OpenVPN server UDP port not accessible

I have OpenWRT 19.07.2 on a WRT1900ac, running two OpenVPN servers: one via UDP on port 1010 and a second via TCP on port 443 (to pierce through the firewall at work).
Recently I added an OpenVPN client (Mullvad) and am forcing certain traffic through it via VPN policy routing.

All this is working, except I noticed that the UDP VPN server stopped working and I cannot figure out why. I've been reviewing firewall rules but connecting to port 1010 via UDP times out...

Log of VPN starting:

Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Mon Dec 14 21:52:04 2020 daemon.warn openvpn(vpn_UDP)[15310]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: Diffie-Hellman initialized with 2048 bit key
Mon Dec 14 21:52:04 2020 daemon.notice netifd: Interface 'vpn0_udp' is enabled
Mon Dec 14 21:52:04 2020 daemon.notice netifd: Network device 'tun0' link is up
Mon Dec 14 21:52:04 2020 daemon.notice netifd: Interface 'vpn0_udp' has link connectivity
Mon Dec 14 21:52:04 2020 daemon.notice netifd: Interface 'vpn0_udp' is setting up now
Mon Dec 14 21:52:04 2020 daemon.notice netifd: Interface 'vpn0_udp' is now up
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: TUN/TAP device tun0 opened
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: TUN/TAP TX queue length set to 100
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: /sbin/ifconfig tun0 192.168.2.1 pointopoint 192.168.2.2 mtu 1500
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.2
Mon Dec 14 21:52:04 2020 daemon.warn openvpn(vpn_UDP)[15310]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: UDPv4 link local (bound): [AF_INET][undef]:1010
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: UDPv4 link remote: [AF_UNSPEC]
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: MULTI: multi_init called, r=256 v=256
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: IFCONFIG POOL: base=192.168.2.4 size=62, ipv6=0
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: IFCONFIG POOL LIST
Mon Dec 14 21:52:04 2020 daemon.notice openvpn(vpn_UDP)[15310]: Initialization Sequence Completed

This is the log of OpenVPN for Android trying to connect (redacted) and timing out:

