Forwarding VMWare workstation ports with HAProxy


#1

I recently changed ISPs in order to take advantage of much higher speeds. The downside is that the new ISP has a double NAT between me and the internet, which has effectively eliminated any possibility of doing port forwarding like I did with the original service. Previously, I simply forwarded ports 443 and 902 from my DSL modem/router to the machine hosting my VMs, and everything was groovy. Now, that’s not possible.

So, I bought a cheap Linode instance, loaded it up with OpenVPN-AS and HAProxy. OpenVPN is working beautifully, and I have successfully configured HAProxy to forward SSH and HTTP. But I can’t seem to get it to properly forward the ports for VMWare server. Here’s what I have so far:

frontend vmware-frontend
mode tcp
bind 1.2.3.4:8443 ssl crt /etc/ssl/private/my.pem
default_backend vmware_backend

frontend vmwareauthd
mode tcp
bind 1.2.3.4:902 ssl crt /etc/ssl/private/my.pem
default_backend vmwareauthd_backend

backend vmware_backend
mode tcp
server theserver 172.27.232.61:4443 weight 1 maxconn 10240 check

backend vmwareauthd_backend
mode tcp
server theserver 172.27.232.61:902 weight 1 maxconn 10240 check

I’m confident that HAProxy is up for the job - but I’m struggling with how to configure it to do so. With the above configuration, I get an “HTTP error 200” - which is odd, since 200 is “OK”.

Any ideas on how I can fix this?

Thanks!


#2

I think you may be encrypting an already encrypted service.

How do you connect from your LAN to the VMware ports?
Are 172.27.232.61:4443 and 172.27.232.61:902 SSL enabled on the backend server?


#3

All servers on on my LAN, 10.138.69.0/16.

HAProxy is running on a Linode machine, and thus has a static, public
IP. This VM is running ufw, and is configure to allow access to all of
the appropriate ports.

OpenVPN Access Server is also running on the Linode VM. 172.27.232.0/24
is the subnet that OpenVPN uses to connect clients, so the server that
is running VMWare workstation is 172.27.232.61, and also 10.138.69.63 -
the former is a tun device, the latter a physical NIC.


#4

That doesn’t answer my questions though.

Do you connect from a browser, like navigating to:
https://172.27.232.61:4443/

Or is it http (no https):
http://172.27.232.61:4443/

The main question being: isn’t port 4443 on the server already SSL enabled?


#5

I connect using the VMWare Workstation application. 4443 should be encrypted already.


#6

Then the configuration is wrong. Remove all “ssl” related configuration from haproxy.

You just have to forward the TCP port 8443 to backend port 4443 without touching the traffic, that means, not reencrypting it in your load balancer.