No UDP port forwarding with OpenVPN client using AirVPN
-
Hi,
I've configured AirVPN as an OpenVPN client in pfSense, using (mostly) this guide (https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/). I've removed a few of the suggested rules, for now, that were blocking some traffic. Also it's will be accessible using a VLAN instead of the standard LAN. LAN for normal traffic, VLAN for the VPN.
Overall, it works well, the internet is working and I have no DNS leak.
But I'm having an issue with port forwarding. Currently I've been testing the ports with Vuze (torrent client) port tester. TCP works without issue and UDP isn't working. I have no clue why. Port forwarding is set to forward both TCP and UDP. The ports are properly configured in AirVPN web site. In fact using Eddy, their Windows client, the ports works great ! UDP just doesn't work using the pfSense OpenVPN client.
I'm kinda new to this whole networking thing. I've learned alot getting this set up, but I'm not sure how to go about fixing this issue.
Why isn't UDP traffic passing through ? Any ideas or suggestions ? Any settings that might affect this ?
Thanks
-
Run a packet capture on the OpenVPN assigned interface. filter on the UDP port and run a test. see if the packets are even arriving.
If not, contact AirVPN. If they are, they would be being forwarded.
Be sure the incoming traffic does not match rules on the OpenVPN tab, but only on the assigned interface tab.
-
I managed to packet capture UDP traffic on the VLAN (on the expected port) but not on the VPN's WAN nor the OpenVPN client. Again, TCP traffic flows through all of these on the same port without issue :(.
There's no active rule in the Firewall/Rules/OpenVPN. Only a disabled one reminding me how it broke the TCP port forwarding initially.
Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.
The only rule on the AirVPN WAN auto created by the NAT for the ports forwarded (on TCP/UDP).
So I guess I have some kind of routing issue, but I don't know why or where. Why isn't it routed like TCP >:( ?
Is there somewhere I can see where the packets go to die ? Could it be a VLAN issue ?
-
There's no active rule in the Firewall/Rules/OpenVPN.
OK good.
Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.
I have no idea what that means. How about you post the actual rules. Probably the associated port forward as well.
You will want that rule to pass traffic from any to the (post-NAT) inside destination/port of the port forward. It is no different than a port forward on a WAN interface in that case.
-
Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.
I have no idea what that means. How about you post the actual rules. Probably the associated port forward as well.
You will want that rule to pass traffic from any to the (post-NAT) inside destination/port of the port forward. It is no different than a port forward on a WAN interface in that case.
Rule description: AirVPN_LAN ALLOW OUTBOUND
Action: Pass
Interface: VLAN_13_AIRVPN
Adress Family: IPv4
Protocol: Any
Source: VLAN_13_AIRVPN net
Destination: any
State type: Keep
Gateway: WAN_AIRVPN_ALKAID_VPNV4 - X.X.X.X - Interface WAN_AIRVPNAll other field are empty.
The port forwarding:
Interface: WAN_AIRVPN_ALKAID
Protocol: TCP/UDP
Destination: WAN_AIRVPN_ALKAID address
Destination port range: Other, AirVPN_Ports_All (alias of all configured ports with AirVPN web site, all TCP works, all UDP fails)
Redirected IP: IP of the VM on the VLAN
Redirected target port: AirVPN_Ports_All -
So packet capture on the openvpn interface and see if the UDP packets are actually arriving there.
I am surprised you are working at all with Source: VLAN_13_AIRVPN net on your outbound NAT. Must be something else going on there.
-
So packet capture on the openvpn interface and see if the UDP packets are actually arriving there.
Packet captures of a TCP test followed by a UDP test (3 different tests with 3 different captures).
VLAN_13_AIRVPN
22:10:40.480655 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
22:10:40.481246 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
22:10:40.535360 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
22:10:40.535608 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 24
22:10:40.536465 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 34
22:10:40.536590 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
22:10:40.536597 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
22:10:40.597699 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
22:10:40.598305 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113WAN_AIRVPN_ALKAID
22:15:35.104487 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
22:15:35.104888 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
22:15:35.167576 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
22:15:35.167592 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 24
22:15:35.168101 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 34
22:15:35.168109 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
22:15:35.168225 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
22:15:35.223669 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
22:15:35.223944 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0OpenVPN Client
22:17:33.877765 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
22:17:33.878143 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
22:17:33.933980 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
22:17:33.934605 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 24
22:17:33.934731 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 34
22:17:33.934738 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
22:17:33.934854 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
22:17:33.993946 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
22:17:33.994196 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0I am surprised you are working at all with Source: VLAN_13_AIRVPN net on your outbound NAT. Must be something else going on there.
