OpenVPN UDP connections timing out

Tags: gateway, openvpn, routing, timeout, udp

So I have a virtual server set up on Amazon, which I will call OSERV, to run OpenVPN on 3 different ports. All of the OpenVPN servers are acting as routing gateways. 2 of the servers that are running over TCP work great, but my UDP server, while it is able to make local connections, always times out for external IPs. I will call it UDPSERV.

So when I ssh through UDPSERV to OSERV, it works fine. But when I try to ssh (or do any other type of activity) anywhere else through UDPSERV, the connection times out. I will call the external server I am testing on EXSERV. I have been watching the log at verbosity level 6, and I see the packets being sent and received when trying to make the connection to EXSERV. So I know that works. I have also run Wireshark on the client machine, and see it sending and receiving packets just fine also when SSHing to EXSERV.

ssh root@ESERV -o ConnectTimeout=60
Connection reset by ESERV port 22

Though oddly, when I watch the log when doing activity through UDPSERV to OSERV, it doesn't seem to show it.

I have confirmed the MTU is not a problem. Interestingly enough, I can actually push >4000 bytes through as the MTU. I did attempt setting it to 500 at one point.

So I think that's everything I can say for the setup of this question. If anyone can help me figure out why this isn't working, I'd really appreciate it. Below this are all of my configurations.

[Edit] Oh yeah. I did a netcat through UDPSERV from my client to EXSERV and it worked fine.

All 3 of the OpenVPN server configs have the following relevant settings:

dev tun
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun

Different settings:
Serv1:

port 80
proto tcp
server 10.8.0.0 255.255.255.0

Serv2:

port 443
proto tcp
server 10.8.1.0 255.255.255.0

UDPSERV:

port 123
proto udp
server 10.8.2.0 255.255.255.0

The Amazon security settings have the following allowances:
Incoming ACCEPT: TCP22, TCP80, TCP443, UDP123
Outgoing ACCEPT: Everything

The following is my iptables setup:

#Clear everything out: reset the default policies to ACCEPT, then flush and delete every chain in every table
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

#All connections: let return traffic of already-tracked flows through in either direction
#(inserted first, so after the -I inserts below it ends up last in the FORWARD chain)
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#Serv1 (tun0): accept new flows from its subnet towards eth0, and source-NAT them to eth0's address
#Note: with "dev tun" the tunN number is assigned in the order the instances start
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

#Serv2 (tun1)
iptables -I FORWARD -i tun1 -o eth0 -s 10.8.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.1.0/24 -j MASQUERADE

#UDPSERV (tun2)
iptables -I FORWARD -i tun2 -o eth0 -s 10.8.2.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.2.0/24 -j MASQUERADE

I have also tried the following settings for UDPSERV:

#Accept new inbound OpenVPN traffic on UDP 123 (redundant while the INPUT policy is ACCEPT)
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 123 -j ACCEPT
#Forward anything arriving on tun2, plus tracked return traffic, then NAT the subnet as before
iptables -I FORWARD -i tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.2.0/24 -j MASQUERADE

The following is the OpenVPN log at verbosity level 6. The client connected from 45.16.1.12. I then connected to the OSERV's ssh. I then attempted to connect to EXSERV SSH, which timed out after 30-ish seconds. OpenVPN log. Please let me know if you have trouble downloading the file and I'll try a different service.

Best Answer

So it turns out the problem is that I was running on UDP port 123 (the ntpd port). I guess some router out there must have special coding for that port to only allow small packets, or something. Time to find a different common UDP port to run on.
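The two things this thread turns on are a UDP instance bound to a port that belongs to another well-known service (123/udp is NTP, which the accepted answer found was the cause) and the per-instance FORWARD/MASQUERADE rules in the question's iptables dump. The script below is an added example, not code from the question, the answer or the OpenVPN project: it parses server snippets and iptables commands of the shape shown above, flags a `proto udp` instance on a well-known UDP service port, and reports any `server` subnet that lacks a source-scoped FORWARD ACCEPT or MASQUERADE rule. The instance snippets and iptables script embedded in it are constructed from the question's configs; the inclusion of 53/DNS in the port table and the name `audit` are my assumptions, not something the thread states.

```python
"""Consistency check for a multi-instance OpenVPN gateway (added example)."""
import ipaddress
import shlex

# Well-known UDP service ports that middleboxes commonly treat specially.
# 123/NTP is the collision from the thread; 53/DNS is a constructed extra
# entry of the same class, not something the thread mentions.
SPECIAL_UDP_PORTS = {123: "ntp", 53: "dns"}

# Constructed from the question's configs: common settings plus the three instances.
COMMON = (
    'dev tun\nifconfig-pool-persist ipp.txt\npush "redirect-gateway def1 bypass-dhcp"\n'
    "keepalive 10 120\ncomp-lzo\npersist-key\npersist-tun\n"
)
INSTANCES = {
    "Serv1": COMMON + "port 80\nproto tcp\nserver 10.8.0.0 255.255.255.0\n",
    "Serv2": COMMON + "port 443\nproto tcp\nserver 10.8.1.0 255.255.255.0\n",
    "UDPSERV": COMMON + "port 123\nproto udp\nserver 10.8.2.0 255.255.255.0\n",
}
IPTABLES = """
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
iptables -I FORWARD -i tun1 -o eth0 -s 10.8.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.1.0/24 -j MASQUERADE
iptables -I FORWARD -i tun2 -o eth0 -s 10.8.2.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.2.0/24 -j MASQUERADE
"""


def parse_openvpn(text):
    """Extract port, proto and the 'server' (network, netmask) pair from a server config."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)  # shlex keeps quoted push options as one token
        if key == "port":
            conf["port"] = int(args[0])
        elif key == "proto":
            conf["proto"] = args[0].lower()
        elif key == "server":
            conf["server"] = (args[0], args[1])
    return conf


def parse_iptables(script):
    """Return (forward_ok, masq): source subnets accepted in filter/FORWARD and
    masqueraded in nat/POSTROUTING. Only rules carrying an explicit -s count;
    an interface-only rule such as '-I FORWARD -i tun2 -j ACCEPT' is not credited."""
    forward_ok, masq = set(), set()
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("iptables"):
            continue
        argv = shlex.split(line)

        def opt(flag):
            return argv[argv.index(flag) + 1] if flag in argv else None

        chain = opt("-I") or opt("-A")
        table = opt("-t") or "filter"
        src, target = opt("-s"), opt("-j")
        if not src:
            continue
        net = ipaddress.ip_network(src, strict=False)
        if table == "filter" and chain == "FORWARD" and target == "ACCEPT":
            forward_ok.add(net)
        if table == "nat" and chain == "POSTROUTING" and target == "MASQUERADE":
            masq.add(net)
    return forward_ok, masq


def audit(instances, iptables_script):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    forward_ok, masq = parse_iptables(iptables_script)
    findings = []
    for name, text in instances.items():
        conf = parse_openvpn(text)
        port, proto = conf["port"], conf["proto"]
        if proto == "udp" and port in SPECIAL_UDP_PORTS:
            findings.append(f"{name}: udp/{port} is the {SPECIAL_UDP_PORTS[port]} port; "
                            "middleboxes may mangle or drop non-protocol traffic on it")
        # 'server 10.8.2.0 255.255.255.0' and '-s 10.8.2.0/24' compare equal as networks
        net = ipaddress.ip_network("%s/%s" % conf["server"], strict=False)
        if net not in forward_ok:
            findings.append(f"{name}: no FORWARD ACCEPT rule for {net}")
        if net not in masq:
            findings.append(f"{name}: no MASQUERADE rule for {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(INSTANCES, IPTABLES):
        print(finding)
```

Run against the thread's own configs, the only finding is the UDPSERV port collision; the subnet checks only fire when a `server` network has no matching source-scoped rules, which is the case the question's "also tried" block would hit with its `-i tun2`-only FORWARD rule.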
