Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
lucvdv
OpenVpn Newbie
Posts: 7
Joined: Fri Jun 15, 2018 7:18 am

Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Post by lucvdv » Fri Jun 15, 2018 8:13 am

I have to upgrade a stone age VPN setup (in use for about 15 years) to a new server running Server 2016 and the latest version of OpenVPN.

It is going over UDP, and has a single TAP adapter joining incoming tunnels into a /26 network segment.
To minimize the work at remote sites (about 30, spread across the country) I would like to keep the configuration as close to the old as possible.

I am currently testing it by connecting from my laptop, Windows 10 running a recent version of OpenVPN.
The configuration file on my laptop allows me to connect to the old server as well as the new, just changing the remote IP and port.
It works perfectly with the old server.

The new server configuration differs from the old one only in the tunnel IP range and port number.

When I try to connect to the new server everything looks OK, the connection is established and the client gets the correct IP address etc. pushed for its own TAP, it says it's connected, the TAP interface goes from 'media disconnected' to working status, but there it stops.
I don't get ANY traffic through the tunnel. Can't even ping the server's TAP IP from the client.
When I raise the log level to verbosity 6 it shows there *is* something alive, there is constant traffic between client and server.

And when I change just one more line at both sides, from "proto udp" to "proto tcp", it starts working.

This is the configuration file at the server side. Does anyone see something that could explain it not working over UDP?
This configuration here works, but just changing the second line to 'proto udp' (and the same at the client) makes it stop getting any traffic through the tunnel.

Server config

port 1202
proto tcp
dev tap
dev-node VPN-UDP
ca OpenVPN-CA.ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.255.255.128 255.255.255.192
ifconfig 10.255.255.129 255.255.255.192
ip-win32 dynamic
keepalive 20 120
cipher AES-128-CBC
#comp-lzo
max-clients 50
persist-key
persist-tun
ifconfig-pool-persist ipp-udp-1202.txt
status C:\\Logs\\OpenVPN\\1202-udp-status.log
log C:\\Logs\\OpenVPN\\1202-udp-log.log
verb 6
mute 30
comp-lzo is normally enabled, I just disabled it here to see if that made a difference. It didn't.
Last edited by lucvdv on Fri Jun 15, 2018 8:42 am, edited 1 time in total.

lucvdv
OpenVpn Newbie
Posts: 7
Joined: Fri Jun 15, 2018 7:18 am

Re: Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Post by lucvdv » Fri Jun 15, 2018 8:27 am

Posted by mistake and can't delete post, deleted content instead. Sorry.
Last edited by lucvdv on Fri Jun 15, 2018 8:50 am, edited 1 time in total.

lucvdv
OpenVpn Newbie
Posts: 7
Joined: Fri Jun 15, 2018 7:18 am

Re: Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Post by lucvdv » Fri Jun 15, 2018 8:40 am

Sorry, posted reply instead of correction by mistake, and can't seem to delete or even edit it.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Post by TinCanTech » Fri Jun 15, 2018 10:50 am

There is a time limit for editing posts.

Just post whatever it is you wanted to post and I'll ask a mod to delete the empty comments for you.

lucvdv
OpenVpn Newbie
Posts: 7
Joined: Fri Jun 15, 2018 7:18 am

Re: Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Post by lucvdv » Fri Jun 15, 2018 1:04 pm

Everything I wanted to post is in the original question.

lucvdv
OpenVpn Newbie
Posts: 7
Joined: Fri Jun 15, 2018 7:18 am

Re: Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Post by lucvdv » Fri Jun 15, 2018 1:15 pm

I just discovered something else.

I assumed that you could have two configuration files, one TCP and one UDP listening on the same port number, without one interfering with the other.

I created a copy of the configuration in the question above and edited it so there now is one for UDP and one for TCP. Of course I did make them use different IP ranges (10.255.255.128/26 and 10.255.255.192/26).

When I start the OpenVPN service with both files in place, neither version of the tunnels works.
When I start it with the UDP version in place and the TCP version renamed, it doesn't work either.
Only when I start it with the TCP version in place and the UDP version renamed, the TCP tunnels work.

So just having a configuration that tries to use UDP running in another instance of OpenVPN.exe breaks a working configuration that uses TCP on the same port number.
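Two things in this thread lend themselves to a mechanical check: the server config posted in the first message (1024-bit DH parameters, no tls-auth/tls-crypt, verb 6 left on), and the two-instance experiment above, where a UDP copy and a TCP copy of the same file are started side by side. The script below is an added example, not code from the original posts or from the OpenVPN project. It parses OpenVPN-style config files and reports per-file hygiene findings plus resources that two instances cannot both own. The two embedded configs are constructed: the TCP one mirrors the posted config, and the UDP copy is assumed to keep the same dev-node, pool-persist file and log paths, which the thread does not confirm. The rule that one TAP-Windows adapter (dev-node) can be opened by only one OpenVPN process at a time is a known constraint of the Windows driver; the script flags shared adapters and files, and treats udp/1202 and tcp/1202 as distinct listeners because they are separate sockets.

```python
"""Lint OpenVPN server configs for hygiene issues and cross-instance conflicts."""
import re

# Constructed sample configs modelled on the thread's posted server config.
# server-udp.ovpn is an assumed copy that still shares the TAP adapter,
# pool-persist file and log paths with the TCP file.
SAMPLE_CONFIGS = {
    "server-tcp.ovpn": r"""
port 1202
proto tcp
dev tap
dev-node VPN-UDP
ca OpenVPN-CA.ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.255.255.128 255.255.255.192
ifconfig 10.255.255.129 255.255.255.192
keepalive 20 120
cipher AES-128-CBC
#comp-lzo
max-clients 50
persist-key
persist-tun
ifconfig-pool-persist ipp-udp-1202.txt
status C:\\Logs\\OpenVPN\\1202-udp-status.log
log C:\\Logs\\OpenVPN\\1202-udp-log.log
verb 6
mute 30
""",
    "server-udp.ovpn": r"""
port 1202
proto udp
dev tap
dev-node VPN-UDP
ca OpenVPN-CA.ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.255.255.192 255.255.255.192
ifconfig 10.255.255.193 255.255.255.192
keepalive 20 120
cipher AES-128-CBC
persist-key
persist-tun
ifconfig-pool-persist ipp-udp-1202.txt
status C:\\Logs\\OpenVPN\\1202-udp-status.log
log C:\\Logs\\OpenVPN\\1202-udp-log.log
verb 6
""",
}

# Directives naming a resource that only one running instance may own.
EXCLUSIVE = {
    "dev-node": "TAP adapter",
    "ifconfig-pool-persist": "pool-persist file",
    "status": "status file",
    "log": "log file",
}


def parse_openvpn_config(text):
    """Return a list of (directive, [args]) tuples, skipping blank and comment lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def _index(directives):
    """Group directives by name: {name: [args, args, ...]}."""
    table = {}
    for name, args in directives:
        table.setdefault(name, []).append(args)
    return table


def _first(table, name, default=None):
    vals = table.get(name)
    return vals[0][0] if vals and vals[0] else default


def lint_config(directives):
    """Per-file hygiene findings for a single server config."""
    table = _index(directives)
    findings = []
    dh_file = _first(table, "dh")
    if dh_file:
        # Heuristic only: infer the modulus size from a name such as dh1024.pem.
        match = re.search(r"(\d{3,4})", dh_file)
        if match and int(match.group(1)) < 2048:
            findings.append(f"dh: {dh_file} looks like {match.group(1)}-bit parameters; use >= 2048 bits")
    if not any(k in table for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets before TLS")
    verb = _first(table, "verb")
    if verb and verb.isdigit() and int(verb) >= 5:
        findings.append(f"verb {verb}: packet-level logging; lower to 3 or 4 once debugging is done")
    return findings


def check_instance_conflicts(configs):
    """Flag resources that more than one config claims; configs is {name: directives}."""
    claims = {}
    for fname, directives in configs.items():
        table = _index(directives)
        for directive, label in EXCLUSIVE.items():
            value = _first(table, directive)
            if value:
                claims.setdefault((label, value), []).append(fname)
        # Same proto + port is one socket; udp/1202 and tcp/1202 are two.
        listener = f"{_first(table, 'proto', 'udp')}/{_first(table, 'port', '1194')}"
        claims.setdefault(("listener", listener), []).append(fname)
    return [f"{label} {value} is claimed by {', '.join(sorted(names))}"
            for (label, value), names in sorted(claims.items()) if len(names) > 1]


def lint_all(config_texts):
    """Parse every config and return {'per_file': {...}, 'conflicts': [...]}."""
    parsed = {name: parse_openvpn_config(text) for name, text in config_texts.items()}
    return {"per_file": {name: lint_config(d) for name, d in parsed.items()},
            "conflicts": check_instance_conflicts(parsed)}


if __name__ == "__main__":
    report = lint_all(SAMPLE_CONFIGS)
    for name, findings in report["per_file"].items():
        print(name)
        for line in findings:
            print("  -", line)
    print("cross-instance conflicts")
    for line in report["conflicts"]:
        print("  -", line)
```

Run it as-is to see the report for the constructed pair; point `lint_all` at the real files read from disk to check an actual multi-config directory. A shared TAP adapter shows up as a conflict while the udp/tcp listener pair does not, which is the distinction worth checking before concluding that two instances on one port number interfere.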

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Post by TinCanTech » Fri Jun 15, 2018 1:27 pm

If you have configured something wrong with openvpn then your logs will show errors.

lucvdv
OpenVpn Newbie
Posts: 7
Joined: Fri Jun 15, 2018 7:18 am

Re: Server 2016, TAP, UDP - no traffic through tunnel, TCP - works

Post by lucvdv » Wed Jul 04, 2018 11:31 am

I already mentioned in the original question that I had raised the log level to 6. If it had shown errors I would have included those, but it didn't. The tunnel WAS established, there just wasn't any traffic going through it. All it took to make it work was changing the protocol from UDP to TCP at both sides.

I have everything working now, by just dropping UDP as transport completely, but I had to modify about 30 clients spread all over the country to do it. I did that in an intermediate phase where they all had two tunnels at a time, one UDP to the old server and one TCP to the new, so I could change tunnel configurations remotely without too much risk of locking myself out.

The old tunnels used UDP, and were passing through the same firewalls etc., so that's not where it sat.
But those were running a very old version of OpenVPN, and on server 2003 instead of Server 2016.
