RTSP (IP CAM) traffic over OpenVPN Connection



  • I honestly don't know if this is the correct place to post, but I'm having problems streaming an RTSP (IP Cam) over my VPN.

    Network Setup:

    • Netgate MBT-4220
• Cisco Catalyst 2960-X (24 ports, port 2 = uplink to pfSense with trunking on VLAN 1, 5, 6. Port 5 is switch access to VLAN 5, port 11 is switch access to VLAN 6).

    Networks:

    • WAN - Public IP
    • Wired_LAN - no vlan tag - 172.25.0.0/22
    • OpenVPN Tun Server - 172.25.4.0/24 (routes pushed for 172.25.0.0/16 and another /16 that is outside of this troubleshooting)
    • CAM - Vlan tag 5 - 172.25.5.0/24
    • WiFi_LAN - Vlan tag 6 - 172.25.6.0/24

    I've got outbound NAT rules for the Wired_LAN, and WiFi_LAN networks.

    I have a limited outbound NAT for TCP/UDP ports 53 and 123 only to WAN on the CAM network.

    I've got some basic firewall rules set up, where WiFi devices cannot communicate with the Wired network, with the exception of a few devices. WiFi/CAM networks cannot access ports 22, 80, or 443 of the firewall, and the VPN network has access to anything, just as the Wired_LAN clients do.

    CAM network has the following rules.

    • Block IPv6 *
    • Block IPv4/IPv6 TCP/UDP to Firewall port 80
    • Block IPv4/IPv6 TCP/UDP to Firewall port 22
    • Block IPv4/IPv6 TCP/UDP to Firewall port 443
    • Allow IPv4 TCP/UDP to any port 53 (DNS)
    • Allow IPv4 TCP/UDP to any port 123 (NTP)
    • Block IPv4/IPv6 to WAN_GATEWAY
    • Allow IPv4 any to any

    I can stream the camera (172.25.5.10) RTSP to any client on the LAN or WiFi network no problems.

    When I VPN into my network (iPhone using the OpenVPN client, if that matters), from packet captures it looks as if the RTP stream initializes, but all I get is a black screen. I can connect to the HTTP port of the camera, and even ping it just fine.

    I've done quite a few packet captures, and I can't make any sense of the data. Most of what I'm reading is that RTSP streams use random ports when sending data back to the destination, so maybe something within the firewall is blocking it?

    From WireShark I have quite a few retransmission errors on the stream from 172.25.5.10 (CAM) to 172.25.4.2 (iPhone VPN client):

    12 1.440549 172.25.5.10 172.25.4.2 TCP 731 [TCP Retransmission] 554 → 63463 [PSH, ACK] Seq=185 Ack=273 Win=30032 Len=665 TSval=3730549 TSecr=1351962386
    13 1.730555 172.25.5.10 172.25.4.2 TCP 731 [TCP Retransmission] 554 → 63463 [PSH, ACK] Seq=185 Ack=273 Win=30032 Len=665 TSval=3730578 TSecr=1351962386

    I might have gone into too much detail here, and maybe I missed some info that is needed. Let me know if I can update. Thanks for any help or ideas!
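
The post above pastes two Wireshark summary lines and asks what to make of them. As an added example (not code from the original post), here is a small parser for that summary format that groups retransmitted segments by flow and sequence number, counts how often each one was resent, and checks whether the segment's IP packet would even fit through a given path MTU unfragmented. The first two input lines are copied from the post; the remaining two are constructed here (a third retransmission and the client's eventual ACK). The only assumptions are that Wireshark's Length column counts the full Ethernet frame and that the Ethernet header is 14 bytes.

```python
import re

ETHERNET_HEADER = 14  # assumption: Wireshark's Length column includes the 14-byte Ethernet header

# Lines 1-2 are from the post; lines 3-4 are constructed for this example.
CAPTURE_LINES = [
    "12 1.440549 172.25.5.10 172.25.4.2 TCP 731 [TCP Retransmission] 554 → 63463 [PSH, ACK] Seq=185 Ack=273 Win=30032 Len=665 TSval=3730549 TSecr=1351962386",
    "13 1.730555 172.25.5.10 172.25.4.2 TCP 731 [TCP Retransmission] 554 → 63463 [PSH, ACK] Seq=185 Ack=273 Win=30032 Len=665 TSval=3730578 TSecr=1351962386",
    "14 2.310561 172.25.5.10 172.25.4.2 TCP 731 [TCP Retransmission] 554 → 63463 [PSH, ACK] Seq=185 Ack=273 Win=30032 Len=665 TSval=3730636 TSecr=1351962386",
    "15 2.310900 172.25.4.2 172.25.5.10 TCP 66 63463 → 554 [ACK] Seq=273 Ack=185 Win=131072 Len=0 TSval=1351963000 TSecr=3730636",
]

# No. Time Source Destination Protocol Length [Info-prefix] sport → dport [flags] Seq= Ack= Win= Len=
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?P<frame_len>\d+)\s+(?:\[(?P<info>[^\]]*)\]\s+)?"
    r"(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+)\s+Win=\d+\s+Len=(?P<len>\d+)"
)


def parse_capture_line(line):
    """Parse one Wireshark summary line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "no": int(d["no"]), "time": float(d["time"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "frame_len": int(d["frame_len"]),
        "seq": int(d["seq"]), "payload_len": int(d["len"]),
        "retransmission": "Retransmission" in (d["info"] or ""),
    }


def find_retransmissions(lines):
    """Group retransmitted segments by (src, sport, dst, dport, seq, payload_len).

    Each group records how many times the same segment was resent and the
    frame size, which is what you compare against a suspected path MTU.
    """
    groups = {}
    for line in lines:
        pkt = parse_capture_line(line)
        if pkt is None or not pkt["retransmission"]:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"], pkt["payload_len"])
        g = groups.setdefault(key, {"count": 0, "frame_len": pkt["frame_len"],
                                    "first": pkt["time"], "last": pkt["time"]})
        g["count"] += 1
        g["last"] = pkt["time"]
    return groups


def ip_packet_size(frame_len):
    """Size of the IP packet inside an Ethernet frame of frame_len bytes."""
    return frame_len - ETHERNET_HEADER


def segments_over_mtu(groups, mtu):
    """Keys of retransmitted segments whose IP packet could not cross a link of the given MTU unfragmented."""
    return [k for k, g in groups.items() if ip_packet_size(g["frame_len"]) > mtu]


def summarize(lines, mtu=1500):
    groups = find_retransmissions(lines)
    too_big = set(segments_over_mtu(groups, mtu))
    for (src, sport, dst, dport, seq, plen), g in groups.items():
        flag = "EXCEEDS MTU" if (src, sport, dst, dport, seq, plen) in too_big else "fits"
        print(f"{src}:{sport} -> {dst}:{dport} seq={seq} len={plen}: resent {g['count']}x "
              f"over {g['last'] - g['first']:.3f}s, IP packet {ip_packet_size(g['frame_len'])} bytes ({flag} at MTU {mtu})")
    return groups


if __name__ == "__main__":
    summarize(CAPTURE_LINES)
```

A segment that is resent repeatedly but is far smaller than the path MTU (717 bytes here against a 1500-byte link) points to a different cause than a black hole for large packets, so it is worth running the same check with the MTU you suspect for the cellular path before changing tunnel settings.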



  • Well, today I think I figured it out.

    Tested with existing config over cellular:

    1. T-Mobile - Didn't Work
    2. Verizon - Worked

    I suspect maybe this is an MTU size issue of OpenVPN? Is there a way to lower the MTU on the OpenVPN server under pfSense? I know there is a way in the client, but wondering if I can force a lower MTU on the server itself.
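
The second post asks whether the MTU can be lowered from the OpenVPN server side. As an added example (not from the original post or from pfSense/OpenVPN), the following computes the OpenVPN `mssfix`/`fragment` values for a given outer-path MTU, so the encapsulated UDP packet never exceeds the path. `mssfix` and `fragment` are real OpenVPN directives whose argument bounds the size of the outer UDP payload; the IP/UDP/TCP header sizes are standard, but `OPENVPN_DATA_OVERHEAD` (24 bytes for an AES-GCM data channel with peer-id) is an assumption used only to estimate the resulting clamped MSS, and `openvpn_mtu_budget` and `server_custom_options` are names chosen here.

```python
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
TCP_HEADER = 20
INNER_IP_TCP = IPV4_HEADER + TCP_HEADER  # inner IPv4 + TCP headers of a tunnelled segment

# ASSUMPTION: per-packet OpenVPN data-channel framing for AES-256-GCM with
# peer-id (1 opcode/key-id + 3 peer-id + 4 packet-id + 16 GCM tag).
# CBC+HMAC data channels cost noticeably more; OpenVPN itself knows the real
# figure and subtracts it from mssfix, this constant only estimates the result.
OPENVPN_DATA_OVERHEAD = 24


def transport_overhead(proto="udp", ipv6=False):
    """Bytes of outer IP + UDP/TCP header wrapped around each OpenVPN packet."""
    ip = IPV6_HEADER if ipv6 else IPV4_HEADER
    if proto == "udp":
        return ip + UDP_HEADER
    if proto == "tcp":
        return ip + TCP_HEADER + 2  # +2: OpenVPN's length prefix on TCP transport
    raise ValueError(f"unknown transport {proto!r}")


def openvpn_mtu_budget(outer_mtu, proto="udp", ipv6=False, margin=0):
    """Derive OpenVPN sizing from the MTU of the physical path between the peers.

    mssfix/fragment take the maximum outer UDP payload OpenVPN may emit, so they
    are outer_mtu minus the outer IP+UDP headers (minus any safety margin).
    clamped_mss is the estimated TCP MSS that tunnelled sessions end up with.
    """
    if outer_mtu < 576:
        raise ValueError("outer MTU below the IPv4 minimum of 576 bytes")
    outer_payload = outer_mtu - transport_overhead(proto, ipv6) - margin
    clamped_mss = outer_payload - OPENVPN_DATA_OVERHEAD - INNER_IP_TCP
    if clamped_mss <= 0:
        raise ValueError("no room left for tunnelled TCP payload")
    return {
        "outer_mtu": outer_mtu,
        "mssfix": outer_payload,
        "fragment": outer_payload if proto == "udp" else None,
        "clamped_mss": clamped_mss,
    }


def server_custom_options(budget):
    """Directives for the server config (e.g. the OpenVPN server's custom options field)."""
    lines = [f"mssfix {budget['mssfix']}"]
    if budget["fragment"] is not None:
        # fragment only exists on UDP transport and must be set identically on the client.
        lines.append(f"fragment {budget['fragment']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # 1500-byte path vs. a conservative 1400-byte guess for an unknown cellular path
    for mtu in (1500, 1400):
        for ipv6 in (False, True):
            b = openvpn_mtu_budget(mtu, ipv6=ipv6)
            print(f"outer MTU {mtu} ({'IPv6' if ipv6 else 'IPv4'} transport): "
                  f"mssfix {b['mssfix']}, est. MSS {b['clamped_mss']}")
    print(server_custom_options(openvpn_mtu_budget(1400)))
```

`mssfix` is the server-side lever the post is asking for: OpenVPN rewrites the MSS option in the TCP SYN and SYN-ACK crossing the tunnel, so it takes effect for the RTSP-over-TCP session (port 554 in the capture) without touching the iPhone client. `tun-mtu` and `fragment`, by contrast, have to match on both ends, and `fragment` only helps UDP traffic such as RTP sent over UDP. If the carrier path MTU is unknown, start from a deliberately low outer MTU (1400 above) and raise it once the stream works.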

