OpenVPN TCP works, UDP does not
-
Pardon me, but this just cannot work. You cannot have the same server IP for TCP and UDP. Use IPv4 Tunnel Network: 192.168.2.0/24 for TCP and IPv4 Tunnel Network: 192.168.3.0/24 for UDP or whatever and you won't have any problem.
Trying this right now. Still same problem. Both can connect but only one can see the LAN.
-
Reboot to clear up the routing/states/whatnot mess.
-
You can't have the same tunnel network for two different VPNs.
-
Okay, I now have a different tunnel network for each VPN: 192.168.2.0/24 for TCP OVPN1 and 192.168.3.0/24 for UDP OVPN2.
Trouble now is that only network 192.168.2.0/24 will work, on either VPN. 192.168.3.0/24, or any other, will not work on either VPN. The LAN client can see the VPN client, but the VPN client cannot see the LAN client. Now this is seeming like a firewall issue, but I don't see anything that would pass the one network and not the others.
Routing table (netstat -rn, columns: Destination Gateway Flags Refs Use Mtu Netif):
192.168.2.0/24 192.168.2.1 UGS 0 0 1500 ovpns1
192.168.2.1 link#9 UH 0 0 1500 ovpns1
192.168.3.0/24 192.168.3.1 UGS 0 0 1500 ovpns2
192.168.3.1 link#10 UH 0 0 1500 ovpns2
-
Post your server1.conf and server2.conf. Post a screenshot of your firewall rules.
Also, the first thing I would do is change your LAN and tunnel IP scopes. Those ranges are too common on the client side.
-
As mentioned previously, the server1.conf and server2.conf are identical, with the exception of the protocol (one is tcp-server, the other is udp) and 2 vs. 1 being added to many of the items. Both work with 192.168.2.0/24. Neither works with 192.168.3.0/24.
Doesn't matter how common those ranges are. They are not used by anything else in this network, on either end. And oh, by the way, others were also tried: 192.168.4.0/24, 192.168.33.0/24, 192.168.102.0/24.
The only applicable firewall rule at this point should be the one on the OpenVPN tab, and it is the default rule. I haven't changed it. It is wide open for anything IPv4. I even tried adding a wide-open floating rule with the quick option enabled.
-
As mentioned previously, the server1.conf and server2.conf are identical, with the exception of the protocol (one is tcp-server, the other is udp) and 2 vs. 1 being added to many of the items. Both work with 192.168.2.0/24. Neither works with 192.168.3.0/24.
What? You did AGAIN create those two with identical subnets? Sigh. It will NOT work. You MUST have different ones for TCP and UDP. You cannot create two ifaces with the same IP and expect routing to work… Please, post the configs so that we stop wasting time here.
-
No, I did not recreate them with the same network. I just flipped them back and forth for diagnosis.
There was nothing in the configs that would solve this. I had already verified that was not the cause.
I think I've traced it down to the LAN client's Windows firewall. Yup, that was it. Verified and fixed. Thanks all for your guidance and suggestions. You were a big help.
-
I understand you said your configs are identical… but I always ask because you can't build a support model based on assumptions. I never assume anything without looking at the config... post them, so we can establish a base, rule out the config and move on. Right now, all we have are assumptions and we end up working backwards if any of them turn out to be incorrect.
Doesn't matter how common those ranges are
if you can control your clients' network maybe, but all it takes is one person on a linksys or netgear router at home to connect and your routing is broken. Now you spend days troubleshooting something that could've been avoided from the beginning in your network design.
The only applicable firewall rule at this point should be the one in OpenVPN tab
Yes, that's the one. Post a screenshot so we can move on; otherwise we have to assume "wide open" means any/any, but it may not be, and this thread goes on for weeks instead of a couple of days.
This will be confirmed when you post your configs, but it's been said the configs are identical except for the protocol, but technically they shouldn't be... they should be listening on different ports and have different tunnel networks.
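The coexistence requirements raised in this thread (different tunnel networks, and no two servers listening on the same protocol and port) are easy to check mechanically before posting configs. The following is an added example, not code from the thread or from pfSense: it parses the `proto`, `port`/`lport`, `dev` and `server` directives out of OpenVPN server config text and reports collisions between any number of servers. The three sample config pairs are constructed for illustration; the file names `server1.conf`/`server2.conf` match the thread, but the contents are assumed.

```python
"""Flag coexistence problems between several OpenVPN server configs.

Added example (not from the thread or pfSense). It reads the directives
pfSense writes into server1.conf / server2.conf and reports:
  * two servers bound to the same proto+port,
  * two servers whose 'server' tunnel networks overlap,
  * two servers on the same tun interface ('dev').
"""
import ipaddress
import shlex


def _normalize_proto(value):
    """'tcp4-server', 'tcp-server', 'udp4', 'udp6' -> 'tcp' / 'udp'."""
    return value.lower().split("-")[0].rstrip("46")


def parse_server_conf(text):
    """Return {'proto', 'port', 'server', 'dev'} from OpenVPN config text."""
    conf = {"proto": "udp", "port": 1194, "server": None, "dev": None}  # OpenVPN defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment lines
            continue
        parts = shlex.split(line)
        key, args = parts[0], parts[1:]
        if key == "proto" and args:
            conf["proto"] = _normalize_proto(args[0])
        elif key in ("port", "lport") and args:  # pfSense emits 'lport'
            conf["port"] = int(args[0])
        elif key == "dev" and args:
            conf["dev"] = args[0]
        elif key == "server" and len(args) >= 2:
            # 'server 192.168.2.0 255.255.255.0' -> IPv4Network 192.168.2.0/24
            conf["server"] = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return conf


def find_conflicts(configs):
    """configs: {name: config_text}. Returns a list of conflict descriptions."""
    parsed = {name: parse_server_conf(text) for name, text in configs.items()}
    names = sorted(parsed)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = parsed[a], parsed[b]
            if (pa["proto"], pa["port"]) == (pb["proto"], pb["port"]):
                problems.append(f"{a} and {b} both listen on {pa['proto']}/{pa['port']}")
            if pa["server"] and pb["server"] and pa["server"].overlaps(pb["server"]):
                problems.append(
                    f"{a} ({pa['server']}) and {b} ({pb['server']}) have overlapping tunnel networks"
                )
            if pa["dev"] and pa["dev"] == pb["dev"]:
                problems.append(f"{a} and {b} both use interface {pa['dev']}")
    return problems


# Constructed sample configs (assumed contents, modelled on pfSense output).
SAME_TUNNEL = {  # TCP and UDP on the same port is fine; the shared /24 is not
    "server1.conf": "dev ovpns1\nproto tcp4-server\nlport 1194\nserver 192.168.2.0 255.255.255.0\n",
    "server2.conf": "dev ovpns2\nproto udp4\nlport 1194\nserver 192.168.2.0 255.255.255.0\n",
}
SAME_PORT = {  # distinct tunnels, but both UDP/1194
    "server1.conf": "dev ovpns1\nproto udp4\nlport 1194\nserver 10.23.10.0 255.255.255.0\n",
    "server2.conf": "dev ovpns2\nproto udp4\nlport 1194\nserver 10.23.11.0 255.255.255.0\n",
}
DISTINCT = {  # what the thread recommends
    "server1.conf": "dev ovpns1\nproto tcp4-server\nlport 1194\nserver 10.23.10.0 255.255.255.0\n",
    "server2.conf": "dev ovpns2\nproto udp4\nlport 1194\nserver 10.23.11.0 255.255.255.0\n",
}

if __name__ == "__main__":
    for label, cfgs in (("same tunnel", SAME_TUNNEL), ("same port", SAME_PORT), ("distinct", DISTINCT)):
        print(label, "->", find_conflicts(cfgs) or ["no conflicts"])
```

Note that identical ports across the two servers are only flagged when the protocol also matches, which is the behaviour the first reply in the thread relies on (one TCP and one UDP listener on the same port is legal). Overlap is tested with `IPv4Network.overlaps`, so a /24 nested inside a /16 is caught as well as two identical /24s.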
-
Hmmmm. I would do a few things differently.
I would create 1 openvpn thread on 10.23.10.0/24 and the second on 10.23.11.0/24 or so… (just to get away from the 192.168s)
Then I would check my firewall rules to be sure the rules had been generated properly to PASS those subnets to ANY. Check the subnets match above.
Then I would create the outbound NAT rules to allow the LAN and both OpenVPN subnets. (I stopped using automatic outbound NAT on WAN.) Now try it on manual. Be warned that manual outbound NAT is picky. It has to be done correctly, but it never leaves me wondering "what went wrong?"
If that doesn't work, having a snapshot of your NAT rules, firewall rules, outbound NAT rules, and OpenVPN config would help people help you.
P.S. The reason I quit using Automatic Outbound NAT is because it kept rewriting SIP packets and was killing my servers.
And I'm a control freak... Thus the pfsense.