Odd UDP behavior and Firewall Logs for ovpn

  • I am in the process of building a large site2site VPN network. We have a test rolled out for 3 remote clients and 1 server. It works well, however the way its logging is extremely confusing and makes reading the logs much less intuitive. I am curious if I am even reading them correctly.

    A simplified view of my net is this:

    OVPN Client (WAN int)-----> (WAN int) OVPN Server (LAN int)------> (unencrypted corporate WAN network) -------> (Data Center with services such as DNS, NTP, SMTP, ETC) ---------> Internet

    If I have an established site2site UDP tunnel between my OVPN client and OVPN server, should I need to create WAN interface rules on the OVPN server to allow access to things like DNS, NTP, etc. in my data center? I would assume these rules would need to be added to the OVPN interface; however, if I don't add rules on the WAN interface to allow DNS and NTP to pass through, the logs show the WAN interface blocks the traffic. If I add rules on the WAN interface to allow NTP and DNS, it shows successful traffic passing through as though it came through the ovpns1 interface.

    I don't understand how to read these logs. Specifically, it appears that UDP traffic such as DNS and NTP is not coming through the tunnel. Other traffic like SMTP and WWW is coming through the tunnel without needing WAN interface rules.

    Hopefully this makes sense to someone. I am at a stopping point until I can figure out if everything is passing through the tunnel as I designed it to do.

