[OpenVPN home]	[Date Prev]	[Date Index]	[Date Next]
[OpenVPN mailing lists]	[Thread Prev]	[Thread Index]	[Thread Next]

[Openvpn-users] TCP vs. UDP in connection problem

Subject: [Openvpn-users] TCP vs. UDP in connection problem
From: "Peter Bako" <pbako@xxxxxxxxxx>
Date: Tue, 31 May 2005 16:17:08 -0700
Importance: Normal

I've been spending the last few days troubleshooting an odd connection
problem to my OpenVPN 2 server, which I eventually narrowed down to a
problem with the local firewalls at the various client sites that I have
tested from. In short without any kind of a firewall the connection goes
through like a champ, but with the firewall in place the connection would
fail on occation. My initial though, probably as yours, was to check over
my firewall rules and verify that have full in and out bound connection on
the UDP port 1194 - yet still the problem remains.

So just as a test I changed both my client and server to use TCP (still port
1194) instead of UDP, with no other changes to anything, including the local
firewalls, and lo and behold things work from all sites!

Now I understand the performace issues with TCP vs. UDP for tunneled
packets, so I really would prefer to stick with UDP but for the moment
things are working and that is the most critical thing. However I would
very much like to understand why this is, so I turn to the collective wisdom
of this group.

All of my firewalls are based on OpenBSD, version 3.4 to 3.6. One is a
filtering bridge and the other two are standard firewalls with a NAT'd range
behind them. The funny thing is that with the bridged location, if I
temporarily disable the firewall rules, the connection (UDP) goes through,
but if I do the same at the firewalled locations it still fails (other
things do process, so the un-filtered NAT process is not interrupted).

I used the following basic rules at all locations:

pass in quick on $ExtIF inet proto udp from any to any port 1194
pass out quick on $ExtIF inet proto udp from any to any port 1194
pass in quick on $IntIF inet proto udp from any to any port 1194
pass out quick on $IntIF inet proto udp from any to any port 1194

This should allow full in/out-bound access to UDP 1194, yet still it does
not work.

Anyone have any idea about this, or the UDP vs. TCP issue?

Thanks,
Peter

-------------------------------------------------------
This SF.Net email is sponsored by Yahoo.
Introducing Yahoo! Search Developer Network - Create apps using Yahoo!
Search APIs Find out how you can build Yahoo! directly into your own
Applications - visit http://developer.yahoo.net/?fr_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Prev by Date: Re: [Openvpn-users] Re: Question about chroot?
Previous by thread: Re: [Openvpn-users] Re: Question about chroot?
Index(es):
- Date
- Thread