Netgate Discussion Forum

OpenVPN TCP works UDP does not

15 Posts 5 Posters 13.8k Views
    NOYB
    Jul 3, 2013, 6:25 AM (last edited Jul 3, 2013, 7:29 AM)

    Have two OpenVPNs configured.  Both are configured the same, with the exception of protocol.  One is TCP and the other UDP.

    Both establish a VPN connection as expected, and both can access the internet (but of course the internet is reached via the client's physical network, not the VPN).  But only TCP can access the LAN.  UDP sees nothing, only itself and the internet.  Nothing on the LAN.

    WAN Firewall is open for IPv4 TCP/UDP.
    LAN Firewall is open for IPv4 *
    OpenVPN Firewall is open for IPv4 *

    Server Mode: Remote Access (SSL/TLS + User Auth)
    Protocol: UDP
    Device Mode: TUN
    IPv4 Tunnel Network: 192.168.2.0/24
    IPv4 Local Network: 192.168.1.0/24
    Compress tunnel packets using LZO
    Allow communication between clients connected to this server.
    Allow connected clients to retain connection if their IP changes.
    Allocate only one IP per client (topology subnet)
    Provide default domain name

      jimp Rebel Alliance Developer Netgate
      last edited by Jul 3, 2013, 12:17 PM

      Compare the actual config files in /var/etc/openvpn - odds are there is something subtly different.
      That, or firewall rules.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        NOYB
        last edited by Jul 3, 2013, 3:48 PM

        The only difference in /var/etc/openvpn/ server1.conf and server2.conf is the protocol.  One has tcp-server and the other udp (no "-server" suffix).  And the number 2 vs. 1 added to many items.

        Not seeing anything in the firewalls that should block one protocol and not the other.

          NOYB
          last edited by Jul 3, 2013, 5:11 PM

          Okay. Got it working.  Seems to be something related to the order of enablement.

          Disabled server1 (tcp), and server2 (udp) started working.
          Re-enabled server1 and it then would not work.  But server2 still worked.
          Disabled server2 and then re-enabled server1 again and it then would work.
          and so on…

          Both were always able to establish a VPN connection, though.  What wouldn't work was access to the LAN at the other side of the VPN.

            doktornotor Banned
            last edited by Jul 3, 2013, 5:16 PM

            Pardon me, but this just cannot work. You cannot have the same server IP for TCP and UDP. Use IPv4 Tunnel Network: 192.168.2.0/24 for TCP and IPv4 Tunnel Network: 192.168.3.0/24 for UDP or whatever and you won't have any problem.

              NOYB
              last edited by Jul 3, 2013, 5:43 PM

              @doktornotor:

              Pardon me, but this just cannot work. You cannot have the same server IP for TCP and UDP. Use IPv4 Tunnel Network: 192.168.2.0/24 for TCP and IPv4 Tunnel Network: 192.168.3.0/24 for UDP or whatever and you won't have any problem.

              Trying this right now.  Still same problem.  Both can connect but only one can see the LAN.

                doktornotor Banned
                last edited by Jul 3, 2013, 5:44 PM

                Reboot to clear up the routing/states/whatnot mess.

                  jimp Rebel Alliance Developer Netgate
                  last edited by Jul 3, 2013, 6:01 PM

                  You can't have the same tunnel network for two different VPNs.

                    NOYB
                    last edited by Jul 3, 2013, 7:03 PM

                    Okay, have a different tunnel network for each VPN.  192.168.2.0/24 for TCP OVPN1 and 192.168.3.0/24 for UDP OVPN2.

                    Trouble now is that only network 192.168.2.0/24 will work, on either VPN.  192.168.3.0/24, or any other, will not work on either VPN.  The LAN client can see the VPN client, but the VPN client cannot see the LAN client.  Now this is seeming like a firewall issue.  But I don't see anything that would pass the one network and not the others.

                    Routing table:
                    192.168.2.0/24 192.168.2.1 UGS 0 0 1500 ovpns1 
                    192.168.2.1 link#9 UH 0 0 1500 ovpns1

                    192.168.3.0/24 192.168.3.1 UGS 0 0 1500 ovpns2 
                    192.168.3.1 link#10 UH 0 0 1500 ovpns2

                      marvosa
                      last edited by Jul 3, 2013, 7:12 PM

                      Post your server1.conf and server2.conf.  Post screen shot of firewall rules.

                      Also, the first thing I would do is change your LAN and tunnel IP scopes... those ranges are too common on the client side.

                        NOYB
                        Jul 3, 2013, 7:42 PM (last edited Jul 3, 2013, 7:54 PM)

                        As mentioned previously, the server1.conf and server2.conf are identical, with the exception of protocol (one is tcp-server, and the other is udp) and 2 vs. 1 being added to many of the items.  Both work with 192.168.2.0/24.  Neither works with 192.168.3.0/24.

                        Doesn't matter how common those ranges are.  They are not used by anything else in this network, on either end.  And oh, by the way, others were also tried: 192.168.4.0/24, 192.168.33.0/24, 192.168.102.0/24.

                        The only applicable firewall rule at this point should be the one in the OpenVPN tab.  And it is the default rule.  Haven't changed it.  It is wide open for anything IPv4.  Even tried adding a wide-open floating rule with the quick option enabled.

                          doktornotor Banned
                          last edited by Jul 3, 2013, 8:31 PM

                          @NOYB:

                          As mentioned previously, the server1.conf and server2.conf are identical, with the exception of protocol (one is tcp-server, and the other is udp) and 2 vs. 1 being added to many of the items.  Both work with 192.168.2.0/24.  Neither works with 192.168.3.0/24.

                          What? You did AGAIN create those two with identical subnets? Sigh. It will NOT work. You MUST have different ones for TCP and UDP. You cannot create two ifaces with the same IP and expect routing to work… Please, post the configs so that we stop wasting time here.

                            NOYB
                            Jul 3, 2013, 9:01 PM (last edited Jul 4, 2013, 12:54 AM)

                            No, did not recreate them with the same network.  Just flipped them back and forth for diagnosis.

                            There was nothing in the configs that would solve this.  Had already verified that was not the cause.

                            Think I've traced it down to the LAN client's Windows firewall.  Yup, that was it.  Verified and fixed.  Thanks all for your guidance and suggestions.  You were a big help.

                              marvosa
                              last edited by Jul 3, 2013, 9:04 PM

                              I understand you said your configs are identical... but I always ask because you can't build a support model on assumptions.  I never assume anything without looking at the config... post them, so we can establish a base, rule out the config, and move on.  Right now, all we have are assumptions, and we end up working backwards if any of them turn out to be incorrect.

                              Doesn't matter how common those ranges are

                              If you can control your clients' network, maybe, but all it takes is one person on a Linksys or Netgear router at home to connect and your routing is broken.  Now you spend days troubleshooting something that could've been avoided from the beginning in your network design.

                              The only applicable firewall rule at this point should be the one in OpenVPN tab

                              Yes, that's the one.  Post a screen shot so we can move on... otherwise we have to assume "wide open" means any/any, but it may not be... and this thread goes on for weeks instead of a couple of days.

                              This will be confirmed when you post your configs, but it's been said the configs are identical except for the protocol, and technically they shouldn't be... they should be listening on different ports and have different tunnel networks.
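
An added example (not code from this thread, from pfSense, or from any poster) that does what jimp asked for earlier in the thread, a diff of the generated server configs, and then checks mechanically for the two overlaps that jimp and marvosa call out: two servers sharing one tunnel network, and two servers trying to bind the same protocol and port. The two sample configs are constructed here so the script runs offline; on a real pfSense box the inputs would be /var/etc/openvpn/server1.conf and server2.conf. Assumptions: the generated files use standard OpenVPN 2.x option names (the script accepts both `port` and `lport` for the listen port, and treats `tcp-server` as TCP, which matches what the thread reports), and 203.0.113.10 is a documentation address standing in for the WAN IP. One detail the script encodes that the thread does not state explicitly: TCP and UDP are separate socket namespaces, so tcp/1194 and udp/1194 on the same address do not collide, whereas two udp/1194 listeners on the same address do.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of pfSense.
# Diff two OpenVPN server configs and flag overlapping tunnel networks or
# listeners. Sample configs below are constructed; 203.0.113.10 is a
# documentation address.
set -u

# Print the value of OPTION from FILE (first occurrence), empty if absent.
ovpn_opt() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Listener identity as "family/port@local-ip". pfSense writes the port as
# "lport"; hand-written configs use "port". tcp-server, tcp-client, tcp4...
# all share the TCP port space; udp* share the UDP one. OpenVPN's defaults
# are udp and 1194.
ovpn_listener() {
    proto=$(ovpn_opt "$1" proto)
    port=$(ovpn_opt "$1" lport)
    [ -n "$port" ] || port=$(ovpn_opt "$1" port)
    local_ip=$(ovpn_opt "$1" local)
    case $proto in
        tcp*) fam=tcp ;;
        udp*) fam=udp ;;
        *)    fam=${proto:-udp} ;;
    esac
    printf '%s/%s@%s\n' "$fam" "${port:-1194}" "${local_ip:-any}"
}

# Tunnel network as "NETWORK NETMASK" from the "server" directive.
ovpn_tunnel() { ovpn_opt "$1" server; }

# Report conflicts between two server configs. Returns 0 if none, 1 if any.
check_conflicts() {
    rc=0
    t1=$(ovpn_tunnel "$1"); t2=$(ovpn_tunnel "$2")
    if [ -n "$t1" ] && [ "$t1" = "$t2" ]; then
        echo "CONFLICT: same tunnel network ($t1): both ovpns interfaces get the same gateway address and the same route"
        rc=1
    fi
    l1=$(ovpn_listener "$1"); l2=$(ovpn_listener "$2")
    if [ "$l1" = "$l2" ]; then
        echo "CONFLICT: same listener ($l1): the second instance cannot bind"
        rc=1
    fi
    return $rc
}

# Constructed samples mirroring the thread's first setup: identical except
# for proto, and (the bug) the same tunnel network on both.
write_samples() {
    for n in 1 2; do
        proto=tcp-server; [ "$n" = 2 ] && proto=udp
        cat > "$1/server$n.conf" <<EOF
dev ovpns$n
dev-type tun
proto $proto
local 203.0.113.10
lport 1194
tls-server
server 192.168.2.0 255.255.255.0
topology subnet
push "route 192.168.1.0 255.255.255.0"
client-to-client
comp-lzo
EOF
    done
}

# Stand-alone run: "sh this.sh run" shows the diff, reports the conflict,
# then re-checks after moving the UDP server to 192.168.3.0/24 as the
# thread eventually does.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    diff "$d/server1.conf" "$d/server2.conf"
    check_conflicts "$d/server1.conf" "$d/server2.conf" || true
    sed 's/^server 192.168.2.0 /server 192.168.3.0 /' "$d/server2.conf" > "$d/server2-fixed.conf"
    check_conflicts "$d/server1.conf" "$d/server2-fixed.conf" && echo "OK after fix"
    rm -rf "$d"
fi
```

On a live box, point `check_conflicts` at the real files under /var/etc/openvpn instead of the constructed ones; the diff will also show the 1-vs-2 differences (dev, lport, pid file) that are expected and harmless.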

                                kejianshi
                                last edited by Jul 4, 2013, 12:37 AM

                                Hmmmm.  I would do a few things differently.

                                I would create one OpenVPN thread on 10.23.10.0/24 and the second on 10.23.11.0/24 or so... (just to get away from the 192.168s).
                                Then I would check my firewall rules to be sure the rules had been generated properly to PASS those subnets to ANY.  Check that the subnets match the above.
                                Then I would create the outbound NAT rules to allow the LAN and both OpenVPN subnets.  (I stopped using auto outbound NAT on WAN.)

                                Now try it on manual.  Be warned that manual outbound NAT is picky.  It has to be done correctly, but it never leaves me wondering "what went wrong?"

                                If that doesn't work, a snapshot of your NAT rules, firewall rules, outbound NAT rules, and OpenVPN config would help people help you.

                                P.S.  The reason I quit using Automatic Outbound NAT is that it kept rewriting SIP packets and was killing my servers.
                                And I'm a control freak...  Thus the pfSense.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.