<![CDATA[OpenVPN tunnel not connecting over NAT]]>Hello,

I have a situation where I have an office with a UVerse dynamic IP that needs to be connected to me with a VPN tunnel.

The UVerse router does not allow bridging, only 1:1 NAT.  I have set up an OpenVPN tunnel, but it is not connecting.  I'm not sure if the NAT is the problem or not because I've never set up an OpenVPN tunnel before.


Oct 21 08:49:17	openvpn[31070]: UDPv4 link remote: xxx.xx.xx.xx:ppppp
Oct 21 08:49:17	openvpn[31070]: UDPv4 link local (bound): 192.168.1.1
Oct 21 08:49:17	openvpn[31070]: Preserving previous TUN/TAP instance: ovpnc1
Oct 21 08:49:17	openvpn[31070]: LZO compression initialized
Oct 21 08:49:17	openvpn[31070]: Re-using pre-shared static key
Oct 21 08:49:17	openvpn[31070]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct 21 08:49:15	openvpn[31070]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 21 08:49:15	openvpn[31070]: Inactivity timeout (–ping-restart), restarting
Oct 21 08:48:15	openvpn[31070]: UDPv4 link remote: xxx.xx.xx.xx:ppppp
Oct 21 08:48:15	openvpn[31070]: UDPv4 link local (bound): 192.168.1.1
Oct 21 08:48:15	openvpn[31070]: Preserving previous TUN/TAP instance: ovpnc1
Oct 21 08:48:15	openvpn[31070]: LZO compression initialized
Oct 21 08:48:15	openvpn[31070]: Re-using pre-shared static key
Oct 21 08:48:15	openvpn[31070]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts

I'm also assuming that an IPSec VPN with an IP alias wouldn't work also (the WAN address of this router holds a private IP address).

]]>https://forum.netgate.com/topic/61933/openvpn-tunnel-not-connecting-over-natRSS for NodeWed, 11 Mar 2026 01:43:50 GMTMon, 21 Oct 2013 12:59:48 GMT60<![CDATA[Reply to OpenVPN tunnel not connecting over NAT on Mon, 06 Jan 2014 21:47:37 GMT]]>Switched to using TCP instead of UDP and the tunnel came up OK.

]]>https://forum.netgate.com/post/437568https://forum.netgate.com/post/437568Mon, 06 Jan 2014 21:47:37 GMT<![CDATA[Reply to OpenVPN tunnel not connecting over NAT on Thu, 24 Oct 2013 17:24:14 GMT]]>I'm noticing on the server side that Manual outbound NAT is already enabled, do I need to do anything with this?

Here is my outbound nat config:


        <nat><ipsecpassthru><enable></enable></ipsecpassthru> 
                <advancedoutbound><rule><source>
                                        <network>yyy.yyy.yyy.y/24</network>

                                <sourceport><target>xxx.xx.xx.xx</target>
                                <targetip><targetip_subnet>0</targetip_subnet>
                                <interface>wan</interface>
                                <poolopts><destination><any></any></destination> 
                                <dstport>500</dstport></poolopts></targetip></sourceport></rule> 
                        <rule><source>
                                        <network>yyy.yyy.yyy.y/24</network>

                                <sourceport><target>xxx.xx.xx.xx</target>
                                <targetip><targetip_subnet>0</targetip_subnet>
                                <interface>wan</interface>
                                <poolopts><destination><any></any></destination></poolopts></targetip></sourceport></rule> 
                        <rule><source>
                                        <network>127.0.0.0/8</network>

                                <sourceport><target>xxx.xx.xx.xx</target>
                                <targetip><targetip_subnet>0</targetip_subnet>
                                <interface>wan</interface>
                                <poolopts><destination><any></any></destination></poolopts></targetip></sourceport></rule> 
                        <rule><source>
                                        <network>127.0.0.0/8</network>

                                <sourceport><target>xxx.xx.xx.xx</target>
                                <targetip><targetip_subnet>0</targetip_subnet>
                                <interface>wan</interface>
                                <poolopts><destination><any></any></destination> 
                                <natport>1024:65535</natport></poolopts></targetip></sourceport></rule> 
                        <enable></enable></advancedoutbound></nat>
]]>https://forum.netgate.com/post/426568https://forum.netgate.com/post/426568Thu, 24 Oct 2013 17:24:14 GMT<![CDATA[Reply to OpenVPN tunnel not connecting over NAT on Wed, 23 Oct 2013 13:34:06 GMT]]>I changed firewall rules on the OpenVPN interface on both sides to any/any, and now I am able to ping across to  172.19.11.1 and 172.19.11.2 from both sides, but still not to the LAN networks from either side.

