Proxy requests through VPN connection


#1

Trying to use Tyk to proxy to an upstream server that is accessed via a VPN link.

I have set up the VPN connection and it works well when I log into my Tyk gateway Docker container and access the upstream remote. But when I use Tyk, it fails.

http: proxy error: x509: cannot validate certificate for 196.xxx.xxx.xxx because it doesn't contain any IP SANs

The upstream expects a certain VPN client IP, but I notice that the IP being used is the Docker container IP.

How do I proxy a request through a VPN with the VPN client IP attached to the Tyk gateway server?


#2

You can reissue the certs to include an IP SAN for the host's IP. At the moment it fails as a protection against MITM: unless the IP is explicitly stated in the IP SAN, it doesn't meet the spec for a valid SSL cert.
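
As an added illustration of the IP SAN point above (example code, not from this thread or from Tyk): Go's own hostname check, which is what produces the `x509` proxy error quoted in the first post, run against a constructed self-signed certificate with and without an IP SAN. The upstream name `upstream.internal` and the IP `192.0.2.10` are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)
// selfSigned builds a throwaway self-signed cert carrying the given SANs (constructed test data).
func selfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameOK reports whether a cert with these SANs passes Go's hostname check for
// the target the proxy dials (DNS name or IP literal), and returns the error text if not.
func HostnameOK(dnsNames []string, ips []net.IP, dialTarget string) (bool, string) {
	cert, err := selfSigned(dnsNames, ips)
	if err == nil {
		err = cert.VerifyHostname(dialTarget)
	}
	if err != nil {
		return false, err.Error()
	}
	return true, ""
}

func main() {
	// A DNS-only cert dialed by IP fails (the thread's error); reissued with an IP SAN it passes.
	fmt.Println(HostnameOK([]string{"upstream.internal"}, nil, "192.0.2.10"))
	fmt.Println(HostnameOK([]string{"upstream.internal"}, []net.IP{net.ParseIP("192.0.2.10")}, "192.0.2.10"))
}
```

Dialing the upstream by its DNS name instead of the IP literal is the other way to satisfy this check without reissuing, provided the VPN-side DNS resolves it.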


#3

Sounds like it would work, but for me it is not a possibility because the issuer won't reissue it. Is there a way to mask the IP, or perhaps is it something to do with routing configs?

How can I possibly achieve this without reissuing the certificate? Also, is there a way to debug the connection, because I feel there must be more information I can check apart from the dashboard log error I posted.

Would this work or be related to this challenge?


#4

So, I was able to accomplish my goal by adding proxy_ssl_insecure_skip_verify to gateway config and adding a transformation replacing the X-FORWARDED-FOR header IP with the correct one.

Adding routes and messing with iptables within my Docker container did not work because of the TCP handshake protocol.

Is this solution OK, or am I tempting fate by using the X-FORWARDED-FOR header? I am pretty new to Tyk, so I don't fully know the implications of this. The upstream host seemingly uses that for IP identification.


#5

Nice! Honestly it seems like a bit of a hack, but I'm not sure I have a better solution.