OpenVPN endpoint and HAProxy

I have some publicly available web servers in a DMZ network in my home lab. I use pfSense as my router. Now, since my ISP initially didn’t provide for any port forwarding, I set up a droplet at Digital Ocean that basically acted as a NAT firewall. My pfSense at home acts as an OpenVPN client and keeps a persistent connection open to the DO droplet (as the OpenVPN server). So the droplet tunnels all the NAT’ed traffic down the OpenVPN connection. Then pfSense, using the port number, decides which server to direct the query to.

Now the question. I want to use subdomains instead of port numbers to distinguish which server to send the traffic to. So I want to use HAProxy. Unfortunately, in the “Listen Address” box in the External Address section of the Frontend configuration, I can’t pick the “virtual” interface for the VPN connection like I can in firewall rules. Anyone know how to do this? Perhaps by figuring out what address the OpenVPN server has assigned to the client (the pfSense side) and picking “custom address”?

OK, I’m going to answer my own question. YES, manually putting the address of the OpenVPN endpoint in as the Listen Address for the frontend seemed to work just fine. I was hesitant to do this at first without asking because I was afraid I’d break all web access to my domain and have to scramble to restore. But it was quite painless in the end.

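The setup described in the post, written out as a plain haproxy.cfg (an added example, not the poster's configuration and not the file pfSense generates). The tunnel address 10.8.0.2, the hostnames and the DMZ server addresses are constructed placeholders, and the web servers are assumed to serve HTTP on port 80.

```haproxy
# Added example. All addresses and hostnames below are constructed placeholders.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend dmz_http
    # Listen only on the address the OpenVPN server assigned to this client,
    # i.e. the "custom address" entered as the Listen Address in the post.
    # Binding here instead of 0.0.0.0 keeps the proxy off the LAN/WAN side.
    bind 10.8.0.2:80

    # Route on the Host header (subdomain) instead of the port number.
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com

    use_backend bk_app1 if host_app1
    use_backend bk_app2 if host_app2

    # Requests with an unknown or missing Host header reach no DMZ server.
    default_backend bk_reject

backend bk_app1
    server app1 192.168.50.10:80 check

backend bk_app2
    server app2 192.168.50.11:80 check

backend bk_reject
    http-request deny deny_status 403
```

Because the bind uses a literal address, HAProxy stops receiving traffic if the OpenVPN server later assigns the client a different tunnel address. Pinning the address on the server side (for example with `ifconfig-push` in a `client-config-dir` entry for this client) keeps it stable.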