OpenVPN : Working with TCP but not with UDP

Tags: networking, openvpn, udp, vpn

I am trying to connect a Raspberry Pi as a client to an OpenVPN server (Ubuntu 14.04.3).
Following are my server-side and client-side configurations:

# server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 5

# client.ovpn
client
dev tun
proto udp
remote 10.1.2.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert pi2.crt
key pi2.key
ns-cert-type server
log-append openvpn.log
verb 5

On the client side, I get this log: "Initialization Sequence Completed." But I can't ping from client to server with ping 10.8.0.1, or vice versa.

If I change to proto tcp on both ends, then it works perfectly fine.

To troubleshoot the problem, I did the following things.

  1. Tested whether my network can handle UDP traffic by running:

    on server
    nc -l -u 1194

    on client
    nc -u 10.1.2.12 1194

    I was able to communicate to server from client and vice-versa.

  2. Lowered the MTU by adding the following configuration on both ends:

    tun-mtu 1000
    fragment 900
    mssfix

  3. Changed the UDP port to a higher value, like 25000.

But I am still not able to solve this issue. Any help will be appreciated.
Client-Server logs

Best Answer

From the OpenVPN manual:

--topology mode
Configure virtual addressing topology when running in --dev tun mode.
This directive has no meaning in --dev tap mode, which always uses a
subnet topology.

If you set this directive on the server, the --server and --server-bridge
directives will automatically push your chosen topology setting to
clients as well. This directive can also be manually pushed to clients.
Like the --dev directive, this directive must always be compatible
between client and server.

mode can be one of:

**net30** -- Use a point-to-point topology, by allocating one /30 subnet
per client. This is designed to allow point-to-point semantics when some
or all of the connecting clients might be Windows systems. This is the
default on OpenVPN 2.0.

From your client's OpenVPN logs, line 308:

Mon Aug 29 20:33:54 2016 us=826190 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5

Hint: you're "pinging" wrong addresses.

Hint2: What's the firewall state?

Hint3: Did you enable IPv4 forwarding with: echo 1 > /proc/sys/net/ipv4/ip_forward ?
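A worked example of the net30 arithmetic behind the first hint, added here as an illustration; it is not part of the original question or answer and not OpenVPN's own code. It parses the "ip addr add ... local ... peer ..." line quoted from the client log, computes which /30 endpoints the server directive hands out to the Nth client under net30 (the first /30 of the pool is reserved for the server itself), and reports whether the address the asker pinged is actually the server end of that client's point-to-point link. The function names and the sample log line constant are my own; the log line itself is the one quoted above.

```python
import ipaddress
import re

# Constructed sample: the assignment line quoted from the asker's client log.
SAMPLE_LOG_LINE = ("Mon Aug 29 20:33:54 2016 us=826190 /sbin/ip addr add dev tun0 "
                   "local 10.8.0.6 peer 10.8.0.5")

# Matches the address assignment OpenVPN performs for a net30 point-to-point tun.
TUN_ADDR_RE = re.compile(
    r"ip addr add dev (?P<dev>tun\d+) "
    r"local (?P<local>\d+(?:\.\d+){3}) peer (?P<peer>\d+(?:\.\d+){3})"
)


def parse_tun_addr(line):
    """Return (dev, local, peer) from a net30 'ip addr add' log line, or None."""
    m = TUN_ADDR_RE.search(line)
    if m is None:
        return None
    return m.group("dev"), m.group("local"), m.group("peer")


def net30_client_pair(server_subnet, client_index):
    """(client endpoint, server endpoint) for the Nth client under net30.

    With 'server 10.8.0.0 255.255.255.0' the first /30 (10.8.0.0/30) is taken
    by the server itself (10.8.0.1 local, 10.8.0.2 peer).  Clients receive the
    following /30 blocks in order: 10.8.0.4/30, 10.8.0.8/30, ...  Inside each
    block the second address is the server end and the third the client end,
    which is why the log shows 'local 10.8.0.6 peer 10.8.0.5'.
    """
    net = ipaddress.ip_network(server_subnet, strict=False)
    base = int(net.network_address) + 4 * (client_index + 1)
    server_end = ipaddress.ip_address(base + 1)
    client_end = ipaddress.ip_address(base + 2)
    if client_end not in net:
        raise ValueError("client index %d exhausts the net30 pool of %s" % (client_index, net))
    return str(client_end), str(server_end)


def ping_advice(line, pinged):
    """Say whether 'pinged' is the address a net30 client should test first."""
    parsed = parse_tun_addr(line)
    if parsed is None:
        return "no net30 address assignment found in the log line"
    dev, local, peer = parsed
    if pinged == peer:
        return "ok: %s is the server end of the /30 assigned to %s" % (peer, dev)
    return ("%s is not the peer of %s (local %s): ping %s first, then check the "
            "server's firewall rules and ip_forward" % (pinged, dev, local, peer))


if __name__ == "__main__":
    print(parse_tun_addr(SAMPLE_LOG_LINE))
    for i in range(3):
        print("client %d:" % i, net30_client_pair("10.8.0.0/24", i))
    print(ping_advice(SAMPLE_LOG_LINE, "10.8.0.1"))
```

Running the block with the subnet from server.conf prints the first three client pairs (10.8.0.6/10.8.0.5, 10.8.0.10/10.8.0.9, 10.8.0.14/10.8.0.13) and explains that 10.8.0.1, while it is the server's own tun address, is not the peer of the client's /30, so a reply to ping 10.8.0.1 additionally depends on the server's routing and firewall state, which the remaining hints cover.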