TCP client-server mode - Connect to client Net

Posted: Wed Jul 20, 2022 12:17 pm
by bortek
I had a Net-to-Net OpenVPN setup which was working fine, until recently, when my mobile operator provider changed and UDP started to fail for some reason, likely MTU size. But at that time I did not have a chance to test it.

As a quick fix I had to change the protocol from UDP to TCP and that solved it. But the communication became unidirectional, that is, from the client net I can access the nodes on the server net, but not the other way around. Right now I cannot change anything on the client side since that node is in a different location (think of it as being on the moon). So the only way to play around is to change the config on the server side. I want to be able to reach the client net from the server net, or particular nodes on the client net.

I have tried to add the following to the server side config without any success:

client-to-client
mode server

My configs look like this. Any chance to get this working on TCP and without changing anything on the client side?

Client side net is 192.168.1.0 and has this config:
client

dev tun
remote myhost.com
port 12345
proto tcp-client

ifconfig 10.1.0.2 10.1.0.1

tls-client
cipher AES-256-CBC
auth SHA512
persist-tun
persist-key
verb 3


<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END RSA PRIVATE KEY-----
</key>



Server side has the 192.168.0.0 net and this config:
server

dev tun

ifconfig 10.1.0.1 10.1.0.2
route 192.168.1.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"

tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem

cipher AES-256-CBC
auth SHA512
port 12345

#client-to-client
#mode server
#duplicate-cn

proto tcp-server

user nobody
group nobody
persist-tun
persist-key

verb 3

daemon somenamehere

keepalive 10 300

Re: TCP client-server mode - Connect to client Net

Posted: Wed Jul 20, 2022 1:16 pm
by TinCanTech
bortek wrote:
Wed Jul 20, 2022 12:17 pm
I had to change the protocol from UDP to TCP and that solved it. But the communication became unidirectional
Changing protocol has no such effect, therefore you must have changed something else.

Re: TCP client-server mode - Connect to client Net

Posted: Fri Jul 22, 2022 2:17 pm
by openvpn_inc
Hi bortek,

See --ifconfig in the manual. It's a subtle thing: when you specify "ifconfig local-endpoint remote-endpoint" as you did, what you have is not a client-server in openvpn terms, it is a --mode p2p peer connection.

As a result all your client-specific or server-specific options won't work. --mode server can't work when you have implicitly told openvpn that it is a p2p instance.

TCP for OpenVPN is generally anywhere from a bad idea to a VERY bad idea. If a change in your ISP resulted in UDP OpenVPN failures, the problem is in your ISP. Complain to them and look for better providers.

I could also mention that using the networks you have chosen will limit you in the future. Every off-the-shelf router will use one of those networks. Most routers will allow you to change the LAN network address; again as with the ISP, if yours does not allow this, it is garbage. Get rid of it. Also, --cipher is deprecated if you do try to make your VPN into a client/server. (It's still appropriate for p2p, I think.)

regards, rob0
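The following lint is added here as an illustration and is not code from the thread or from OpenVPN itself. It encodes rob0's diagnosis: a two-argument "ifconfig local remote" with neither a "server" helper nor an explicit "mode server" makes the instance a --mode p2p peer, so server-only directives such as push and client-to-client are silently ignored. The sample config is constructed from the server config quoted in the thread; the finding messages are my own wording.

```python
import shlex

# Directives the OpenVPN manual documents as taking effect only in --mode server.
SERVER_ONLY = ("client-to-client", "push", "duplicate-cn", "client-config-dir", "iroute")

def parse_config(text):
    """Return (directive, args) pairs; skips comments, blanks and inline <ca>/<cert>/<key> blocks."""
    entries, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries

def lint_server_config(text):
    """Return a list of findings: which options are silently ignored and why."""
    entries = parse_config(text)
    names = {d for d, _ in entries}
    findings = []
    # Neither "server" (the helper macro) nor an explicit "mode server": a two-argument
    # "ifconfig local remote" then describes a --mode p2p peer, not a server instance.
    explicit_server = "server" in names or ("mode", ["server"]) in entries
    if not explicit_server and any(d == "ifconfig" and len(a) == 2 for d, a in entries):
        findings.append("p2p: 'ifconfig local remote' without 'server'/'mode server' runs in --mode p2p")
        findings += [f"ignored: '{d}' only takes effect in --mode server" for d in SERVER_ONLY if d in names]
    if "cipher" in names:
        findings.append("deprecated: '--cipher' is superseded by '--data-ciphers' (OpenVPN 2.5+)")
    proto = next((a[0] for d, a in entries if d == "proto" and a), "udp")
    if proto.startswith("tcp"):
        findings.append(f"tcp: 'proto {proto}' stacks TCP on TCP; prefer udp where the path allows it")
    return findings

# Constructed sample modelled on the server config quoted above (not the poster's actual file).
SAMPLE_SERVER_CONF = """\
dev tun
ifconfig 10.1.0.1 10.1.0.2
route 192.168.1.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
tls-server
cipher AES-256-CBC
#client-to-client
proto tcp-server
"""
```

Running `lint_server_config(SAMPLE_SERVER_CONF)` reports the p2p mode, the ignored push, the deprecated cipher and the TCP transport; a config using the `server` helper with `data-ciphers` and `proto udp` yields no findings.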

Re: TCP client-server mode - Connect to client Net

Posted: Fri Aug 12, 2022 7:37 pm
by bortek
You are right. I have changed it back to the other ISP (which was working bi-directionally) and also changed the protocol back to UDP, but the communication is still unidirectional. There is something else going on here. Any idea what it could be?