OpenVPN support

[runningman84]

It would be cool if caddy could detect openvpn traffic on https sites and forward them to a openvpn server.

We could place open vpn I'm front but this would hide the ip address in caddy.

[mholt]

Can you explain more what this means? I'm not exactly sure what the technical requirements are for this.

[runningman84]

OK I have a vps which hosts multiple websites. This vps has only one ip it would be great if I caddy would have a similar port share feature: https://doc.pfsense.org/index.php/Sharing_a_Port_with_OpenVPN_and_a_Web_Server Using caddy in front of openvpn would keep the correct ip address in my websites.

[lbguilherme]

@runningman84 This feature of OpenVPN seems totally unrelated to which web server is used and seems to require nothing from the web server. It works by placing OpenVPN to listen on 443/tcp. It will handle any vpn traffic and when it sees HTTPS traffic, it will forward it to another ip/port which is where caddy would be listening. Just use bind to listen on localhost with some other port and it should work.

[runningman84]

That's right but using this feature in openvpn means that the webserver think all requests come from localhost. It is quite difficult to block ips or malicious request if everything seem to come from the same ip...

[lbguilherme]

Does OpenVPN set the X-Forwarded-For header?

On Sun, 21 Aug 2016 13:56 runningman84, notifications@github.com wrote:

That's right but using this feature in openvpn means that the webserver think all requests come from localhost. It is quite difficult to block ips or malicious request if everything seem to come from the same ip...

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/mholt/caddy/issues/1054#issuecomment-241268655, or mute the thread https://github.com/notifications/unsubscribe-auth/AAhYitKDXjpVU66PY6S-Xj3SlviQHHc7ks5qiINEgaJpZM4JpCHH .

[runningman84]

not it does not it basically acts like a tcp proxy...

[lbguilherme]

Then I believe there is nothing Caddy can do about it. All it can see is that requests are coming from OpenVPN, that's the source IP. Is there a way the real client ip can be informed somehow?

[runningman84]

Caddy could implement a similar port share feature like OpenVPN which would mean that OpenVPN would loose the real ip address which might not be a big deal.

Current setup openvpn -> caddy

New setup caddy -> openvpn

[zacheryph]

I don't know for sure but I'm wondering if this would even work given the nature of VPN traffic. OpenVPN might not like (even work?) / be able to handle the encrypted VPN traffic coming from localhost for another host.

Also, not that I don't expect my web server to be stable but I kind of expect a VPN to be even more stable? (if that makes sense.) VPN is more like infrastructure, HTTP more a service. Having your VPN traffic depend on a web server seems odd. You would reset VPN traffic every time you restart Caddy. Heaven forbid you went to restart caddy with a bad config you lock yourself out of VPN as well.

[mholt]

Hey @runningman84, thanks for the suggestion and explanation. Feel free to continue discussing this idea, but I am going to close this since I don't think this will be a feature in Caddy -- at least not anytime in the foreseeable future -- because of the complexity and edge cases here. Maybe an alternative server type plugin could do this but I don't think I'd recommend doing this on top of HTTP.

[maciekish]

I would love this to be able to host OpenVPN on a shared ip and :443.