From: Patrick L. <pat...@ii...> - 2004-02-16 05:23:35
On Mon, Feb 16, 2004 at 12:24:00PM +0800, Paul Culmsee wrote:
> > A typical stateful firewall should allow client-initiated UDP
> > connections out, and the replies back in. IOW, from what you posted
> > there is no evidence of a problem.
>
> The reply is the issue. What I was not able to ascertain via the FAQ or
> man pages however was what a UDP reply entails.
>
> For example, if the remote network sends say, ICMP traffic to a network
> here, sure it will get encapsulated by openvpn and come through to the
> public ip of the openvpn box here to be decapsulated and then forwarded
> on.

Hope you don't mind if I jump in here ... (FWIW)

> But since we are talking about UDP, is the connection sync or async? Ie,
> Are the ICMP replies sent back out as UDP traffic that needs a remote IP
> address to hit.. I don't have one that port forwards the reply back to
> the NAT'd vpn server at the remote end..

OpenVPN connections typically use UDP port 5000. You can set it for any
particular connection in the config files at both ends, as you probably
know. The protocols of the packets wrapped in UDP have nothing to do with
the routing from the client to the server or back again; it depends only
on how any firewalls on the way treat UDP 5000 packets. That is to say,
it is UDP 5000 all the way, and in both directions. This is the beauty of
OpenVPN. If you have several concurrent connections, they need to use
different UDP ports. The routing of the packets works as normal.

UDP has less overhead than TCP because there is less checking, so it's
the best choice. In practice this doesn't matter since the packets being
wrapped up in UDP take care of their own checking as required by their
protocol; TCP connections will have all their normal checking done by the
client and the server, oblivious to the temporary wrapping in UDP.

> Or, does openvpn maintain state in the sense that if a connection is
> established from remote end to local end, replies are sent back to the
> NAT'd address of the remote end and therefore reliant on the stateful
> firewall to hopefully deal with it?

If a packet is initiated at remote client A, passes through NAT, travels
across the net to server B, then the NAT takes care of reply packets. The
remote client has to know the IP of the server, and that's all. Packets
going back will be addressed to the NAT firewall, and connection tracking
within that firewall will correctly send the packets to client A. That is
to say, it is up to firewalls on the way to maintain state. Replies are
sent to where they appear to have come from, which is nothing special
about OpenVPN really.

Patrick Lesslie
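The state tracking described in the reply above, as an added Python model that is not part of the original thread: a toy NAT that creates a mapping from the client's outbound UDP 5000 packet, forwards only replies addressed back to that mapping, and never looks at what the tunnel carries (ICMP, TCP or anything else). The addresses, ports and the 30-second idle timeout are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str          # outer header endpoint, "ip:port"
    dst: str          # outer header endpoint, "ip:port"
    proto: str = "udp"
    inner: str = ""   # tunnelled payload (ICMP, TCP, ...); opaque to the NAT

class StatefulNat:
    """Toy NAT/firewall with UDP connection tracking (constructed model)."""
    def __init__(self, public_ip: str, first_port: int = 40000, timeout: float = 30.0):
        self.public_ip, self.next_port, self.timeout = public_ip, first_port, timeout
        self.out_map: Dict[Tuple[str, str], str] = {}                 # (inside, remote) -> public
        self.in_map: Dict[Tuple[str, str], Tuple[str, float]] = {}    # (public, remote) -> (inside, last_seen)

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Client -> Internet: create or refresh the mapping, rewrite the source."""
        key = (pkt.src, pkt.dst)
        public_ep = self.out_map.get(key)
        if public_ep is None:                       # first packet of this flow: allocate a port
            public_ep = f"{self.public_ip}:{self.next_port}"
            self.next_port += 1
            self.out_map[key] = public_ep
        self.in_map[(public_ep, pkt.dst)] = (pkt.src, now)
        return replace(pkt, src=public_ep)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> client: forward only replies that match a live mapping."""
        entry = self.in_map.get((pkt.dst, pkt.src))
        if entry is None:
            return None                             # unsolicited: no state, dropped
        inside_ep, last_seen = entry
        if now - last_seen > self.timeout:          # idle mapping expired: drop and forget
            del self.in_map[(pkt.dst, pkt.src)]
            del self.out_map[(inside_ep, pkt.src)]
            return None
        self.in_map[(pkt.dst, pkt.src)] = (inside_ep, now)
        return replace(pkt, dst=inside_ep)

def demo() -> list:
    """Client A behind NAT pings through the tunnel to server B; both ends use UDP 5000."""
    nat = StatefulNat("203.0.113.5")                               # constructed public address
    client, server = "10.0.0.2:5000", "198.51.100.9:5000"
    out = nat.outbound(Packet(client, server, inner="icmp echo-request"), now=0.0)
    back = nat.inbound(Packet(server, out.src, inner="icmp echo-reply"), now=1.0)
    stray = nat.inbound(Packet(server, "203.0.113.5:40001"), now=1.0)   # no state: dropped
    stale = nat.inbound(Packet(server, out.src), now=60.0)               # idle too long: dropped
    return [out, back, stray, stale]
```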