
Re: [Openvpn-users] OpenVPN and NAT

  • Subject: Re: [Openvpn-users] OpenVPN and NAT
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Mon, 13 Dec 2004 21:45:19 +0100 (CET)

On Mon, 13 Dec 2004, ad_koster wrote:

> Currently we are considering replacing some of our IPSEC connections with OpenVPN, mainly because of the well-known NAT difficulties with IPSEC.

Good decision :-)

> However, after doing a number of tests we experienced problems using iptables
> rules on our firewalls like:
>
> iptables -I INPUT -p udp -s x.x.x.x --source-port 7777 -d x.x.x.x --destination-port 7777 -m state --state NEW -j ACCEPT

Are you using this on the machine working as OpenVPN server or client?

> In this setup an OpenVPN client is behind a router doing NAT and no tunnel
> is established. Most likely because the source port is randomly "adjusted" by

> So our question is:
>
> Does OpenVPN require the source port and destination port to be the same to
> set up a tunnel?

No. The recent 2.0 releases of OpenVPN default to UDP port 1194 as the source port (and destination), unless --nobind is used, which causes OpenVPN to pick the first free unprivileged port, like most applications.

The source port can however be changed by NAT devices, so you should not check the source port on your OpenVPN server. You could check that it is a high port if you want (1024:65535).

The OpenVPN server does not depend on what source port was used, so the problem you had was probably because of your iptables rule trying to check the source port.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail

Openvpn-users mailing list
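The firewall-side fix described in the reply above, as an added example that is not part of the thread: a small POSIX sh script that emits the server INPUT rule matching only on the destination port (with Mathias's optional 1024:65535 high-port check), and an audit function that scans an iptables-save style dump for UDP rules that pin the source port to one value, the mistake in the poster's rule. Port 1194 follows the 2.0 default mentioned in the reply; the sample dump, the script name openvpn-fw.sh and the addresses in it are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): generate an
# OpenVPN server INPUT rule that does not match on the UDP source port, and
# audit an existing rule set for rules that do. A NAT device in front of the
# client may rewrite the source port, so only the destination port is reliable.

# Rule the server actually needs. Optional second argument "yes" adds the
# 1024:65535 source-port range check suggested in the reply.
openvpn_accept_rule() {
    port=${1:-1194}          # OpenVPN listening port (2.0 default)
    highport_only=${2:-no}   # "yes" adds --sport 1024:65535
    if [ "$highport_only" = yes ]; then
        printf 'iptables -I INPUT -p udp --sport 1024:65535 --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    else
        printf 'iptables -I INPUT -p udp --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    fi
}

# Audit: print every UDP rule in an iptables-save style dump (passed as one
# string) whose --sport/--source-port is a single port number. Range matches
# such as 1024:65535 are fine for NATed clients and are not reported.
find_pinned_sport_rules() {
    printf '%s\n' "$1" \
      | grep -E -- '-p udp' \
      | grep -E -- '--(sport|source-port) [0-9]+( |$)'
}

# Number of offending rules in a dump (0 when the rule set is clean).
count_pinned_sport_rules() {
    find_pinned_sport_rules "$1" | grep -c .
}

# Constructed sample dump: the poster's rule rewritten the way iptables-save
# prints it, a correct destination-port-only rule, and a high-port range rule.
SAMPLE_RULES='-A INPUT -s 203.0.113.10/32 -d 198.51.100.5/32 -p udp -m udp --sport 7777 --dport 7777 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 1024:65535 --dport 1194 -m state --state NEW -j ACCEPT'

if [ "${1:-}" = "--audit" ]; then
    # Real use: iptables-save | sh openvpn-fw.sh --audit
    find_pinned_sport_rules "$(cat)"
else
    # Default: print the two rule variants for the default port.
    openvpn_accept_rule 1194
    openvpn_accept_rule 1194 yes
fi
```

Run it with no arguments to print the rule to apply; pipe `iptables-save` into it with `--audit` to list rules that would drop NATed clients. Whether the high-port variant is worth using is a judgement call: it only narrows the match to the ephemeral range a NAT box is expected to pick from, and the OpenVPN server itself never depends on the source port.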