OpenVPN issue in Bridge Mode

mbillings · 12-16-2011, 12:52 PM

I am unable to connect to the OpenVPN server in bridge mode. I've forwarded the ports thru my ISA server and provided a static route from the range for the OpenVPN clients that points to the untangle server. I did a tracert for that range and it is routing to the Untangle server.

I'm seeing UDP 1194 traffic passing thru my firewall as well as traffic coming from the Untangle server to my client using UDP ports in the 549xx range and ISA server is passing them. However I am unable to connect and it is timing out.

I would of thought that if untangle is responding to the request I would get some sort of log on the OpenVPN application but I am not seeing anything.

Do any of you guru's have any suggestions?

mbillings · 12-16-2011, 04:40 PM

I have gotten further now and am receiving this error.

Fri Dec 16 19:37:02 2011 TCP/UDP: Incoming packet rejected from 12.x.x.x:65073[2], expected peer address: 12.x.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)

It looks Untangle is sending a port of 65073 (which changes each time) and it is getting rejected because it is expecting port 1194.

Has anyone run across this?

Steve88W · 12-16-2011, 06:59 PM

Are the IP's of both networks different?
I had to change the IP scheme at home in order to connect.

sky-knight · 12-16-2011, 07:01 PM

The error message listed indicates a protocol issue. Meaning the UDP stream isn't connecting to Untangle.

Make sure you have your bridge plugged in the right way around. This may be a backward bridge problem.

mbillings · 12-19-2011, 05:07 AM

The bridge is the correct way, I see the traffic for 1194 when using the Packet test on the external interface. I have a feeling this is due to our ISA firewall siting in between untangle and the internet.

8:02:26.916486 IP 12.x.x.x.53236 > 10.100.252.249.1194: UDP, length 14
08:02:26.916996 IP 10.100.252.249.1194 > 12.x.x.x.53236: UDP, length 26

My requests are coming in however it looks as if ISA is changing the port.

Has anyone experienced this?

UntangleJS · 01-23-2012, 12:19 PM

Was there a resolution to this? I am seeing the same behaviour with much the same setup.
Except when I connect it does work once - then if I disconnect and try to reconnect it simply does not work any longer.

If I wait an hour or so and try again it works. This happens all of the time.

jcoffin · 01-23-2012, 01:06 PM

Quote:

Originally Posted by UntangleJS

Was there a resolution to this? I am seeing the same behaviour with much the same setup.
Except when I connect it does work once - then if I disconnect and try to reconnect it simply does not work any longer.

If I wait an hour or so and try again it works. This happens all of the time.

I would suggest starting a new thread with your details. It's almost impossible to debug your problem with no details.

12-16-2011, 12:52 PM	#1 (permalink)
mbillings Untangler Join Date: Nov 2010 Posts: 32	OpenVPN issue in Bridge Mode I am unable to connect to the OpenVPN server in bridge mode. I've forwarded the ports thru my ISA server and provided a static route from the range for the OpenVPN clients that points to the untangle server. I did a tracert for that range and it is routing to the Untangle server. I'm seeing UDP 1194 traffic passing thru my firewall as well as traffic coming from the Untangle server to my client using UDP ports in the 549xx range and ISA server is passing them. However I am unable to connect and it is timing out. I would of thought that if untangle is responding to the request I would get some sort of log on the OpenVPN application but I am not seeing anything. Do any of you guru's have any suggestions?

12-16-2011, 04:40 PM	#2 (permalink)
mbillings Untangler Join Date: Nov 2010 Posts: 32	I have gotten further now and am receiving this error. Fri Dec 16 19:37:02 2011 TCP/UDP: Incoming packet rejected from 12.x.x.x:65073[2], expected peer address: 12.x.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float) It looks Untangle is sending a port of 65073 (which changes each time) and it is getting rejected because it is expecting port 1194. Has anyone run across this? Last edited by mbillings; 12-16-2011 at 04:45 PM..

12-16-2011, 07:01 PM	#4 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 15,460	The error message listed indicates a protocol issue. Meaning the UDP stream isn't connecting to Untangle. Make sure you have your bridge plugged in the right way around. This may be a backward bridge problem. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

Protect

Filter

Perform

Connect

Manage

Add-Ons

12-16-2011, 06:59 PM	#3 (permalink)
Steve88W Newbie Join Date: Nov 2011 Location: Southern California Posts: 5	Are the IP's of both networks different? I had to change the IP scheme at home in order to connect.

12-19-2011, 05:07 AM	#5 (permalink)
mbillings Untangler Join Date: Nov 2010 Posts: 32	The bridge is the correct way, I see the traffic for 1194 when using the Packet test on the external interface. I have a feeling this is due to our ISA firewall siting in between untangle and the internet. 8:02:26.916486 IP 12.x.x.x.53236 > 10.100.252.249.1194: UDP, length 14 08:02:26.916996 IP 10.100.252.249.1194 > 12.x.x.x.53236: UDP, length 26 My requests are coming in however it looks as if ISA is changing the port. Has anyone experienced this?

01-23-2012, 12:19 PM	#6 (permalink)
UntangleJS Newbie Join Date: Jan 2012 Posts: 6	Was there a resolution to this? I am seeing the same behaviour with much the same setup. Except when I connect it does work once - then if I disconnect and try to reconnect it simply does not work any longer. If I wait an hour or so and try again it works. This happens all of the time.