Incoming connections while using OpenVPN

Sorry, I'm not quite sure what you mean.

My router's default route sends traffic over an OpenVPN client, but I've been trying to allow incoming connections from my regular WAN at the same time. The routing policy in the OUTPUT chain makes sure that when a client in WAN connects to my VPN server port on my router, the router's replies get sent back to the WAN and not over the VPN client, which is the default route. At first I thought the policy wasn't working, but it seems it is; it's a problem with OpenVPN itself, not the routing policy.

Sorry if I've misunderstood what you're asking.


I should note that at this point I can actually connect to the VPN server port from WAN, but the server refuses the connection saying "tls-crypt unwrap error: bad packet ID (may be a replay)"

Anyone have any idea what's causing this? The VPN server is using UDP and tls-crypt. After some searching it seems that switching to TCP may be a solution, but I would rather not do that unless absolutely necessary to avoid it showing up in port scans and other security issues.

Edit: I've switched my VPN server to TCP for now and everything is working, but if anyone knows why the server isn't working with UDP please do let me know, as I prefer UDP for security reasons.
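The reply-routing setup described in the post above (replies to connections that arrived on WAN must leave via WAN even though the default route points into the OpenVPN client tunnel) is usually built from CONNMARK plus an `ip rule`. The following script is an added example, not code from the original thread or from the vpn-policy-routing package; it shows the TCP setup the thread settled on. The interface name `eth0`, gateway `192.0.2.1`, port `1194`, mark `0x1` and table `100` are placeholder assumptions to adjust for your router, and `DRY_RUN=1` (the default) prints the commands instead of executing them so it can be reviewed before use.

```shell
#!/bin/sh
# Added example (not from the thread): connmark-based policy routing so that
# replies to connections that arrived on WAN leave via WAN even when the
# default route points into an OpenVPN client tunnel.
# Assumed/placeholder values: WAN interface eth0, WAN gateway 192.0.2.1,
# OpenVPN server on TCP/1194, fwmark 0x1, routing table 100.

WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-192.0.2.1}"
VPN_PROTO="${VPN_PROTO:-tcp}"
VPN_PORT="${VPN_PORT:-1194}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them (needs root)

# Either print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. A routing table whose default route is the WAN gateway, plus an ip rule
#    that sends any packet carrying our fwmark into that table instead of the
#    main table (where the default route points into the VPN tunnel).
setup_routes() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
}

# 2. Netfilter: remember (CONNMARK) which connections arrived on WAN for the
#    VPN server port, then copy that mark back onto the router's own reply
#    packets in mangle OUTPUT. The kernel re-evaluates the route after mangle
#    OUTPUT when the mark changes, so the ip rule above selects the WAN table.
setup_marks() {
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p "$VPN_PROTO" \
        --dport "$VPN_PORT" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT \
        -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

apply_all() {
    setup_routes
    setup_marks
}

apply_all
```

Two checks worth doing when this does not behave: `ip rule show` should list the fwmark rule above the main table, and strict reverse-path filtering on the WAN interface (`rp_filter=1`) will silently drop the incoming packets because the kernel's best route back to the client is the tunnel, so set it to loose (`2`) for that interface.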

Your rule in PBR, containing WAN and OUTPUT chain, is senseless. You are asking trivial questions, and trying to do what I've suggested only when nothing works. UDP is not trackable, so it shouldn't be used in PBR (however, it can be used in port forwarding).

Oh right, that box is actually blank; that is just an example shown by the web UI for vpn-policy-routing. The documentation does say that those values are definitely just examples and not default values. Sorry for the confusion.

Oh so UDP can't be used with policy routing? In that case I'll have to stick to TCP, at least I can access the VPN server while using a VPN client this way.


Yes, TCP only.


Ah, I wasn't aware of that, thanks.

My OpenVPN server should still be fairly secure running over TCP, right? I know it might show up in port scans, but with tls-crypt the server should still be fairly well protected against exploits of vulnerabilities in OpenVPN, right?


Yes, I think so; security doesn't depend on the protocol.
