Almost got it .. almost ..... apart from Nginx reverse proxy

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Almost got it .. almost ..... apart from Nginx reverse proxy

Post by SteveCliff » Tue Jan 24, 2017 6:20 pm

I've never heard of Softether until today - but so far I'm really impressed :)

I've got some VMs set up working fine talking directly to each other - however in reality I want the VPN server to be fronted by an Nginx driven reverse proxy - this proxy handles all incoming conversations on 443 and bounces them to various different services and/or web sites based on URL.

I've set up a new URL and Nginx catches it and throws it to the VPN server but I can't seem to connect.

The Nginx config does a proxy_pass to https://192.168.0.200 (i.e. the IP address of the server).

I've also set up SE to listen on port 80 and offload the SSL connection at the proxy server but that doesn't work either.

Has anybody got Nginx working as a reverse proxy for SE and if so, would you be a star and post your settings please so I can try them out on mine?

Many thanks!
Steve.

Edit:
I've attached my current proxy settings below, just in case that helps!

proxy_pass https://192.168.1.200/;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by SteveCliff » Thu Jan 26, 2017 8:53 am

Just a thought - could it be because the certs are different ? I have a cert for the reverse proxy server from Letsencrypt but obviously that's different from the SE certs created?

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by SteveCliff » Thu Jan 26, 2017 8:58 pm

Update: I tried exporting the cert from the Proxy server and importing it into SE - but still no connection :(

If anyone has *any* ideas at all I'd be grateful as I'm absolutely stuck on this :(

Really want to use SE but without this I can't.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by moatazelmasry » Fri Jan 27, 2017 10:34 am

First I think you created a port clash. Both nginx and SoftEther are now listening on Port 80.

I'd say the first thing to do is to stop SE from listening on Port 80.

As far as I understood, you want the incoming traffic to VPN to be further routed to the proxy. Right?
In this case, route all traffic coming out from 192.168.30.1/24 (Your SE DHCP subnet) to the normal external IP as any normal request, like so:

# Rewrite the destination of port-80 traffic arriving from the VPN subnet to the nginx host
# (DNAT is the target that takes --to-destination; REDIRECT only accepts --to-ports)
iptables -t nat -I PREROUTING -s 192.168.30.1/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200

#Even safer, but is not guaranteed to work (OUTPUT only sees packets generated on this host)
iptables -t nat -I OUTPUT -s 192.168.30.1/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by SteveCliff » Fri Jan 27, 2017 10:45 am

Thanks for the response - appreciate your time :)

I've got it set up so that SE isn't listening on port 80 now, just the defaults of 443/992/1194/5555
(I'd tried to offload the SSL connection at the proxy just in case that helped - it didn't)

For clarity, what I'm trying to do is (bad text based diagram coming up) ....


Client -> Internet -> Reverse Proxy

The reverse proxy then pushes to:

-> Client URL is "www.sample.com" -> sample web server 192.168.1.100
or
-> Client URL is "vpn.sample.com" -> SE server 192.168.1.200

Browsing via Chrome to the web site works fine, trying to use the SE Client to connect to vpn.sample.com fails.
Interestingly, if you browse to vpn.sample.com it comes up with a not authorised message which makes sense but the info at the bottom of that page *is* actually created by 192.168.1.200 so Nginx seems to be passing it through ok.

I'm presuming that I either need to include something else in the proxy settings in Nginx or take something out that SE doesn't like?

(Edited due to my crap text layout :) )

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by SteveCliff » Fri Jan 27, 2017 11:05 am

Attached a slightly better view of what I'm trying to do (hopefully!)

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by moatazelmasry » Sat Jan 28, 2017 12:58 pm

Cool Diagram. It helped me understand what you are trying to achieve. And you can not do it like that at all :)

You get the not authorized message when you try to access vpn.example.com because you are hitting the SE service API and this is ok

nginx can't intercept actual SE traffic (because it is encrypted Duh)
Just to really understand your setup:

- nginx is installed on 192.168.1.200
- A Web server is installed on 192.168.1.100
- SE is installed on 192.168.0.200 ??????? or is it 192.168.1.200 ???
- In your DNS configurations, vpn.example.com and www.example.com both resolve to the IP of the nginx
- Based on the URL, nginx redirects the traffic either to the Web server or to SE
- There is a bridge or so between 192.168.0.0/24 and 192.169.1.0/24 so that it is possible to communicate between the two subnets (In case you have two subnets and not one)

If my assumptions so far are correct here are some ideas:

1- If SE and nginx are on the same machine (192.168.1.200), then do you really need nginx for SE??
Just allow all SE ports to accept connections (1194, 500, 4500, 1701, etc..) and you are good to go.
2- If they are not on the same machine, then in nginx (or iptables) you could listen to the mentioned ports, and forward any traffic coming/going to these ports to the designated SE server
3- If nginx and SE are on the same machine, and you don't like solution (1) and still want to use nginx:
then, in SE server change the port number of OpenVPN from 1194 to 1195 (or whatever other port). Configure nginx to listen on 1194 and redirect the traffic to 1195. Leave the OpenVPN client configuration as is to communicate on 1194. This way SE is listening on port 1195, nginx is listening on 1194 and there's no port clash
This solution can not be used with L2TP protocol, because the designated ports 500, 4500, 1701 used by this protocol are constant and can not be changed

Hope this helps

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by SteveCliff » Sat Jan 28, 2017 3:35 pm

moatazelmasry wrote:
> nginx can't intercept actual SE traffic (because it is encrypted Duh)
.....

I think in that one line you've just made me realise why it doesn't work then - I'd presumed that the SE traffic had normal HTTPS header traffic that Nginx could interrogate using SNI and then pass the encrypted data to something else. If it can't do that I think I'm out of luck :(

The 'problem' is that I need to be able to only use either port 80 or 443 as the port for all connecting clients as the client's firewall blocks anything else going out. Also protecting the clients is some deep packet inspection going on so I can't simply tunnel through, hence I thought SE would help :)

Because of a limitation on the cloud supplier we only have 3 public facing IP's to use - one is our main route in for web sites (the one shown in my diagram), and the second is for admin purposes - which does in theory leave a remaining one that I could hang an SE server directly off (and therefore open port 443 directly to it without going through Nginx). Hmmm .... I'll have a think about this.

I am still a bit confused though - if what you are saying is true (and I've no reason not to believe you!) - why does it have this paragraph in the SE docs?

"Using a Reverse Proxy
Another method of installing VPN Server on a computer in your private network space is by utilizing a proxy server. If your network uses a HTTP proxy server to transmit data out to public IP addresses from your private IP addresses then it can also be configured to route data from the Internet through itself to the listen port on the VPN Server sitting in your private network space."

I'd presumed that was what I was trying to do? I guess my lack of network knowledge is not helping :)

NB. Thankfully I can open ports internally fine, so all the admin ports etc. on the SE box can be open to specific other VM's in the cloud for management purposes etc. It's just the incoming client connection that has to be fixed to port 443 (or 80 I guess!)

Thanks again for your comments - much appreciated - I'll get my thinking brain on ....

NB. Running on the same box wouldn't help unfortunately - as SE and Nginx would then have to listen on the same port 443 ...

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by moatazelmasry » Sat Jan 28, 2017 6:19 pm

The text you mentioned about the proxy server is about connecting to the VPN server for administrative purposes. Via Port 443. Here's the actual article
https://www.softether.org/4-docs/1-manu ... oxy_Server

An L2TP header (or OpenVPN header) is a completely different story and can not be intercepted by nginx or squid in that way.

I'd say with the constraints of your client, those requirements are impossible to achieve.

