Haproxy Issue Connecting to Openvpn on TCP 433

Hi
I’m currently running Haproxy on a pfsense box (Actually two boxes for failover).
I have a separate box running an Openvpn appliance.
I have a couple of web servers as well.
The openvpn box listens on UDP1194 and TCP443.
The web servers listen on TCP80 and TCP443.
I have successfully managed to get TCP80 and TCP443 to go to the correct places for the web servers and using SNI I can also get to the openvpn box on TCP443.
However, I can’t get the openvpn client to connect to Openvpn on TCP443 externally.
I can connect internally via TCP443. I can also connect internally and externally on UDP1194.
So I know that openvpn is working correctly.
It seems that there is some sort of issue with Haproxy routing the vpn traffic back out again.
Are there any suggestions/examples of this exact situation that would help diagnose the issue?
Logs/diagrams would be helpful, but I’m currently not at home, so doing this on my phone.
Thanks,
Richie

2017-06-25 11:25:47 official build 0.6.70 running on samsung SM-G930F (universal8890), Android 7.0 (NRD90M) API 24, ABI arm64-v8a, (samsung/heroltexx/herolte:7.0/NRD90M/G930FXXU1DQCG:user/release-keys)
2017-06-25 11:25:47 New OpenVPN Status (USER_VPN_PASSWORD->LEVEL_WAITING_FOR_USER_INPUT):
2017-06-25 11:25:55 Building configuration…
2017-06-25 11:25:55 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2017-06-25 11:25:55 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2017-06-25 11:25:55 started Socket Thread
2017-06-25 11:25:55 Network Status: CONNECTED LTE to MOBILE goto.virginmobile.uk
2017-06-25 11:25:55 Debug state info: CONNECTED LTE to MOBILE goto.virginmobile.uk, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2017-06-25 11:25:55 Debug state info: CONNECTED LTE to MOBILE goto.virginmobile.uk, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2017-06-25 11:25:55 P:Initializing Google Breakpad!
2017-06-25 11:25:55 Current Parameter Settings:
2017-06-25 11:25:55 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf’
2017-06-25 11:25:55 mode = 0
2017-06-25 11:25:55 show_ciphers = DISABLED
2017-06-25 11:25:55 show_digests = DISABLED
2017-06-25 11:25:55 show_engines = DISABLED
2017-06-25 11:25:55 genkey = DISABLED
2017-06-25 11:25:55 Waiting 0s seconds between connection attempt
2017-06-25 11:25:55 key_pass_file = '[UNDEF]'
2017-06-25 11:25:55 show_tls_ciphers = DISABLED
2017-06-25 11:25:55 connect_retry_max = 0
2017-06-25 11:25:55 Connection profiles [0]:
2017-06-25 11:25:55 proto = tcp-client
2017-06-25 11:25:55 local = '[UNDEF]'
2017-06-25 11:25:55 local_port = '[UNDEF]'
2017-06-25 11:25:55 remote = 'vpn.domain.com
2017-06-25 11:25:55 remote_port = '443’
2017-06-25 11:25:55 remote_float = DISABLED
2017-06-25 11:25:55 bind_defined = DISABLED
2017-06-25 11:25:55 bind_local = DISABLED
2017-06-25 11:25:55 bind_ipv6_only = DISABLED
2017-06-25 11:25:55 connect_retry_seconds = 2
2017-06-25 11:25:55 connect_timeout = 4
2017-06-25 11:25:55 socks_proxy_server = '[UNDEF]'
2017-06-25 11:25:55 socks_proxy_port = '[UNDEF]'
2017-06-25 11:25:55 tun_mtu = 1500
2017-06-25 11:25:55 tun_mtu_defined = ENABLED
2017-06-25 11:25:55 link_mtu = 1500
2017-06-25 11:25:55 link_mtu_defined = DISABLED
2017-06-25 11:25:55 tun_mtu_extra = 0
2017-06-25 11:25:55 tun_mtu_extra_defined = DISABLED
