OpenVPN works with TCP, but not with UDP

jjge · 02-19-2008, 12:27 AM

I have an OpenVPN client and server normally connecting via TCP. However, on the firewall, I have forwarded both 1194/TCP and 1194/UDP to the OpenVPN server. I would think that replacing "proto TCP" (or TCP-server) by "proto UDP" on both sides would suffice to change from TCP to UDP. However, now I get "Connection refused" messages (and I have to drive to the site to recover). What went wrong?

jlinkels · 02-19-2008, 10:22 AM

Dunno, but while trying, make sure that you can SSH into your VPN server otherwis you are gonna drive back and forth a lot!

Once you forward to your openvpn server, you must
a) do a DNAT to your vpn server
b) allow forwarding traffic
like the example below:

Code:

#: Redirect traffic for the IMAP server to the IMAP server
$IPTABLES -A FORWARD -j ACCEPT -d $hst_imap_rnb  -p tcp --dport 143
$IPTABLES -t nat -A PREROUTING --dst $hst_ext_internet -p tcp --dport $prt_imap -j DNAT --to-destination $hst_imap_rnb

I am sure you understand the use of variables instead of hostnames etc.

Did you specify "-p udp" as well in both lines? Or left out "-p" completely which should work as well AFAIK.

Maybe your firewall blocks outgoing traffic higher than port 1024 (like my firewall does). For TCP I only allow this traffic for established,related connections, but I assume for UDP you cannot talk about established connections.

Last but not least, add a LOG statement at every DROP statement using the --log-prefix. This might look tedious at first, but it pays off when you are in positions like this.

One you have that ssh connection, use TCPDump to see up to where packets are coming. The firewall, the openvpn server, the client on the local LAN you try to reach, and backwards.

jlinkels

ledow · 02-19-2008, 11:53 AM

If the client is Windows and you are just using Windows Firewall, you will have this problem (at least I did)... the fix was to install a "real" firewall like Zonealarm in order for it to be able to accept the udp packets.

I could literally do "proto tcp" and it would work, "proto udp" and it would stop. Remove windows firewall completely and it *sometimes* worked, sometimes didn't, but mostly worked. Installed ZoneAlarm and (after some simple setup which didn't involve anything more than "allowing" the OpenVPN client to be a "server" and "client") it all worked flawlessly.

Dunno whether this works on Vista or other versions of Windows. Linux-Linux I've never had a problem unless I messed up my firewall scripts.

jlinkels · 02-19-2008, 12:40 PM

Talking about a limited field of view... the thought that another firewall than Linux could be used did not even cross my mind.

jjge · 02-19-2008, 01:15 PM

Well, actually I have no reason to suspect the firewall. I just forward udp/1194 and tcp/1194 to the OpenVPN machine, and I have no reason to doubt that it works, it worked already for several months on tcp.

However, today I went to the facility (yes, of course I control all machines in the plant via ssh, vnc, and other mechanisms, but if OpenVPN is unavailable, so are all these aids), and I found that the restart of OpenVPN had gone awry. Next week, just before I go to the plant again, I will give it another try.

rossonieri#1 · 02-19-2008, 10:21 PM

Quote:

Originally Posted by jjge

I have an OpenVPN client and server normally connecting via TCP. However, on the firewall, I have forwarded both 1194/TCP and 1194/UDP to the OpenVPN server. I would think that replacing "proto TCP" (or TCP-server) by "proto UDP" on both sides would suffice to change from TCP to UDP. However, now I get "Connection refused" messages (and I have to drive to the site to recover). What went wrong?

hi,

same as jlinkels, just for addition - AFAIK any vpn connection must use a TCP as opening session before tunneling data with UDP. so - you cant have direct straight UDP connection to open any vpn session.

HTH.

ledow · 02-21-2008, 02:46 AM

Quote:

Originally Posted by rossonieri#1

hi,

same as jlinkels, just for addition - AFAIK any vpn connection must use a TCP as opening session before tunneling data with UDP. so - you cant have direct straight UDP connection to open any vpn session.

HTH.

Er. Nope. I don't think so. Running a pure UDP OpenVPN here - TCP ports aren't even allowed. My wireless router allows nothing but port 1194, UDP (if I remember correctly) to transit over any wireless link and that's all that Zonealarm (on Windows clients) and rc.firewall (on Linux) allows on the clients or the server in question and it works perfectly.

The problem is that you need a firewall on Windows (I've only observed this behaviour on Windows clients) that does proper connection-tracking of UDP packets. Windows firewall doesn't. I can demonstrate this in two seconds - any number of exceptions etc. won't let Windows UDP OpenVPN work (where TCP works without problem and as you would expect) but switch Zonealarm back on and it all works fine (TCP or UDP). Some other freeware firewalls don't work, some do. Hardware firewalls tend to always work, but if you have any software firewall on your clients it will interfere unless it handles the UDP traffic flow properly.

I'm not saying that this is the problem here but it sounds suspiciously close. Try it yourself.

rossonieri#1 · 02-21-2008, 03:39 AM

hi ledow,

this is from a router standpoint (we being the router) :

are you sure you can directly UDP-ing a session across the internet? without using TCP first?

seems new to me.

in a LAN (single subnet) yes it will work - but on routed environment, i dont think so.

CMIIW.