OpenVPN UDP Problem

 
 
Florian
Guest
Posts: n/a

 
      07-22-2005, 09:25 AM
Hi,

I have a problem with my OpenVPN connection.
When I configure my tunnel with protocol tcp, all
works fine. When I change the protocol to udp, the
tunnel does not work. My OS is Debian sarge. The version
of my OpenVPN is

OpenVPN 2.0 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Jul 6 2005
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <(E-Mail Removed)>

The firewall settings on my server for testing the tunnel are not
activated !


Please help !
Thanks.

 
 
 
 
 
Philippe WEILL
Guest
Posts: n/a

 
      07-22-2005, 11:55 AM


Florian wrote:
> Hi,
>
> I have a problem with my OpenVPN connection.
> When I configure my tunnel with protocol tcp, all
> works fine. When I change the protocol to udp, the
> tunnel does not work. My OS is Debian sarge. The version
> of my OpenVPN is


Do you have a firewall/router between your client and your server
that could interact (blocking UDP or fragments)?


>
> OpenVPN 2.0 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Jul 6 2005
> Developed by James Yonan
> Copyright (C) 2002-2005 OpenVPN Solutions LLC <(E-Mail Removed)>
>
> The firewall settings on my server for testing the tunnel are not
> activated !
>
>
> Please help !
> Thanks.
>

 
 
Florian
Guest
Posts: n/a

 
      07-22-2005, 01:02 PM
I have one router between my server and my internet connection.
I just analyzed my internet traffic with a sniffer (tcpdump). When an OpenVPN
client opens a session to my OpenVPN server, I see the UDP packets
from the OpenVPN client, but my OpenVPN server is not answering.
The UDP traffic comes in, but there is still no traffic going out!


Philippe WEILL wrote:

>
>
> Florian wrote:
>> Hi,
>>
>> I have a problem with my OpenVPN connection.
>> When I configure my tunnel with protocol tcp, all
>> works fine. When I change the protocol to udp, the
>> tunnel does not work. My OS is Debian sarge. The version
>> of my OpenVPN is

>
> Do you have a firewall/router between your client and your server
> that could interact (blocking UDP or fragments)?
>
>
>>
>> OpenVPN 2.0 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Jul 6 2005
>> Developed by James Yonan
>> Copyright (C) 2002-2005 OpenVPN Solutions LLC <(E-Mail Removed)>
>>
>> The firewall settings on my server for testing the tunnel are not
>> activated !
>>
>>
>> Please help !
>> Thanks.
>>


 
 
chris-usenet@roaima.co.uk
Guest
Posts: n/a

 
      07-22-2005, 02:05 PM
Florian <florian-(E-Mail Removed)> wrote:
> I have a problem with my OpenVPN connection. When I configure my tunnel
> with protocol tcp, all works fine. When I change the protocol to udp,
> the tunnel does not work.


> I have one router between my server and my internet connection.
> I just analyzed my internet traffic with a sniffer (tcpdump). When an OpenVPN
> client opens a session to my OpenVPN server, I see the UDP packets
> from the OpenVPN client, but my OpenVPN server is not answering.
> The UDP traffic comes in, but there is still no traffic going out!


1. You have configured the corresponding UDP service and ports at *both*
ends, haven't you...?

2. You say you've sniffed the traffic. You need to do this on the client
and the server. Can you confirm that OpenVPN packets are arriving at the
server from the client? What about traffic the other way?

Chris
 
 
Florian
Guest
Posts: n/a

 
      07-22-2005, 02:35 PM
chris-(E-Mail Removed) wrote:

> Florian <florian-(E-Mail Removed)> wrote:
>> I have a problem with my OpenVPN connection. When I configure my tunnel
>> with protocol tcp, all works fine. When I change the protocol to udp,
>> the tunnel does not work.

>
>> I have one router between my server and my internet connection.
>> I just analyzed my internet traffic with a sniffer (tcpdump). When an
>> OpenVPN client opens a session to my OpenVPN server, I see the UDP packets
>> from the OpenVPN client, but my OpenVPN server is not answering.
>> The UDP traffic comes in, but there is still no traffic going out!

>
> 1. You have configured the corresponding UDP service and ports at *both*
> ends, haven't you...?
>
> 2. You say you've sniffed the traffic. You need to do this on the client
> and the server. Can you confirm that OpenVPN packets are arriving at the
> server from the client? What about traffic the other way?
>
> Chris


My sniffer output and the client Config

16:20:26.260485 IP 192.168.177.103.openvpn > 192.168.100.1.openvpn: UDP, length 42
16:20:28.622131 IP 192.168.177.103.openvpn > 192.168.100.1.openvpn: UDP, length 42
16:20:34.867149 IP 192.168.177.103.openvpn > 192.168.100.1.openvpn: UDP, length 42

#################### Client Config #########################
client
tls-client
dev tap

proto udp
remote 192.168.100.1 1194
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert OpenVPN-Client2.crt
key OpenVPN-Client2.key
tls-auth ta.key 1

comp-lzo
verb 3
#################### Client Config #########################

Sniffer output on the OpenVPN Server

16:18:12.002325 IP 192.168.177.103.1194 > 172.20.20.2.1194: UDP, length 42
16:18:14.071972 IP 192.168.177.103.1194 > 172.20.20.2.1194: UDP, length 42


IP 172.20.20.2 was NATed (internal IP of the server that runs OpenVPN)


#################### Server Config #########################
mode server
tls-server
port 1194
proto udp

dev tap
client-to-client

ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/OpenVPN-Server.crt
key easy-rsa/keys/OpenVPN-Server.key
tls-auth ta.key 0

dh easy-rsa/keys/dh1024.pem

ifconfig 172.20.21.1 255.255.255.224

# Routing Information
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"

# Client Config
client-config-dir ccd
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 6

#################### Server Config #########################


The client packets are arriving at the OpenVPN server.
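
The one-way traffic described in this post can be confirmed mechanically from a capture. The following is an added example, not part of the original post: it reads tcpdump UDP lines in the format shown above, rejoins lines wrapped by a mail or news client, and reports flows to the VPN port that never got a reply. The function names and the reply line in the second sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Server-side capture lines as posted in this thread.
SERVER_CAPTURE = """\
16:18:12.002325 IP 192.168.177.103.1194 > 172.20.20.2.1194: UDP, length 42
16:18:14.071972 IP 192.168.177.103.1194 > 172.20.20.2.1194: UDP, length 42
"""
# Constructed sample: the same flow with a reply from the server, wrapped
# the way a mail or news client wraps long lines.
HEALTHY_CAPTURE = """\
16:18:12.002325 IP 192.168.177.103.1194 > 172.20.20.2.1194: UDP,
length 42
16:18:12.010100 IP 172.20.20.2.1194 > 192.168.177.103.1194: UDP,
length 54
"""

TS = re.compile(r"\d\d:\d\d:\d\d\.\d+ ")
PKT = re.compile(r"\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): UDP, length \d+")

def unwrap(capture):
    """Rejoin records split across lines; a new record starts at a timestamp."""
    records = []
    for line in map(str.strip, capture.splitlines()):
        if TS.match(line) or (line and not records):
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def one_way_flows(capture, ports=("1194", "openvpn")):
    """Count packets per (client, server) pair sent to the VPN port with no reply seen."""
    seen = defaultdict(int)
    for rec in unwrap(capture):
        m = PKT.match(rec)
        if m:
            src, sport, dst, dport = m.groups()
            seen[(src, sport), (dst, dport)] += 1
    # A flow is one-way when the reversed (dst, src) pair never appears.
    return {
        (src[0], dst[0]): n
        for (src, dst), n in seen.items()
        if dst[1] in ports and (dst, src) not in seen
    }
```

Run on the server-side capture from the thread, it reports two unanswered packets from 192.168.177.103 to 172.20.20.2.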

 
 
Cantankerous Old Git
Guest
Posts: n/a

 
      07-22-2005, 07:29 PM
Florian wrote:
<traces and config snipped>

Please don't take offence at a dumb question - you did restart the
server after changing the config, didn't you? I don't see anything
glaringly wrong with the config, though I could be missing
something.

tls-server and tls-client are options I have never used. Maybe
you should try without these?

Check that the server is listening on UDP port 1194 with this
command: netstat -panu

Also check the server log - that may give a good clue.

Hope this is some help

The Cog
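
Comparing the two posted configurations option by option can also be done mechanically. The following is an added example, not part of the original post: it checks the OpenVPN options that have to agree on both ends (transport, port, device type, comp-lzo, tls-auth key direction). The function names are hypothetical, and the embedded configs are the thread's configs trimmed to those options.

```python
import re
# Options from the two configs posted in this thread, trimmed to the ones compared.
SERVER = """
port 1194
proto udp
dev tap
tls-auth ta.key 0
comp-lzo
"""
CLIENT = """
dev tap
proto udp
remote 192.168.100.1 1194
tls-auth ta.key 1
comp-lzo
"""

def parse(conf):
    """Map each directive to its argument list; '#' and ';' start comments."""
    opts = {}
    for raw in conf.splitlines():
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def mismatches(server_conf, client_conf):
    """List the settings that differ between the server and client configs."""
    s, c = parse(server_conf), parse(client_conf)
    found = []
    # "udp" on both ends, or tcp-server paired with tcp-client (default udp).
    s_proto, c_proto = (o.get("proto", ["udp"])[0].split("-")[0] for o in (s, c))
    if s_proto != c_proto:
        found.append(f"proto: server {s_proto}, client {c_proto}")
    s_port = s.get("port", ["1194"])[0]  # 1194 is the default port
    c_port = (c.get("remote", [])[1:2] or ["1194"])[0]  # port given in "remote"
    if s_port != c_port:
        found.append(f"port: server {s_port}, client {c_port}")
    if s.get("dev", ["?"])[0][:3] != c.get("dev", ["?"])[0][:3]:  # tun vs tap
        found.append("dev: tun/tap type differs")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        found.append("comp-lzo: enabled on one end only")
    # tls-auth needs key directions 0 and 1, or no direction on either end.
    s_ta, c_ta = s.get("tls-auth"), c.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        found.append("tls-auth: configured on one end only")
    elif s_ta is not None and sorted(s_ta[1:2] + c_ta[1:2]) not in ([], ["0", "1"]):
        found.append("tls-auth: key directions are not complementary")
    return found
```

For the configs posted in this thread, `mismatches(SERVER, CLIENT)` returns an empty list.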
 
 
Florian
Guest
Posts: n/a

 
      07-22-2005, 08:44 PM
After changing the config I have restarted the OpenVPN Server.
The socket from the OpenVPN Server is also open.

Output : netstat -panu
udp 0 0 0.0.0.0:1194 0.0.0.0:* 11262/openvpn

tls-client and tls-server are required options in this case.
Without these options the OpenVPN server may not run.
Could it be that a kernel option is wrong or not (correctly) set?
Could it be that there are other options than iptables in the Debian system
to control the UDP packets?

Option : uname -a
Linux kruemel 2.6.8-2-686 #1 Thu May 19 17:53:30 JST 2005 i686 GNU/Linux

I'm confused. I also can't find any clues in the Log Files.
Here is a Status Log File Output from my OpenVPN Server.
The suspicious thing in this case is that this configuration does work with tcp,
but not with udp! Why could this be possible?

OpenVPN CLIENT LIST
Updated,Fri Jul 22 22:25:24 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

Here is the syslog file output

OpenVPN 2.0 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Jul 6 2005
Jul 22 22:14:10 kruemel ovpn-OpenVPN-Server[11253]: Diffie-Hellman initialized with 1024 bit key
Jul 22 22:14:10 kruemel ovpn-OpenVPN-Server[11253]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Jul 22 22:14:10 kruemel ovpn-OpenVPN-Server[11253]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 22 22:14:10 kruemel ovpn-OpenVPN-Server[11253]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 22 22:14:10 kruemel ovpn-OpenVPN-Server[11253]: TLS-Auth MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11253]: TUN/TAP device tap0 opened
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11253]: TUN/TAP TX queue length set to 100
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11253]: /sbin/ifconfig tap0 172.20.21.1 netmask 255.255.255.224 mtu 1500 broadcast 172.20.21.31
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11253]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11262]: GID set to nogroup
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11262]: UID set to nobody
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11262]: Socket Buffers: R=[110592->131072] S=[110592->131072]
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11262]: UDPv4 link local (bound): [undef]:1194
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11262]: UDPv4 link remote: [undef]
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11262]: MULTI: multi_init called, r=256 v=256
Jul 22 22:14:11 kruemel ovpn-OpenVPN-Server[11262]: Initialization Sequence Completed
Jul 22 22:14:21 kruemel kernel: tap0: no IPv6 routers present

kruemel is the name of my server ;-)

Cantankerous Old Git wrote:

> Florian wrote:
> <traces and config snipped>
>
> Please don't take offence at a dumb question - you did restart the
> server after changing the config, didn't you? I don't see anything
> glaringly wrong with the config, though I could be missing
> something.
>
> tls-server and tls-client are options I have never used. Maybe
> you should try without these?
>
> Check that the server is listening on UDP port 1194 with this
> command: netstat -panu
>
> Also check the server log - that may give a good clue.
>
> Hope this is some help
>
> The Cog


 
 
chris-usenet@roaima.co.uk
Guest
Posts: n/a

 
      07-22-2005, 09:34 PM
> My sniffer output and the client Config
> Sniffer output on the OpenVPN Server
> The Client packets arriving at the OpenVPN Server.


Although I've not used the OpenVPN 2 client/server stuff it all looks
good to me. Especially as you said it worked with TCP but not UDP.

Does the server log admit that it recognises the packets?
Chris
 
 
chris-usenet@roaima.co.uk
Guest
Posts: n/a

 
      07-28-2005, 09:06 AM
Florian <florian-(E-Mail Removed)> wrote:
> After changing the config I have restarted the OpenVPN Server.
> The socket from the OpenVPN Server is also open.


> Option : uname -a
> Linux kruemel 2.6.8-2-686 #1 Thu May 19 17:53:30 JST 2005 i686 GNU/Linux


A couple of vague possibilities. I saw this once on my own setup, a
couple of months ago. (It had slipped my mind, hence the delay in
responding to you.)

First, try *rebooting* the server; don't just restart the OpenVPN
subsystem.

I'm running various combinations of 2.4.22, 2.6.8, and 2.6.10. Try
dropping back to an earlier kernel on the server - 2.4.x if you can.

Chris
 