Should I change it for something else ? My understading currently stops at that rule. I'd be happy to try anything.
-
22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113That is outbound UDP. Inbound would be sourced from 182.73.221.81 dest 192.168.20.125. No UDP is actually arriving from the VPN provider.
Looking again it does not look like you are routing the UDP out the OpenVPN.
-
22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113That is outbound UDP. Inbound would be sourced from 182.73.221.81 dest 192.168.20.125. No UDP is actually arriving from the VPN provider.
That's what I understand too, UDP doesn't get routed, but I don't understand why. Is there a rule missing or wrong ? A problem with the VLAN ?
I'm not sure what to do at this point, I've reached the end of my networking knowledge. I know UDP is stateless but I don't understand why it's not being routed to the VPN like TCP traffic is.
Is there a way to check if a rule prevents it ?
-
The traffic will show in a packet capture even if it is blocked by a rule.
If you are capturing on the OpenVPN interface and the traffic is not arriving from the VPN provider, you need to check the configuration there.
pfSense cannot do anything with traffic that isn't sent to it.
-
The traffic will show in a packet capture even if it is blocked by a rule.
If you are capturing on the OpenVPN interface and the traffic is not arriving from the VPN provider, you need to check the configuration there.
pfSense cannot do anything with traffic that isn't sent to it.
That make perfect sense, I understand that. The UDP doesn't processed by the NAT ?
I don't understand what's wrong, if nothing was working I'd feel better but only UDP doesn't work and the configured rules don't discriminated against it. I'm not sure what to investigate, where to search.
To help me understand and remember the whole setup, I've deleted all settings related to the VPN and reconfigured it. Same result (no UDP, working TCP), but it did remind me on one thing I didn't mention before that is very relevant to this discussion: Firewall/NAT/Outbound. I've entered 2 mappings for interface WAN_AIRVPN_ALKAID (attached): One for 127.0.01 (is it necessary? not sure) and one for the VLAN adresses (192.168.20.0/24). Both for any port and any protocol. Is something else needed there ?
Considering this is basically the same setup used by my "normal" internet. Is there some issue with UDP and VLAN I should be aware of ?
I might have to try it without a VLAN… That will require so work to try that (passing the cable)...
-
I might have to try it without a VLAN… That will require so work to try that (passing the cable)...
Well… not a VLAN issue. Same behavior using a dedicated LAN port. :'(
-
If it is not arriving on the OpenVPN interface from the ISP/VPN Provider there is NOTHING on the firewall you can do to fix it. They are not sending the traffic to you in the first place. Fix that.
Outbound NAT has nothing to do with inbound port forwards.
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
If it is not arriving on the OpenVPN interface from the ISP/VPN Provider there is NOTHING on the firewall you can do to fix it. They are not sending the traffic to you in the first place. Fix that.
Outbound NAT has nothing to do with inbound port forwards.
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
As far as I can tell, like you can see from my packet capture, the issue is with outbound UDP. Outbound packets never reach the VPN's WAN only the LAN/VLAN (and die there, never being router to the WAN).
-
Then your policy routing/rules are wrong on VLAN_13_AIRVPN.
What you posted before looks right but if it was right it would be working.
How about screen shots instead of what you sent before.
Any logged firewall blocks when you try it?
-
Here are, attached, the NAT rules for the VPN and the port forwarding rule. Tell me if you want to see something else.
I haven't seen anything about the 192.168.20.125 in Status/System/Logs/System/General, Status/System/Logs/System/Routing and Status/System/Logs/Firewall/Dynamic View. Is this where I'm suppose to look ? Must I change something log wise ?
-
I found a way to test udp using Packet Sender (https://packetsender.com/) on the local computer and a remote computer (outside my network). One computer sends a udp packet and the other receives it and reply.
I found 2 things:
Remote computer -> pfSense -> Local computer (192.168.20.125): It works ! The port forwarding actually works ! I even get a reply (no clue how that's possible) since…
Local computer (192.168.20.125) -> pfSense -> Remote computer: Fails, pfSense never seeds the packet to the VPN.So, it's not a port forwarding issue. I'm guessing it's a NAT issue or a routing issue (is there a difference ?).
Not quite sure what to do about that... Not even sure this is related to OpenVPN... Should I start an other threat ?