Opened 3 years ago

Last modified 3 years ago

#1352 assigned Feature Wish

Support for proxy-protocol on server

Reported by: plinss Owned by: OpenVPN Inc.
Priority: minor Milestone:
Component: Access Server Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

It's often useful to run an OpenVPN server on port 443 to be able to allow clients to exit restrictive firewalls.

Many servers run additional services on port 443. I know OpenVPN has the share-port option, and it's helpful, but integrating OpenVPN can still be difficult.

Many people run proxies upstream on port 443 and then distribute the traffic accordingly, however this strips the connection origin information unless transparent proxying is set up, which can also be difficult as it requires modifying the firewall configuration for return data.

Proxy-protocol preserves the connection source information and is supported by several proxy applications, such as HAProxy and Nginx. See https://www.haproxy.com/blog/haproxy/proxy-protocol/

It would be extremely useful and greatly simplify setting up OpenVPN behind a proxy if it could support proxy-protocol on the server.

Change History (3)

comment:1 Changed 3 years ago by Gert Döring

Owner: jamesyonan deleted
Status: new → assigned

If you want features for OpenVPN Access Server, which is a commercial product, please contact OpenVPN Inc via your normal support or sales channels.

If this is about the Community version, this might be doable, but since the OpenVPN protocol itself is not https, I doubt HAProxy or nginx could reasonably proxy it in the first place.

comment:2 Changed 3 years ago by Antonio Quartulli

Owner: set to OpenVPN Inc.

comment:3 Changed 3 years ago by Zepman

HAProxy is perfectly capable of proxying and load balancing OpenVPN in TCP mode.

To distinguish OpenVPN traffic from TLS traffic, use the following combination of HAProxy ACL conditions in a HAProxy frontend:

!{ req.ssl_hello_type 1 } !{ req.len 0 }

To distinguish SSH traffic from TLS traffic, use the following combination of HAProxy ACL conditions in a HAProxy frontend:

!{ req.ssl_hello_type 1 } { req.len 0 }

A HAProxy backend can be used to load balance multiple servers. Use TCP mode.

Furthermore, PROXY protocol is protocol agnostic, and could therefore perfectly well be implemented in OpenVPN (Community version). Read more here:

https://www.haproxy.com/blog/haproxy/proxy-protocol/
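As an added example (not code from OpenVPN or HAProxy) of what the requested server-side support amounts to: the listener has to consume the PROXY protocol v1 header that a proxy such as HAProxy (`send-proxy`) puts in front of the client's first bytes, validate it, and honour it only when the connecting peer is a configured proxy address, because any direct client could otherwise forge an origin. Only the text-based v1 header is handled here; the binary v2 header differs. Addresses and the trailing payload are constructed sample values.

```python
# Added example (not OpenVPN or HAProxy code): consuming a PROXY protocol v1
# header ahead of the first OpenVPN packet on a TCP listener.
import ipaddress
from typing import NamedTuple, Optional, Set, Tuple

V1_MAX_LEN = 107  # spec: a v1 line including CRLF is at most 107 bytes
CRLF = b"\r\n"

class ProxyInfo(NamedTuple):
    family: str               # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str]
    dst: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]

def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split a v1 header off the stream; return (info, remaining payload).
    A malformed header raises ValueError: close the connection, never guess."""
    end = data.find(CRLF, 0, V1_MAX_LEN)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a v1 PROXY header")
    fields, rest = data[:end].split(b" "), data[end + 2:]
    if len(fields) < 2 or fields[0] != b"PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == b"UNKNOWN":  # proxy could not determine the origin
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("bad field count or unsupported family")
    family = fields[1].decode()
    want = 4 if family == "TCP4" else 6
    addrs = []
    for raw in fields[2:4]:
        ip = ipaddress.ip_address(raw.decode("ascii"))  # rejects non-addresses
        if ip.version != want:
            raise ValueError("address does not match declared family")
        addrs.append(str(ip))
    ports = []
    for raw in fields[4:6]:
        if not raw.isdigit() or int(raw) > 65535:
            raise ValueError("port out of range")
        ports.append(int(raw))
    return ProxyInfo(family, addrs[0], addrs[1], ports[0], ports[1]), rest

def client_address(peer_ip: str, data: bytes, trusted_proxies: Set[str]) -> Tuple[str, bytes]:
    """Address to log and apply ACLs to.  Only a peer in trusted_proxies may
    assert a source; from anyone else a PROXY line is treated as plain payload."""
    if peer_ip not in trusted_proxies:
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    return (info.src if info.family != "UNKNOWN" else peer_ip), rest
```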
