OpenVPN tunnel not connecting over NAT



  • Hello,

    I have a situation where I have an office with a UVerse dynamic IP that needs to be connected to me with a VPN tunnel.

    The UVerse router does not allow bridging, only 1:1 NAT.  I have set up an OpenVPN tunnel, but it is not connecting.  I'm not sure if the NAT is the problem or not because I've never set up an OpenVPN tunnel before.

    
    Oct 21 08:49:17	openvpn[31070]: UDPv4 link remote: xxx.xx.xx.xx:ppppp
    Oct 21 08:49:17	openvpn[31070]: UDPv4 link local (bound): 192.168.1.1
    Oct 21 08:49:17	openvpn[31070]: Preserving previous TUN/TAP instance: ovpnc1
    Oct 21 08:49:17	openvpn[31070]: LZO compression initialized
    Oct 21 08:49:17	openvpn[31070]: Re-using pre-shared static key
    Oct 21 08:49:17	openvpn[31070]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 21 08:49:15	openvpn[31070]: SIGUSR1[soft,ping-restart] received, process restarting
    Oct 21 08:49:15	openvpn[31070]: Inactivity timeout (--ping-restart), restarting
    Oct 21 08:48:15	openvpn[31070]: UDPv4 link remote: xxx.xx.xx.xx:ppppp
    Oct 21 08:48:15	openvpn[31070]: UDPv4 link local (bound): 192.168.1.1
    Oct 21 08:48:15	openvpn[31070]: Preserving previous TUN/TAP instance: ovpnc1
    Oct 21 08:48:15	openvpn[31070]: LZO compression initialized
    Oct 21 08:48:15	openvpn[31070]: Re-using pre-shared static key
    Oct 21 08:48:15	openvpn[31070]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    
    

    I'm also assuming that an IPsec VPN with an IP alias wouldn't work either (the WAN address of this router holds a private IP address).



  • The states on the remote side show:

    
    udp	192.168.1.1:10790 -> xxx.xx.xx.xx:ppppp	SINGLE:NO_TRAFFIC	
    udp	192.168.1.1:62215 -> xxx.xx.xx.xx:ppppp	SINGLE:NO_TRAFFIC
    
    

    and on my side:

    
    udp	xxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:11810	NO_TRAFFIC:SINGLE	
    udp	xxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:10790	NO_TRAFFIC:SINGLE	
    
    

    I don't show the traffic being blocked by either firewall.  OpenVPN software clients connect just fine from behind this router.
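    The two state tables above say the same thing from both ends: every UDP state has seen packets from the initiator only, and the server side has never answered. That pattern points at the listener rather than at a firewall block, which is what the next post confirms. The following script is an added example (not part of this thread and not pfSense code) that parses state lines in the format pfctl prints, normalises them to initiator/responder, and reports which UDP states are one-way. The sample lines are constructed from the ones posted above, placeholders kept as-is; the assumption that pf prints the state pair in the same left/right order as the two hosts is noted in the code.

```python
"""Classify pf UDP state entries as one-way or two-way traffic.

Added example, not from the thread or from pfSense.  It parses the
'proto left -> right STATE:STATE' lines pfctl prints and tells states that
have only ever carried packets in one direction from healthy ones.
"""
import re

# Constructed from the remote-side and local-side tables posted in the thread.
REMOTE_SIDE = """\
udp\t192.168.1.1:10790 -> xxx.xx.xx.xx:ppppp\tSINGLE:NO_TRAFFIC
udp\t192.168.1.1:62215 -> xxx.xx.xx.xx:ppppp\tSINGLE:NO_TRAFFIC
"""
LOCAL_SIDE = """\
udp\txxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:11810\tNO_TRAFFIC:SINGLE
udp\txxx.xx.xx.xx:ppppp <- yyy.yyy.yy.yy:10790\tNO_TRAFFIC:SINGLE
"""
# Constructed: what the same state looks like once both ends are talking.
HEALTHY = "udp\t192.168.1.1:10790 -> xxx.xx.xx.xx:ppppp\tMULTIPLE:MULTIPLE\n"

STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<left>\S+)\s+(?P<arrow>->|<-)\s+(?P<right>\S+)\s+"
    r"(?P<lstate>[A-Z_]+):(?P<rstate>[A-Z_]+)"
)


def parse_states(text):
    """Yield dicts with initiator, responder and each side's pf state name.

    Assumption: pfctl prints the state pair in the same order as the hosts,
    the left host's state before the colon and the right host's after it.
    For '->' entries the left host created the state (outbound); for '<-'
    entries the left host is the local receiver of an inbound packet.
    """
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        if d["arrow"] == "->":
            initiator, responder = d["left"], d["right"]
            i_state, r_state = d["lstate"], d["rstate"]
        else:
            initiator, responder = d["right"], d["left"]
            i_state, r_state = d["rstate"], d["lstate"]
        yield {"proto": d["proto"], "initiator": initiator, "responder": responder,
               "initiator_state": i_state, "responder_state": r_state}


def classify(state):
    """'one-way' if only the initiator has sent, 'two-way' if both have,
    'idle' otherwise (pf does not normally show a state with no packets)."""
    i, r = state["initiator_state"], state["responder_state"]
    if i != "NO_TRAFFIC" and r == "NO_TRAFFIC":
        return "one-way"
    if i != "NO_TRAFFIC" and r != "NO_TRAFFIC":
        return "two-way"
    return "idle"


def one_way_states(text):
    """Return (initiator, responder) pairs whose UDP state never saw a reply."""
    return [(s["initiator"], s["responder"]) for s in parse_states(text)
            if s["proto"] == "udp" and classify(s) == "one-way"]


if __name__ == "__main__":
    for label, table in (("remote", REMOTE_SIDE), ("local", LOCAL_SIDE),
                         ("healthy", HEALTHY)):
        for s in parse_states(table):
            print(f"{label}: {s['initiator']} -> {s['responder']}: {classify(s)}")
```

When the initiator side shows SINGLE:NO_TRAFFIC and the responder side shows NO_TRAFFIC:SINGLE for the same flow, the packets are crossing both firewalls and dying at the service: the daemon is not bound to the address they arrive on, or it is discarding them silently. A blocked flow would instead leave no state at all on the side that blocked it.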



  • Ok, so figured out that I had the OpenVPN server on my side listening on the WAN interface, not the CARP WAN interface.

    So it connects now, but no traffic flows over the tunnel.  Again I'm not seeing that the traffic is blocked.



  • If you're expecting someone to help you, can you please post your OpenVPN config of both sides? Thank you.



  • Forgive me, here is the config for the remote side:

    
    <openvpn>
      <openvpn-client>
        <vpnid>1</vpnid>
        <protocol>UDP</protocol>
        <dev_mode>tun</dev_mode>
        <ipaddr></ipaddr>
        <interface>wan</interface>
        <local_port></local_port>
        <server_addr>xxx.xx.xx.xx</server_addr>
        <server_port>ppppp</server_port>
        <resolve_retry></resolve_retry>
        <proxy_addr></proxy_addr>
        <proxy_port></proxy_port>
        <proxy_authtype>none</proxy_authtype>
        <proxy_user>myusername</proxy_user>
        <proxy_passwd>mypassword</proxy_passwd>
        <mode>p2p_shared_key</mode>
        <custom_options></custom_options>
        <shared_key>mysharedkey</shared_key>
        <crypto>AES-128-CBC</crypto>
        <engine>none</engine>
        <tunnel_network>172.19.11.0/24</tunnel_network>
        <remote_network>yyy.yyy.yyy.y/24</remote_network>
        <use_shaper></use_shaper>
        <compression>yes</compression>
        <passtos></passtos>
      </openvpn-client>
    </openvpn>
    
    

    And here is the config for the server:

    
    <openvpn-server>
      <vpnid>3</vpnid>
      <mode>p2p_shared_key</mode>
      <protocol>UDP</protocol>
      <dev_mode>tun</dev_mode>
      <ipaddr>xxx.xx.xx.xx</ipaddr>
      <interface>vip1</interface>
      <local_port>ppppp</local_port>
      <custom_options></custom_options>
      <shared_key>mysharedkey</shared_key>
      <crypto>AES-128-CBC</crypto>
      <engine>none</engine>
      <tunnel_network>172.19.11.0/24</tunnel_network>
      <remote_network>yyy.yyy.yyy.y/24</remote_network>
      <local_network>zzz.zzz.zzz.z/24</local_network>
      <maxclients></maxclients>
      <compression>yes</compression>
      <passtos></passtos>
      <dynamic_ip></dynamic_ip>
      <pool_enable>yes</pool_enable>
      <netbios_enable></netbios_enable>
      <netbios_ntype>0</netbios_ntype>
    </openvpn-server>
    
    

    I am not able to ping 172.19.11.2, and not able to ping 172.19.11.1 from the remote side.
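    For a p2p_shared_key tunnel the two config fragments above have to agree on a handful of values (mode, protocol, device mode, cipher, key, tunnel network, compression, and the address/port the client dials versus the one the server binds), and for site-to-site routing each end's remote_network should be the other end's LAN, so the two remote_network values should differ and the client's should equal the server's local_network. The script below is an added example (not part of this thread and not pfSense code) that parses both fragments and reports every mismatch, and also exposes which interface the server binds, since binding to the plain WAN instead of the CARP VIP was the first failure in this thread. The sample fragments are constructed from the posted ones with the xxx/yyy/zzz placeholders kept; because both posted ends list yyy.yyy.yyy.y/24 as remote_network, the check flags that, which may be an artifact of the placeholders rather than a real misconfiguration.

```python
"""Compare the two ends of a pfSense OpenVPN p2p_shared_key tunnel.

Added example, not from the thread or from pfSense.  Parses the
<openvpn-client> and <openvpn-server> fragments from config.xml and lists
parameters that must agree on both ends, plus the site-to-site routing
sanity check on remote_network/local_network.
"""
import xml.etree.ElementTree as ET

# Constructed from the client fragment posted in the thread (placeholders kept).
CLIENT_XML = """<openvpn-client>
  <vpnid>1</vpnid>
  <protocol>UDP</protocol>
  <dev_mode>tun</dev_mode>
  <interface>wan</interface>
  <server_addr>xxx.xx.xx.xx</server_addr>
  <server_port>ppppp</server_port>
  <mode>p2p_shared_key</mode>
  <shared_key>mysharedkey</shared_key>
  <crypto>AES-128-CBC</crypto>
  <tunnel_network>172.19.11.0/24</tunnel_network>
  <remote_network>yyy.yyy.yyy.y/24</remote_network>
  <compression>yes</compression>
</openvpn-client>"""

# Constructed from the server fragment posted in the thread (placeholders kept).
SERVER_XML = """<openvpn-server>
  <vpnid>3</vpnid>
  <mode>p2p_shared_key</mode>
  <protocol>UDP</protocol>
  <dev_mode>tun</dev_mode>
  <ipaddr>xxx.xx.xx.xx</ipaddr>
  <interface>vip1</interface>
  <local_port>ppppp</local_port>
  <shared_key>mysharedkey</shared_key>
  <crypto>AES-128-CBC</crypto>
  <tunnel_network>172.19.11.0/24</tunnel_network>
  <remote_network>yyy.yyy.yyy.y/24</remote_network>
  <local_network>zzz.zzz.zzz.z/24</local_network>
  <compression>yes</compression>
</openvpn-server>"""

# (client element, server element) pairs whose text must be identical.
MUST_MATCH = [
    ("mode", "mode"),
    ("protocol", "protocol"),
    ("dev_mode", "dev_mode"),
    ("crypto", "crypto"),
    ("shared_key", "shared_key"),
    ("tunnel_network", "tunnel_network"),
    ("compression", "compression"),
    ("server_addr", "ipaddr"),      # client must dial the address the server binds
    ("server_port", "local_port"),  # on the port the server listens on
]


def text(elem, name):
    """Text of a direct child element, or '' when absent or empty."""
    child = elem.find(name)
    return (child.text or "").strip() if child is not None else ""


def server_binding(server_xml):
    """Return (interface, ipaddr) the server binds, for review against the
    address the client's packets actually arrive on (e.g. a CARP VIP)."""
    server = ET.fromstring(server_xml)
    return text(server, "interface"), text(server, "ipaddr")


def check_pair(client_xml, server_xml):
    """Return a list of human-readable findings; an empty list means consistent."""
    client = ET.fromstring(client_xml)
    server = ET.fromstring(server_xml)
    findings = []
    for cname, sname in MUST_MATCH:
        cval, sval = text(client, cname), text(server, sname)
        if cval != sval:
            findings.append(f"mismatch: client {cname}={cval!r} vs server {sname}={sval!r}")
    # Site-to-site routing: each end's remote_network is the *other* end's LAN.
    c_remote = text(client, "remote_network")
    s_remote = text(server, "remote_network")
    s_local = text(server, "local_network")
    if c_remote and c_remote == s_remote:
        findings.append(f"both ends list {c_remote} as remote_network; "
                        "one of them should be the other side's LAN")
    if s_local and c_remote != s_local:
        findings.append(f"client remote_network={c_remote} does not match "
                        f"server local_network={s_local}")
    return findings


if __name__ == "__main__":
    print("server binds:", server_binding(SERVER_XML))
    for finding in check_pair(CLIENT_XML, SERVER_XML) or ["no findings"]:
        print(finding)
```

Run it against the real fragments from both config.xml files before touching firewall or NAT rules: a mismatch in any MUST_MATCH pair will keep the tunnel from coming up at all, while a wrong remote_network on either end produces exactly the symptom in this thread, a tunnel that pings across the 172.19.11.x endpoints but carries no LAN traffic.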



  • I changed firewall rules on the OpenVPN interface on both sides to any/any, and now I am able to ping across to 172.19.11.1 and 172.19.11.2 from both sides, but still not to the LAN networks from either side.



  • I'm noticing on the server side that Manual outbound NAT is already enabled. Do I need to do anything with this?

    Here is my outbound nat config:

    
    <nat>
      <ipsecpassthru>
        <enable></enable>
      </ipsecpassthru>
      <advancedoutbound>
        <rule>
          <source>
            <network>yyy.yyy.yyy.y/24</network>
          </source>
          <sourceport></sourceport>
          <target>xxx.xx.xx.xx</target>
          <targetip></targetip>
          <targetip_subnet>0</targetip_subnet>
          <interface>wan</interface>
          <poolopts></poolopts>
          <destination>
            <any></any>
          </destination>
          <dstport>500</dstport>
        </rule>
        <rule>
          <source>
            <network>yyy.yyy.yyy.y/24</network>
          </source>
          <sourceport></sourceport>
          <target>xxx.xx.xx.xx</target>
          <targetip></targetip>
          <targetip_subnet>0</targetip_subnet>
          <interface>wan</interface>
          <poolopts></poolopts>
          <destination>
            <any></any>
          </destination>
        </rule>
        <rule>
          <source>
            <network>127.0.0.0/8</network>
          </source>
          <sourceport></sourceport>
          <target>xxx.xx.xx.xx</target>
          <targetip></targetip>
          <targetip_subnet>0</targetip_subnet>
          <interface>wan</interface>
          <poolopts></poolopts>
          <destination>
            <any></any>
          </destination>
        </rule>
        <rule>
          <source>
            <network>127.0.0.0/8</network>
          </source>
          <sourceport></sourceport>
          <target>xxx.xx.xx.xx</target>
          <targetip></targetip>
          <targetip_subnet>0</targetip_subnet>
          <interface>wan</interface>
          <poolopts></poolopts>
          <destination>
            <any></any>
          </destination>
          <natport>1024:65535</natport>
        </rule>
        <enable></enable>
      </advancedoutbound>
    </nat>
    
    


  • Switched to using TCP instead of UDP and the tunnel came up OK.

