OpenVPN behind Traefik via an IngressRouteTCP

Hello everyone,

I'm trying to set up an OpenVPN behind Traefik via an IngressRouteTCP on my k3s cluster, but I can't reach it.
By calling the service IP directly on TCP port 9443, or through the kubectl port-forward command, it works.
But with traefik, in Debug mode, I get this error message:

time="2019-11-12T22:03:39+01:00" level=debug msg="Handling connection from 192.168.1.17:56241"
time="2019-11-12T22:03:39+01:00" level=debug msg="Error while terminating connection: close tcp 10.42.0.1:35402->10.42.0.122:9443: shutdown: transport endpoint is not connected"

Here is my IngressRouteTCP:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: openvpn-iop-ingressroute
spec:
  entryPoints:
    - tcp
  routes:
  - match: HostSNI(`*`)
    services:
    - name: openvpn
      port: 9443
  tls:
    secretName: openvpn-iop-secret

Here is my piece of configuration:

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

  [entryPoints.tcp]
    address = ":9443"

  [tcp.routers]
    [tcp.routers.main]
      entryPoints = ["tcp"]

The certificates used by the secret and the OpenVPN backend are issued by the same local authority.

I use Traefik v2, and already have exposed services on the HTTP & HTTPS endpoints, using certificates also issued by the same authority, and it's ok.
So I don't understand why this TCP route doesn't work the same.

Can someone tell me what I'm doing wrong?

Thanks a lot in advance :slight_smile:

Oznup

Hi @Oznup, can you remove the tls section completely in your IngressRouteTCP?
As OpenVPN does not support SNI (ref. https://forums.openvpn.net/viewtopic.php?t=12359),
then it means that Traefik cannot terminate TLS for this service.

Instead, by removing the TLS section, it means that Traefik will pass TCP packets "as is" without peeking inside, and will let OpenVPN terminate it.

1 Like
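The change suggested in the reply, written out as an added example (this is not the original poster's manifest nor anything from the Traefik project): the same IngressRouteTCP with the `tls` section removed, so Traefik forwards the raw TCP stream on the `tcp` entry point and the OpenVPN backend terminates TLS with its own certificate. The resource, secret and service names are the ones from the thread; the `openvpn-iop-secret` is simply no longer referenced. Without a `tls` section Traefik never decrypts the stream, so it cannot read an SNI and `HostSNI(`*`)` is the only matcher that can apply to this route.

```yaml
# Added example: TCP passthrough route for OpenVPN (not the original post's manifest).
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: openvpn-iop-ingressroute
spec:
  entryPoints:
    - tcp                      # the ":9443" entry point from the static config
  routes:
    - match: HostSNI(`*`)      # required: no SNI is readable on an undecrypted stream
      services:
        - name: openvpn        # Kubernetes Service fronting the OpenVPN pod
          port: 9443
  # no "tls:" section here -> Traefik does not terminate TLS; OpenVPN does,
  # which is why the CA that issued the backend certificate is the one the
  # VPN client must trust, not anything configured on Traefik's side
```

After `kubectl apply -f` of this manifest, the OpenVPN client is pointed at Traefik's address on port 9443 exactly as it was pointed at the service IP before; with passthrough the "shutdown: transport endpoint is not connected" debug line should stop appearing, because Traefik is no longer attempting a TLS handshake that OpenVPN does not answer. One further note on the static configuration quoted in the question: in Traefik v2, `[tcp.routers]` belongs to dynamic configuration (the file provider), not to the static entry point configuration; with the Kubernetes CRD provider the IngressRouteTCP above already defines the router, so that block is not needed for this route.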