OpenVPN and CGNAT - rewrite OpenVPN Configuration on the fly?

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

scooter133
OpenVpn Newbie
Posts: 2
Joined: Thu May 12, 2022 12:33 am

OpenVPN and CGNAT - rewrite OpenVPN Configuration on the fly?

Post by scooter133 » Thu May 12, 2022 12:34 am

We use OpenVPN on our Ubiquiti UDM Pro to connect remote sites to our central office. We’ve implemented Dynamic DNS to make sure we get IP address updates from our remote offices when the carrier changes them, but OpenVPN requires that we specify the incoming port where we expect incoming packets.

One of our sites is using Starlink and they use CGNAT, so instead of the incoming port being 1194, it’s some random port above 20000 and it changes frequently. What we do now is use tcpdump to try to find incoming packets from the remote site's IP and destination port and look at what source port is being used. Then we go into the UI Web Interface and update the OpenVPN configuration to use the actual remote port we are seeing. This brings the VPN up.

We are looking for a way to automatically do this. Find the incoming source port and update the OpenVPN configuration.

Can we use Boot Chicken like the Conditional DNS Script to alter the OpenVPN configuration of the incoming IP for the Local Port?
I'm not a script or OpenVPN guy by any means. Assistance on this would be great.
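The manual procedure described in this post (tcpdump to spot the source port the CGNAT currently assigns to the remote site, then editing the peer port in the OpenVPN config) as a shell script, added here as an example; it is not code from the poster, Ubiquiti or the OpenVPN project. The capture lines are constructed, the function names are made up, and it assumes the capture comes from `tcpdump -n` (numeric ports) and that the config pins the peer with a `remote <host> <port>` line.

```shell
#!/bin/sh
# Added example, not code from the thread, Ubiquiti or OpenVPN: automate the
# two manual steps in the post. Step 1 parses tcpdump-style output to find
# the source port the CGNAT currently assigns to the remote site; step 2
# rewrites the peer port in an OpenVPN config file.
# Assumptions (labelled as such): capture produced by `tcpdump -n` (numeric
# ports), and the config pins the peer with a "remote <host> <port>" line.

# Constructed sample capture (not a real trace). Our UDM is 203.0.113.7,
# listening on 1194; the remote site arrives from 198.51.100.20 via CGNAT.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.7.1194 > 198.51.100.20.43210: UDP, length 64
12:00:01.500001 IP 198.51.100.20.43210 > 203.0.113.7.1194: UDP, length 64
12:00:02.000001 IP 192.0.2.9.53 > 203.0.113.7.53000: UDP, length 80
12:00:02.500001 IP 198.51.100.20.43210 > 203.0.113.7.1194: UDP, length 64'

# find_source_port REMOTE_IP LOCAL_PORT   (reads tcpdump lines on stdin)
# Prints the most recent source port REMOTE_IP used when sending to our
# LOCAL_PORT; returns 1 if no matching packet was seen.
find_source_port() {
    awk -v ip="$1" -v lp="$2" '
        # tcpdump -n line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
        $2 == "IP" {
            n = split($3, s, ".")                 # last element is the port
            sip = s[1] "." s[2] "." s[3] "." s[4]
            sport = s[n]
            dst = $5; sub(/:$/, "", dst)          # strip the trailing colon
            m = split(dst, d, ".")
            dport = d[m]
            if (sip == ip && dport == lp) last = sport
        }
        END { if (last == "") exit 1; print last }'
}

# update_remote_port CONFIG_FILE NEW_PORT
# Rewrites the port on the "remote <host> <port>" line. Returns 0 when the
# file changed (so the caller knows the tunnel must be restarted), 1 when it
# already matched, 2 when the config has no remote line at all.
update_remote_port() {
    cfg=$1
    port=$2
    old=$(awk '$1 == "remote" { print $3 }' "$cfg")
    [ -z "$old" ] && return 2
    [ "$old" = "$port" ] && return 1
    sed -i "s/^remote \([^ ]*\) [0-9]*/remote \1 $port/" "$cfg"
}

# Stand-alone demo on the constructed sample: prints 43210.
printf '%s\n' "$SAMPLE_CAPTURE" | find_source_port 198.51.100.20 1194
```

In real use the sample variable is replaced by a short live capture on the WAN interface, for example `tcpdump -ln -c 20 udp dst port 1194 | find_source_port <remote-ip> 1194` (`-l` keeps tcpdump line-buffered in a pipe, `-c` stops it after a few packets), with the remote IP taken from the DDNS name the post already maintains; only when `update_remote_port` returns 0 does the tunnel need restarting, whichever way the platform does that.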

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN and CGNAT - rewrite OpenVPN Configuration on the fly?

Post by TinCanTech » Fri May 13, 2022 8:47 pm

scooter133 wrote:
Thu May 12, 2022 12:34 am
One of our sites is using Starlink and they use CGNAT, so instead of the incoming port being 1194, it’s some random port above 20000 and it changes frequently. What we do now is use tcpdump to try to find incoming packets from the remote site's IP and destination port and look at what source port is being used. Then we go into the UI Web Interface and update the OpenVPN configuration to use the actual remote port we are seeing. This brings the VPN up.
Which version of OpenVPN is that ?

scooter133
OpenVpn Newbie
Posts: 2
Joined: Thu May 12, 2022 12:33 am

Re: OpenVPN and CGNAT - rewrite OpenVPN Configuration on the fly?

Post by scooter133 » Fri May 13, 2022 9:11 pm

Sorry, this is a Ubiquiti UDM-Pro. It has OpenVPN built into its firmware.

# openvpn --version
OpenVPN 2.5.2 aarch64-buildroot-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 9 2022
library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_doc=no enable_docs=no enable_documentation=no enable_fast_install=yes enable_fragment=yes enable_gtk_doc=no enable_gtk_doc_html=no enable_iproute2=no enable_ipv6=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_nls=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=no enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_fop=no with_gnu_ld=yes with_mem_check=no with_sysroot=no with_xmlto=no

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN and CGNAT - rewrite OpenVPN Configuration on the fly?

Post by TinCanTech » Fri May 13, 2022 11:41 pm

scooter133 wrote:
Fri May 13, 2022 9:11 pm
openvpn --version
OpenVPN 2.5.2 aarch64-buildroot-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 9 2022
library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Originally developed by James Yonan
OK.
TinCanTech wrote:
Fri May 13, 2022 8:47 pm
scooter133 wrote:
Thu May 12, 2022 12:34 am
One of our sites is using Starlink and they use CGNAT, so instead of the incoming port being 1194, it’s some random port above 20000 and it changes frequently. What we do now is use tcpdump to try to find incoming packets from the remote site's IP and destination port and look at what source port is being used. Then we go into the UI Web Interface and update the OpenVPN configuration to use the actual remote port we are seeing. This brings the VPN up.
Which version of OpenVPN is that ?
Can you explain where the CGNAT is functioning, server or client ?

It sounds like you are trying to filter on client source port ?