2017-06-25 11:25:55 mtu_discover_type = -1
2017-06-25 11:25:55 fragment = 0
2017-06-25 11:25:55 mssfix = 1450
2017-06-25 11:25:55 explicit_exit_notification = 0
2017-06-25 11:25:55 Connection profiles END
2017-06-25 11:25:55 remote_random = DISABLED
2017-06-25 11:25:55 ipchange = '[UNDEF]'
2017-06-25 11:25:55 dev = 'tun’
2017-06-25 11:25:55 dev_type = '[UNDEF]'
2017-06-25 11:25:55 dev_node = '[UNDEF]'
2017-06-25 11:25:55 lladdr = '[UNDEF]'
2017-06-25 11:25:55 topology = 1
2017-06-25 11:25:55 ifconfig_local = '[UNDEF]'
2017-06-25 11:25:55 ifconfig_remote_netmask = '[UNDEF]'
2017-06-25 11:25:55 ifconfig_noexec = DISABLED
2017-06-25 11:25:55 ifconfig_nowarn = ENABLED
2017-06-25 11:25:55 ifconfig_ipv6_local = '[UNDEF]'
2017-06-25 11:25:55 ifconfig_ipv6_netbits = 0
2017-06-25 11:25:55 ifconfig_ipv6_remote = '[UNDEF]'
2017-06-25 11:25:55 shaper = 0
2017-06-25 11:25:55 mtu_test = 0
2017-06-25 11:25:55 mlock = DISABLED
2017-06-25 11:25:55 keepalive_ping = 0
2017-06-25 11:25:55 keepalive_timeout = 0
2017-06-25 11:25:55 inactivity_timeout = 0
2017-06-25 11:25:55 ping_send_timeout = 0
2017-06-25 11:25:55 ping_rec_timeout = 0
2017-06-25 11:25:55 ping_rec_timeout_action = 0
2017-06-25 11:25:55 ping_timer_remote = DISABLED
2017-06-25 11:25:55 remap_sigusr1 = 0
2017-06-25 11:25:55 persist_tun = DISABLED
2017-06-25 11:25:55 persist_local_ip = DISABLED
2017-06-25 11:25:55 persist_remote_ip = DISABLED
2017-06-25 11:25:55 persist_key = DISABLED
2017-06-25 11:25:55 passtos = DISABLED
2017-06-25 11:25:55 resolve_retry_seconds = 60
2017-06-25 11:25:55 resolve_in_advance = DISABLED
2017-06-25 11:25:55 username = '[UNDEF]'
2017-06-25 11:25:55 groupname = '[UNDEF]'
2017-06-25 11:25:55 chroot_dir = '[UNDEF]'
2017-06-25 11:25:55 cd_dir = '[UNDEF]'
2017-06-25 11:25:55 writepid = '[UNDEF]'
2017-06-25 11:25:55 up_script = '[UNDEF]'
2017-06-25 11:25:55 down_script = '[UNDEF]'
2017-06-25 11:25:55 down_pre = DISABLED
2017-06-25 11:25:55 up_restart = DISABLED
2017-06-25 11:25:55 up_delay = DISABLED
2017-06-25 11:25:55 daemon = DISABLED
2017-06-25 11:25:55 inetd = 0
2017-06-25 11:25:55 log = DISABLED
2017-06-25 11:25:55 suppress_timestamps = DISABLED
2017-06-25 11:25:55 machine_readable_output = ENABLED
2017-06-25 11:25:55 nice = 0
2017-06-25 11:25:55 verbosity = 4
2017-06-25 11:25:55 mute = 0
2017-06-25 11:25:55 gremlin = 0
2017-06-25 11:25:55 status_file = '[UNDEF]'
2017-06-25 11:25:55 status_file_version = 1
2017-06-25 11:25:55 status_file_update_freq = 60
2017-06-25 11:25:55 occ = ENABLED
2017-06-25 11:25:55 rcvbuf = 100000
2017-06-25 11:25:55 sndbuf = 100000
2017-06-25 11:25:55 sockflags = 0
2017-06-25 11:25:55 fast_io = DISABLED
2017-06-25 11:25:55 comp.alg = 2
2017-06-25 11:25:55 comp.flags = 1
2017-06-25 11:25:55 route_script = '[UNDEF]'
2017-06-25 11:25:55 route_default_gateway = '[UNDEF]'
2017-06-25 11:25:55 route_default_metric = 0
2017-06-25 11:25:55 route_noexec = DISABLED
2017-06-25 11:25:55 route_delay = 0
2017-06-25 11:25:55 route_delay_window = 30
2017-06-25 11:25:55 route_delay_defined = DISABLED
2017-06-25 11:25:55 route_nopull = DISABLED
2017-06-25 11:25:55 route_gateway_via_dhcp = DISABLED
2017-06-25 11:25:55 allow_pull_fqdn = DISABLED
2017-06-25 11:25:55 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket’
2017-06-25 11:25:55 management_port = 'unix’
