Hi, I have a use case with OpenVPN and NAT over UDP where the commercial firewall changes the NAT binding. The keepalive is 30s, so that is short enough. The float option doesn't help either, because it accepts the packets but doesn't follow the source port change. Details below. This behaviour is reproducible on different installations with this firewall.
Client:
  IPClient  .. IP address client
  SPoClient .. Source port client
NAT:
  IPNAT     .. IP address NAT
  SPoNAT1   .. Source port NAT (before change)
  SPoNAT2   .. Source port NAT (after change)
Server:
  IPServer  .. IP address OpenVPN server

Client                              | NAT                            | Server
# From client                       |                                |
IPClient:SPoClient => IPServer:1194 | IPNAT:SPoNAT1 => IPServer:1194 | IPNAT:SPoNAT1 => IPServer:1194
# Answer from server                |                                |
IPClient:SPoClient <= IPServer:1194 | IPNAT:SPoNAT1 <= IPServer:1194 | IPNAT:SPoNAT1 <= IPServer:1194
# NAT changes source port NATing!!! |                                |
IPClient:SPoClient => IPServer:1194 | IPNAT:SPoNAT2 => IPServer:1194 | IPNAT:SPoNAT2 => IPServer:1194
# Answer from server to original source port!!!                      |
----BLOCKED BY NAT----              | ----BLOCKED BY NAT----         | IPNAT:SPoNAT1 <= IPServer:1194
# Suggested behaviour: on an authenticated source port change, remember
# the change and answer to the new source port of the NAT/client
IPClient:SPoClient <= IPServer:1194 | IPNAT:SPoNAT2 <= IPServer:1194 | IPNAT:SPoNAT2 <= IPServer:1194

Can the suggested behaviour be easily implemented (it should be easy to do in socket.c)? I can try a patch if you want.

Thank you.

Ciao,
Gerhard
--
http://www.wiesinger.com/

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
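The exchange in the table above, as an added model that is not part of the original post and not OpenVPN's own code: a tiny UDP session table that either keeps replying to the first source port it saw (the reported behaviour) or moves the session to a new source port once a datagram from there passes HMAC verification and a replay check (the suggested behaviour). The wire format, the pre-shared key, the session id, the addresses (IPNAT:SPoNAT1, IPNAT:SPoNAT2, a third-party address) and the `Server`/`scenario` names are all constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed wire format for this model (not OpenVPN's real packet layout):
#   8-byte session id | 4-byte packet counter | payload | 16-byte tag
#   tag = HMAC-SHA256(key, sid || counter || payload) truncated to 16 bytes
SID_LEN, CTR_LEN, TAG_LEN = 8, 4, 16
HDR_LEN = SID_LEN + CTR_LEN


def seal(key, session_id, counter, payload):
    """Build an authenticated datagram in the model's format."""
    body = struct.pack(">QI", session_id, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def open_packet(key, datagram):
    """Return (session_id, counter, payload) if the tag verifies, else None."""
    if len(datagram) < HDR_LEN + TAG_LEN:
        return None
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    session_id, counter = struct.unpack(">QI", body[:HDR_LEN])
    return session_id, counter, body[HDR_LEN:]


class Server:
    """Minimal UDP session table: remembers where each session's replies go."""

    def __init__(self, key, follow_authenticated_moves):
        self.key = key
        self.follow = follow_authenticated_moves
        self.peer_of = {}    # session id -> (ip, port) replies are sent to
        self.last_ctr = {}   # session id -> highest counter accepted (replay window of 1)

    def handle(self, src, datagram):
        """Process one datagram from src=(ip, port).
        Returns the address the reply is sent to, or None if the packet is dropped."""
        parsed = open_packet(self.key, datagram)
        if parsed is None:
            return None                      # bad tag: never touch session state
        sid, ctr, _payload = parsed
        if ctr <= self.last_ctr.get(sid, -1):
            return None                      # replayed datagram: must not move the session
        self.last_ctr[sid] = ctr
        if sid not in self.peer_of:
            self.peer_of[sid] = src          # first packet binds the session to src
        elif self.peer_of[sid] != src and self.follow:
            self.peer_of[sid] = src          # authenticated, fresh, new port: follow it
        return self.peer_of[sid]


def scenario(follow_authenticated_moves):
    """Replay the exchange from the post; returns ([reply addresses], final peer address)."""
    key = b"pre-shared-example-key"        # assumption: a key both ends share
    sid = 0x1234                           # constructed session id
    nat1 = ("203.0.113.5", 40001)          # IPNAT:SPoNAT1 (constructed)
    nat2 = ("203.0.113.5", 40002)          # IPNAT:SPoNAT2 after the NAT rebinds
    attacker = ("198.51.100.9", 5555)      # constructed third party
    srv = Server(key, follow_authenticated_moves)
    first = seal(key, sid, 1, b"from client")
    replies = [
        srv.handle(nat1, first),                                      # normal: reply to SPoNAT1
        srv.handle(nat2, seal(key, sid, 2, b"after rebind")),         # NAT changed the source port
        srv.handle(attacker, seal(b"wrong-key", sid, 3, b"forge")),   # bad tag -> dropped
        srv.handle(attacker, first),                                  # replay of packet 1 -> dropped
    ]
    return replies, srv.peer_of[sid]


if __name__ == "__main__":
    print("no follow:", scenario(False))   # second reply still goes to SPoNAT1, which the NAT blocks
    print("follow:   ", scenario(True))    # second reply goes to SPoNAT2
```

With `follow_authenticated_moves=False` the second reply is still addressed to SPoNAT1 and would be dropped by the NAT, exactly the fourth row of the table; with it set to `True` the reply goes to SPoNAT2. The two dropped packets show the check a real implementation cannot skip: a forged datagram must fail the HMAC, and a captured genuine datagram replayed from another address must fail the replay check, otherwise following the source port would let a third party redirect the tunnel endpoint to itself.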