the software used to connect to ProtonVPN's secure servers, which helps users encrypt their internet traffic, protect their privacy, and access content that might be restricted in their region.
As you can see in the screenshot, I have connections to several countries as OVPN clients, then I have the equivalent of OVPN servers, which I route through the gateways of these connections. Everything works, but I want to do it without those servers and route it differently than I have now. For example, through a proxy.
The reason is to filter user activity.
Patrick M. Hausen (Hero Member, Posts: 6802, Karma: 572)
« Reply #5 on: August 11, 2024, 10:17:42 pm »
I agree with the escaping your region part. Other than that, in my opinion so-called VPN providers take away your money and your privacy. I would not touch a product like this with a ten foot pole.
A VPN is when I control all ends of the connection. Hence, virtual private network.
You do you. Good luck with your use case.
kozistan (Newbie, Posts: 47, Karma: 2)
« Reply #6 on: August 11, 2024, 10:23:50 pm »
I think you misunderstood me; this system is already working for me, but within OPNsense, I need to route 80/443 traffic to these gateways through a proxy. Can you advise me on how to do this differently than using VPN servers where I route the traffic to these gateways?
kozistan (Newbie, Posts: 47, Karma: 2)
« Reply #7 on: August 11, 2024, 11:16:19 pm »
First of all, I'm not running away anywhere, and secondly, it's for the practical reasons of my client. The only thing I care about is that I want to solve this issue differently than in the robust way I have it set up now. That's why I'm asking for another possible solution using a proxy that will be routed to the gateways of these VPN connections.
kozistan (Newbie, Posts: 47, Karma: 2)
« Reply #8 on: August 12, 2024, 11:29:49 am »
So now I'm kind of on a good way with the reverse proxy.
I've set two real servers to the IP of the Proton client connection, one for port 80 and the second for port 443.
I've added both real servers to the backend config, and as the frontend I set the listen address to 0.0.0.0:8081.
With this config I can see some activity on the backend HAP stats once I've set the proxy on the user's Firefox client to port 8081, but I'm getting "502 Bad Gateway".
I would appreciate any advice here.
kozistan (Newbie, Posts: 47, Karma: 2)
« Reply #9 on: August 12, 2024, 06:16:31 pm »
So it's probably not the right approach.
HAProxy is a reverse proxy, and I'm having issues with the CONNECT method based on the Wireshark output.
I tried Squid on OPNsense, but it doesn't forward to an interface or IP. I'll try to separate the tasks and install a dedicated proxy with forwarding on Debian.
Could someone confirm?
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
« Reply #10 on: August 12, 2024, 10:48:12 pm »
To be honest, your question is very unclear to me.
I think I understand you have OPN as a router and firewall, and it also acts as multiple VPN clients to different endpoints of a commercial provider. Then clients are routed from OPN with some sort of policy to go out via these different VPN tunnels. A bit strange but ok.
After that what you want to do and how is very unclear.
kozistan (Newbie, Posts: 47, Karma: 2)
« Reply #11 on: August 12, 2024, 11:10:17 pm »
Got it, everyone. After re-reading my message, I realized it needs Enigma to decode.
It's simple in the end: I need to forward HTTP/HTTPS traffic to multiple VPN gateways.
There's no specific filter based on redirection to the correct gateway, and that's the challenge. So, I thought of using a proxy to forward traffic to the gateway interfaces. Users could then choose a browser profile with the necessary proxy settings, allowing them to use the Proton connection configured on the OPNsense firewall.
I just installed Squid on a Debian KVM with forward option, and it works as I need it to, so the challenge is resolved. After a few days of experimenting, I'm just curious if this could be done directly on OPNsense.
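
Added example, not part of the post above or of OPNsense: a Python generator for a squid.conf that gives each VPN exit its own forward-proxy port, allows only ports 80/443, and limits use to the private subnet. The exit names, ports and addresses are constructed, and it assumes the firewall policy-routes each Squid source address to the matching VPN gateway, because `tcp_outgoing_address` only selects the source IP.

```python
import ipaddress

# Constructed sample: exit name -> (listening port, Squid source address).
SAMPLE_EXITS = {"ch": (3129, "10.99.0.2"), "us": (3130, "10.99.0.3")}

def build_squid_conf(client_net, exits):
    """Return squid.conf text with one forward-proxy port per VPN exit."""
    net = ipaddress.ip_network(client_net)  # ValueError on a malformed CIDR
    lines = [
        f"acl localnet src {net}",
        "acl Safe_ports port 80 443",
        "acl SSL_ports port 443",
        "acl CONNECT method CONNECT",
        # Only HTTP/HTTPS destinations, CONNECT only to 443, only our clients.
        "http_access deny !Safe_ports",
        "http_access deny CONNECT !SSL_ports",
        "http_access allow localnet",
        "http_access deny all",
    ]
    seen_ports, seen_addrs = set(), set()
    for name, (port, addr) in sorted(exits.items()):
        ip = ipaddress.ip_address(addr)
        if not name.isalnum():
            raise ValueError(f"exit name must be alphanumeric: {name!r}")
        if not 1024 <= port <= 65535 or port in seen_ports:
            raise ValueError(f"port out of range or reused: {port}")
        if ip in seen_addrs:
            # Two ports sharing one source address cannot be routed apart.
            raise ValueError(f"source address reused: {ip}")
        seen_ports.add(port)
        seen_addrs.add(ip)
        lines += [
            f"http_port {port} name=exit_{name}",        # named listener
            f"acl from_{name} myportname exit_{name}",   # matches that listener
            f"tcp_outgoing_address {ip} from_{name}",    # its egress source IP
        ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_squid_conf("192.168.10.0/24", SAMPLE_EXITS), end="")
```

Each browser profile then points at the port of the exit it should use; the addresses listed as Squid source addresses must exist on the proxy host.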