richard wrote:
> I got the same troubles with netgear and another router. The link is broken
> on each ISP's IP change. openvpn@UDP is unable to remount the link. I've
> hacked a little perl script to reconnect with a different local port,
> which works fun. But in my case, that happens only with ONE ISP: France
> télécom (yeah I know, they s**k a lot).

I also had that problem with a Netgear DG834G ADSL/wireless router, when using Virgin UK as my ISP, and I found a solution.

The exact problem was: when using OpenVPN over UDP, if the ISP changed my IP address, then I'd see no more OpenVPN traffic.

I'm guessing that's a fault in the router's NAT implementation. The NAT will maintain an address translation for OpenVPN's UDP (local-ip, local-port, remote-ip, remote-port) quad, translating to a different local-ip on outgoing packets. When the router's ADSL-side IP address changes, that mapping is invalid, and the result is all outgoing traffic matching that quad to be blocked. The router _should_ drop the mapping in that case, and let it become reestablished with the new ADSL-side IP.

The blocking could be due to the outgoing firewall on the router, or it could be the ISP is blocking traffic from an IP source address that no longer matches my ADSL-side IP (which is generally a good thing for an ISP to do). Either way, when my ADSL-side IP address changed, OpenVPN traffic was blocked - permanently as long as I was trying to send any.

Solution: when this happens, change the local UDP port, so that a new NAT mapping is established.

How: a combination of "nobind", "ping" and "ping-restart" causes a different local port to be used automatically if traffic isn't getting through.

I found this to be reliable:

    proto udp
    remote 11.22.33.44        # server's IP
    rport 5000
    # Note: no "lport" option.

    # Must be short enough to keep any stateful (SPI/NAT) firewall open,
    # but not so short that 1000 clients would overwhelm the server.
    # The OpenVPN documentation suggests 15. This seems like a lot with
    # 1000 clients, but it might be necessary for some firewalls.
    ping 15

    # My Linksys ADSL router sometimes blocks the (local-IP, local-port,
    # remote-IP, remote-port) quad that's being used by the VPN. It does
    # this whenever the ADSL link is renegotiated to have a different IP.
    #
    # When this happens, the IP/port quad _cannot_ be used any more: all
    # outgoing traffic using it is blocked by the router! I see how this
    # occurs, and it's likely that some other SPI/NAT routers will do the same.
    #
    # Given that remote IP and port are fixed, the only way to ensure the
    # VPN continues is to switch to a different local port. This is
    # achieved using "ping-restart" and "nobind" together.
    nobind
    ping-restart 60

-- 
Jamie

____________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
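A small model of the NAT fault described above and of why "nobind" plus "ping-restart" recovers from it, added here as an example and not part of the original post or of OpenVPN itself. The addresses, ports, the four-ping restart threshold and the "+1" choice of new port are constructed assumptions; a real OpenVPN restart lets the OS pick the fresh ephemeral port.

```python
# Constructed simulation: a NAT that keeps a stale quad mapping after its WAN
# address changes, versus a client that rebinds to a new local port.
LAN_IP, SERVER = "192.168.1.10", ("11.22.33.44", 5000)  # assumed addresses


class Router:
    """NAT keyed on the (local_ip, local_port, remote_ip, remote_port) quad."""

    def __init__(self, wan_ip, drops_stale_mappings=False):
        self.wan_ip = wan_ip
        self.drops_stale_mappings = drops_stale_mappings  # correct-router behaviour
        self.table = {}  # quad -> WAN source IP recorded when the mapping was made

    def wan_ip_changed(self, new_ip):
        self.wan_ip = new_ip
        if self.drops_stale_mappings:
            self.table.clear()  # what the post says the router *should* do

    def forward(self, quad):
        """True if the outgoing packet gets through, False if it is blocked."""
        src = self.table.setdefault(quad, self.wan_ip)
        # A packet still translated to the old address never reaches the server:
        # the router's egress filter or the ISP's source-address check drops it.
        return src == self.wan_ip


def simulate(router, nobind, wan_change_at, steps, ping_restart=4):
    """Send one keepalive per step; return [(step, local_port, delivered), ...].

    nobind=False models a fixed lport.  nobind=True models OpenVPN restarting
    after `ping_restart` unanswered pings and rebinding to a new ephemeral port.
    """
    local_port = 49152 if nobind else 1194
    missed, log = 0, []
    for step in range(steps):
        if step == wan_change_at:
            router.wan_ip_changed("203.0.113.77")  # ISP hands out a new address
        delivered = router.forward((LAN_IP, local_port, *SERVER))
        log.append((step, local_port, delivered))
        missed = 0 if delivered else missed + 1
        if nobind and missed >= ping_restart:
            local_port += 1  # new quad -> router creates a mapping with the new WAN IP
            missed = 0
    return log


def delivered_after(log, step):
    """Delivery flags for every keepalive sent at or after `step`."""
    return [d for s, _, d in log if s >= step]
```

With a fixed lport every packet after the address change is lost for good; with nobind the outage lasts only until ping-restart fires, and a router that drops stale mappings shows no outage at all.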