02-19-2008, 01:27 AM | #1 | Member | Registered: Jun 2003 | Location: Kalkar, Germany | Distribution: Slackware | Posts: 108
OpenVPN works with TCP, but not with UDP
I have an OpenVPN client and server normally connecting via TCP. However, on the firewall, I have forwarded both 1194/TCP and 1194/UDP to the OpenVPN server. I would think that replacing "proto TCP" (or TCP-server) by "proto UDP" on both sides would suffice to change from TCP to UDP. However, now I get "Connection refused" messages (and I have to drive to the site to recover). What went wrong?
02-19-2008, 11:22 AM | #2 | LQ Guru | Registered: Oct 2003 | Location: Bonaire, Leeuwarden | Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE | Posts: 5,196
Dunno, but while trying, make sure that you can SSH into your VPN server, otherwise you are gonna drive back and forth a lot!
Once you forward to your openvpn server, you must
a) do a DNAT to your vpn server
b) allow forwarding traffic
like the example below:
Code:
#: Redirect traffic for the IMAP server to the IMAP server
$IPTABLES -A FORWARD -j ACCEPT -d $hst_imap_rnb -p tcp --dport 143
$IPTABLES -t nat -A PREROUTING --dst $hst_ext_internet -p tcp --dport $prt_imap -j DNAT --to-destination $hst_imap_rnb
I am sure you understand the use of variables instead of hostnames etc.
Did you specify "-p udp" as well in both lines? Or left out "-p" completely which should work as well AFAIK.
Maybe your firewall blocks outgoing traffic higher than port 1024 (like my firewall does). For TCP I only allow this traffic for established,related connections, but I assume for UDP you cannot talk about established connections.
Last but not least, add a LOG statement at every DROP statement using the --log-prefix. This might look tedious at first, but it pays off when you are in positions like this.
Once you have that ssh connection, use TCPDump to see up to where packets are coming. The firewall, the openvpn server, the client on the local LAN you try to reach, and backwards.
jlinkels
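As an added example (not from the thread and not jlinkels' own script), here are the DNAT and FORWARD rules from the post above written out for both tcp and udp on 1194, with the conntrack-state rules and the logged DROP the post recommends. The addresses and the IPT variable are placeholders; by default the script only prints the rules so they can be reviewed, and setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables rules that forward
# OpenVPN (tcp AND udp 1194) from a firewall to an internal server.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

EXT_IP="${EXT_IP:-198.51.100.10}"    # firewall's public address (placeholder)
VPN_HOST="${VPN_HOST:-192.168.1.5}"  # internal OpenVPN server (placeholder)
VPN_PORT="${VPN_PORT:-1194}"

# Emit the DNAT + FORWARD rules for one protocol ("tcp" or "udp").
# Note: netfilter conntrack tracks UDP flows as well, so ESTABLISHED,RELATED
# matches the server's UDP replies too, not only TCP connections.
vpn_forward_rules() {
    proto="$1"
    $IPT -t nat -A PREROUTING --dst "$EXT_IP" -p "$proto" --dport "$VPN_PORT" \
        -j DNAT --to-destination "$VPN_HOST"
    $IPT -A FORWARD -d "$VPN_HOST" -p "$proto" --dport "$VPN_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -s "$VPN_HOST" -p "$proto" --sport "$VPN_PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Log, then drop, whatever is left in FORWARD: a blocked packet then shows up
# in the kernel log with a greppable prefix instead of vanishing silently.
vpn_log_and_drop() {
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
}

# Count how many emitted rules carry "-p <proto>"; useful to check a dry run.
count_rules_for() {
    vpn_forward_rules "$1" | grep -c -- "-p $1"
}

main() {
    for p in tcp udp; do
        vpn_forward_rules "$p"
    done
    vpn_log_and_drop
}

main
```

Run it once without IPT set and read the printed rules; if every line for udp mirrors its tcp twin, the "only forwarded tcp" mistake from the post is ruled out.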
02-19-2008, 12:53 PM | #3 | Member | Registered: Apr 2005 | Location: UK | Distribution: Slackware 13.0 | Posts: 241
If the client is Windows and you are just using Windows Firewall, you will have this problem (at least I did)... the fix was to install a "real" firewall like Zonealarm in order for it to be able to accept the udp packets.
I could literally do "proto tcp" and it would work, "proto udp" and it would stop. Remove windows firewall completely and it *sometimes* worked, sometimes didn't, but mostly worked. Installed ZoneAlarm and (after some simple setup which didn't involve anything more than "allowing" the OpenVPN client to be a "server" and "client") it all worked flawlessly.
Dunno whether this works on Vista or other versions of Windows. Linux-Linux I've never had a problem unless I messed up my firewall scripts.
02-19-2008, 01:40 PM | #4 | LQ Guru | Registered: Oct 2003 | Location: Bonaire, Leeuwarden | Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE | Posts: 5,196
Talking about a limited field of view... the thought that another firewall than Linux could be used did not even cross my mind.
02-19-2008, 02:15 PM | #5 | Member | Registered: Jun 2003 | Location: Kalkar, Germany | Distribution: Slackware | Posts: 108 | Original Poster
Well, actually I have no reason to suspect the firewall. I just forward udp/1194 and tcp/1194 to the OpenVPN machine, and I have no reason to doubt that it works, it worked already for several months on tcp.
However, today I went to the facility (yes, of course I control all machines in the plant via ssh, vnc, and other mechanisms, but if OpenVPN is unavailable, so are all these aids), and I found that the restart of OpenVPN had gone awry. Next week, just before I go to the plant again, I will give it another try.
02-19-2008, 11:21 PM | #6 | Member | Registered: Jun 2007 | Posts: 359
Quote: Originally Posted by jjge
I have an OpenVPN client and server normally connecting via TCP. However, on the firewall, I have forwarded both 1194/TCP and 1194/UDP to the OpenVPN server. I would think that replacing "proto TCP" (or TCP-server) by "proto UDP" on both sides would suffice to change from TCP to UDP. However, now I get "Connection refused" messages (and I have to drive to the site to recover). What went wrong?
hi,
same as jlinkels, just for addition - AFAIK any vpn connection must use TCP as an opening session before tunneling data with UDP. so - you can't have a direct straight UDP connection to open any vpn session.
HTH.
02-21-2008, 03:46 AM | #7 | Member | Registered: Apr 2005 | Location: UK | Distribution: Slackware 13.0 | Posts: 241
Quote: Originally Posted by rossonieri#1
hi,
same as jlinkels, just for addition - AFAIK any vpn connection must use TCP as an opening session before tunneling data with UDP. so - you can't have a direct straight UDP connection to open any vpn session.
HTH.
Er. Nope. I don't think so. Running a pure UDP OpenVPN here - TCP ports aren't even allowed. My wireless router allows nothing but port 1194, UDP (if I remember correctly) to transit over any wireless link and that's all that Zonealarm (on Windows clients) and rc.firewall (on Linux) allows on the clients or the server in question and it works perfectly.
The problem is that you need a firewall on Windows (I've only observed this behaviour on Windows clients) that does proper connection-tracking of UDP packets. Windows firewall doesn't. I can demonstrate this in two seconds - any number of exceptions etc. won't let Windows UDP OpenVPN work (where TCP works without problem and as you would expect) but switch Zonealarm back on and it all works fine (TCP or UDP). Some other freeware firewalls don't work, some do. Hardware firewalls tend to always work, but if you have any software firewall on your clients it will interfere unless it handles the UDP traffic flow properly.
I'm not saying that this is the problem here but it sounds suspiciously close. Try it yourself.
02-21-2008, 04:39 AM | #8 | Member | Registered: Jun 2007 | Posts: 359
hi ledow,
this is from a router standpoint (we being the router):
are you sure you can directly UDP a session across the internet, without using TCP first?
seems new to me.
in a LAN (single subnet) yes it will work - but in a routed environment, I don't think so.
CMIIW.