Help forwarding UDP

Hi, I have a server running OpenVPN (192.168.88.2) and am having issues connecting via UDP. I can get TCP forwarded and opened on the firewall just fine.

When the OpenVPN client and the server are on the same network (192.168.88.x in this case) UDP and TCP work fine. But when the client is outside, I can only establish a TCP connection.

Any suggestions on what I can change?

Here’s a list of my NAT rules:

 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix="" 

 1    ;;; HAIRPIN
      chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 log=no log-prefix=""

 2    ;;; web sever 443
      chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=443 protocol=tcp dst-address=!192.168.88.1 dst-address-type=local dst-port=443 log=no log-prefix="" 

 3    ;;; OpenVPN udp
      chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=1194 protocol=udp dst-address=!192.168.88.1 dst-address-type=local dst-port=1194 log=no log-prefix="" 

 4    ;;; OpenVPN tcp
      chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=9443 protocol=tcp dst-address=!192.168.88.1 dst-address-type=local dst-port=9443 log=no log-prefix=""

Any ideas? I’ve tried disabling the hairpin and just adding it as a normal firewall exception, but still no luck. UDP still doesn’t seem to get through.

Mikrotik doesn’t support UDP on OpenVPN unless you use buggy v7, so either switch to some other protocol or try upgrading to 7.1beta5.

Thank you very much for the reply!

Just to confirm, other services that might use UDP should get passed through just fine with the rules I have set up, correct? Assuming I change the port # to whatever it needs to be.

Or does UDP not work at all on v6?

Hey,

It was very clear in the manual that the OpenVPN implementation in Mikrotik supports only TCP mode. I think this is also the case for the latest stable 6.48.1.

https://wiki.mikrotik.com/wiki/OpenVPN

I’m not trying to run OpenVPN on the Mikrotik router itself, nor do I want to.

I’m running OpenVPN on a separate server on my network (192.168.88.2, as mentioned in the first post). I just want to get the UDP packets from the public internet to that server.

Does the router somehow discriminate against UDP packets meant for an OpenVPN server? Does it not support forwarding UDP at all? Or is there simply an error in the rules I have set up?

Try this

add action=dst-nat chain=dstnat dst-address=your_public_ip dst-port=1194
protocol=udp to-addresses=192.168.88.2 to-ports=1194

I tried disabling all rules and having only my first rule (masquerade) and that one, and UDP still doesn’t get routed correctly. If I change it from UDP to TCP it works fine. =/