Opened 10 months ago

Last modified 4 months ago

#1352 assigned Feature Wish

Support for proxy-protocol on server

Reported by: plinss
Owned by: OpenVPN Inc.
Priority: minor
Milestone:
Component: Access Server
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

It's often useful to run an OpenVPN server on port 443 to be able to allow clients to exit restrictive firewalls.

Many servers run additional services on port 443. I know OpenVPN has the share-port option, and it's helpful, but integrating OpenVPN can still be difficult.

Many people run proxies upstream on port 443 and then distribute the traffic accordingly; however, this strips the connection origin information unless transparent proxying is set up, which can also be difficult as it requires modifying the firewall configuration for return data.

Proxy-protocol preserves the connection source information and is supported by several proxy applications, such as HAProxy and Nginx. See https://www.haproxy.com/blog/haproxy/proxy-protocol/

It would be extremely useful and greatly simplify setting up OpenVPN behind a proxy if it could support proxy-protocol on the server.

Change History (3)

comment:1 Changed 10 months ago by Gert Döring

Owner: jamesyonan deleted
Status: new → assigned

If you want features for OpenVPN Access Server, which is a commercial product, please contact OpenVPN Inc via your normal support or sales channels.

If this is about the Community version, this might be doable, but since the OpenVPN protocol itself is not https, I doubt HAProxy or nginx could reasonably proxy it in the first place.

comment:2 Changed 5 months ago by Antonio

Owner: set to OpenVPN Inc.

comment:3 Changed 4 months ago by Zepman

HAProxy is perfectly capable of proxying and load balancing OpenVPN in TCP mode, and of sharing a single listening port between OpenVPN and HTTPS sites. I have used this configuration for years.

To distinguish OpenVPN traffic from TLS traffic, use the following combination of HAProxy ACL conditions in an HAProxy frontend:

!{ req.ssl_hello_type 1 } !{ req.len 0 }

To distinguish SSH traffic from TLS traffic, use the following combination of HAProxy ACL conditions in an HAProxy frontend:

!{ req.ssl_hello_type 1 } { req.len 0 }

A HAProxy backend can be used to load balance multiple servers. Use TCP mode.

A bare-bones example configuration is given here:

https://gist.github.com/zukka77/a5ddb8d81ef9a82e2ff797e3a578c97e

Furthermore, the PROXY protocol is protocol-agnostic, and could therefore perfectly well be implemented in OpenVPN (Community version). Read more here:

https://www.haproxy.com/blog/haproxy/proxy-protocol/

PROXY protocol support in OpenVPN would be very welcome, since it will allow OpenVPN servers to know the real IP addresses of connecting clients.

Last edited 4 months ago by Zepman
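As an added illustration (not code from this ticket, from HAProxy or from OpenVPN), here is a minimal parser for the PROXY protocol v1 header that an OpenVPN TCP listener would have to consume before the first OpenVPN packet, together with the check that matters for security: the header is believed only when the TCP peer is a known proxy, because otherwise any directly connecting client could forge its own source address. The TRUSTED_PROXIES network and the sample bytes are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

MAX_V1_HEADER = 107  # longest legal v1 line, CRLF included (PROXY protocol spec)

# Constructed assumption: the network where the HAProxy instances live.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass
class ProxyInfo:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_proxy_v1(data: bytes):
    """Parse a v1 header at the start of `data`.

    Returns (ProxyInfo, remaining_bytes); ProxyInfo is None for 'PROXY UNKNOWN',
    which means the proxy has no client address to report. Raises ValueError
    on anything malformed, so the caller can drop the connection.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no valid PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]            # first byte of the real (OpenVPN) stream
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match header type")
    sport, dport = int(fields[4]), int(fields[5])   # int() rejects non-digits
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(str(src), sport, str(dst), dport), rest


def client_address(peer_ip: str, data: bytes):
    """Return (address to treat as the client, bytes to hand to OpenVPN).

    Only a trusted proxy may override the peer address; any other peer keeps
    its real TCP source address and its data is passed through untouched.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    return (info.src_ip if info else peer_ip), rest
```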