An easy solution is to ask for an additional IP address, allocate it to a new machine specifically for SE. Then configure SoftEther OpenVPN to communicate on port 443 instead of 1194. If you do this, then also configure the vpncmd to use some other port other than 443, in order to avoid port clash.

Another solution is to allow port 1194 (for OpenVPN) through your firewall

One more solution is to use SoftEther VPN's own protocol. This works great on port 443. Again you also need to request an additional IP/Machine for SoftEther for this solution to work

Cheers

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by SteveCliff » Sat Jan 28, 2017 9:24 pm

Ok - I think I've done it ...... not implemented it in the main environment but my test bed seems to work fine. The answer for me I think was adding in a tool that is able to bounce TCP streams around based on URL. I didn't think that SNI worked outside of the encrypted stream but apparently it's there - and HAProxy allows me to manipulate it!

So ...... the diagram is now as attached ... phew!

In reality, there is the possibility that we could actually replace Nginx with HAProxy but we have around 100 web sites routed through Nginx at the minute so I need to be very very careful how it's implemented if I do :)

I most likely wouldn't have got here without your help though moatazelmasry - thank you very much!

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by moatazelmasry » Sun Jan 29, 2017 2:27 pm

Glad you didn't take my word for granted. I also learnt something :)
Cheers

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by SteveCliff » Sun Jan 29, 2017 6:01 pm

I think I need a night off .... trying to get my head around DHCP and what routing I need at the minute - argh! Brain ache :)
Will look at it fresh tomorrow :)

thisjun
Posts: 2247
Joined: Mon Feb 24, 2014 11:03 am

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by thisjun » Wed Feb 15, 2017 7:33 am

Can you open a port except 443?

Can you show the server log?

lschweiss
Posts: 3
Joined: Fri Apr 13, 2018 2:44 pm

Re: Almost got it .. almost ..... apart from Nginx reverse proxy

Post by lschweiss » Fri Apr 13, 2018 2:48 pm

I found this thread Googling for how to do this almost exactly the same. Any sharing of HA proxy config would be awesome.

Cheers!
-Chip

deeztek
Posts: 4
Joined: Sun Oct 22, 2017 9:12 pm

Re: Almost got it .. almost ..... apart from Nginx reverse p

Post by deeztek » Wed Oct 17, 2018 5:24 pm

This is exactly what I'm wanting to accomplish. Can you share your HAProxy config?

thanks a lot
SteveCliff wrote:
> Sat Jan 28, 2017 9:24 pm
> Ok - I think I've done it ...... not implemented it in the main environment but my test bed seems to work fine. The answer for me I think was adding in a tool that is able to bounce TCP streams around based on URL. I didn't think that SNI worked outside of the encrypted stream but apparently it's there - and HAProxy allows me to manipulate it!
>
> So ...... the diagram is now as attached ... phew!
>
> In reality, there is the possibility that we could actually replace Nginx with HAProxy but we have around 100 web sites routed through Nginx at the minute so I need to be very very careful how it's implemented if I do :)
>
> I most likely wouldn't have got here without your help though moatazelmasry - thank you very much!

SteveCliff
Posts: 9
Joined: Tue Jan 24, 2017 5:54 pm

Re: Almost got it .. almost ..... apart from Nginx reverse proxy

Post by SteveCliff » Wed Oct 17, 2018 6:15 pm

I'm really sorry but it's been so long ago that I can't find the details of what I did :(
In the end we didn't put this into production (due to business reasons not technical ones) but it definitely worked!

Again, sorry!

deeztek
Posts: 4
Joined: Sun Oct 22, 2017 9:12 pm

Re: Almost got it .. almost ..... apart from Nginx reverse proxy

Post by deeztek » Fri Nov 09, 2018 7:17 pm

I got it working using HAProxy. I was able to direct traffic to the SoftEther VPN server or the Nginx Reverse Proxy based on the SNI. I wrote a guide located here if anyone is interested:

https://www.deeztek.com/documentation/g ... ether-vpn/

Thanks
