I'm trying to get my ERL to serve as an OpenVPN server. I'm pretty sure the configuration is correct, but tcpdump shows the reply packets being sourced from the wrong UDP port.
Edit: Apologies for not including this originally. I'm running v1.8.5.
Thanks in advance for any help!
X.X.X.X is the remote IP
Y.Y.Y.Y is the ERL IP
10:49:50.619225 IP X.X.X.X.54629 > Y.Y.Y.Y.1194: UDP, length 14
10:49:50.620111 IP Y.Y.Y.Y.1024 > X.X.X.X.54629: UDP, length 22
show conntrack doesn't show any connections to or from port 1024.
show nat doesn't show any connections translating to or from port 1024.
ps aux shows the expected command line for this configuration:
/usr/sbin/openvpn --daemon --verb 3 --writepid /var/run/openvpn-vtun0.pid --status /var/run/openvpn/status/vtun0.status 30 --dev-type tun --dev vtun0 --mode server --tls-server --topology subnet --keepalive 10 60 --lport 1194 --proto udp6 --ca /config/auth/cacert.pem --cert /config/auth/server-cert.pem --key /config/auth/server-key.key --dh /config/auth/dhp.pem --management /tmp/openvpn-mgmt-intf unix --push dhcp-option DNS 192.168.223.1 --server 192.168.223.0 255.255.255.0 --client-config-dir /var/run/openvpn/ccd/vtun0 --push redirect-gateway --comp-lzo
Relevant config:
firewall { all-ping enable broadcast-ping disable group { } ipv6-name WANv6_IN { default-action drop description "WAN inbound traffic forwarded to LAN" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept description "Allow IPv6 ICMP" protocol ipv6-icmp } } ipv6-name WANv6_LOCAL { default-action drop description "WAN inbound traffic to the router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop Invalid state" state { invalid enable } } rule 30 { action accept description "Allow IPv6 ICMP" protocol ipv6-icmp } rule 40 { action accept description "Allow DHCPv6" destination { port 546 } protocol udp source { port 547 } } rule 90 { action accept description OpenVPN destination { port 1194 } protocol udp } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 1 { action drop description "Drop invalid state" state { invalid enable } } rule 2 { action accept description "Allow established/related" state { established enable related enable } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 1 { action drop description "Drop invalid state" state { invalid enable } } rule 2 { action accept description "Allow established/related" state { established enable related enable } } rule 12 { action accept description OpenVPN destination { port 1194 } log disable protocol tcp_udp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address dhcp description Internet dhcpv6-pd { pd 1 { interface eth1 { service slaac } prefix-length 64 } rapid-commit enable } duplex auto firewall { in { ipv6-name WANv6_IN name WAN_IN } 
local { ipv6-name WANv6_LOCAL name WAN_LOCAL } } speed auto } ethernet eth1 { address 192.168.21.1/24 description Local duplex auto ipv6 { dup-addr-detect-transmits 1 router-advert { cur-hop-limit 64 link-mtu 0 managed-flag false max-interval 600 other-config-flag false prefix ::/64 { autonomous-flag true on-link-flag true valid-lifetime 2592000 } reachable-time 0 retrans-timer 0 send-advert true } } speed auto } openvpn vtun0 { local-port 1194 mode server openvpn-option "--push redirect-gateway" openvpn-option --comp-lzo protocol udp6 server { name-server 192.168.223.1 subnet 192.168.223.0/24 } tls { ca-cert-file /config/auth/cacert.pem cert-file /config/auth/server-cert.pem dh-file /config/auth/dhp.pem key-file /config/auth/server-key.key } } } port-forward { auto-firewall enable hairpin-nat enable lan-interface eth1 rule 8 { description "Outside OpenVPN" forward-to { address 192.168.21.1 port 1194 } original-port 1194 protocol tcp_udp } wan-interface eth0 } protocols { static { interface-route6 ::/0 { next-hop-interface eth0 { } } } }