[lug] openvpn & linksys router question

David L. Anselmi anselmi at anselmi.us
Sat Jul 8 22:09:16 MDT 2006


Bear Giles wrote:
[...]
> Both systems are running openvpn. In this particular case it's P-t-P so 
> there's not really a 'server' and 'client'.  I've also been 
> experimenting with a true client/server model, but that just introduces 
> some additional complications.

Oh, OK.  To me client/server should be easier.  Not the openvpn part of 
it, but the rest of the networking (routes, firewall rules, etc) since 
almost every networking situation I see is client/server.

[...]
> BTW, the vpn traffic is UDP packets with identical source and destination ports.

Are you sure?  That would be one duplex socket.  But two simplex sockets 
would work the same way (each box sends to 1194 from a random port). 
But even if only 1194 is used for source and destination, the Linksys 
probably NATs the outgoing packets and changes the source port.

[...]
> It's P-t-P so either side should be able to initiate the connection.  
> I'm not seeing that, only one side is able to initiate the connection.

How do you know only the office can initiate?  (I believe you, just 
don't have a P-t-P setup to see for myself.)  Can you isolate the 
initiation so that it always happens on one side or the other (e.g., 
start one, wait for it to give up on initiating, then start the other)?

If only the office can initiate I'd guess that is the source of your 
problem.

Another possibility is that the NAT entry on the Linksys is timing out. 
  Regardless, maybe the Linksys is changing the source port on outbound 
packets unless it can associate them with an inbound one.

What happens when a packet to 1194, that should be from 1194, isn't? 
That's why client/server (where you know the client port is ephemeral) 
seems easier to me, you don't have to experiment to determine the 
behavior in unspecified cases.

If this is an odd interaction between P-t-P and NAT it would be worth 
Googling for and pointing out to Jim Yonan.  Maybe he can put in a 
workaround, or at least update the docs (which seem sparse on P-t-P) to 
say "don't do that".

Dave

P.S. It might be helpful to watch the traffic at the eth interface of 
each device while you investigate "who's initiating" and what gets to 
each side.  But you'd probably want to see that in Ethereal rather than 
tcpdump.  And don't assume too much, like source port will always be 1194.



More information about the LUG mailing list