2017-06-25 11:25:55 management_user_pass = '[UNDEF]'
2017-06-25 11:25:55 management_log_history_cache = 250
2017-06-25 11:25:55 management_echo_buffer_size = 100
2017-06-25 11:25:55 management_write_peer_info_file = '[UNDEF]'
2017-06-25 11:25:55 management_client_user = '[UNDEF]'
2017-06-25 11:25:55 management_client_group = '[UNDEF]'
2017-06-25 11:25:55 management_flags = 4390
2017-06-25 11:25:55 shared_secret_file = '[UNDEF]'
2017-06-25 11:25:55 key_direction = 1
2017-06-25 11:25:55 ciphername = 'BF-CBC’
2017-06-25 11:25:55 ncp_enabled = ENABLED
2017-06-25 11:25:55 ncp_ciphers = 'AES-256-GCM:AES-128-GCM’
2017-06-25 11:25:55 authname = 'SHA1’
2017-06-25 11:25:55 prng_hash = 'SHA1’
2017-06-25 11:25:55 prng_nonce_secret_len = 16
2017-06-25 11:25:55 keysize = 0
2017-06-25 11:25:55 engine = DISABLED
2017-06-25 11:25:55 replay = ENABLED
2017-06-25 11:25:55 mute_replay_warnings = DISABLED
2017-06-25 11:25:55 replay_window = 64
2017-06-25 11:25:55 replay_time = 15
2017-06-25 11:25:55 packet_id_file = '[UNDEF]'
2017-06-25 11:25:55 test_crypto = DISABLED
2017-06-25 11:25:55 tls_server = DISABLED
2017-06-25 11:25:55 tls_client = ENABLED
2017-06-25 11:25:55 key_method = 2
2017-06-25 11:25:55 ca_file = '[[INLINE]]'
2017-06-25 11:25:55 ca_path = '[UNDEF]'
2017-06-25 11:25:55 dh_file = '[UNDEF]'
2017-06-25 11:25:55 cert_file = '[[INLINE]]'
2017-06-25 11:25:55 extra_certs_file = '[UNDEF]'
2017-06-25 11:25:55 priv_key_file = '[[INLINE]]'
2017-06-25 11:25:55 pkcs12_file = '[UNDEF]'
2017-06-25 11:25:55 cipher_list = '[UNDEF]'
2017-06-25 11:25:55 tls_verify = '[UNDEF]'
2017-06-25 11:25:55 tls_export_cert = '[UNDEF]'
2017-06-25 11:25:55 verify_x509_type = 0
2017-06-25 11:25:55 verify_x509_name = '[UNDEF]'
2017-06-25 11:25:55 crl_file = '[UNDEF]'
2017-06-25 11:25:55 ns_cert_type = 1
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_ku[i] = 0
2017-06-25 11:25:55 remote_cert_eku = '[UNDEF]'
2017-06-25 11:25:55 ssl_flags = 0
2017-06-25 11:25:55 tls_timeout = 2
2017-06-25 11:25:55 renegotiate_bytes = -1
2017-06-25 11:25:55 renegotiate_packets = 0
2017-06-25 11:25:55 renegotiate_seconds = 604800
2017-06-25 11:25:55 handshake_window = 60
2017-06-25 11:25:55 transition_window = 3600
2017-06-25 11:25:55 single_session = DISABLED
2017-06-25 11:25:55 push_peer_info = ENABLED
2017-06-25 11:25:55 tls_exit = DISABLED
2017-06-25 11:25:55 tls_auth_file = '[[INLINE]]'
2017-06-25 11:25:55 tls_crypt_file = '[UNDEF]'
2017-06-25 11:25:55 client = ENABLED
2017-06-25 11:25:55 pull = ENABLED
2017-06-25 11:25:55 auth_user_pass_file = 'stdin’
2017-06-25 11:25:55 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-a3a71dc0a6604559] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 29 2017
2017-06-25 11:25:55 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
2017-06-25 11:25:55 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2017-06-25 11:25:55 MANAGEMENT: CMD 'hold release’
2017-06-25 11:25:55 MANAGEMENT: CMD 'username ‘Auth’ Richie’
2017-06-25 11:25:55 MANAGEMENT: CMD 'bytecount 2’
2017-06-25 11:25:55 MANAGEMENT: CMD 'password […]'
2017-06-25 11:25:55 MANAGEMENT: CMD 'state on’
2017-06-25 11:25:55 MANAGEMENT: CMD 'proxy NONE’
