
Re: [Openvpn-users] How best to handle a foreign site

  • Subject: Re: [Openvpn-users] How best to handle a foreign site
  • From: Patrick Lesslie <patricklesslie@xxxxxxxxxxxx>
  • Date: Mon, 16 Feb 2004 16:19:50 +1100

On Mon, Feb 16, 2004 at 12:24:00PM +0800, Paul Culmsee wrote:
> > A typical stateful firewall should allow client-initiated UDP
> > connections out, and the replies back in. IOW, from what you posted
> > there is no evidence of a problem.
> The reply is the issue. What I was not able to ascertain via the FAQ or
> man pages however was what a UDP reply entails.
> For example, if the remote network sends say, ICMP traffic to a network
> here, sure it will get encapsulated by openvpn and come through to the
> public ip of the openvpn box here to be decapsulated and then forwarded
> on.

Hope you don't mind if I jump in here ... (FWIW)

> But since we are talking about UDP, is the connection sync or async? I.e.,
> are the ICMP replies sent back out as UDP traffic that needs a remote IP
> address to hit. I don't have one that port forwards the reply back to
> the NAT'd vpn server at the remote end.

OpenVPN connections typically use UDP port 5000.  You can set it
for any particular connection in the config files at both ends,
as you probably know.  The protocols of the packets wrapped in
UDP have nothing to do with the routing from the client to the
server or back again, it depends only on how any firewalls on the
way treat UDP 5000 packets.  That is to say, it is UDP 5000 all
the way, and in both directions.  This is the beauty of OpenVPN.

If you have several concurrent connections, they need to use
different UDP ports.

The routing of the packets works as normal.  UDP has less overhead
than TCP because there is less checking, so it's the best choice.
In practice this doesn't matter since the packets being wrapped up
in UDP take care of their own checking as required by their protocol;
TCP connections will have all their normal checking done by the
client and the server, oblivious to the temporary wrapping in UDP.

> Or, does openvpn maintain state in the sense that if a connection is
> established from remote end to local end, replies are sent back to the
> NAT'd address of the remote end and therefore reliant on the stateful
> firewall to hopefully deal with it?

If a packet is initiated at remote client A, passes through NAT, travels
across the net to server B then the NAT takes care of reply packets.  
The remote client has to know the IP of the server, and that's all.
Packets going back will be addressed to the NAT firewall, and
connection tracking within that firewall will correctly send the
packets to client A.  That is to say, it is up to firewalls on the
way to maintain state.  Replies are sent to where they appear to have
come from, which is nothing special about OpenVPN really.

Patrick Lesslie
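As an added illustration (not from the thread or from OpenVPN itself), a toy stateful NAT in Python walks through the exchange Patrick describes: client A behind the NAT sends its UDP 5000 datagram, server B replies to where it appeared to come from, the NAT's connection tracking maps the reply back to A, and an unsolicited or stale inbound datagram is dropped because no state exists for it. The addresses, the public-side ports and the idle timeout are constructed values.

```python
# Toy stateful NAT for UDP: constructed example, not OpenVPN's code. Client A is
# behind the NAT, server B is public, both use UDP 5000; the payload is opaque.
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # seconds an idle UDP mapping survives (assumed value)


@dataclass(frozen=True)
class Packet:
    src: tuple    # (ip, port)
    dst: tuple    # (ip, port)
    payload: str  # inner protocol, e.g. the ICMP the thread mentions


class StatefulNat:
    """Connection tracking for UDP: (private src, dst) <-> public port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.by_flow = {}  # (priv_src, dst) -> pub_port
        self.by_port = {}  # (pub_port, dst) -> (priv_src, last_seen)

    def outbound(self, pkt, now):
        """Private -> Internet: create/refresh the mapping, rewrite the source."""
        pub_port = self.by_flow.setdefault((pkt.src, pkt.dst), self.next_port)
        if pub_port == self.next_port:
            self.next_port += 1  # a fresh flow consumed this public port
        self.by_port[(pub_port, pkt.dst)] = (pkt.src, now)
        return Packet((self.public_ip, pub_port), pkt.dst, pkt.payload)

    def inbound(self, pkt, now):
        """Internet -> private: forward only if it matches a live mapping."""
        entry = self.by_port.get((pkt.dst[1], pkt.src))
        if pkt.dst[0] != self.public_ip or entry is None or now - entry[1] > UDP_TIMEOUT:
            return None  # unsolicited or expired: dropped, nothing inside asked for it
        self.by_port[(pkt.dst[1], pkt.src)] = (entry[0], now)  # refresh the timer
        return Packet(pkt.src, entry[0], pkt.payload)


def demo():
    nat = StatefulNat("203.0.113.1")
    client_a, server_b = ("10.0.0.2", 5000), ("198.51.100.7", 5000)
    # A's ICMP echo request, already wrapped by OpenVPN into a UDP 5000 datagram
    wire = nat.outbound(Packet(client_a, server_b, "icmp echo-request"), now=0.0)
    # B simply replies to where the datagram appeared to come from
    reply = Packet(server_b, wire.src, "icmp echo-reply")
    delivered = nat.inbound(reply, now=1.0)
    unsolicited = nat.inbound(Packet(server_b, (nat.public_ip, 5000), "probe"), now=1.0)
    expired = nat.inbound(reply, now=1.0 + UDP_TIMEOUT + 1)
    return wire, delivered, unsolicited, expired
```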
