Cloud HAProxy Wireguard to pfsense Wireguard HAProxy

The goal is to be able to host services behind a CGNAT. I’ve set up HAProxy on pfSense; if I’m on my LAN, HAProxy is working after I remove accept-proxy in the frontend HAProxy external listener… The WireGuard tunnel between pfSense and the cloud VPC is also working. From the VPC I can ping and connect to local servers through the terminal.

I’m testing on my mobile through my phone. I’ve tested with Chromium, Firefox & Brave.

When I try http://gitea.MYDOMAINNAME I get the error:

503 service unavailable
No serve is availabe to handle this request

which is expected because I’m not using port 80.

When I try https://gitea.MYDOMAINNAME I get the error:

This site can't be reached
gitea.MYDOMAINNAME unexpectedly closed the connection
Checking the connection

I’ve also tried adding DNS = #pfsense wireguard ip to my Oracle Cloud VPS WireGuard config, and then the error changed to:

This site can't be reached
gitea.MYDOMAINNAME took too long to respond. 
Checking the connection

Those are the errors I’m getting, and I guess HAProxy is not properly proxying the traffic to the local HAProxy through the WireGuard tunnel. So please help :slight_smile:


I’ve got an Oracle Cloud Always Free tier account and set up an Ubuntu 22.04 instance there.

  • on my cloud virtual network I’ve opened ports:

    • 51820/udp

WireGuard cloud part

  • in my instance I’ve installed wireguard
    sudo -i
    apt update && apt upgrade && apt install wireguard wireguard-tools resolvconf -y
  • created my keys
    cd /etc/wireguard; umask 0077; wg genkey | tee privatekey.key | wg pubkey >
  • configured my interface
    vim /etc/wireguard/pfsense_lab.conf
    # wg-quick@pfsense_lab reads /etc/wireguard/pfsense_lab.conf, so the file needs the .conf suffix
    [Interface]
    Address = # oracle_wireguard tunnel IP
    MTU = 1500 # note: on a 1500-byte underlay a WireGuard interface normally uses 1420 or less, otherwise large packets (e.g. a TLS handshake) fragment or drop
    SaveConfig = true
    PostUp = iptables -A FORWARD -i %i -j ACCEPT;
    PostUp = iptables -A FORWARD -o %i -j ACCEPT;
    PostUp = iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
    # PostDown removes the rules PostUp added (-D, not -A)
    PostDown = iptables -D FORWARD -i %i -j ACCEPT;
    PostDown = iptables -D FORWARD -o %i -j ACCEPT;
    PostDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
    ListenPort = 51820
    PrivateKey = REDACTED # privatekey of the oracle_wireguard

    [Peer]
    PublicKey = 76iLP1IxfvPeGmqn0GbaS7b9i5doIrcJcUhOUoNUUhA= #pfsense wireguard
    PresharedKey = REDACTED # preshared key from my pfsense wireguard
    AllowedIPs =
  • enabled the wireguard tunnel in systemd
    systemctl enable --now wg-quick@pfsense_lab
  • enabled the ports in the firewall
    ufw allow 22/tcp
    ufw allow 80/tcp
    ufw allow 443/tcp
    ufw allow 51820/udp
    ufw enable
  • added the ip_forward for ipv4
    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/100-ip_forward.conf

HAProxy cloud

  • after that I’ve installed haproxy
    apt install haproxy -y
  • this is my haproxy config:
    vim /etc/haproxy/haproxy.cfg
global
  log /dev/log  local0
  log /dev/log  local1 notice
  chroot /var/lib/haproxy
  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  stats timeout 30s
  user haproxy
  group haproxy
  maxconn 10000

defaults
  log   global
  mode  http
  option        httplog
  option        dontlognull
  timeout connect 10m
  timeout client  10m
  timeout server  10m
  timeout http-request 10m

# I know you can use front and backend separate but I've gone with the listener and kept all in one place
listen https
  bind *:443
  mode tcp
  option tcplog
  # the server address:port (pfSense WireGuard IP, port 443) is omitted in the post
  server default send-proxy

listen http
  bind *:80
  stats enable
  stats show-node
  stats uri /REDACTED #uri for the stats to be shown
  stats auth $USERNAME:$PASSWORD # set your own username and password for haproxy stats
  # the server address:port is omitted in the post
  server default check
  • check to see if there are any problems with the configuration:
    haproxy -f /etc/haproxy/haproxy.cfg -c
  • start and enable haproxy on boot
    systemctl enable --now haproxy.service

If needed I can provide everything that I’ve done on the lan pfsense part also.
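As an added example (not from the original post or from HAProxy itself), here is the PROXY protocol v1 header that the cloud listener's `send-proxy` prepends to each forwarded TCP connection and that a pfSense frontend with `accept-proxy` strips before handing the stream to TLS; the addresses and ports are constructed samples. It shows why the two settings have to match: a listener without `accept-proxy` sees the text line where a TLS ClientHello should be, and a listener with `accept-proxy` rejects a LAN client whose stream starts with a raw ClientHello.

```python
# Added example, not from the original post or HAProxy: build and parse the
# PROXY protocol v1 header that "send-proxy" prepends to a TCP stream and that
# a frontend with "accept-proxy" strips before the first client byte.
# Addresses and ports below are constructed sample values.
import ipaddress

def build_proxy_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Return the header the cloud HAProxy sends for one forwarded connection."""
    fam = "TCP4" if ipaddress.ip_address(src).version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")

def parse_proxy_v1(data: bytes) -> tuple:
    """Split a v1 header off the stream, as accept-proxy does; returns
    (fields, payload). Raises ValueError when the stream does not start with
    a valid header, e.g. when it is a raw TLS ClientHello (0x16 0x03 ...)."""
    if not data.startswith(b"PROXY "):
        raise ValueError(f"no PROXY header; stream starts with {data[:3].hex()}")
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > 107:  # a v1 header is at most 107 bytes incl. CRLF
        raise ValueError("malformed PROXY v1 header")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    fields = {
        "family": parts[1],
        "src": str(ipaddress.ip_address(parts[2])),
        "dst": str(ipaddress.ip_address(parts[3])),
        "sport": int(parts[4]),
        "dport": int(parts[5]),
    }
    return fields, data[end + 2:]

def accepts_proxy_header(data: bytes) -> bool:
    """True when an accept-proxy listener would take this stream, False when
    it would drop it (what a plain TLS handshake from a LAN client gets)."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False

def classify_first_bytes(data: bytes) -> str:
    """Tell a PROXY-wrapped stream from a plain TLS stream by its first bytes;
    a listener without accept-proxy hands both to the TLS layer unchanged."""
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if data[:2] == b"\x16\x03":  # TLS record type handshake, major version 3
        return "tls"
    return "unknown"
```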

I have not tested this and I might be wrong, but I am not sure that HAProxy or any service on pfsense can receive packets and return them over the Wireguard tunnel from a forward like that. If no one here has any suggestions then you might want to post in the as well.

I’ve followed this guide but the dude doesn’t have a comment section so it is somewhat hard to ask him :slight_smile:


Interesting, when I have some time I will take a look into that.

When I curl the URL:
curl https://gitea.REMOVED
curl: (28) Failed to connect to gitea.REMOVED port 443 after 130108 ms: Connection timed out

In my firewall logs for interface WG I’m seeing:

Time Jun 22 20:25:19
Interface WG
Rule Allow all TESTING Rule (1655650321)
Protocol TCP:S

What I don’t understand is why I’m receiving port 80 traffic when I route port 443 to port 443 through the tunnel …