]]>https://forum.netgate.com/post/426355https://forum.netgate.com/post/426355Wed, 23 Oct 2013 13:34:06 GMT<![CDATA[Reply to OpenVPN tunnel not connecting over NAT on Tue, 22 Oct 2013 14:46:39 GMT]]>Forgive me, here is the config for the remote side:


	 <openvpn><openvpn-client><vpnid>1</vpnid>
			<protocol>UDP</protocol>
			<dev_mode>tun</dev_mode>
			 <ipaddr><interface>wan</interface>
			 <local_port><server_addr>xxx.xx.xx.xx</server_addr>
			<server_port>ppppp</server_port>
			 <resolve_retry><proxy_addr><proxy_port><proxy_authtype>none</proxy_authtype>
			<proxy_user>myusername</proxy_user>
			<proxy_passwd>mypassword</proxy_passwd>

			<mode>p2p_shared_key</mode>
			 <custom_options><shared_key>mysharedkey <shared_key><crypto>AES-128-CBC</crypto>
			<engine>none</engine>
			<tunnel_network>172.19.11.0/24</tunnel_network>
			<remote_network>yyy.yyy.yyy.y/24</remote_network>
			 <use_shaper><compression>yes</compression>
			 <passtos></passtos></use_shaper></shared_key></shared_key></custom_options></proxy_port></proxy_addr></resolve_retry></local_port></ipaddr></openvpn-client></openvpn>

And here is the config for the server:


		 <openvpn-server><vpnid>3</vpnid>
			<mode>p2p_shared_key</mode>
			<protocol>UDP</protocol>
			<dev_mode>tun</dev_mode>
			<ipaddr>xxx.xx.xx.xx</ipaddr>
			<interface>vip1</interface>
			<local_port>ppppp</local_port>

			 <custom_options><shared_key>mysharedkey <shared_key><crypto>AES-128-CBC</crypto>
			<engine>none</engine>
			<tunnel_network>172.19.11.0/24</tunnel_network>
			<remote_network>yyy.yyy.yyy.y/24</remote_network>

			<local_network>zzz.zzz.zzz.z/24</local_network>
			 <maxclients><compression>yes</compression>
			<passtos></passtos>

			<dynamic_ip></dynamic_ip>
			<pool_enable>yes</pool_enable>
			<netbios_enable></netbios_enable>
			<netbios_ntype>0</netbios_ntype></maxclients></shared_key></shared_key></custom_options></openvpn-server>

I am not able to ping 172.19.11.2, and not able to ping 172.19.11.1 from the remote side.

]]>https://forum.netgate.com/post/426147https://forum.netgate.com/post/426147Tue, 22 Oct 2013 14:46:39 GMT<![CDATA[Reply to OpenVPN tunnel not connecting over NAT on Tue, 22 Oct 2013 09:50:31 GMT]]>If you're expecting someone to help you, can you please post your openVPN config of both sided? thank you.

]]>https://forum.netgate.com/post/426081https://forum.netgate.com/post/426081Tue, 22 Oct 2013 09:50:31 GMT<![CDATA[Reply to OpenVPN tunnel not connecting over NAT on Mon, 21 Oct 2013 15:18:36 GMT]]>Ok, so figured out that I had the OpenVPN server on my side listening on the WAN interface, not the CARP WAN interface.

So it connects now, but no traffic flows over the tunnel.  Again I'm not seeing that the traffic is blocked.

]]>https://forum.netgate.com/post/425955https://forum.netgate.com/post/425955Mon, 21 Oct 2013 15:18:36 GMT<![CDATA[Reply to OpenVPN tunnel not connecting over NAT on Mon, 21 Oct 2013 13:28:15 GMT]]>The states on the remote side show:


udp	192.168.1.1:10790 -> xxx.xx.xx.xx:ppppp	SINGLE:NO_TRAFFIC	
udp	192.168.1.1:62215 -> xxx.xx.xx.xx:ppppp	SINGLE:NO_TRAFFIC

and on my side:


udp	xxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:11810	NO_TRAFFIC:SINGLE	
udp	xxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:10790	NO_TRAFFIC:SINGLE

I don't show the traffic being blocked by either firewall.  OpenVPN software clients connect just fine from behind this router.

]]>https://forum.netgate.com/post/425925https://forum.netgate.com/post/425925Mon, 21 Oct 2013 13:28:15 GMT