OpenVPN UDP protocol setup problem

Mistermoonlight

Regular Contributor
My main purpose is to surf safely on public hotspots by using my router and tunnelling the browsing through the OpenVPN setup on my router (using the "Direct clients to redirect Internet traffic" option).

I have set up an OpenVPN server on my router using RMerlin firmware 270.24, following the OpenVPN tutorial RMerlin suggested on the web. I was able to configure the setup for a Windows XP laptop OpenVPN client, and the tunnelling is working correctly with the router when using the TCP protocol for the OpenVPN server on the router.

But if I try to change to the UDP protocol (everything else is not changed), it is not working at all. I can see an error message in OpenVPN GUI (XP laptop) that the packet on port 1194, for example, is rejected. OpenVPN is set up with the firewall option set to "automatic". It is as if, when the protocol is UDP, this firewall option does not set up a rule correctly, so the packet on port 1194 is rejected by the router?

Any clue :confused:

I am also using a static key (Extra HMAC authorization) to add more security (and not just TLS alone), and I want to know if I can add password authorization on top of this (so if I set up the OpenVPN client on an office computer, a password would also be asked for before allowing connection to my router)?

Thanks
 
Don't forget to also change the protocol in your client.
 
I will suggest, for the tls-auth setting on the server side, change it to "incoming 0", and for the client write tls-auth ta.key 1 in the config file. Also make sure you are not connecting to the VPN from the same subnet, because OpenVPN expects a public IP.
 
RMerlin said:
Don't forget to also change the protocol in your client.

Sure, I have changed both sides to the same protocol and not just the server.
TCP is OK, UDP is not working at all.

Sabot105mm said:
I will suggest, for the tls-auth setting on the server side, change it to "incoming 0", and for the client write tls-auth ta.key 1 in the config file. Also make sure you are not connecting to the VPN from the same subnet, because OpenVPN expects a public IP.

The setup I have is already configured with a static key, with the server set for "incoming 0" and the client ta.key 1. This is working perfectly well in TCP but not in UDP. Like I said above, it is as if the firewall is blocking access to port 1194, according to the type of message I am getting on the client side.

Is there any check I could make in the router firewall to look for a specific rule I should see when the OpenVPN server is configured correctly for UDP?

I do not understand what you are saying with "Also make sure you are not connecting to the VPN from the same subnet, because OpenVPN expects a public IP". The router LAN is set up with an unusual private IP subnet to avoid any possible conflict while tunnelling on the client. I don't understand what you mean by a public IP versus a different subnet?
 
To help understand the problem, here is the exact error message I am receiving on the laptop client side while using the UDP protocol (but not with TCP) (xxx.xxx was my public address, which I removed for privacy), with an OpenVPN server configured on my router:

Thu Mar 07 01:42:35 2013 us=202000 TCP/UDP: Incoming packet rejected from 192.168.177.1:1194[2], expected peer address: xxx.xxx.xx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
 
You're evidently testing it from inside your LAN. Either use the float option on the client side or test this from outside your LAN.
--
bc
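
The diagnosis above can be read straight from the client log. The following is an added example, not part of the original thread: it parses "Incoming packet rejected" lines of the shape quoted above and flags the case where the rejected source is an RFC 1918 address while the expected peer is public, which is the signature of testing from inside the server's LAN. The function names are hypothetical, and 203.0.113.10 is a constructed stand-in for the redacted public address.

```python
import ipaddress
import re

# RFC 1918 ranges are listed explicitly because ipaddress.is_private also
# flags documentation ranges such as 203.0.113.0/24 (used in the sample).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the OpenVPN client message quoted in the thread.
REJECT_RE = re.compile(
    r"Incoming packet rejected from (?P<src>[0-9.]+):(?P<sport>\d+)\[\d+\], "
    r"expected peer address: (?P<peer>[0-9.]+):(?P<pport>\d+)"
)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def diagnose(log_text):
    """Return one finding per 'Incoming packet rejected' line."""
    findings = []
    for m in REJECT_RE.finditer(log_text):
        src, peer = m.group("src"), m.group("peer")
        if is_rfc1918(src) and not is_rfc1918(peer):
            cause = "inside-lan"        # reply arrived from a private address
        elif src == peer:
            cause = "port-mismatch"     # same host, different source port
        else:
            cause = "unexpected-source"
        findings.append({"source": src, "expected": peer, "cause": cause})
    return findings


# Constructed sample: same line shape as the thread's log, with a
# documentation address in place of the redacted public IP.
SAMPLE_LOG = """\
Thu Mar 07 01:42:35 2013 us=202000 TCP/UDP: Incoming packet rejected from 192.168.177.1:1194[2], expected peer address: 203.0.113.10:1194 (allow this incoming source address/port by removing --remote or adding --float)
Thu Mar 07 01:42:37 2013 us=310000 TCP/UDP: Incoming packet rejected from 192.168.177.1:1194[2], expected peer address: 203.0.113.10:1194 (allow this incoming source address/port by removing --remote or adding --float)
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

An "inside-lan" finding points to the two remedies given in the reply above: test from outside the LAN, or add float on the client.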
 
rlcronin said:

You're evidently testing it from inside your LAN. Either use the float option on the client side or test this from outside your LAN.

Yes, you got it :). While I do not get this issue with TCP while testing from my LAN, I will test UDP outside of my LAN to see if this issue is removed (or by using another router to simulate a different LAN for the client). Thanks for the suggestion.
 
rlcronin said:

You're evidently testing it from inside your LAN. Either use the float option on the client side or test this from outside your LAN.

Yes, that's it. After changing my setup to use 2 cascaded routers, connecting the OpenVPN laptop client to the other router (which connects to the internet on its WAN), with the WAN of the OpenVPN server (Asus router) connected to the LAN of the other router, both protocols UDP/TCP are working correctly without changing anything else in my configs.

So simple that I would not have found it myself, I guess :rolleyes:.

I have set up two OpenVPN servers on my Asus, one with TCP 443 to be more compatible with most public hotspots (this HTTPS is never blocked) and the other one on UDP 1194 for performance reasons when it is not blocked.

Thanks again RMerlin for adding these features in your custom Asus firmware.
Thanks !!!!!!!!
 
Hi, I'm having a similar problem. With UDP, mine connects but it does not tunnel the traffic through the router. When I configure the TCP protocol it works great: it connects from inside and outside the LAN and tunnels all traffic through the tunnel. But when I use the UDP protocol, after making all the changes, it can connect perfectly from outside the LAN but it does not tunnel traffic at all. I'm on my LAN but I want to tunnel all traffic for the same reasons (wifi hotspots). Hope you have figured this out! Thanks
 
For what it's worth, here are my settings. They seem to work ...

http://goo.gl/CsB3v
--
bc

Thanks! I have it the same way but changed the UDP port to a different one. I rebooted the router and it's working with the tunnel on UDP now too. I connect from an Android phone and an iPad; I did not notice any difference in performance between UDP and TCP... But thanks again. What I don't have is the custom settings that you have, but all else is the same.
 
The custom settings aren't relevant, just an attempt to cut down on some not-that-useful system log entries. Glad it's working for you now.
--
bc
 
