Using OpenVPN behind an NGINX Reverse Proxy using the TCP/UDP Stream Proxying Module

Posted by hanz_zimmer 
I have been using NGINX as a reverse proxy for my home domain for a little over a year now. The proxy lives in an AWS EC2 instance and delivers traffic to my home IP Address and disguises all of the ugly port combinations.

I've never managed to get my OpenVPN server to work with NGINX though. When I try and connect to the server from BEHIND NGINX via my domain name, it times out and says:

TCP: connect to [AF_INET]777:777:777:777:8050 failed, will try again in 5 seconds: Connection timed out

Where `777.777.777.777` is the IP Address of my reverse proxy, NOT my home IP Address, which is `888.888.888.888` and which NGINX should be stream proxying data to, as defined by this block in my config file: https://gist.github.com/zimmertr/fc197a5cab1089f1468848ae7f86a3f2

Now, from what I can tell, I have configured NGINX properly. And I know for a fact that I have configured everything correctly on the VPN/Home networking side, as if I configure the OpenVPN server to use the IP Address of my home server it works fine: http://i.imgur.com/UycWpOO.png

`[OpenVPN Server] Peer Connection Initiated with [AF_INET]888.888.888.888:8051`

If that field is changed from `888.888.888.888` to `vpn.domain.com` instead, which uses the NGINX reverse proxy, then data isn't redirected to the proper IP Address. Instead, OpenVPN attempts to connect to ports 8050 and 8051 on the AWS EC2 instance running NGINX.

Have I done something wrong? Is this not the intended purpose of stream proxying? Looking forward to hearing back from you guys. Thanks for the help!

EDIT: If it's not immediately obvious, I redacted my actual IPs. Which is why I used those invalid IPs.



Edited 1 time(s). Last edit at 08/13/2017 06:11PM by hanz_zimmer.
Did you find a solution?
@tmtben

Yes, I did. I actually had forgotten to forward the ports I was using for OpenVPN on my AWS Security Group.....
Great!
Would you mind sharing your nginx conf?
Here you are. :)

Let me know if you need any help.

https://github.com/zimmertr/NGINX-Reverse-Proxy-Config
Many thanks @hanz_zimmer!

Which server name do you use for your vpn connection?
I no longer have a VPN block defined in my nginx config on that GitHub repository. I rebuilt my lab on Proxmox a few weeks ago and haven't gotten around to implementing the VPN server again. If you look at the older commits on that repo you should be able to find an entry for it though. For example:

https://github.com/zimmertr/NGINX-Reverse-Proxy-Config/blob/849bb53ea7835cb5637764b5daf2ba8b352ccb33/tjzimmerman.com.conf#L158
Thanks again!

The vhost vpn.tjzimmerman.com is used for the OpenVPN AS admin interface only (port 943), not for the VPN connection (ports 8050 and 8051).

I would like to "reverse proxify" several VPN servers on the same host: exactly the same VPN conf, same port, only the server name is different.
But I'm not sure it's possible...
No, that is what I am doing. That is done by a different mechanism in NGINX which is why you're not seeing the proxying occur in that block.

You have to purchase NGINX Enterprise or compile the open source version of the software with stream proxying enabled. Instructions for the latter are in the README of my GitHub repository above. After that you can define stream{} blocks in addition to http{server{}} blocks. Configuring these will allow you to proxy data over TCP and UDP streams (VPN data).

Here is my configuration: https://github.com/zimmertr/NGINX-Reverse-Proxy-Config/blob/947d581c62948e8132a06f27aeae4ef5d6ea588b/nginx.conf#L11

Here is the documentation: https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html



Edited 1 time(s). Last edit at 06/03/2018 02:12PM by hanz_zimmer.
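
The setup described in the post above could look like the following. This is an added example, not the poster's configuration from the linked repository; the upstream address 203.0.113.10 is a placeholder for the home server, and treating port 8051 as UDP is an assumption.

```nginx
# Added example with placeholder values. Requires nginx built with --with-stream.
# stream{} sits at the top level of nginx.conf, beside http{}, not inside it.
stream {
    # Placeholder for the home server (the thread's 888.888.888.888 is redacted).
    upstream openvpn_tcp {
        server 203.0.113.10:8050;
    }
    upstream openvpn_udp {
        server 203.0.113.10:8051;
    }

    # TCP listener: the client log in the first post shows a TCP connect to 8050.
    server {
        listen 8050;
        proxy_connect_timeout 5s;   # fail fast if the home server is unreachable
        proxy_pass openvpn_tcp;
    }

    # UDP listener: treating 8051 as UDP is an assumption.
    server {
        listen 8051 udp;
        proxy_timeout 10m;          # idle time before the UDP session is closed
        proxy_pass openvpn_udp;
    }
}

# vpn.domain.com only has to resolve to the proxy; forwarding here is chosen by port.
# Both ports must be allowed inbound in the EC2 security group (the cause of the
# timeout in this thread), for the matching protocol only.
# The OpenVPN server sees the proxy's address as the peer, so its logs and any
# per-IP rules no longer reflect the real client. On the home firewall, accept
# these ports only from the proxy's address.
```

Running `nginx -t` before reloading checks that the stream module is present and the block parses.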
Yes, I agree with the stream mechanism.

But are you sure your tcp forwarding is based on hostnames?

Sorry for my poor English, here is a description of what I'm trying to do:
https://stackoverflow.com/questions/34741571/nginx-tcp-forwarding-based-on-hostname