2017-06-25 11:25:56 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2017-06-25 11:25:56 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:25:56 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:25:56 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:25:56 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:25:56 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2017-06-25 11:25:56 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2017-06-25 11:25:56 LZO compression initializing
2017-06-25 11:25:56 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2017-06-25 11:25:56 MANAGEMENT: >STATE:1498386356,RESOLVE,
2017-06-25 11:25:56 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2017-06-25 11:25:56 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client’
2017-06-25 11:25:56 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server’
2017-06-25 11:25:56 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx xxx.xxx:443
2017-06-25 11:25:56 Socket Buffers: R=[3145728->200000] S=[1572864->200000]
2017-06-25 11:25:56 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx:443 [nonblock]
2017-06-25 11:25:56 MANAGEMENT: >STATE:1498386356,TCP_CONNECT,
2017-06-25 11:25:56 MANAGEMENT: CMD 'needok ‘PROTECTFD’ ok’
2017-06-25 11:25:57 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
2017-06-25 11:25:57 MANAGEMENT: CMD 'needok ‘PROTECTFD’ ok’
2017-06-25 11:25:57 TCP_CLIENT link local: (not bound)
2017-06-25 11:25:57 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
2017-06-25 11:25:57 MANAGEMENT: >STATE:1498386357,WAIT,
2017-06-25 11:25:57 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:25:57 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:25:57 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,
2017-06-25 11:25:57 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,
2017-06-25 11:25:57 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-25 11:25:57 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-25 11:25:57 Connection reset, restarting [0]
2017-06-25 11:25:57 Waiting 2s seconds between connection attempt
2017-06-25 11:25:57 TCP/UDP: Closing socket
2017-06-25 11:25:57 SIGUSR1[soft,connection-reset] received, process restarting
2017-06-25 11:25:57 MANAGEMENT: >STATE:1498386357,RECONNECTING,connection-reset,
2017-06-25 11:26:02 MANAGEMENT: CMD 'hold release’
2017-06-25 11:26:02 MANAGEMENT: CMD 'proxy NONE’
2017-06-25 11:26:02 MANAGEMENT: CMD 'bytecount 2’
2017-06-25 11:26:02 MANAGEMENT: CMD 'state on’
2017-06-25 11:26:03 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2017-06-25 11:26:03 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2017-06-25 11:26:03 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:26:03 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:26:03 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2017-06-25 11:26:03 LZO compression initializing
2017-06-25 11:26:03 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2017-06-25 11:26:03 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2017-06-25 11:26:03 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client’
2017-06-25 11:26:03 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server’
2017-06-25 11:26:03 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): init_instance,
2017-06-25 11:26:03 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): init_instance,
