Run multiple SSL enabled services behind single IP on Edgerouter

Until recently I had a routed /29 on my home connection, but got “downgraded” to 2 public IPs.
Since I run multiple SSL enabled services (RDS gateway, SSTP VPN and a couple of websites, including this one), I had to figure out a way to share one address between them.
I stumbled across the reverse proxy HAProxy, which seemed perfect for the job. I COULD run it on a VM, but I’d rather run it on the Edgerouter itself.
Since the Edgerouter is based on Debian 7 (Wheezy), it’s possible to install Debian packages on it.
There isn’t a “native” Wheezy package for HAProxy, but the Debian “backports” system makes it possible.
Basic Linux skills like editing and copying files etc. are required for this.

Let’s get started!
First we need to add the Wheezy and Wheezy Backports repositories to the system. Do this through the EdgeOS configuration tree, which is the supported way; don’t just edit /etc/apt/sources.list, since that file is not preserved by the router’s config system.

SSH into the Edgerouter
configure

set system package repository wheezy components "main contrib non-free"
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://http.us.debian.org/debian
set system package repository wheezy-backports components main
set system package repository wheezy-backports distribution wheezy-backports
set system package repository wheezy-backports url http://http.us.debian.org/debian

commit
save

Now we need to install HAProxy
Become root:

sudo su -
apt-get update
apt-get -t wheezy-backports install haproxy

HAProxy reads its configuration from /etc/haproxy/haproxy.cfg; make a backup of the packaged one before you replace it.

We’re going to use most of the configuration found here on reddit, with 2 exceptions.
That configuration runs HAProxy in TCP mode: it reads the server name (SNI) from the TLS ClientHello and relays the raw connection to the matching backend. TLS is not terminated on the router, so each backend keeps its own certificate and HAProxy never sees plaintext.
In this line:
frontend ssl_relay 0.0.0.0:443
change 0.0.0.0 to the public IP address you plan to use for the incoming requests; 0.0.0.0 would make HAProxy grab port 443 on both public addresses.

Also, in the “backend ssl_rd” section we need to add a timeout value, since the packaged default is very short, causing the RD sessions to drop every few minutes. The client-side “timeout client” needs to be raised the same way, otherwise the session is cut from the other side instead.
I tend to be logged in for pretty long, so I set it to 12 hours, so the start of the “backend ssl_rd” section looks like this:

backend ssl_rd
timeout server 12h

Of course you’ll need to edit the SNI names and backend IP addresses etc.; look around HAProxy howtos if that’s unclear. I managed to get the reddit one to work in less than half an hour of playing around.

Create the new haproxy.cfg with vi.
For some reason my Edgerouter has a “funny” autoindent setting in vi, so I had to turn that off to be able to paste in the configuration:

:set noai

Paste the edited configuration, save the file.

service haproxy restart

That should be pretty much it. Make sure the firewall ruleset that protects the router from the Internet (WAN_LOCAL if you used the setup wizard) allows traffic to port 443, or whatever ports you plan to use with HAProxy. HAProxy listens on the router itself, so this is the “local” ruleset, not the forwarding one (WAN_IN).
HAProxy logs to /var/log/haproxy.log; put this line in the global section of haproxy.cfg to get more detail:
log /dev/log    local6
Also, keep a backup of haproxy.cfg somewhere outside /etc (/config survives upgrades); I’m pretty sure it will get overwritten by Ubiquiti firmware updates.

Just to clarify: after updating to 1.9.1, haproxy is no longer installed (a firmware update replaces the root filesystem, so anything added with apt-get goes with it), so you will have to run these steps again:
apt-get update
apt-get -t wheezy-backports install haproxy

After that, restore the haproxy.cfg and do

service haproxy restart
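As an added example (not code from the original post or from the reddit thread it refers to), here is a POSIX shell script for the router that ties the steps above together: it generates an SNI-routing haproxy.cfg of the kind described, has HAProxy parse it before anything is restarted, keeps a copy outside /etc, and reinstalls the package when a firmware update has removed it. The hostnames (rd.example.com etc.), the backend addresses, the public IP and the /config/user-data backup location are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: build the SNI pass-through
# haproxy.cfg, validate it, back it up, and reinstall HAProxy after an
# EdgeOS firmware update. Hostnames, backend addresses and the public IP
# below are placeholders (assumptions), not values from the post.

CFG=${CFG:-/etc/haproxy/haproxy.cfg}
# Assumption: /config/user-data is preserved across firmware updates, unlike /etc
BACKUP=${BACKUP:-/config/user-data/haproxy.cfg}

# write_haproxy_cfg PUBLIC_IP OUTFILE
# HAProxy stays in TCP mode: it reads the SNI from the ClientHello and relays
# the raw TLS stream, so certificates and decryption stay on the backends.
write_haproxy_cfg() {
    pub_ip=$1
    out=$2
    cat > "$out" <<EOF
global
    log /dev/log local6
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    # long-lived RD/SSTP sessions need a long idle timeout on the client side too
    timeout client  12h
    timeout server  1h

frontend ssl_relay
    bind $pub_ip:443
    # hold the connection (at most 5s) until the ClientHello is in the buffer,
    # otherwise req_ssl_sni is evaluated before the SNI can be read
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend ssl_rd   if { req_ssl_sni -i rd.example.com }
    use_backend ssl_sstp if { req_ssl_sni -i vpn.example.com }
    use_backend ssl_web  if { req_ssl_sni -i www.example.com }
    # clients that send no SNI, or an unknown name, land here
    default_backend ssl_web

backend ssl_rd
    timeout server 12h
    server rdgw 192.168.1.10:443 check

backend ssl_sstp
    timeout server 12h
    server sstp 192.168.1.11:443 check

backend ssl_web
    server web 192.168.1.20:443 check
EOF
}

# check_haproxy_cfg FILE: use HAProxy's own parser when it is installed,
# otherwise fall back to a minimal structural check
check_haproxy_cfg() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1" >/dev/null 2>&1
    else
        grep -q '^frontend ssl_relay' "$1" && grep -q 'req_ssl_sni' "$1"
    fi
}

# ensure_haproxy_installed: a firmware update wipes packages added with apt-get
ensure_haproxy_installed() {
    command -v haproxy >/dev/null 2>&1 && return 0
    apt-get update && apt-get -y -t wheezy-backports install haproxy
}

# Privileged steps run only when asked for, as root on the router:
#   PUBLIC_IP=203.0.113.10 HAPROXY_APPLY=1 sh haproxy-sni.sh
if [ "${HAPROXY_APPLY:-0}" = "1" ]; then
    ensure_haproxy_installed || exit 1
    write_haproxy_cfg "${PUBLIC_IP:?set PUBLIC_IP to the address HAProxy should bind}" "$CFG.new"
    if check_haproxy_cfg "$CFG.new"; then
        mv "$CFG.new" "$CFG"       # only replace the live config once it parses
        cp "$CFG" "$BACKUP"
        service haproxy restart
    else
        echo "new haproxy.cfg failed validation, leaving the running config alone" >&2
        exit 1
    fi
fi
```

The script never restarts HAProxy on a config that fails to parse, so a paste error cannot take all the services down at once. The WAN_LOCAL rule for port 443 still has to be added separately, and the "check" keyword only verifies that the backend accepts a TCP connection, not that its certificate is valid.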


Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Route Based)

Here is a working configuration for the newer route-based Azure S2S, tested on an Edgerouter Lite with firmware 1.8.5 and Azure Resource Manager (ARM). eth0 is the WAN interface here; replace the placeholders in angle brackets with your own values. The proposals (AES-256, SHA-1, DH group 2, PFS off) match Azure’s default gateway policy; SHA-1 and the 1024-bit DH group 2 are legacy choices, so if your gateway lets you set a custom IPsec/IKE policy, use sha256 and dh-group 14 on both ends. After commit, show vpn ipsec sa should list the peer with the tunnel up.


set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable
set vpn ipsec auto-firewall-nat-exclude enable

Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Policy Based)

I’ve been using Jesper Jensen’s example configuration with some minor changes for firmware 1.8.0.
It’s been tested with Azure ARM (doesn’t seem to be working with classic).
This setup is for the “old” policy-based S2S, which uses IKEv1 (no key-exchange line) and a longer IKE lifetime than the route-based one.


set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec esp-group esp-azure lifetime 3600
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes ike
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable

The set vpn ipsec auto-firewall-nat-exclude enable line seems to help with traffic not being passed through from on-prem to Azure; it is the equivalent of the “Automatically open firewall and exclude from NAT” option in the GUI. It adds local firewall rules accepting IKE (UDP 500), NAT-T (UDP 4500) and ESP on the IPsec interface, and excludes traffic between the local and remote prefixes from source NAT, so packets for Azure still match the tunnel selector instead of leaving with the WAN address.