Forwarding VMWare workstation ports with HAProxy

I recently changed ISPs in order to take advantage of much higher speeds. The downside is that the new ISP has a double NAT between me and the internet, which has effectively eliminated any possibility of doing port forwarding like I did with the original service. Previously, I simply forwarded ports 443 and 902 from my DSL modem/router to the machine hosting my VMs, and everything was groovy. Now, that’s not possible.

So, I bought a cheap Linode instance, loaded it up with OpenVPN-AS and HAProxy. OpenVPN is working beautifully, and I have successfully configured HAProxy to forward SSH and HTTP. But I can’t seem to get it to properly forward the ports for VMWare server. Here’s what I have so far:

frontend vmware-frontend
    mode tcp
    # 'ssl crt' makes HAProxy terminate TLS here and forward plaintext
    bind 1.2.3.4:8443 ssl crt /etc/ssl/private/my.pem
    default_backend vmware_backend

frontend vmwareauthd
    mode tcp
    bind 1.2.3.4:902 ssl crt /etc/ssl/private/my.pem
    default_backend vmwareauthd_backend

backend vmware_backend
    mode tcp
    # VMware server reached over the OpenVPN tun address
    server theserver 172.27.232.61:4443 weight 1 maxconn 10240 check

backend vmwareauthd_backend
    mode tcp
    server theserver 172.27.232.61:902 weight 1 maxconn 10240 check

I’m confident that HAProxy is up for the job - but I’m struggling with how to configure it to do so. With the above configuration, I get an “HTTP error 200” - which is odd, since 200 is “OK”.

Any ideas on how I can fix this?

Thanks!

I think you may be encrypting an already encrypted service.

How do you connect from your LAN to the VMware ports?
Are 172.27.232.61:4443 and 172.27.232.61:902 SSL enabled on the backend server?

All servers are on my LAN, 10.138.69.0/16.

HAProxy is running on a Linode machine, and thus has a static, public
IP. This VM is running ufw, and is configured to allow access to all of
the appropriate ports.

OpenVPN Access Server is also running on the Linode VM. 172.27.232.0/24
is the subnet that OpenVPN uses to connect clients, so the server that
is running VMWare workstation is 172.27.232.61, and also 10.138.69.63 -
the former is a tun device, the latter a physical NIC.

That doesn’t answer my questions though.

Do you connect from a browser, like navigating to:
https://172.27.232.61:4443/

Or is it http (no https):
http://172.27.232.61:4443/

The main question being: isn’t port 4443 on the server already SSL enabled?

I connect using the VMWare Workstation application. 4443 should be encrypted already.

Then the configuration is wrong. Remove all “ssl” related configuration from haproxy.

You just have to forward the TCP port 8443 to backend port 4443 without touching the traffic; that is, not re-encrypting it in your load balancer.
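The mismatch described in this reply (a `mode tcp` frontend whose `bind ... ssl crt` terminates TLS, feeding plaintext to a backend that already speaks TLS) is easy to check for mechanically. The following script is an added example written for this thread; it is not part of HAProxy and not code from either poster. It embeds a constructed copy of the configuration from the question, derives the pass-through variant suggested in the reply by dropping only the `ssl crt ...` part of each `bind` line, and lints both with a small parser that understands only the section-header-plus-directives subset of haproxy.cfg used above. Function names (`parse_sections`, `lint_tls_termination`) are my own.

```python
"""Lint an HAProxy config for TLS termination inside 'mode tcp' frontends.

Added example for this thread, not HAProxy's own tooling.  It parses the
minimal haproxy.cfg subset used in the question (section headers, one
directive per line, '#' comments) and flags frontends that would decrypt
the client's TLS session and hand the backend plaintext.
"""

# Constructed copy of the configuration posted in the question.
ORIGINAL_CFG = """
frontend vmware-frontend
    mode tcp
    bind 1.2.3.4:8443 ssl crt /etc/ssl/private/my.pem
    default_backend vmware_backend

frontend vmwareauthd
    mode tcp
    bind 1.2.3.4:902 ssl crt /etc/ssl/private/my.pem
    default_backend vmwareauthd_backend

backend vmware_backend
    mode tcp
    server theserver 172.27.232.61:4443 weight 1 maxconn 10240 check

backend vmwareauthd_backend
    mode tcp
    server theserver 172.27.232.61:902 weight 1 maxconn 10240 check
"""

# Pass-through variant per the reply: no 'ssl crt' on the bind lines, so
# HAProxy relays the TLS bytes untouched.  Assumed fix; not tested against
# a real VMware Workstation server here.
PASSTHROUGH_CFG = ORIGINAL_CFG.replace(" ssl crt /etc/ssl/private/my.pem", "")


def parse_sections(text):
    """Return {(kind, name): [tokenised directive lines]} per section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = (tokens[0], tokens[1] if len(tokens) > 1 else "")
            sections[current] = []
        elif current is not None:
            sections[current].append(tokens)
    return sections


def _directive(lines, keyword):
    """First argument of the first directive named `keyword`, or None."""
    for tokens in lines:
        if tokens[0] == keyword and len(tokens) > 1:
            return tokens[1]
    return None


def lint_tls_termination(text):
    """Flag 'mode tcp' frontends whose bind carries 'ssl' while the backend
    servers carry no 'ssl' of their own.

    In that shape HAProxy terminates the client's TLS session and sends the
    decrypted bytes onward.  A backend that itself expects TLS (VMware's
    4443 and 902 in the thread) then receives a stream it cannot parse.
    Returns a list of (frontend_name, backend_name, message) tuples.
    """
    sections = parse_sections(text)
    backends = {name: lines for (kind, name), lines in sections.items()
                if kind == "backend"}
    findings = []
    for (kind, name), lines in sections.items():
        if kind != "frontend":
            continue
        tls_binds = [t for t in lines if t[0] == "bind" and "ssl" in t[1:]]
        if _directive(lines, "mode") != "tcp" or not tls_binds:
            continue
        backend = _directive(lines, "default_backend")
        servers = [t for t in backends.get(backend, []) if t[0] == "server"]
        # 'server <name> <addr> ... ssl' would re-encrypt towards the backend
        reencrypts = bool(servers) and all("ssl" in t[3:] for t in servers)
        if not reencrypts:
            findings.append((name, backend,
                "bind ... ssl terminates TLS in mode tcp and forwards plaintext; "
                "drop 'ssl crt ...' for pass-through, or add 'ssl' to the "
                "server line if the backend must receive TLS"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("pass-through", PASSTHROUGH_CFG)):
        results = lint_tls_termination(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for frontend, backend, msg in results:
            print(f"  {frontend} -> {backend}: {msg}")
```

Run against the posted config it reports both frontends; against the pass-through variant it reports nothing, which is exactly the change the reply asks for. The alternative the message mentions (keeping `ssl crt` on the bind and adding `ssl` to the `server` lines) would make HAProxy decrypt and re-encrypt, which works for HTTPS-style services but adds a second certificate trust decision and is not needed when the only goal is to get the VMware ports through the double NAT.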