On Mon, 13 Dec 2004, ad_koster wrote:
> Currently we are considering replacing some of our IPSEC connections with
> OpenVPN, mainly because of the well-known NAT difficulties with IPSEC.
Good decision :-)
> However, after doing a number of tests we experienced problems using iptables
> rules on our firewalls like:
>
> iptables -I INPUT -p udp -s x.x.x.x --source-port 7777 -d x.x.x.x --destination-port 7777 -m state --state NEW -j ACCEPT
Are you using this on the machine working as OpenVPN server or client?
> In this setup an OpenVPN client is behind a router doing NAT and no tunnel
> is established. Most likely because the sourceport is randomly "adjusted" by
> So our question is:
> Does OpenVPN require the source port and destination port to be the same to
> set up a tunnel?
No. The recent 2.0 releases of OpenVPN default to UDP port 1194 as the
source port (and destination port), unless --nobind is used, which causes
OpenVPN to pick the first free unprivileged port, like most applications.

The source port can, however, be changed by NAT devices, so you should not
check the source port on your OpenVPN server. You could check that it is a
high port if you want (1024:65535).

The OpenVPN server does not depend on what source port was used, so the
problem you had was probably caused by your iptables rule trying to check
the source port.
Mathias Sundman (^) ASCII Ribbon Campaign
OpenVPN GUI for Windows X NO HTML/RTF in e-mail
http://www.nilings.se/openvpn / \ NO Word docs in e-mail
Openvpn-users mailing list
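The following is an added example, not part of the mailing-list exchange, that simulates iptables first-match semantics for the two rule styles discussed above: the original rule that pins both source and destination port to 7777, and the relaxed rule Mathias suggests, which checks only the destination port and, at most, that the source port is unprivileged (1024:65535). The packets are constructed: a client that binds to port 7777 and is not behind NAT, and the same client after a NAT router rewrote its source port. The `render_rule` helper emits the corrected iptables command line as text; the addresses `x.x.x.x` and `y.y.y.y` are placeholders, as in the original post.

```python
"""Simulate how an iptables INPUT rule treats an OpenVPN client packet whose
source port was rewritten by a NAT router.

Added example for the thread above; the rules mirror the post, the packets
are constructed, and nothing here talks to a real netfilter instance.
"""

# Rule from the original post: source AND destination port must both be 7777.
STRICT_RULE = {"proto": "udp", "sport": (7777, 7777), "dport": (7777, 7777)}

# Relaxed rule: only the destination port is fixed; the source port merely
# has to be an unprivileged port, which survives NAT port rewriting.
RELAXED_RULE = {"proto": "udp", "sport": (1024, 65535), "dport": (7777, 7777)}

# Constructed packets: the same OpenVPN client seen directly and via NAT.
DIRECT_CLIENT = {"proto": "udp", "sport": 7777, "dport": 7777}
NATTED_CLIENT = {"proto": "udp", "sport": 53211, "dport": 7777}
NOBIND_CLIENT = {"proto": "udp", "sport": 45000, "dport": 7777}  # --nobind client


def _in_range(port, rng):
    """True if port lies inside the inclusive (low, high) range."""
    low, high = rng
    return low <= port <= high


def rule_matches(rule, packet):
    """Apply one udp match (--sport/--dport ranges) to a packet."""
    return (
        packet["proto"] == rule["proto"]
        and _in_range(packet["sport"], rule["sport"])
        and _in_range(packet["dport"], rule["dport"])
    )


def first_match(rules, packet):
    """iptables walks the chain top-down and stops at the first matching rule.
    Return that rule's index, or None if the packet falls through to policy."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, packet):
            return index
    return None


def render_rule(rule, src, dst):
    """Render a rule dict as the equivalent iptables command line."""
    def fmt(rng):
        low, high = rng
        return str(low) if low == high else f"{low}:{high}"

    return (
        f"iptables -I INPUT -p {rule['proto']} -s {src} --sport {fmt(rule['sport'])} "
        f"-d {dst} --dport {fmt(rule['dport'])} -m state --state NEW -j ACCEPT"
    )


if __name__ == "__main__":
    for name, pkt in (("direct", DIRECT_CLIENT), ("natted", NATTED_CLIENT),
                      ("nobind", NOBIND_CLIENT)):
        print(f"{name:7s} strict={rule_matches(STRICT_RULE, pkt)!s:5s} "
              f"relaxed={rule_matches(RELAXED_RULE, pkt)}")
    print("corrected rule:")
    print(" ", render_rule(RELAXED_RULE, "x.x.x.x", "y.y.y.y"))
```

Running the block shows the strict rule accepting only the non-NATed client, while the relaxed rule accepts all three; with the strict rule alone in the chain the NATed packet falls through to the chain policy, which is the "no tunnel is established" symptom from the original report.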