Nginx as a Reverse Proxy for OpenVPN (TCP 443)

Posted by inzanez 
Nginx as a Reverse Proxy for OpenVPN (TCP 443)
July 28, 2015 10:15AM
Hi

I've just set up an OpenVPN internally using TCP 443 as a port. Now I wondered if it were possible to use Nginx as a reverse proxy to connect to the OpenVPN, as I can't connect OpenVPN to the internet.

If it's possible: Anything special to configure, or would a normal SSL site forwarding to the OpenVPN Server suffice?

Regards
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
July 28, 2015 10:33AM
nginx supports tcp proxy, http://nginx.org/en/docs/stream/ngx_stream_core_module.html

Which could work for this setup.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
July 28, 2015 10:37AM
Hm, okay :-) I will try that and give feedback!

Many thanks
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
September 01, 2015 05:41AM
So, finally can give feedback. Stream works very well for the OpenVPN (using TCP).
Only thing I had to change was
proxy_connect_timeout
proxy_timeout

Set both values to 300s, otherwise the OpenVPN client keeps disconnecting.

So the config looks as follows now:

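stream {
    upstream backend {
        # pin each client address to the same upstream server
        hash $remote_addr consistent;

        server 10.50.40.1:8443;
    }

    server {
        # TCP keepalive on the listening socket
        listen 10.50.39.123:443 so_keepalive=on;
        # raised to 300s so the OpenVPN client stops disconnecting
        proxy_connect_timeout 300s;
        proxy_timeout 300s;
        proxy_pass backend;
    }
}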

Only thing I wonder now:
Can I still use the same instance of NGINX to also handle HTTPS requests on 443 (apart from the stream module handling stream)? I have no clue how NGINX would be able to tell them apart, but,...maybe that works. Would save me another proxy cluster :-)
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
September 01, 2015 06:30AM
inzanez Wrote:
-------------------------------------------------------
> So, finally can give feedback. Stream works very well for the OpenVPN

Good !

> Only thing I wonder now:
> Can I still use the same instance of NGINX to also handle HTTPS
> requests on 443 (apart from the stream module handling stream)? I have
> no clue how NGINX would be able to tell them apart, but,...maybe that
> works. Would save me another proxy cluster :-)

stream {} and http {} are two different blocks which can be in one file where nginx can handle both, so yes.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
September 01, 2015 06:48AM
wow, ok...that's amazing!

Thanks for the answer :-)
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
October 31, 2016 01:59AM
Hi Inzanez,

I'm interested in your use case.

I'm looking for a solution to proxy vpn traffic:
- on the same host, I want to run several openvpn servers using the same port (443/tcp)
- I want to access each vpn server by hostname

Do you think it's possible?

Thanks,
Ben
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
October 31, 2016 09:43AM
Sure, get our Windows version and look at \conf\nginx-sslh-v1.0.conf

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
November 01, 2016 03:22PM
Thanks, I'll have a look...
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
November 01, 2016 03:25PM
Does SSLH support some sort of SNI then?
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
November 01, 2016 04:31PM
inzanez Wrote:
-------------------------------------------------------
> Does SSLH support some sort of SNI then?

Yes (ssl_preread)

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
November 11, 2016 06:55PM
I'm still trying to access several vpn servers by hostname using the same port on the same host.

I looked at the \conf\nginx-sslh-v1.0.conf file for Windows version and here:
http://stackoverflow.com/questions/34741571/nginx-tcp-forwarding-based-on-hostname/40135151

But I don't manage to make it work :-(

Does anybody have an example?
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
November 12, 2016 06:07PM
tmtben Wrote:
-------------------------------------------------------
> I'm still trying to access several vpn servers by hostname using the
> same port on the same host.
>
> I looked at the \conf\nginx-sslh-v1.0.conf file for Windows version
> and here:
> http://stackoverflow.com/questions/34741571/nginx-tcp-forwarding-based-on-hostname/40135151
>
> But I don't manage to make it work :-(
>
> Does anybody have an example?

That example works fine, the problem must be that a vpn request is not sending a vpn (ssl) SNI hostname, check the logfiles because the SNI names are in there when detected.

If this is the case ssl_preread may need a patch to handle vpn names.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
May 29, 2018 05:46PM
> That example works fine, the problem must be that a vpn request is not
> sending a vpn (ssl) SNI hostname, check the logfiles because the SNI
> names are in there when detected.
>
> If this is the case ssl_preread may need a patch to handle vpn names.

My nginx logs (using ssl_preread) do not show sni names for vpn traffic.
But I'm not sure my vpn is well setup...
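
Added example, not part of the thread and not the nginx-sslh-v1.0.conf file mentioned above: one way to share a single 443 listener between HTTPS and one OpenVPN server with ssl_preread, logging the SNI name seen per connection. It assumes the OpenVPN handshake leaves $ssl_preread_server_name empty, as the logs described above suggest; the hostname, loopback port, log path and certificate paths are hypothetical.

```nginx
stream {
    # Log the SNI name seen on each connection; an empty value means no
    # TLS ClientHello with SNI was found in the first bytes.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                   'upstream=$upstream_addr';
    access_log /var/log/nginx/stream-sni.log sni;   # hypothetical path

    # Route on the SNI name without terminating TLS.
    map $ssl_preread_server_name $route {
        www.example.test  https_local;   # hypothetical HTTPS hostname
        default           openvpn;       # empty or unknown SNI (assumed: OpenVPN)
    }

    upstream https_local { server 127.0.0.1:8444; }
    upstream openvpn     { server 10.50.40.1:8443; }

    server {
        listen 10.50.39.123:443 so_keepalive=on;
        ssl_preread on;
        proxy_connect_timeout 300s;
        proxy_timeout 300s;
        proxy_pass $route;
    }
}

http {
    server {
        # The stream block owns 10.50.39.123:443, so the HTTPS site
        # listens on a loopback port that only the stream proxy reaches.
        listen 127.0.0.1:8444 ssl;
        server_name www.example.test;
        ssl_certificate     /etc/nginx/tls/example.crt;   # hypothetical
        ssl_certificate_key /etc/nginx/tls/example.key;   # hypothetical
        location / { return 200 "ok\n"; }
    }
}
```

Because the default branch catches every connection without a matching SNI name, this separates HTTPS from a single OpenVPN backend only; it cannot tell several OpenVPN servers apart by hostname unless their clients present distinct SNI names.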
Re: Nginx as a Reverse Proxy for OpenVPN (TCP 443)
July 29, 2019 10:30AM
I would advise you to use Figleaf, as far as I know, it doesn't conflict with other apps. Here's their blog https://figleafapp.com/blog/. Good luck!