I want to setup a VPN server with OpenVPN, so client PCs can access each other like they were in the same physical network.

One problem I encountered is, that I cannot connect via UDP. When I change server+client configuration to use TCP connections, clients can successfully connect to the server. I read TCP over TCP is bad and incurs a lot of overhead.

The server is behind a router with a public IP and the server's IP is configured to be in the DMZ of the router.

Is there a way I can test where the connection fails when using UDP? At the client's router, at the client's ISP, at my router, somewhere else? Is such a setup even possible with UDP or do I have to resort to TCP?

If I missed essential details, let me know and I'll be happy to add them.

knittl
  • Are you using an SSH tunnel to test this? – Lucas Kauffman Mar 04 '12 at 20:24
  • @LucasKauffman: no, I'm simply running `openvpn server.conf` on the server and `openvpn client.conf` on the client – knittl Mar 04 '12 at 20:26
  • What do your error logs say? – Lucas Kauffman Mar 04 '12 at 20:27
  • @LucasKauffman: Something along the lines of "Key exchange failed after 60 seconds" on the client, I don't think the server made any output. I can check again tomorrow (~12 hrs) – knittl Mar 04 '12 at 20:30
  • Do you have any firewall rules running to prevent UDP packets? – Lucas Kauffman Mar 04 '12 at 20:42
  • My server is in the DMZ of the router (so it should allow any traffic, right?). I don't know about the client. Is there a way to find out? Remember … the client could be anywhere (airport wifi, mcdonalds, umts, etc.) – knittl Mar 04 '12 at 20:46
  • What's your Server and Client conf? – ott-- Mar 04 '12 at 21:05
  • @ott: It's the default [example config](http://openvpn.net/index.php/open-source/documentation/howto.html#examples) provided by OpenVPN in `/usr/share/doc/openvpn/examples/sample-config-files`. I only updated the values for certificates and the server IP/DNS. And the exact same config works, when I change from `proto udp` to `proto tcp`. – knittl Mar 04 '12 at 21:11

2 Answers

Sounds like a firewall is blocking traffic. I'd recommend using a UDP sniffer. For Linux, try tcpdump (which, despite its name, also does UDP).

öde

Being in the DMZ does not mean you have full access from the Internet or anywhere else on the network. Many firewalls only permit the required ports into and out of the DMZ. If your ports aren't on the allowed list then they will not arrive at your server.

UDP failures are not as easy to investigate as TCP failures.

  • An ICMP monitor may indicate where the packet was rejected. It will fail if the packet was dropped.
  • Firewall logs at either end may indicate the traffic is being dropped. Temporary logging rules can indicate if the traffic is arriving at the firewall.
  • A tool like tcpdump can be used to determine what traffic is being sent and/or arriving.
BillThor
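A small UDP reachability probe that turns the answer's three bullets into a repeatable check, added here as an example (not the answerer's code; the names `start_echo_listener`, `probe_udp` and `PROBE` are mine). Run the listener on the VPN server with OpenVPN stopped so the UDP port (assumed 1194, the sample config's default) is free, then run the probe from the client against the router's public IP: an echo means UDP passes end to end, an ICMP port-unreachable means the datagram reached the host but was rejected, and a timeout means it was dropped somewhere on the path.

```python
import socket
import threading

# Constructed probe marker; not an OpenVPN packet, just a datagram whose
# echo proves that UDP passes in both directions.
PROBE = b"udp-reachability-probe"

def start_echo_listener(bind_addr="0.0.0.0", port=1194, timeout=5.0):
    """Server side: bind the OpenVPN port (stop OpenVPN first), wait for one
    probe and echo it back. seen["peer"] records the sender or None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(timeout)
    bound_port = sock.getsockname()[1]  # actual port when port=0 was given
    seen = {}

    def run():
        try:
            data, peer = sock.recvfrom(2048)
            seen["peer"] = peer
            sock.sendto(data, peer)
        except socket.timeout:
            seen["peer"] = None
        finally:
            sock.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return bound_port, thread, seen

def probe_udp(host, port, timeout=3.0):
    """Client side. 'reachable': a reply came back, UDP works end to end.
    'rejected': ICMP port-unreachable arrived, so the datagram reached the
    host but hit a REJECT rule or a closed port. 'dropped': no reply at all,
    so UDP is silently filtered somewhere on the path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))  # connected socket so ICMP errors surface
        sock.send(PROBE)
        sock.recv(2048)
        return "reachable"
    except ConnectionRefusedError:
        return "rejected"
    except socket.timeout:
        return "dropped"
    finally:
        sock.close()
```

Run `tcpdump -ni any udp port 1194` on the server at the same time to see whether the probe arrives even when no reply comes back, which separates an inbound drop from an outbound one.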