[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] OpenVpn behind a NAT.

  • Subject: Re: [Openvpn-users] OpenVpn behind a NAT.
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Mon, 16 Jul 2007 01:38:13 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID398LgPgMu0018X39

Agostino Maurotto wrote:
> Hi everyone
> i was trying to set OpenVPN to access two computer behind a university 
> nat, in fact i need to access those pc from outside in order to perform 
> some analisys from home.
> While at home i can change my nat and add any forward ports, i can't do 
> it at university so until now, i was using reverse ssh tunnel in order 
> to connect.
> I tried to set up OpenVPN as follow:
> set my pc as server, give port 4444 to server, open port 4444 on nat 
> toward my pc, generate keys for my pc and for client
> upload by sftp the keys on the client via reverse ssh, start the client 
> and try to connect.
> The client keeps giving me TLS timeout error, even if i am perfectly 
> able to ping my machine from the client itself.
> I tried to change port, and dh keys, but with no luck..
> what else can i try?
> Thanks
> Agostino

NAT isn't a problem for OpenVPN assuming the encapsulated traffic can
flow between the 2 peers.  Some networks choose to use more restrictive
firewalls that block a lot of arbitrary ports for outbound traffic,
particularly UDP ports since traffic patterns and content can be harder
to identify with this protocol.  I would check to see if your initial
packets are even arriving on the server since they might be blocked
before they leave the client's firewall.  If that's the case, you can
try more standard UDP ports (eg: DNS) or switch to a common TCP port,
such as port 443 (which is often a popular choice since many firewalls
have rules to allow outbound https traffic.)  If the initial packet does
arrive on the server, insure that the server's reply reaches your client.

As a side note, many universities have policies in place against remote
access to the network except using authorized methods.  Please be aware
of any regulations that apply to you since network staff will often
follow-up on suspicious traffic.


Attachment: signature.asc
Description: OpenPGP digital signature