
Re: [Openvpn-users] OpenVPN and NAT

  • Subject: Re: [Openvpn-users] OpenVPN and NAT
  • From: Martijn Lievaart <m@xxxxxxx>
  • Date: Mon, 13 Dec 2004 22:09:12 +0100

Mathias Sundman wrote:

On Mon, 13 Dec 2004, ad_koster wrote:

Does OpenVPN require the source port and destination port to be the same to
set up a tunnel?

No. The recent 2.0 releases of OpenVPN default to UDP port 1194 as source port (and destination), unless --nobind is used, which causes OpenVPN to pick the first free unprivileged port, like most applications.

The source port can however be changed by NAT devices, so you should not check the source port on your OpenVPN server. You could check that it is a high port if you want (1024:65535).

The OpenVPN server does not depend on what source port was used, so the problem you had was probably because of your iptables rule trying to check the source port.

We encountered exactly the same problem. Different devices do NAT in a whole lot of different ways and some even use some fixed high range as source for UDP NATting. Even on the most reasonable of NAT setups, the source port cannot be guaranteed because the source(ip:port)-dest(ip:port) (where source is the outside IP address) may be in use by another user. The NAT implementation is then required to pick another source port.
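
The failure described in this thread, as an added illustration that is not part of the original posts: a constructed model of a port-preserving NAT with two clients behind it, checked against a server-side rule that pins the source port and one that only requires a high port. The addresses, the `Napt` class and the rule functions are assumptions made for the example.

```python
"""Constructed model: port-preserving NAPT in front of an OpenVPN server."""

SERVER = ("203.0.113.10", 1194)   # constructed server address (TEST-NET-3)
NAT_PUBLIC_IP = "198.51.100.7"    # constructed NAT outside address (TEST-NET-2)


class Napt:
    """Keeps the client's source port when it can, otherwise picks another."""

    def __init__(self, public_ip, pool=range(1024, 65536)):
        self.public_ip = public_ip
        self.pool = pool
        self.in_use = {}  # (public_port, dst) -> (inside_ip, inside_port)

    def translate(self, inside_ip, inside_port, dst):
        owner = self.in_use.get((inside_port, dst))
        if owner in (None, (inside_ip, inside_port)):
            port = inside_port
        else:
            # Outside ip:port -> dst is taken by another user: choose a new port.
            port = next(p for p in self.pool if (p, dst) not in self.in_use)
        self.in_use[(port, dst)] = (inside_ip, inside_port)
        return (self.public_ip, port)


def strict_rule(src, dst):
    """Like: -p udp --sport 1194 --dport 1194 -j ACCEPT"""
    return src[1] == 1194 and dst[1] == 1194


def relaxed_rule(src, dst):
    """Like: -p udp --sport 1024:65535 --dport 1194 -j ACCEPT"""
    return 1024 <= src[1] <= 65535 and dst[1] == 1194


def simulate(rule):
    """Two clients behind one NAT, both bound to UDP 1194 (the 2.0 default)."""
    nat = Napt(NAT_PUBLIC_IP)
    clients = [("192.168.1.10", 1194), ("192.168.1.11", 1194)]
    return [rule(nat.translate(ip, port, SERVER), SERVER) for ip, port in clients]


if __name__ == "__main__":
    print("strict :", simulate(strict_rule))   # second client is dropped
    print("relaxed:", simulate(relaxed_rule))  # both clients accepted
```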

