OpenVPN behind Traefik via an IngressRouteTCP

Hello everyone,

I'm trying to set up an OpenVPN behind Traefik via an IngressRouteTCP on my k3s cluster, but I can't reach it.
Calling the service IP directly on TCP port 9443, or going through the kubectl port-forward command, works.
But with Traefik, in debug mode, I get this error message:

time="2019-11-12T22:03:39+01:00" level=debug msg="Handling connection from"
time="2019-11-12T22:03:39+01:00" level=debug msg="Error while terminating connection: close tcp> shutdown: transport endpoint is not connected"

Here is my IngressRouteTCP:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: openvpn-iop-ingressroute
spec:
  entryPoints:
    - tcp
  routes:
  - match: HostSNI(`*`)
    services:
    - name: openvpn
      port: 9443
  tls:
    secretName: openvpn-iop-secret

Here is my piece of configuration:

    address = ":80"

    address = ":443"

    address = ":9443"

      entryPoints = ["tcp"]

The certificates used by the secret and the OpenVPN backend are issued by the same local authority.

I use Traefik v2, and already have exposed services on the HTTP & HTTPS endpoints, using certificates also issued by the same authority, and it's ok.
So I don't understand why this TCP route doesn't work the same.

Can someone tell me what I'm doing wrong?

Thanks a lot in advance :slight_smile:


Hi @Oznup, can you remove the tls section completely in your IngressRouteTCP?
As OpenVPN does not support SNI (ref.,
then it means that Traefik cannot terminate TLS for this service.

Instead, removing the TLS section means that Traefik will pass TCP packets "as is" without peeking inside, and will let OpenVPN terminate it.

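An added example (not from the thread, and not Traefik or OpenVPN code) that classifies the first bytes a client sends on a TCP entry point: a TLS ClientHello can carry the SNI that a `tls` section works with, while OpenVPN over TCP opens with its own length-prefixed packet, so a router that terminates TLS has no handshake to parse. The function names and both sample packets are constructed for illustration.

```python
import struct

# OpenVPN opcodes that open a session: P_CONTROL_HARD_RESET_CLIENT_V2 / _V3.
OPENVPN_CLIENT_RESET = {7, 10}

def sni_from_client_hello(data: bytes):
    """Return the SNI host name of a TLS ClientHello, or None if it has none."""
    try:
        pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                    # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
        pos += 1 + data[pos]                    # compression_methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            if ext_type == 0:                   # server_name extension
                name_len = struct.unpack_from("!H", data, pos + 7)[0]
                return data[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                    # truncated or malformed hello
    return None

def classify(data: bytes) -> str:
    """Label the first bytes a client sends on a TCP entry point."""
    # TLS record type 0x16 (handshake), major version 3, handshake type 1.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 3 and data[5] == 1:
        host = sni_from_client_hello(data)
        return f"tls sni={host}" if host else "tls without sni"
    # OpenVPN over TCP: 16-bit length (heuristic bound < 2048), opcode in top 5 bits.
    if len(data) >= 3 and data[0] < 8 and data[2] >> 3 in OPENVPN_CLIENT_RESET:
        return "openvpn"
    return "unknown"

def build_client_hello(host=None) -> bytes:
    """Constructed minimal ClientHello, used only as sample input."""
    ext = b""
    if host:
        name = host.encode()
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed OpenVPN hard-reset packet: length 14, opcode byte 0x38, zeroed fields.
OPENVPN_FIRST_PACKET = struct.pack("!H", 14) + b"\x38" + bytes(13)
```

Feeding `classify` the first bytes captured on the 9443 entry point shows which kind of client is actually connecting before any routing change is made.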