2017-06-25 11:26:03 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-25 11:26:03 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-25 11:26:03 Waiting 2s seconds between connection attempt
2017-06-25 11:26:03 TCP/UDP: Preserving recently used remote address: [AF_INET6]64:ff9b::5602:7fed:443
2017-06-25 11:26:03 Socket Buffers: R=[3145728->200000] S=[1572864->200000]
2017-06-25 11:26:03 Attempting to establish TCP connection with [AF_INET6]64:ff9b::5602:7fed:443 [nonblock]
2017-06-25 11:26:03 MANAGEMENT: >STATE:1498386363,TCP_CONNECT,
2017-06-25 11:26:03 MANAGEMENT: CMD 'needok ‘PROTECTFD’ ok’
2017-06-25 11:26:03 TCP: connect to [AF_INET6]64:ff9b::5602:7fed:443 failed: Network is unreachable
2017-06-25 11:26:03 SIGUSR1[connection failed(soft),init_instance] received, process restarting
2017-06-25 11:26:03 MANAGEMENT: >STATE:1498386363,RECONNECTING,init_instance,
2017-06-25 11:26:08 MANAGEMENT: CMD 'hold release’
2017-06-25 11:26:08 MANAGEMENT: CMD 'proxy NONE’
2017-06-25 11:26:08 MANAGEMENT: CMD 'bytecount 2’
2017-06-25 11:26:08 MANAGEMENT: CMD 'state on’
2017-06-25 11:26:09 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2017-06-25 11:26:09 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:26:09 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:26:09 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2017-06-25 11:26:09 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:26:09 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:26:09 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2017-06-25 11:26:09 LZO compression initializing
2017-06-25 11:26:09 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2017-06-25 11:26:09 MANAGEMENT: >STATE:1498386369,RESOLVE,
2017-06-25 11:26:09 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2017-06-25 11:26:09 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client’
2017-06-25 11:26:09 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server’
2017-06-25 11:26:09 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
2017-06-25 11:26:09 Socket Buffers: R=[3145728->200000] S=[1572864->200000]
2017-06-25 11:26:09 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
2017-06-25 11:26:09 MANAGEMENT: >STATE:1498386369,TCP_CONNECT,
2017-06-25 11:26:09 MANAGEMENT: CMD 'needok ‘PROTECTFD’ ok’
2017-06-25 11:26:10 TCP connection established with [AF_INET]86.2.127.237:443
2017-06-25 11:26:10 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:26:10 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,
2017-06-25 11:26:10 MANAGEMENT: CMD 'needok ‘PROTECTFD’ ok’
2017-06-25 11:26:10 TCP_CLIENT link local: (not bound)
2017-06-25 11:26:10 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
2017-06-25 11:26:10 MANAGEMENT: >STATE:1498386370,WAIT,
2017-06-25 11:26:10 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,
2017-06-25 11:26:10 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,
2017-06-25 11:26:10 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-25 11:26:10 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2017-06-25 11:26:10 Waiting 2s seconds between connection attempt
2017-06-25 11:26:10 Connection reset, restarting [0]
2017-06-25 11:26:10 TCP/UDP: Closing socket
2017-06-25 11:26:10 SIGUSR1[soft,connection-reset] received, process restarting
2017-06-25 11:26:10 MANAGEMENT: >STATE:1498386370,RECONNECTING,connection-reset,

