Task
tcp+udp openvpn
Nick Howitt wrote:
By default OpenVPN runs on both udp:1194 and tcp:1194 in ClearOS. This is a bit of an odd concept. When you download your OpenVPN config file it is for UDP only. Longer term it is probably the intention to remove the tcp configuration, but it is not really safe to do mid-release. You may as well close the firewall to tcp:1194.
Can you please explain how to enable BOTH tcp and udp connections to one ClearOS OpenVPN server? I have the ClearOS OpenVPN network working on UDP and am trying to connect from RouterOS 6.48, which can only use TCP, and upon connection I receive an RST from ClearOS. See screenshot.
In OpenVPN
Responses (16)
Have a look at the OpenVPN parameter "client-to-client", but I don't know if it works between different instances of OpenVPN. Also note that for routing you need routes in both directions. You are showing the routes in the Mikrotik, but do the devices in the 10.10.x.0/24 subnets have routes back to 10.9.0.0/24?
Nick Howitt wrote:
RouterOS received routes from ClearOS when connecting to OpenVPN - on screenshot.
I guess what you now need is lots of routes in the Mikrotik config to force traffic to 10.10.x.0/24 via 10.9.0.1. Similarly, in the other tunnels you may need a route to force traffic to 10.9.0.0/24 via 10.8.0.1. You could "push" these routes from the server or hardcode them into the clients.
I'm having difficulties understanding how to route traffic between the 10.8.0.0 and 10.9.0.0 subnets.
Can different protocols (tcp & udp) be the troubling point? Maybe ClearOS cannot route packets from udp to tcp and back? Or OpenVPN itself...
Different instances of OpenVPN must have different subnets or OpenVPN will not know which interface to route the traffic out to.
I guess what you now need is lots of routes in the Mikrotik config to force traffic to 10.10.x.0/24 via 10.9.0.1. Similarly, in the other tunnels you may need a route to force traffic to 10.9.0.0/24 via 10.8.0.1. You could "push" these routes from the server or hardcode them into the clients.
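As an added illustration of the two points above (one tunnel subnet per instance, routes pushed in both directions), and not code from this thread or from ClearOS, here is a POSIX shell sketch that derives the tcp:1194 instance config from a constructed stand-in for the udp clients.conf. The udp_conf contents and the file names ipp-tcp.txt and openvpn-status-tcp.log are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for the udp instance config (ClearOS's clients.conf);
# this is not the real file, only the parameters relevant here.
udp_conf() {
cat <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
status openvpn-status.log
keepalive 10 120
EOF
}

# Route that one instance's clients need to reach the other instance's tunnel
# subnet via this server; pushed from the server (or hardcoded on each client).
push_route() { printf 'push "route %s 255.255.255.0"\n' "$1"; }

# Second instance for tcp:1194 on the same server: proto, tunnel subnet,
# ifconfig-pool-persist and status must all differ from the udp instance
# (assumed names ipp-tcp.txt / openvpn-status-tcp.log), otherwise the two
# daemons overwrite each other's state. tcp:1194 must also be opened on the
# incoming firewall for this instance to receive connections.
tcp_conf() {
  udp_conf | sed \
    -e 's/^proto udp$/proto tcp/' \
    -e 's/^server 10\.8\.0\.0 /server 10.9.0.0 /' \
    -e 's/^ifconfig-pool-persist ipp\.txt$/ifconfig-pool-persist ipp-tcp.txt/' \
    -e 's/^status openvpn-status\.log$/status openvpn-status-tcp.log/'
  push_route 10.8.0.0
}

# The udp instance in turn pushes the tcp instance's subnet to its clients.
udp_conf_routed() { udp_conf; push_route 10.9.0.0; }

tcp_conf
```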
Nick Howitt wrote:
Note that the ifconfig-pool-persist and status parameters should be different with each conf file. Also note that your OpenVPN is old and I don't know how compatible it is with current clients.
Yes, they are different, but something is still wrong. See screenshots: why aren't there routes for the 10.9.0.0 subnet? Shouldn't those settings create them, just as the similar settings create routes for the 10.8.0.0 subnet?
Do I really need to set up a different subnet on each OpenVPN instance (tcp & udp)? Because routing to both subnets gives me some headache.
Nick Howitt wrote:
Of course. But I did it through the web interface, then suddenly found many more rules in iptables, some of which cause trouble, like dropping all incoming TCP SYN packets... epic default settings, I think ))
Have you opened the incoming firewall to tcp:1194?
Please note that ClearOS 5.2 is antique and should not be used in production. It has not had any updates for years and should be considered as insecure. It certainly has not been patched for Spectre or the recent SSH vulnerability.
Maybe that is actually the case...
Now I have successfully established the TCP OpenVPN tunnel, but I still cannot ping any host behind it. Continuing to dig through RTFM and other log-smoking procedures.
Nick Howitt wrote:
Yes, thanks. I was a bit lost in this forum at first.
I've deleted your posts to the other thread.
AFAIK the OpenVPN tcp config should be running automatically. What version of ClearOS are you running? What does "ls /etc/openvpn/*.conf" show?
ClearOS Enterprise 5.2
/etc/openvpn/clients.conf /etc/openvpn/server.conf
I've just added server.conf. In it I've changed "proto udp" to "proto tcp" and 10.8.0.0 to 10.9.0.0.
When I manually start OpenVPN with server.conf, I see the correct SYN ACK on RouterOS, but the tunnel doesn't form. Now going to dig through the logs for some clues.
Thanks for the answer. I may be in need of further help anytime soon...