Hi,

On Sun, Sep 20, 2015 at 08:33:20PM +0200, Marc Haber wrote:
> $ socat -dd -T 86400 UDP4-RECVFROM:1194,fork UDP4-DATAGRAM:my-openvpn-box:1194
> 
> This unfortunately does not work as expected. socat seems to change
> the UDP source port of the relayed packets every once in a while. The
> OpenVPN server does not like that.

Fascinating.  Seems socat dies after a while, and when re-starting, it
gets a new port number...

I have a solution for you, but you won't like it :-) - run git master
on the server, which has TLS floating, iow, if a client in good standing
starts sending packets from a new source address or new source port, 
the server will do a TLS check on the packet, and if the packet verifies,
will just seamlessly move over to the new source ip+port combination.

And yes, that means "bleeding edge!" - but the edge is somewhat blunt on 
this one, the change has been in the tree for half a year, and I've been 
running it on production servers ever since.

(My test for this feature was: run an openvpn client behind a pf(4) NAT
box, and occasionally flush state while a ping was running through the
openvpn tun.  If the next ping comes from the inside, no(!) loss... of
course if the packets are coming from the outside, there will be loss
until the client sends the next packet *out* to update the server side)


Another option would be to just run a SOCKS proxy on the intermediate
box - you can use "--proto udp4 --socks-proxy $server $port" from
within OpenVPN.  "--proto udp6" *should* work, though I have not found
a SOCKS server yet that can actually do UDP+IPv6...  (ssh -D can do
IPv6, but only TCP...)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
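
The floating behaviour described in the message above (move to a new source ip+port only after the packet verifies), as an added toy model that is not part of the original email and is not OpenVPN's code. The packet layout, the HMAC key, the replay counter and all names are assumptions made for illustration; addresses are constructed documentation ranges.

```python
import hashlib
import hmac
import struct

class FloatingSession:
    """Session keyed by an ID carried in the packet, not by UDP source address."""
    def __init__(self, session_id: bytes, key: bytes, peer: tuple):
        self.session_id = session_id  # 8-byte identifier (assumed format)
        self.key = key                # per-session HMAC key (assumed)
        self.peer = peer              # (ip, port) that replies are sent to
        self.last_counter = 0         # highest packet counter accepted so far

    def seal(self, counter: int, payload: bytes) -> bytes:
        """Sender side: session_id | counter | payload | HMAC-SHA256 tag."""
        body = self.session_id + struct.pack("!Q", counter) + payload
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def receive(self, packet: bytes, src: tuple) -> str:
        """Receiver side: returns 'drop', 'ok' or 'floated'."""
        if len(packet) < 8 + 8 + 32 or packet[:8] != self.session_id:
            return "drop"
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "drop"             # unauthenticated: never touch self.peer
        (counter,) = struct.unpack("!Q", body[8:16])
        if counter <= self.last_counter:
            return "drop"             # a replayed packet must not move the peer
        self.last_counter = counter
        if src != self.peer:
            self.peer = src           # verified packet from a new ip+port
            return "floated"
        return "ok"

def demo():
    """Constructed scenario: relay restart, then forged and replayed packets."""
    s = FloatingSession(b"SESSION1", b"k" * 32, ("192.0.2.10", 40001))
    first = s.seal(1, b"ping")
    results = [s.receive(first, ("192.0.2.10", 40001))]
    # The relay restarted: same client, new source port.
    results.append(s.receive(s.seal(2, b"ping"), ("192.0.2.10", 51515)))
    # A packet with a bad tag from an unrelated address.
    forged = s.seal(3, b"x")[:-32] + b"\x00" * 32
    results.append(s.receive(forged, ("198.51.100.7", 9)))
    # An old, valid packet resent from an unrelated address.
    results.append(s.receive(first, ("198.51.100.7", 9)))
    return results, s.peer
```

The order of checks is the point: the stored peer address changes only after both the tag and the counter check pass, so neither a forged nor a replayed datagram can redirect the return traffic.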