Please share the haproxy configuration and the output of haproxy -vv.

Configuration:
vpn.domain.com = the external URL of my vpn
SVRVMOPENVPN01443 = my OpenVPN server
SVRVMWEB01, SVRVMWEB02 = web servers (ports 80 and 443)
10.2.0.90: DMZ side of pfSense CARP.

10.2.* = DMZ
192.168.* internal LAN

External IP -> ISP’s router/cable modem -> pfSense cluster -> internal network
External IP -> ISP’s router/cable modem -> OpenVPN server -> internal network

OpenVPN server in in DMZ like pfSense cluster with links on both DMZ and internal network

Working:
External IP -> ISP’s router/cable modem -> OpenVPN (UDP1194) -> internal network (VPN assigned ip)
Internal IP -> OpenVPN internal IP on UDP1194 AND TCP443) -> internal network (VPN assigned ip)

NOT Working:
External IP -> ISP’s router/cable modem -> OpenVPN (TCP443) -> internal network (VPN assigned ip)

Automaticaly generated, dont edit manually.

Generated on: 2017-06-24 20:33

global
maxconn 1000
log /var/run/log local0 info
stats socket /tmp/haproxy.socket level admin
gid 80
nbproc 1
chroot /tmp/haproxy_chroot
daemon
log-send-hostname HaproxyMasterNode
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend PORT80
bind 10.2.0.90:80 name 10.2.0.90:80
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl VPN80ACL hdr(host) -i vpn.domain.com
use_backend VPNPool_http_ipvANY if VPN80ACL
default_backend SVRWEB80Pool_http_ipvANY

frontend PORT443
bind 10.2.0.90:443 name 10.2.0.90:443
mode tcp
log global
option log-separate-errors
option tcplog
timeout client 30000
tcp-request inspect-delay 5s
acl VPN443ACL req.ssl_sni -i vpn.domain.com
tcp-request content accept if { req.ssl_hello_type 1 }

use_backend SVRWEB443Pool_https_ipv4  if  !VPN443ACL 
default_backend VPNPool_https_ipv4

backend VPNPool_http_ipvANY
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server SVRVMOPENVPN01443 10.2.0.93:443 ssl check inter 1000 verify none

backend SVRWEB80Pool_http_ipvANY
mode http
log global
stats enable
stats uri /haproxy?stats
stats realm .
balance roundrobin
timeout connect 30000
timeout server 30000
retries 3
server SVRVMWEB01 192.168.12.31:80 check inter 1000
server SVRVMWEB02 192.168.12.32:80 check inter 1000

backend SVRWEB443Pool_https_ipv4
mode tcp
log global
balance roundrobin
timeout connect 30000
timeout server 30000
retries 3
source ipv4@ usesrc clientip
option httpchk OPTIONS /
server SVRVMWEB01 192.168.12.31:443 check-ssl check inter 1000 verify none
server SVRVMWEB02 192.168.12.32:443 check-ssl check inter 1000 verify none

backend VPNPool_https_ipv4
mode tcp
log global
timeout connect 30000
timeout server 30000
retries 3
server SVRVMOPENVPN01443 10.2.0.93:443 check-ssl check inter 1000 verify none

haproxy -vv:
HA-Proxy version 1.7.2 2017/01/13
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = freebsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fstack-protector -fno-strict-aliasing -DFREEBSD_PORTS
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with OpenSSL version : OpenSSL 1.0.1s-freebsd 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.1s-freebsd 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY

Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.

Available filters :
[SPOE] spoe
[TRACE] trace
[COMP] compression

Afaik the OpenVPN client does not send SNI, therefor VPN443ACL will never work.

You should match your actual webserver domains (going to SVRWEB443Pool_https_ipv4), not negate the vpn domain.

Ok, it means a bit more work, but I will try it and get back to you.

Thanks,
Richie

Hi,
I had to turn off Transparent ClientIP on the VPN Back End config, but I can now connect externally over TCP433.
Thanks.
I can actually also connect via my work desktop through TCP443, I get the correct OpenVPN IP address, but unable to ping server names/fqdn of my network, so may still need to do some further work there.

Thanks,
Richie

All sorted now - I had to run the client as admin to enable DNS refresh

Thanks for your help
Richie