Compiled and installed OpenVPN 2.0.5 on OpenBSD 3.7. The OpenBSD box is also acting as the firewall. I have 2 lines on pf:

rdr pass on $ext_if proto udp from any to x.x.x.104 port 1194 -> 127.0.0.1 port 1194
rdr pass on $ext_if proto tcp from any to x.x.x.104 port 1194 -> 127.0.0.1 port 1194

When I use TCP, the clients have no problem connecting. But when I use UDP, it doesn't finish the handshake.

Server side:

Sun Apr 2 23:01:22 2006 us=694076 202.156.228.121:1194 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Apr 2 23:01:22 2006 us=695593 202.156.228.121:1194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Apr 2 23:01:22 2006 us=697906 202.156.228.121:1194 Local Options hash (VER=V4): 'f7df56b8'
Sun Apr 2 23:01:22 2006 us=699454 202.156.228.121:1194 Expected Remote Options hash (VER=V4): 'd79ca330'
Sun Apr 2 23:01:22 2006 us=701368 202.156.228.121:1194 GET INST BY REAL: 202.156.228.121:1194 [created]
Sun Apr 2 23:01:22 2006 us=702913 202.156.228.121:1194 UDPv4 READ [14] from 202.156.228.121:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 2 23:01:22 2006 us=704505 202.156.228.121:1194 TLS: Initial packet from 202.156.228.121:1194, sid=a661c5ed e5442acf
Sun Apr 2 23:01:22 2006 us=706549 202.156.228.121:1194 UDPv4 WRITE [26] to 202.156.228.121:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sun Apr 2 23:01:23 2006 us=910282 MULTI: REAP range 16 -> 32
Sun Apr 2 23:01:24 2006 us=490515 MULTI: REAP range 32 -> 48
Sun Apr 2 23:01:24 2006 us=492376 GET INST BY REAL: 202.156.228.121:1194 [succeeded]
Sun Apr 2 23:01:24 2006 us=494376 202.156.228.121:1194 UDPv4 READ [14] from 202.156.228.121:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 2 23:01:24 2006 us=501179 202.156.228.121:1194 UDPv4 WRITE [26] to 202.156.228.121:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sun Apr 2 23:01:25 2006 us=710137 MULTI: REAP range 48 -> 64
Sun Apr 2 23:01:26 2006 us=210553 MULTI: REAP range 64 -> 80
Sun Apr 2 23:01:26 2006 us=212413 GET INST BY REAL: 202.156.228.121:1194 [succeeded]
Sun Apr 2 23:01:26 2006 us=221689 202.156.228.121:1194 UDPv4 READ [14] from 202.156.228.121:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 2 23:01:26 2006 us=223677 202.156.228.121:1194 UDPv4 WRITE [26] to 202.156.228.121:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sun Apr 2 23:01:27 2006 us=430140 MULTI: REAP range 80 -> 96
Sun Apr 2 23:01:28 2006 us=270547 MULTI: REAP range 96 -> 112
Sun Apr 2 23:01:28 2006 us=280832 GET INST BY REAL: 202.156.228.121:1194 [succeeded]
Sun Apr 2 23:01:28 2006 us=282680 202.156.228.121:1194 UDPv4 READ [14] from 202.156.228.121:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 2 23:01:28 2006 us=284556 202.156.228.121:1194 UDPv4 WRITE [26] to 202.156.228.121:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sun Apr 2 23:01:29 2006 us=490150 MULTI: REAP range 112 -> 128
Sun Apr 2 23:01:30 2006 us=210567 MULTI: REAP range 128 -> 144
Sun Apr 2 23:01:30 2006 us=221443 GET INST BY REAL: 202.156.228.121:1194 [succeeded]
Sun Apr 2 23:01:30 2006 us=223276 202.156.228.121:1194 UDPv4 READ [14] from 202.156.228.121:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 2 23:01:30 2006 us=225458 202.156.228.121:1194 UDPv4 WRITE [26] to 202.156.228.121:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sun Apr 2 23:01:31 2006 us=430142 MULTI: REAP range 144 -> 160
Sun Apr 2 23:01:32 2006 us=240538 MULTI: REAP range 160 -> 176
Sun Apr 2 23:01:32 2006 us=242410 GET INST BY REAL: 202.156.228.121:1194 [succeeded]
Sun Apr 2 23:01:32 2006 us=251293 202.156.228.121:1194 UDPv4 READ [14] from 202.156.228.121:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 2 23:01:32 2006 us=253555 202.156.228.121:1194 UDPv4 WRITE [26] to 202.156.228.121:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0

---> And it keeps on printing all these writes and reads. I assume 2-way communication should be ok?

Client side:

Sun Apr 02 23:01:16 2006 us=140580 UDPv4 WRITE [14] to 58.185.90.104:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 02 23:01:18 2006 us=208141 UDPv4 WRITE [14] to 58.185.90.104:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 02 23:01:18 2006 us=900180 TUN READ [342]
Sun Apr 02 23:01:18 2006 us=900925 FRAG_OUT len=133 type=0 seq_id=0 frag_id=0 frag_size=0 flags=0x00000000
Sun Apr 02 23:01:19 2006 us=926280 UDPv4 WRITE [14] to 58.185.90.104:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 02 23:01:21 2006 us=989006 UDPv4 WRITE [14] to 58.185.90.104:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 02 23:01:23 2006 us=898481 TUN READ [342]
Sun Apr 02 23:01:23 2006 us=899148 FRAG_OUT len=134 type=0 seq_id=0 frag_id=0 frag_size=0 flags=0x00000000
Sun Apr 02 23:01:23 2006 us=900265 UDPv4 WRITE [14] to 58.185.90.104:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 02 23:01:25 2006 us=958137 UDPv4 WRITE [14] to 58.185.90.104:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0

I don't see any reads here, but when I kill the daemon on the server side, it gives a different message. Is pf crapping on me somewhere? I've tried many things but only TCP works.

--
Regards,
Edward/Rivest
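
Added example, not part of the original post: a small Python check that correlates the packet-trace lines from both peers' logs and reports in which direction the initial reset exchange stalls. The function names and result strings are illustrative assumptions; the sample lines are excerpted from the logs quoted above, with the terminal line wraps joined.

```python
import re

# OpenVPN packet-trace lines look like:
#   ... UDPv4 WRITE [26] to 202.156.228.121:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 ...
PKT = re.compile(r"UDPv4 (READ|WRITE) \[\d+\] (?:from|to) \S+: (P_\w+)")
C_RESET = "P_CONTROL_HARD_RESET_CLIENT_V2"
S_RESET = "P_CONTROL_HARD_RESET_SERVER_V2"

# Sample input: excerpts of the server and client logs from the post.
SERVER_LOG = """\
Sun Apr 2 23:01:22 2006 us=702913 202.156.228.121:1194 UDPv4 READ [14] from 202.156.228.121:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 2 23:01:22 2006 us=706549 202.156.228.121:1194 UDPv4 WRITE [26] to 202.156.228.121:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sun Apr 2 23:01:23 2006 us=910282 MULTI: REAP range 16 -> 32
"""
CLIENT_LOG = """\
Sun Apr 02 23:01:16 2006 us=140580 UDPv4 WRITE [14] to 58.185.90.104:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 02 23:01:18 2006 us=208141 UDPv4 WRITE [14] to 58.185.90.104:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun Apr 02 23:01:18 2006 us=900180 TUN READ [342]
"""

def count_packets(log_text):
    """Return {(direction, opcode): count} for every UDP READ/WRITE trace line."""
    counts = {}
    for m in PKT.finditer(log_text):
        key = (m.group(1), m.group(2))
        counts[key] = counts.get(key, 0) + 1
    return counts

def diagnose(server_log, client_log):
    """Say where the reset exchange stops, judged from both peers' logs."""
    s, c = count_packets(server_log), count_packets(client_log)
    sent = c.get(("WRITE", C_RESET), 0)     # client sent its hard reset
    seen = s.get(("READ", C_RESET), 0)      # server received it
    replied = s.get(("WRITE", S_RESET), 0)  # server sent its reply
    got = c.get(("READ", S_RESET), 0)       # client received the reply
    if got:
        return "reset exchange completed"
    if replied:
        return "server->client replies lost"
    if seen:
        return "server not answering"
    if sent:
        return "client->server packets lost"
    return "no handshake traffic"

if __name__ == "__main__":
    print(diagnose(SERVER_LOG, CLIENT_LOG))
```
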