Netgate Discussion Forum

No UDP port forwarding with OpenVPN client using AirVPN

Category: OpenVPN
17 Posts 2 Posters 3.9k Views

e9741449:

      Hi,

I've configured AirVPN as an OpenVPN client in pfSense, using (mostly) this guide (https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/). I've removed a few of the suggested rules, for now, that were blocking some traffic. Also it will be accessible using a VLAN instead of the standard LAN. LAN for normal traffic, VLAN for the VPN.

      Overall, it works well, the internet is working and I have no DNS leak.

But I'm having an issue with port forwarding. Currently I've been testing the ports with Vuze (torrent client) port tester. TCP works without issue and UDP isn't working. I have no clue why. Port forwarding is set to forward both TCP and UDP. The ports are properly configured in the AirVPN web site. In fact using Eddy, their Windows client, the ports work great! UDP just doesn't work using the pfSense OpenVPN client.

I'm kinda new to this whole networking thing. I've learned a lot getting this set up, but I'm not sure how to go about fixing this issue.

      Why isn't UDP traffic passing through ? Any ideas or suggestions ? Any settings that might affect this ?

      Thanks

Derelict (LAYER 8 Netgate):

Run a packet capture on the OpenVPN assigned interface. Filter on the UDP port and run a test. See if the packets are even arriving.

        If not, contact AirVPN. If they are, they would be being forwarded.

        Be sure the incoming traffic does not match rules on the OpenVPN tab, but only on the assigned interface tab.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

e9741449:

          I managed to packet capture UDP traffic on the VLAN (on the expected port) but not on the VPN's WAN nor the OpenVPN client. Again, TCP traffic flows through all of these on the same port without issue :(.

          There's no active rule in the Firewall/Rules/OpenVPN. Only a disabled one reminding me how it broke the TCP port forwarding initially.

          Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.

          The only rule on the AirVPN WAN auto created by the NAT for the ports forwarded (on TCP/UDP).

So I guess I have some kind of routing issue, but I don't know why or where. Why isn't it routed like TCP? >:(

          Is there somewhere I can see where the packets go to die ? Could it be a VLAN issue ?

Derelict (LAYER 8 Netgate):

            There's no active rule in the Firewall/Rules/OpenVPN.

            OK good.

            Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.

            I have no idea what that means. How about you post the actual rules. Probably the associated port forward as well.

            You will want that rule to pass traffic from any to the (post-NAT) inside destination/port of the port forward. It is no different than a port forward on a WAN interface in that case.

e9741449:

              @Derelict:

              Firewall/Rules/VLAN_13_AIRVPN only has one rule that allows traffic between the AirVPN gateway and the VLAN for any protocol.

              I have no idea what that means. How about you post the actual rules. Probably the associated port forward as well.

              You will want that rule to pass traffic from any to the (post-NAT) inside destination/port of the port forward. It is no different than a port forward on a WAN interface in that case.

              Rule description: AirVPN_LAN ALLOW OUTBOUND
              Action: Pass
              Interface: VLAN_13_AIRVPN
Address Family: IPv4
              Protocol: Any
              Source: VLAN_13_AIRVPN net
              Destination: any
              State type: Keep
              Gateway: WAN_AIRVPN_ALKAID_VPNV4 - X.X.X.X - Interface WAN_AIRVPN

All other fields are empty.

              The port forwarding:
              Interface: WAN_AIRVPN_ALKAID
              Protocol: TCP/UDP
              Destination: WAN_AIRVPN_ALKAID address
              Destination port range: Other, AirVPN_Ports_All (alias of all configured ports with AirVPN web site, all TCP works, all UDP fails)
              Redirected IP: IP of the VM on the VLAN
              Redirected target port: AirVPN_Ports_All

Derelict (LAYER 8 Netgate):

                So packet capture on the openvpn interface and see if the UDP packets are actually arriving there.

                I am surprised you are working at all with Source: VLAN_13_AIRVPN net on your outbound NAT. Must be something else going on there.

e9741449:

                  @Derelict:

                  So packet capture on the openvpn interface and see if the UDP packets are actually arriving there.

                  Packet captures of a TCP test followed by a UDP test (3 different tests with 3 different captures).

                  VLAN_13_AIRVPN
                  22:10:40.480655 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
                  22:10:40.481246 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
                  22:10:40.535360 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
                  22:10:40.535608 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 24
                  22:10:40.536465 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 34
                  22:10:40.536590 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
                  22:10:40.536597 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
                  22:10:40.597699 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0
                  22:10:40.598305 IP 192.168.20.125.29999 > 184.73.221.81.54491: tcp 0
                  22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                  22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                  22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                  22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113

                  WAN_AIRVPN_ALKAID
                  22:15:35.104487 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
                  22:15:35.104888 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
                  22:15:35.167576 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
                  22:15:35.167592 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 24
                  22:15:35.168101 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 34
                  22:15:35.168109 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
                  22:15:35.168225 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0
                  22:15:35.223669 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0
                  22:15:35.223944 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0

                  OpenVPN Client
                  22:17:33.877765 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
                  22:17:33.878143 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
                  22:17:33.933980 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
                  22:17:33.934605 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 24
                  22:17:33.934731 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 34
                  22:17:33.934738 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
                  22:17:33.934854 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0
                  22:17:33.993946 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0
                  22:17:33.994196 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0

                  @Derelict:

                  I am surprised you are working at all with Source: VLAN_13_AIRVPN net on your outbound NAT. Must be something else going on there.

Should I change it for something else? My understanding currently stops at that rule. I'd be happy to try anything.

Derelict (LAYER 8 Netgate):

                    22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                    22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                    22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                    22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113

                    That is outbound UDP. Inbound would be sourced from 182.73.221.81 dest 192.168.20.125. No UDP is actually arriving from the VPN provider.

                    Looking again it does not look like you are routing the UDP out the OpenVPN.
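As an added illustration, not written by either participant in this thread, the following Python script applies Derelict's reading of the captures mechanically: for each interface it classifies every tcpdump line on the forwarded port as inbound or outbound relative to the inside host (192.168.20.125) and the tunnel address (10.4.8.88), then reports, per protocol, whether the traffic ever reached the VPN-side interfaces. The embedded capture lines are a constructed subset of those posted above.

```python
import re
from collections import Counter

# Values as posted in this thread: inside host, pfSense's tunnel address, forwarded port.
INSIDE_HOST = "192.168.20.125"
TUNNEL_ADDR = "10.4.8.88"
FORWARDED_PORT = 29999

# Constructed sample: a subset of the tcpdump-style lines posted in this thread.
CAPTURES = {
    "VLAN_13_AIRVPN": [
        "22:10:40.480655 IP 184.73.221.81.54491 > 192.168.20.125.29999: tcp 0",
        "22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112",
    ],
    "WAN_AIRVPN_ALKAID": [
        "22:15:35.104487 IP 184.73.221.81.11959 > 10.4.8.88.29999: tcp 0",
        "22:15:35.104888 IP 10.4.8.88.29999 > 184.73.221.81.11959: tcp 0",
    ],
    "OpenVPN Client": [
        "22:17:33.877765 IP 184.73.221.81.42545 > 10.4.8.88.29999: tcp 0",
        "22:17:33.878143 IP 10.4.8.88.29999 > 184.73.221.81.42545: tcp 0",
    ],
}

LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>tcp|UDP)")

def parse_line(line):
    """Return (src, sport, dst, dport, proto) for one tcpdump line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].lower())

def direction(pkt, ours, port):
    """'inbound' if sent to us on the forwarded port, 'outbound' if sourced from it, else 'other'."""
    src, sport, dst, dport, _ = pkt
    if dst in ours and dport == port:
        return "inbound"
    if src in ours and sport == port:
        return "outbound"
    return "other"

def summarize(captures, ours=(INSIDE_HOST, TUNNEL_ADDR), port=FORWARDED_PORT):
    """Count packets per (interface, protocol, direction) on the forwarded port."""
    counts = Counter()
    for iface, lines in captures.items():
        for pkt in filter(None, map(parse_line, lines)):
            counts[(iface, pkt[4], direction(pkt, ours, port))] += 1
    return counts

def diagnose(counts, lan_iface, vpn_ifaces):
    """Thread's reasoning: traffic never seen on the tunnel cannot be forwarded, and
    outbound traffic seen on the LAN side only is not being policy-routed out the VPN."""
    findings = []
    for proto in ("tcp", "udp"):
        vpn_in = any(counts[(i, proto, "inbound")] for i in vpn_ifaces)
        vpn_out = any(counts[(i, proto, "outbound")] for i in vpn_ifaces)
        if not vpn_in:
            findings.append(f"{proto}: nothing inbound on the tunnel; provider is not delivering it")
        if counts[(lan_iface, proto, "outbound")] and not vpn_out:
            findings.append(f"{proto}: outbound seen on {lan_iface} only; not routed out the tunnel")
    return findings
```

Run on the sample, `diagnose(summarize(CAPTURES), "VLAN_13_AIRVPN", ("WAN_AIRVPN_ALKAID", "OpenVPN Client"))` reports both UDP findings and nothing for TCP, which matches the conclusion drawn above.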

e9741449:

                      @Derelict:

                      22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                      22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                      22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
                      22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113

                      That is outbound UDP. Inbound would be sourced from 182.73.221.81 dest 192.168.20.125. No UDP is actually arriving from the VPN provider.

That's what I understand too, UDP doesn't get routed, but I don't understand why. Is there a rule missing or wrong? A problem with the VLAN?

                      I'm not sure what to do at this point, I've reached the end of my networking knowledge. I know UDP is stateless but I don't understand why it's not being routed to the VPN like TCP traffic is.

                      Is there a way to check if a rule prevents it ?

Derelict (LAYER 8 Netgate):

                        The traffic will show in a packet capture even if it is blocked by a rule.

                        If you are capturing on the OpenVPN interface and the traffic is not arriving from the VPN provider, you need to check the configuration there.

                        pfSense cannot do anything with traffic that isn't sent to it.

e9741449:

                          @Derelict:

                          The traffic will show in a packet capture even if it is blocked by a rule.

                          If you are capturing on the OpenVPN interface and the traffic is not arriving from the VPN provider, you need to check the configuration there.

                          pfSense cannot do anything with traffic that isn't sent to it.

That makes perfect sense, I understand that. The UDP isn't processed by the NAT?

I don't understand what's wrong, if nothing was working I'd feel better but only UDP doesn't work and the configured rules don't discriminate against it. I'm not sure what to investigate, where to search.

To help me understand and remember the whole setup, I've deleted all settings related to the VPN and reconfigured it. Same result (no UDP, working TCP), but it did remind me of one thing I didn't mention before that is very relevant to this discussion: Firewall/NAT/Outbound. I've entered 2 mappings for interface WAN_AIRVPN_ALKAID (attached): one for 127.0.01 (is it necessary? not sure) and one for the VLAN addresses (192.168.20.0/24). Both for any port and any protocol. Is something else needed there?

                          Considering this is basically the same setup used by my "normal" internet. Is there some issue with UDP and VLAN I should be aware of ?

I might have to try it without a VLAN… That will require some work to try that (passing the cable)...

[attachment: Capture.jpg]

e9741449:

                            @e9741449:

I might have to try it without a VLAN… That will require some work to try that (passing the cable)...

                            Well… not a VLAN issue. Same behavior using a dedicated LAN port.  :'(

Derelict (LAYER 8 Netgate):

                              If it is not arriving on the OpenVPN interface from the ISP/VPN Provider there is NOTHING on the firewall you can do to fix it. They are not sending the traffic to you in the first place. Fix that.

                              Outbound NAT has nothing to do with inbound port forwards.

                              https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

e9741449:

                                @Derelict:

                                If it is not arriving on the OpenVPN interface from the ISP/VPN Provider there is NOTHING on the firewall you can do to fix it. They are not sending the traffic to you in the first place. Fix that.

                                Outbound NAT has nothing to do with inbound port forwards.

                                https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

As far as I can tell, like you can see from my packet capture, the issue is with outbound UDP. Outbound packets never reach the VPN's WAN, only the LAN/VLAN (and die there, never being routed to the WAN).

Derelict (LAYER 8 Netgate):

                                  Then your policy routing/rules are wrong on VLAN_13_AIRVPN.

                                  What you posted before looks right but if it was right it would be working.

                                  How about screen shots instead of what you sent before.

                                  Any logged firewall blocks when you try it?

e9741449:

                                    Here are, attached, the NAT rules for the VPN and the port forwarding rule. Tell me if you want to see something else.

I haven't seen anything about the 192.168.20.125 in Status/System/Logs/System/General, Status/System/Logs/System/Routing and Status/System/Logs/Firewall/Dynamic View. Is this where I'm supposed to look? Must I change something log wise?

[attachment: Configs.jpg]

e9741449:

I found a way to test UDP using Packet Sender (https://packetsender.com/) on the local computer and a remote computer (outside my network). One computer sends a UDP packet and the other receives it and replies.

                                      I found 2 things:
                                      Remote computer -> pfSense -> Local computer (192.168.20.125): It works ! The port forwarding actually works ! I even get a reply (no clue how that's possible) since…
Local computer (192.168.20.125) -> pfSense -> Remote computer: Fails, pfSense never sends the packet to the VPN.

So, it's not a port forwarding issue. I'm guessing it's a NAT issue or a routing issue (is there a difference?).

Not quite sure what to do about that... Not even sure this is related to OpenVPN... Should I start another thread?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.