OpenVPN tunnel not connecting over NAT
-
Hello,
I have a situation where I have an office with a UVerse dynamic IP that needs to be connected to me with a VPN tunnel.
The UVerse router does not allow bridging, only 1:1 NAT. I have set up an OpenVPN tunnel, but it is not connecting. I'm not sure if the NAT is the problem or not because I've never set up an OpenVPN tunnel before.
Oct 21 08:49:17 openvpn[31070]: UDPv4 link remote: xxx.xx.xx.xx:ppppp
Oct 21 08:49:17 openvpn[31070]: UDPv4 link local (bound): 192.168.1.1
Oct 21 08:49:17 openvpn[31070]: Preserving previous TUN/TAP instance: ovpnc1
Oct 21 08:49:17 openvpn[31070]: LZO compression initialized
Oct 21 08:49:17 openvpn[31070]: Re-using pre-shared static key
Oct 21 08:49:17 openvpn[31070]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 21 08:49:15 openvpn[31070]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 21 08:49:15 openvpn[31070]: Inactivity timeout (--ping-restart), restarting
Oct 21 08:48:15 openvpn[31070]: UDPv4 link remote: xxx.xx.xx.xx:ppppp
Oct 21 08:48:15 openvpn[31070]: UDPv4 link local (bound): 192.168.1.1
Oct 21 08:48:15 openvpn[31070]: Preserving previous TUN/TAP instance: ovpnc1
Oct 21 08:48:15 openvpn[31070]: LZO compression initialized
Oct 21 08:48:15 openvpn[31070]: Re-using pre-shared static key
Oct 21 08:48:15 openvpn[31070]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
I'm also assuming that an IPSec VPN with an IP alias wouldn't work either (the WAN address of this router holds a private IP address).
-
The states on the remote side show:
udp 192.168.1.1:10790 -> xxx.xx.xx.xx:ppppp SINGLE:NO_TRAFFIC
udp 192.168.1.1:62215 -> xxx.xx.xx.xx:ppppp SINGLE:NO_TRAFFIC
and on my side:
udp xxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:11810 NO_TRAFFIC:SINGLE
udp xxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:10790 NO_TRAFFIC:SINGLE
I don't show the traffic being blocked by either firewall. OpenVPN software clients connect just fine from behind this router.
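Reading the two pieces of evidence in this post together, as an added example (my own code, not anything from the thread or from pfSense): the client log shows a link that restarts on --ping-restart 60 s after each attempt without ever logging "Initialization Sequence Completed", and the pf states show a one-way UDP flow on both sides, so the client's packets do cross the NAT but the server never answers. The sample log and state lines are taken from the post (year assumed, since syslog omits it).

```python
import re
from datetime import datetime
# Constructed sample: the poster's client log, one entry per line (year assumed below).
LOG = """\
Oct 21 08:49:17 openvpn[31070]: UDPv4 link remote: xxx.xx.xx.xx:ppppp
Oct 21 08:49:15 openvpn[31070]: Inactivity timeout (--ping-restart), restarting
Oct 21 08:48:15 openvpn[31070]: UDPv4 link remote: xxx.xx.xx.xx:ppppp
"""
# Constructed sample: the pf state lines quoted in the thread (client side, then server side).
CLIENT_STATE = "udp 192.168.1.1:10790 -> xxx.xx.xx.xx:ppppp SINGLE:NO_TRAFFIC"
SERVER_STATE = "udp xxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:10790 NO_TRAFFIC:SINGLE"
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+: (.*)$")
STATE_RE = re.compile(r"^(udp|tcp) (\S+) (->|<-) (\S+) (\S+):(\S+)$")

def parse_log(text, year=2014):
    """Return (timestamp, message) pairs, oldest first."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            entries.append((ts, m.group(2)))
    return sorted(entries, key=lambda e: e[0])

def diagnose_log(entries):
    """Spot a link that keeps restarting on --ping-restart without ever completing."""
    links = [ts for ts, msg in entries if msg.startswith("UDPv4 link remote")]
    timeouts = [ts for ts, msg in entries if "Inactivity timeout" in msg]
    completed = any("Initialization Sequence Completed" in msg for _, msg in entries)
    period = (timeouts[0] - links[0]).total_seconds() if links and timeouts else None
    return {"attempts": len(links), "timeouts": len(timeouts), "completed": completed,
            "timeout_seconds": period}

def parse_pf_state(line):
    """Split a pfctl -ss style line into local/remote peers and the state pair."""
    m = STATE_RE.match(line.strip())
    if not m: raise ValueError(f"unrecognised state line: {line!r}")
    proto, local, arrow, remote, s1, s2 = m.groups()
    return {"proto": proto, "local": local, "remote": remote,
            "direction": "out" if arrow == "->" else "in", "states": (s1, s2)}

def diagnose_tunnel(log_text, client_state, server_state):
    """Combine both views: the client's packets cross the NAT, but the server never answers."""
    verdict = diagnose_log(parse_log(log_text))
    c, s = parse_pf_state(client_state), parse_pf_state(server_state)
    # A UDP state with NO_TRAFFIC on one side and anything else on the other is one-way.
    one_way = lambda st: "NO_TRAFFIC" in st["states"] and st["states"][0] != st["states"][1]
    verdict["reaches_server"] = s["direction"] == "in" and one_way(s)
    verdict["server_silent"] = one_way(c) and verdict["reaches_server"]
    return verdict
```

A verdict with `server_silent` set points at the server end (listening address or interface, or a rule on its inbound path) rather than at the client's NAT, which is what the next post confirms.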
-
Ok, so I figured out that I had the OpenVPN server on my side listening on the WAN interface, not the CARP WAN interface.
So it connects now, but no traffic flows over the tunnel. Again, I'm not seeing that the traffic is blocked.
-
If you're expecting someone to help you, can you please post your OpenVPN config of both sides? Thank you.
-
Forgive me, here is the config for the remote side:
<openvpn>
  <openvpn-client>
    <vpnid>1</vpnid>
    <protocol>UDP</protocol>
    <dev_mode>tun</dev_mode>
    <ipaddr></ipaddr>
    <interface>wan</interface>
    <local_port></local_port>
    <server_addr>xxx.xx.xx.xx</server_addr>
    <server_port>ppppp</server_port>
    <resolve_retry></resolve_retry>
    <proxy_addr></proxy_addr>
    <proxy_port></proxy_port>
    <proxy_authtype>none</proxy_authtype>
    <proxy_user>myusername</proxy_user>
    <proxy_passwd>mypassword</proxy_passwd>
    <mode>p2p_shared_key</mode>
    <custom_options></custom_options>
    <shared_key>mysharedkey</shared_key>
    <crypto>AES-128-CBC</crypto>
    <engine>none</engine>
    <tunnel_network>172.19.11.0/24</tunnel_network>
    <remote_network>yyy.yyy.yyy.y/24</remote_network>
    <use_shaper></use_shaper>
    <compression>yes</compression>
    <passtos></passtos>
  </openvpn-client>
</openvpn>
And here is the config for the server:
<openvpn-server>
  <vpnid>3</vpnid>
  <mode>p2p_shared_key</mode>
  <protocol>UDP</protocol>
  <dev_mode>tun</dev_mode>
  <ipaddr>xxx.xx.xx.xx</ipaddr>
  <interface>vip1</interface>
  <local_port>ppppp</local_port>
  <custom_options></custom_options>
  <shared_key>mysharedkey</shared_key>
  <crypto>AES-128-CBC</crypto>
  <engine>none</engine>
  <tunnel_network>172.19.11.0/24</tunnel_network>
  <remote_network>yyy.yyy.yyy.y/24</remote_network>
  <local_network>zzz.zzz.zzz.z/24</local_network>
  <maxclients></maxclients>
  <compression>yes</compression>
  <passtos></passtos>
  <dynamic_ip></dynamic_ip>
  <pool_enable>yes</pool_enable>
  <netbios_enable></netbios_enable>
  <netbios_ntype>0</netbios_ntype>
</openvpn-server>
I am not able to ping 172.19.11.2, and not able to ping 172.19.11.1 from the remote side.
-
I changed firewall rules on the OpenVPN interface on both sides to any/any, and now I am able to ping across to 172.19.11.1 and 172.19.11.2 from both sides, but still not to the LAN networks from either side.
-
I'm noticing on the server side that manual outbound NAT is already enabled. Do I need to do anything with this?
Here is my outbound NAT config:
<nat>
  <ipsecpassthru>
    <enable></enable>
  </ipsecpassthru>
  <advancedoutbound>
    <rule>
      <source>
        <network>yyy.yyy.yyy.y/24</network>
      </source>
      <sourceport></sourceport>
      <target>xxx.xx.xx.xx</target>
      <targetip></targetip>
      <targetip_subnet>0</targetip_subnet>
      <interface>wan</interface>
      <poolopts></poolopts>
      <destination>
        <any></any>
      </destination>
      <dstport>500</dstport>
    </rule>
    <rule>
      <source>
        <network>yyy.yyy.yyy.y/24</network>
      </source>
      <sourceport></sourceport>
      <target>xxx.xx.xx.xx</target>
      <targetip></targetip>
      <targetip_subnet>0</targetip_subnet>
      <interface>wan</interface>
      <poolopts></poolopts>
      <destination>
        <any></any>
      </destination>
    </rule>
    <rule>
      <source>
        <network>127.0.0.0/8</network>
      </source>
      <sourceport></sourceport>
      <target>xxx.xx.xx.xx</target>
      <targetip></targetip>
      <targetip_subnet>0</targetip_subnet>
      <interface>wan</interface>
      <poolopts></poolopts>
      <destination>
        <any></any>
      </destination>
    </rule>
    <rule>
      <source>
        <network>127.0.0.0/8</network>
      </source>
      <sourceport></sourceport>
      <target>xxx.xx.xx.xx</target>
      <targetip></targetip>
      <targetip_subnet>0</targetip_subnet>
      <interface>wan</interface>
      <poolopts></poolopts>
      <destination>
        <any></any>
      </destination>
      <natport>1024:65535</natport>
    </rule>
    <enable></enable>
  </advancedoutbound>
</nat>
-
Switched to using TCP instead of UDP and the tunnel came up OK.