LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 02-19-2008, 01:27 AM   #1
jjge
Member
 
Registered: Jun 2003
Location: Kalkar, Germany
Distribution: Slackware
Posts: 108

Rep: Reputation: 16
OpenVPN works with TCP, but not with UDP


I have an OpenVPN client and server normally connecting via TCP. However, on the firewall, I have forwarded both 1194/TCP and 1194/UDP to the OpenVPN server. I would think that replacing "proto TCP" (or TCP-server) by "proto UDP" on both sides would suffice to change from TCP to UDP. However, now I get "Connection refused" messages (and I have to drive to the site to recover). What went wrong?
 
Old 02-19-2008, 11:22 AM   #2
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196

Rep: Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044
Dunno, but while trying, make sure that you can SSH into your VPN server otherwis you are gonna drive back and forth a lot!

Once you forward to your openvpn server, you must
a) do a DNAT to your vpn server
b) allow forwarding traffic
like the example below:
Code:
#: Redirect traffic for the IMAP server to the IMAP server
$IPTABLES -A FORWARD -j ACCEPT -d $hst_imap_rnb  -p tcp --dport 143
$IPTABLES -t nat -A PREROUTING --dst $hst_ext_internet -p tcp --dport $prt_imap -j DNAT --to-destination $hst_imap_rnb
I am sure you understand the use of variables instead of hostnames etc.

Did you specify "-p udp" as well in both lines? Or left out "-p" completely which should work as well AFAIK.

Maybe your firewall blocks outgoing traffic higher than port 1024 (like my firewall does). For TCP I only allow this traffic for established,related connections, but I assume for UDP you cannot talk about established connections.

Last but not least, add a LOG statement at every DROP statement using the --log-prefix. This might look tedious at first, but it pays off when you are in positions like this.

One you have that ssh connection, use TCPDump to see up to where packets are coming. The firewall, the openvpn server, the client on the local LAN you try to reach, and backwards.

jlinkels
 
Old 02-19-2008, 12:53 PM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
If the client is Windows and you are just using Windows Firewall, you will have this problem (at least I did)... the fix was to install a "real" firewall like Zonealarm in order for it to be able to accept the udp packets.

I could literally do "proto tcp" and it would work, "proto udp" and it would stop. Remove windows firewall completely and it *sometimes* worked, sometimes didn't, but mostly worked. Installed ZoneAlarm and (after some simple setup which didn't involve anything more than "allowing" the OpenVPN client to be a "server" and "client") it all worked flawlessly.

Dunno whether this works on Vista or other versions of Windows. Linux-Linux I've never had a problem unless I messed up my firewall scripts.
 
Old 02-19-2008, 01:40 PM   #4
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196

Rep: Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044Reputation: 1044
Talking about a limited field of view... the thought that another firewall than Linux could be used did not even cross my mind.
 
Old 02-19-2008, 02:15 PM   #5
jjge
Member
 
Registered: Jun 2003
Location: Kalkar, Germany
Distribution: Slackware
Posts: 108

Original Poster
Rep: Reputation: 16
Well, actually I have no reason to suspect the firewall. I just forward udp/1194 and tcp/1194 to the OpenVPN machine, and I have no reason to doubt that it works, it worked already for several months on tcp.

However, today I went to the facility (yes, of course I control all machines in the plant via ssh, vnc, and other mechanisms, but if OpenVPN is unavailable, so are all these aids), and I found that the restart of OpenVPN had gone awry. Next week, just before I go to the plant again, I will give it another try.
 
Old 02-19-2008, 11:21 PM   #6
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Quote:
Originally Posted by jjge View Post
I have an OpenVPN client and server normally connecting via TCP. However, on the firewall, I have forwarded both 1194/TCP and 1194/UDP to the OpenVPN server. I would think that replacing "proto TCP" (or TCP-server) by "proto UDP" on both sides would suffice to change from TCP to UDP. However, now I get "Connection refused" messages (and I have to drive to the site to recover). What went wrong?
hi,

same as jlinkels, just for addition - AFAIK any vpn connection must use a TCP as opening session before tunneling data with UDP. so - you cant have direct straight UDP connection to open any vpn session.

HTH.
 
Old 02-21-2008, 03:46 AM   #7
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Quote:
Originally Posted by rossonieri#1 View Post
hi,

same as jlinkels, just for addition - AFAIK any vpn connection must use a TCP as opening session before tunneling data with UDP. so - you cant have direct straight UDP connection to open any vpn session.

HTH.
Er. Nope. I don't think so. Running a pure UDP OpenVPN here - TCP ports aren't even allowed. My wireless router allows nothing but port 1194, UDP (if I remember correctly) to transit over any wireless link and that's all that Zonealarm (on Windows clients) and rc.firewall (on Linux) allows on the clients or the server in question and it works perfectly.

The problem is that you need a firewall on Windows (I've only observed this behaviour on Windows clients) that does proper connection-tracking of UDP packets. Windows firewall doesn't. I can demonstrate this in two seconds - any number of exceptions etc. won't let Windows UDP OpenVPN work (where TCP works without problem and as you would expect) but switch Zonealarm back on and it all works fine (TCP or UDP). Some other freeware firewalls don't work, some do. Hardware firewalls tend to always work, but if you have any software firewall on your clients it will interfere unless it handles the UDP traffic flow properly.

I'm not saying that this is the problem here but it sounds suspiciously close. Try it yourself.
 
Old 02-21-2008, 04:39 AM   #8
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi ledow,

this is from a router standpoint (we being the router) :

are you sure you can directly UDP-ing a session across the internet? without using TCP first?

seems new to me.

in a LAN (single subnet) yes it will work - but on routed environment, i dont think so.

CMIIW.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
About TCP / UDP shipon_97 Linux - Newbie 5 06-24-2012 07:22 PM
TCP and UDP aatwell Programming 4 11-07-2007 09:47 AM
tcp/udp and c++ Kroenecker Programming 1 05-10-2005 12:56 PM
TCP vs. UDP mikeshn Linux - Networking 5 05-17-2003 05:14 PM
TCP forward works, why not UDP?? Pcghost Linux - Networking 4 02-19-2003 11:39 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 10:45 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration