The issue
We host several services on 1 public IP:
- OpenVPN Access Server (vpn.ourdomain.com)
- OpenVPN community edition (old-vpn.ourdomain.com)
- Nginx web server(s) (subdomain.ourdomain.com)
To make this all work with our one and only public IP, we use an Nginx reverse proxy server. This works fine for the web services and for the OpenVPN setup where we distributed the certificates manually, but the "pre-configured OpenVPN Connect client" which can be downloaded from the OpenVPN AS CWS cannot connect with the included certificate. When I download the user-locked profile manually from the OpenVPN AS CWS and insert it into the Connect client, I am able to connect.
I contacted OpenVPN with this issue and they answered with this:
The Nginx reverse proxy is the reason why the connection using a server-locked (bundled) profile fails.
In your configuration, Nginx performs SSL offload and corrupts TLS verification between the OpenVPN Connect client and Access Server.
You can try to publish port TCP 443 from the Access Server and stop Nginx to verify that when AS is available directly your users can connect.
After I asked if there is a workaround, I got this reply:
OpenVPN Access Server is not developed to be placed behind a reverse proxy. It should be able to handle the TLS session from the OpenVPN client in order to authenticate them.
If you place AS behind a proxy you will lose the possibility to use server-locked profiles; only user-locked and autologin profiles can be used in this case.
If I understand this correctly (with some extra research), the Nginx proxy takes care of the SSL connection, which should actually be handled by the OpenVPN AS.
Tried solution(s)
As I cannot imagine that this is technically impossible, even when it is not officially supported by OpenVPN, I used my friend Google and tried the following:
1
I thought that I could "simply" fix this issue by passing the traffic for vpn.ourdomain.com encrypted to the OpenVPN AS and tried a non-terminating TLS pass-through (https://gist.github.com/kekru/c09dbab5e78bf76402966b13fa72b9d2). I was not able to get this working in combination with a "normal reverse proxy" for the other services, so I decided to set up a test proxy server to test if this solution could potentially solve my issue.
I was able to get the non-terminating TLS pass-through proxy working (I could access vpn.ourdomain.com and it was an insecure connection according to the browser). Unfortunately I was still not able to connect with the certificate/configuration included in the Connect client. When I directly expose the OpenVPN AS on vpn.ourdomain.com it works fine.
2
In an older topic (https://forums.openvpn.net/viewtopic.php?t=27291) I read that someone had a similar issue and noticed that the OpenVPN Connect client connects to the resolved IP of vpn.ourdomain.com instead of to the domain. This means that the proxy will never forward these calls to the right server. As a dirty workaround he (McSanz) forwards all traffic with /RPC2 to the OpenVPN AS, which could also be a working workaround for us as we currently have no application with such a path. I tried this as well (together with and without 1).
Nginx configs
The default reverse proxy (with TLS termination) I tried is:
server {
    listen 443 ssl;
    # server_name matches the SNI / Host header only. A regex entry must start
    # with "~"; a bare "^rpc2$" is taken as a literal hostname. Neither form
    # matches a URL path, so the /RPC2 workaround from the forum thread belongs
    # in a "location /RPC2 { ... }" block (in the default server, which is where
    # a client that connects by IP address lands), not in server_name.
    server_name vpn.ourdomain.com "RPC2" ~^rpc2$; # tried with and without "RPC2" and the regex
    ssl_certificate     /etc/nginx/ssl/_.ourdomain.com/_.ourdomain.com.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/_.ourdomain.com/_.ourdomain.com.key;
    # Client-certificate settings apply to the proxy's own TLS session; the
    # Access Server never sees the client's certificate or the TLS handshake.
    ssl_client_certificate /etc/nginx/ssl/_.ourdomain.com/_.ourdomain.com.ca;
    ssl_verify_client optional;

    location / {
        # TLS is terminated here and a new TLS session is opened to the AS, so
        # the Connect client is shown the wildcard certificate, not the AS's own.
        proxy_pass https://10.128.20.5:443;
        # app1 reverse proxy follow
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    access_log /var/log/nginx/access_log.log;
    error_log  /var/log/nginx/error_log.log;
}
The non-terminating TLS pass-through stream I tried looks like this:
stream {
    # Route by the SNI name read from the ClientHello (ssl_preread) without
    # terminating TLS. Map keys are literals unless prefixed with "~" (regex);
    # the original "^rpc2&" was a literal and had "&" where "$" was meant.
    map $ssl_preread_server_name $targetBackend {
        vpn.ourdomain.com openvpnas;
        ~^rpc2$           openvpnas;
        # Without a default, $targetBackend is empty for any connection whose
        # SNI does not match (including a client that dials the IP address and
        # sends no SNI), and nginx closes that connection instead of proxying it.
        default           openvpnas;
    }

    upstream openvpnas {
        server 10.128.20.5:443; # This is the OpenVPN AS IP
    }

    server {
        listen 443;
        proxy_connect_timeout 1s;
        # Idle timeout between two successive reads/writes. The gist's 3s tears
        # down a VPN tunnel that is quiet for a few seconds; raised here.
        proxy_timeout 10m;
        # Only needed when $targetBackend resolves to a hostname that is not a
        # declared upstream; harmless with the upstream block above.
        resolver 1.1.1.1;
        proxy_pass $targetBackend; # i tried 10.128.20.5:443 here as well
        ssl_preread on;
    }
}
Note that I needed to comment out include /etc/nginx/sites-enabled/*; in the http tag of nginx.conf and add /etc/nginx/streams-enabled/* (where the stream config is placed) as a root tag in nginx.conf to make the stream work. This means the reverse proxy does not work for all other services anymore while I test the stream function. If it is possible to solve the issue with the stream config, I need to run this in parallel with the default reverse proxy functionality for the other services we host.
Questions
- Is it possible to get the pre-configured OpenVPN AS Connect client working with the included configuration, even if this is not officially supported by OpenVPN?
- If it is possible to get this working, is it also possible with Nginx as reverse proxy, or should we replace the proxy with another application?
- If it is possible with Nginx as reverse proxy, what am I doing wrong?
After doing a lot of research and endless mailing with support, it seems not to be possible to run OpenVPN AS behind an (Nginx) proxy. It is not supported by OpenVPN themselves and I could not find a workaround to get it (the server-locked profiles) working. It does work with user-locked profiles (which need to be downloaded and added to the client manually).
This is the outcome of the endless mailing with OpenVPN. Maybe someone has a workaround/hack to get it working with this information. (Answers copied from mailings with OpenVPN):
The OpenVPN AS server logs are always printing this. Not sure if it adds something to this answer, but maybe it is useful for someone. If not, it does not hurt ;-) :