PfSense: reverse proxy all the things. Part 2: Install HA-Proxy and configure frontend and backend for OpenVPN

In this part we’re installing HA-Proxy on PfSense and configuring it to handle the VPN created in the previous part.
Other Parts in this series:
PfSense: reverse proxy all the things. Part 1: OpenVPN on tcp port 443
PfSense: reverse proxy all the things. Part 3: Configure HA-Proxy for SSL traffic
PfSense: reverse proxy all the things. Part 4: Install AMCE for automatic SSL certificates
– PfSense: reverse proxy all the things. Part 5: Configure HA-Proxy for SSL-Offloading

Part 2: Install HA-Proxy and configure frontend and backend for OpenVPN

Install HA-Proxy

To install the HA-Proxy in PfSense goto: System -> Package Manager -> Available Packages.
search for ‘haproxy’ and install it. while you’re on that page also search for ‘openvpn-client-export’ and also install that ( we need it later to export our VPN config)
Once installed you should see them in your ‘Installed Packages’

Configure HA-Proxy

We need to configure a backend for the VPN endpoint so we can route VPN traffic through the Reverse-Proxy.
Goto: Services -> HAProxy – > Backend and ‘Add’ a new backend with options:

Name: 4-OpenVPN (I use prefix 4- in the backends indicating this is IPv4 traffic since I’m also using HA-Proxy to reverse proxy IPv6 traffic)
Server list: add a new entry with Name: 127.0.0.1 Address: 127.0.0.1 Port: 443
Health Checking: none

Scroll down and ‘Save’ the settings. you should now see the first backend configured for the VPN traffic.

Now comes the fun part… the first frontend.
In HAProxy goto ‘Frontend’ and ‘Add’ a new Frontend with options:
Name: WAN_Reverse_HTTPS_Proxy
External address: – Listen Address: WAN address(IPv4) Port: 443
Type: TCP
Default Backend: 4-OpenVPN (important that the correct entry is selected here. to route traffic correct)

For now we have no entries for ACL’s configured except for the default backend!!

You can scroll down and ‘Save’ the config the click apply to apply the configuration.

Enable the Proxy

GoTo the ‘Setting’ Tab of HAProxy.
not much todo here just ‘Enable’ the HAproxy and ‘Save’ the config then click apply to apply the configuration.

The proxy should be running now and when a request come in at tcp port 443 on WAN, since there is nothing additionally configured the HA-Proxy will route the TCP ( running in TCP mode to do this) traffic to the default backend. In our case that’s the OpenVPN server running on 127.0.0.1 port 443 ( that why we needed a backend on 127.0.0.1:443 )

Configure Firewall to allow traffic on port 443

Last step in this port is to configure the firewall for incomming traffic on port 443 so we can use the VPN.

GoTo: Firewall -> Rules -> WAN and ‘Add’ a new rule

Export OpenVPN Client config and test VPN server

If you haven’t installed the OpenVPN-client-export from the packages you’re missing this entry, go to packages and install it..
GoTo: VPN-> OpenVPN -> Client Export.
Remote Access Server: should be the server we created in part1 running on TCP4:443
Host Name Resolution: Other
Host Name: Enter your WAN IP here ( by default it will select ‘Interface IP Address’ in the Remote Access Server, you need to change that to ‘Other’ since the server is running on 127.0.0.1 we can use that connect from an external address
Once you entered the WAN IP you can scroll down to export the configuration for your client ( I usually use on of the ‘Inline Configurations’

Next step is to import that config on the client and test your connection. OpenVPN should now work.

In the next part we’ll configure SSL passthrough for backends that are running with valid public SSL certificates, see you there.