No UDP port forwarding with OpenVPN client using AirVPN



  • Hi,

    I've configured AirVPN as an OpenVPN client in pfSense, using (mostly) this guide (https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/). I've removed a few of the suggested rules, for now, that were blocking some traffic. Also, it will be accessible using a VLAN instead of the standard LAN. LAN for normal traffic, VLAN for the VPN.

    Overall, it works well, the internet is working and I have no DNS leak.

    But I'm having an issue with port forwarding. Currently I've been testing the ports with Vuze (torrent client) port tester. TCP works without issue and UDP isn't working. I have no clue why. Port forwarding is set to forward both TCP and UDP. The ports are properly configured in the AirVPN web site. In fact, using Eddy, their Windows client, the ports work great! UDP just doesn't work using the pfSense OpenVPN client.

    I'm kinda new to this whole networking thing. I've learned a lot getting this set up, but I'm not sure how to go about fixing this issue.

    Why isn't UDP traffic passing through? Any ideas or suggestions? Any settings that might affect this?

    Thanks


  • Netgate

    Run a packet capture on the OpenVPN assigned interface. Filter on the UDP port and run a test. See if the packets are even arriving.

    If not, contact AirVPN. If they are, they would be being forwarded.

    Be sure the incoming traffic does not match rules on the OpenVPN tab, but only on the assigned interface tab.



  • I managed to packet capture UDP traffic on the VLAN (on the expected port) but not on the VPN's WAN nor the OpenVPN client. Again, TCP traffic flows through all of these on the same port without issue :(.

    There's no active rule in the Firewall/Rules/OpenVPN. Only a disabled one reminding me how it broke the TCP port forwarding initially.

    Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.

    The only rule on the AirVPN WAN is the one auto-created by the NAT for the forwarded ports (on TCP/UDP).

    So I guess I have some kind of routing issue, but I don't know why or where. Why isn't it routed like TCP  >:( ?

    Is there somewhere I can see where the packets go to die ? Could it be a VLAN issue ?


  • Netgate

    There's no active rule in the Firewall/Rules/OpenVPN.

    OK good.

    Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.

    I have no idea what that means. How about you post the actual rules. Probably the associated port forward as well.

    You will want that rule to pass traffic from any to the (post-NAT) inside destination/port of the port forward. It is no different than a port forward on a WAN interface in that case.



  • @Derelict:

    Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.

    I have no idea what that means. How about you post the actual rules. Probably the associated port forward as well.

    You will want that rule to pass traffic from any to the (post-NAT) inside destination/port of the port forward. It is no different than a port forward on a WAN interface in that case.

    Rule description: AirVPN_LAN ALLOW OUTBOUND
    Action: Pass
    Interface: VLAN_13_AIRVPN
    Address Family: IPv4
    Protocol: Any
    Source: VLAN_13_AIRVPN net
    Destination: any
    State type: Keep
    Gateway: WAN_AIRVPN_ALKAID_VPNV4 - X.X.X.X - Interface WAN_AIRVPN

    All other fields are empty.

    The port forwarding:
    Interface: WAN_AIRVPN_ALKAID
    Protocol: TCP/UDP
    Destination: WAN_AIRVPN_ALKAID address
    Destination port range: Other, AirVPN_Ports_All (alias of all configured ports with AirVPN web site, all TCP works, all UDP fails)
    Redirected IP: IP of the VM on the VLAN
    Redirected target port: AirVPN_Ports_All


  • Netgate

    So packet capture on the openvpn interface and see if the UDP packets are actually arriving there.

    I am surprised you are working at all with Source: VLAN_13_AIRVPN net on your outbound NAT. Must be something else going on there.



  • @Derelict:

    So packet capture on the openvpn interface and see if the UDP packets are actually arriving there.

    Packet captures of a TCP test followed by a UDP test (3 different tests with 3 different captures).

    VLAN_13_AIRVPN
    22:10:40.480655 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
    22:10:40.481246 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
    22:10:40.535360 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
    22:10:40.535608 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 24
    22:10:40.536465 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 34
    22:10:40.536590 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
    22:10:40.536597 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
    22:10:40.597699 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
    22:10:40.598305 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
    22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113

    WAN_AIRVPN_ALKAID
    22:15:35.104487 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
    22:15:35.104888 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
    22:15:35.167576 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
    22:15:35.167592 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 24
    22:15:35.168101 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 34
    22:15:35.168109 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
    22:15:35.168225 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
    22:15:35.223669 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
    22:15:35.223944 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0

    OpenVPN Client
    22:17:33.877765 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
    22:17:33.878143 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
    22:17:33.933980 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
    22:17:33.934605 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 24
    22:17:33.934731 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 34
    22:17:33.934738 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
    22:17:33.934854 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
    22:17:33.993946 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
    22:17:33.994196 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0

    @Derelict:

    I am surprised you are working at all with Source: VLAN_13_AIRVPN net on your outbound NAT. Must be something else going on there.

    Should I change it for something else? My understanding currently stops at that rule. I'd be happy to try anything.


  • Netgate

    22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113

    That is outbound UDP. Inbound would be sourced from 182.73.221.81 dest 192.168.20.125. No UDP is actually arriving from the VPN provider.

    Looking again it does not look like you are routing the UDP out the OpenVPN.
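    Derelict's reading of the capture (only outbound UDP from 192.168.20.125, nothing inbound) can be checked mechanically. This is an added example, not from the thread or from pfSense: it parses tcpdump-style lines like those posted, tallies packets by protocol and direction relative to the inside host, and lists the protocols that leave the host without any reply ever arriving. The sample is a constructed excerpt of the VLAN_13_AIRVPN capture above.

```python
import re
from collections import Counter

# Inside host the port forward points at, as given in the thread.
INSIDE_HOST = "192.168.20.125"
# Constructed sample: an excerpt of the VLAN_13_AIRVPN capture posted above
# (TCP test, then UDP test, both against port 29999).
SAMPLE_CAPTURE = """\
22:10:40.480655 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
22:10:40.481246 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
22:10:40.535608 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 24
22:10:40.536465 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 34
22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
"""

# One tcpdump summary line: "<time> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>tcp|UDP)"
)

def parse_line(line):
    """Fields of one tcpdump line as a dict, or None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["proto"] = pkt["proto"].lower()  # tcpdump prints "tcp" but "UDP"
    return pkt

def classify_capture(text, inside_host):
    """Tally packets by (proto, direction) relative to the inside host."""
    counts = Counter()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue  # interface headers and blank lines
        direction = ("inbound" if pkt["dst"] == inside_host
                     else "outbound" if pkt["src"] == inside_host else "other")
        counts[(pkt["proto"], direction)] += 1
    return counts

def unanswered_protocols(counts, protos=("tcp", "udp")):
    """Protocols the inside host sent out but never received anything for:
    trace these hop by hop (VLAN, then the OpenVPN interface) rather than
    at the port forward, which only handles the inbound leg."""
    return [p for p in protos
            if counts[(p, "outbound")] and not counts[(p, "inbound")]]
```

    Run the same tally on the OpenVPN interface capture: if the UDP packets seen on the VLAN never show up there, the problem lies between the two, in policy routing, not in the port forward.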



  • @Derelict:

    22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
    22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113

    That is outbound UDP. Inbound would be sourced from 182.73.221.81 dest 192.168.20.125. No UDP is actually arriving from the VPN provider.

    That's what I understand too, UDP doesn't get routed, but I don't understand why. Is there a rule missing or wrong ? A problem with the VLAN ?

    I'm not sure what to do at this point, I've reached the end of my networking knowledge. I know UDP is stateless but I don't understand why it's not being routed to the VPN like TCP traffic is.

    Is there a way to check if a rule prevents it ?


  • Netgate

    The traffic will show in a packet capture even if it is blocked by a rule.

    If you are capturing on the OpenVPN interface and the traffic is not arriving from the VPN provider, you need to check the configuration there.

    pfSense cannot do anything with traffic that isn't sent to it.



  • @Derelict:

    The traffic will show in a packet capture even if it is blocked by a rule.

    If you are capturing on the OpenVPN interface and the traffic is not arriving from the VPN provider, you need to check the configuration there.

    pfSense cannot do anything with traffic that isn't sent to it.

    That makes perfect sense, I understand that. Isn't the UDP processed by the NAT?

    I don't understand what's wrong. If nothing was working I'd feel better, but only UDP doesn't work and the configured rules don't discriminate against it. I'm not sure what to investigate, where to search.

    To help me understand and remember the whole setup, I've deleted all settings related to the VPN and reconfigured it. Same result (no UDP, working TCP), but it did remind me of one thing I didn't mention before that is very relevant to this discussion: Firewall/NAT/Outbound. I've entered 2 mappings for interface WAN_AIRVPN_ALKAID (attached): one for 127.0.01 (is it necessary? not sure) and one for the VLAN addresses (192.168.20.0/24). Both for any port and any protocol. Is something else needed there?

    Considering this is basically the same setup used by my "normal" internet. Is there some issue with UDP and VLAN I should be aware of ?

    I might have to try it without a VLAN… That will require some work to try that (passing the cable)...




  • @e9741449:

    I might have to try it without a VLAN… That will require some work to try that (passing the cable)...

    Well… not a VLAN issue. Same behavior using a dedicated LAN port.  :'(


  • Netgate

    If it is not arriving on the OpenVPN interface from the ISP/VPN Provider there is NOTHING on the firewall you can do to fix it. They are not sending the traffic to you in the first place. Fix that.

    Outbound NAT has nothing to do with inbound port forwards.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • @Derelict:

    If it is not arriving on the OpenVPN interface from the ISP/VPN Provider there is NOTHING on the firewall you can do to fix it. They are not sending the traffic to you in the first place. Fix that.

    Outbound NAT has nothing to do with inbound port forwards.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    As far as I can tell, like you can see from my packet capture, the issue is with outbound UDP. Outbound packets never reach the VPN's WAN, only the LAN/VLAN (and die there, never being routed to the WAN).


  • Netgate

    Then your policy routing/rules are wrong on VLAN_13_AIRVPN.

    What you posted before looks right but if it was right it would be working.

    How about screen shots instead of what you sent before.

    Any logged firewall blocks when you try it?



  • Here are, attached, the NAT rules for the VPN and the port forwarding rule. Tell me if you want to see something else.

    I haven't seen anything about 192.168.20.125 in Status/System/Logs/System/General, Status/System/Logs/System/Routing and Status/System/Logs/Firewall/Dynamic View. Is this where I'm supposed to look? Must I change something log-wise?




    I found a way to test UDP using Packet Sender (https://packetsender.com/) on the local computer and a remote computer (outside my network). One computer sends a UDP packet and the other receives it and replies.

    I found 2 things:
    Remote computer -> pfSense -> Local computer (192.168.20.125): It works! The port forwarding actually works! I even get a reply (no clue how that's possible) since…
    Local computer (192.168.20.125) -> pfSense -> Remote computer: Fails, pfSense never sends the packet to the VPN.

    So, it's not a port forwarding issue. I'm guessing it's a NAT issue or a routing issue (is there a difference ?).

    Not quite sure what to do about that... Not even sure this is related to OpenVPN... Should I start another thread?