2020-12-14 22:05:30 officiële build 0.7.21 draait op samsung SM-N975F (exynos9825), Android 10 (QP1A.190711.020) API 29, ABI arm64-v8a, (samsung/d2seea/d2s:10/QP1A.190711.020/N975FXXS6DTK8:user/release-keys)
2020-12-14 22:05:30 Configuratie bouwen…
2020-12-14 22:05:31 started Socket Thread
2020-12-14 22:05:31 Netwerk status: CONNECTED LTE to MOBILE internet.proximus.be
2020-12-14 22:05:31 Debug state info: CONNECTED LTE to MOBILE internet.proximus.be, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2020-12-14 22:05:31 Debug state info: CONNECTED LTE to MOBILE internet.proximus.be, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2020-12-14 22:05:31 P:WARNING: linker: Warning: "/data/app/de.blinkt.openvpn-AydL3fjRNadc_Vb5Q_NpAg==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2020-12-14 22:05:31 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2020-12-14 22:05:31 Current Parameter Settings:
2020-12-14 22:05:31   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2020-12-14 22:05:31   mode = 0
2020-12-14 22:05:31   show_ciphers = DISABLED
2020-12-14 22:05:31   show_digests = DISABLED
2020-12-14 22:05:31   show_engines = DISABLED
2020-12-14 22:05:31   genkey = DISABLED
2020-12-14 22:05:31   genkey_filename = '[UNDEF]'
2020-12-14 22:05:31   key_pass_file = '[UNDEF]'
2020-12-14 22:05:31   show_tls_ciphers = DISABLED
2020-12-14 22:05:31   connect_retry_max = 0
2020-12-14 22:05:31 Connection profiles [0]:
2020-12-14 22:05:31   proto = udp
2020-12-14 22:05:31   local = '[UNDEF]'
2020-12-14 22:05:31   local_port = '[UNDEF]'
2020-12-14 22:05:31   remote = '****.no-ip.org'
2020-12-14 22:05:31   remote_port = '1010'
2020-12-14 22:05:31   remote_float = DISABLED
2020-12-14 22:05:31   bind_defined = DISABLED
2020-12-14 22:05:31   bind_local = DISABLED
2020-12-14 22:05:31   bind_ipv6_only = DISABLED
2020-12-14 22:05:31   connect_retry_seconds = 2
2020-12-14 22:05:31   connect_timeout = 10
2020-12-14 22:05:31   socks_proxy_server = '[UNDEF]'
2020-12-14 22:05:31   socks_proxy_port = '[UNDEF]'
2020-12-14 22:05:31   tun_mtu = 1500
2020-12-14 22:05:31   tun_mtu_defined = ENABLED
2020-12-14 22:05:31   link_mtu = 1500
2020-12-14 22:05:31   link_mtu_defined = DISABLED
2020-12-14 22:05:31   tun_mtu_extra = 0
2020-12-14 22:05:31   tun_mtu_extra_defined = DISABLED
2020-12-14 22:05:31   mtu_discover_type = -1
2020-12-14 22:05:31   fragment = 0
2020-12-14 22:05:31   mssfix = 1450
2020-12-14 22:05:31   explicit_exit_notification = 0
2020-12-14 22:05:31   tls_auth_file = '[UNDEF]'
2020-12-14 22:05:31   key_direction = not set
2020-12-14 22:05:31   tls_crypt_file = '[UNDEF]'
2020-12-14 22:05:31   tls_crypt_v2_file = '[UNDEF]'
2020-12-14 22:05:31 Connection profiles END
2020-12-14 22:05:31   remote_random = DISABLED
2020-12-14 22:05:31   ipchange = '[UNDEF]'
2020-12-14 22:05:31   dev = 'tun'
2020-12-14 22:05:31   dev_type = '[UNDEF]'
2020-12-14 22:05:31   dev_node = '[UNDEF]'
2020-12-14 22:05:31   lladdr = '[UNDEF]'
2020-12-14 22:05:31   topology = 1
2020-12-14 22:05:31   ifconfig_local = '[UNDEF]'
2020-12-14 22:05:31   ifconfig_remote_netmask = '[UNDEF]'
2020-12-14 22:05:31   ifconfig_noexec = DISABLED
2020-12-14 22:05:31   ifconfig_nowarn = ENABLED
2020-12-14 22:05:31   ifconfig_ipv6_local = '[UNDEF]'
2020-12-14 22:05:31   ifconfig_ipv6_netbits = 0
2020-12-14 22:05:31   ifconfig_ipv6_remote = '[UNDEF]'
2020-12-14 22:05:31   shaper = 0
2020-12-14 22:05:31   mtu_test = 0
2020-12-14 22:05:31   mlock = DISABLED
2020-12-14 22:05:31   keepalive_ping = 0
2020-12-14 22:05:31   keepalive_timeout = 0
2020-12-14 22:05:31   inactivity_timeout = 0
2020-12-14 22:05:31   ping_send_timeout = 0
2020-12-14 22:05:31   ping_rec_timeout = 0
2020-12-14 22:05:31   ping_rec_timeout_action = 0
2020-12-14 22:05:31   ping_timer_remote = DISABLED
2020-12-14 22:05:31   remap_sigusr1 = 0
2020-12-14 22:05:31   persist_tun = ENABLED
2020-12-14 22:05:31   persist_local_ip = DISABLED
2020-12-14 22:05:31   persist_remote_ip = DISABLED
2020-12-14 22:05:31   persist_key = DISABLED
2020-12-14 22:05:31   passtos = DISABLED
2020-12-14 22:05:31   resolve_retry_seconds = 60
2020-12-14 22:05:31   resolve_in_advance = ENABLED
2020-12-14 22:05:31   username = '[UNDEF]'
2020-12-14 22:05:31   groupname = '[UNDEF]'
2020-12-14 22:05:31   chroot_dir = '[UNDEF]'
2020-12-14 22:05:31   cd_dir = '[UNDEF]'
2020-12-14 22:05:31   writepid = '[UNDEF]'
2020-12-14 22:05:31   up_script = '[UNDEF]'
2020-12-14 22:05:31   down_script = '[UNDEF]'
2020-12-14 22:05:31   down_pre = DISABLED
2020-12-14 22:05:31   up_restart = DISABLED
2020-12-14 22:05:31   up_delay = DISABLED
2020-12-14 22:05:31   daemon = DISABLED
2020-12-14 22:05:31   inetd = 0
2020-12-14 22:05:31   log = DISABLED
2020-12-14 22:05:31   suppress_timestamps = DISABLED
2020-12-14 22:05:31   machine_readable_output = ENABLED
2020-12-14 22:05:31   nice = 0
2020-12-14 22:05:31   verbosity = 4
2020-12-14 22:05:31   mute = 0
2020-12-14 22:05:31   gremlin = 0
2020-12-14 22:05:31   status_file = '[UNDEF]'
2020-12-14 22:05:31   status_file_version = 1
2020-12-14 22:05:31   status_file_update_freq = 60
2020-12-14 22:05:31   occ = ENABLED
2020-12-14 22:05:31   rcvbuf = 0
2020-12-14 22:05:31   sndbuf = 0
2020-12-14 22:05:31   sockflags = 0
2020-12-14 22:05:31   fast_io = DISABLED
2020-12-14 22:05:31   comp.alg = 2
2020-12-14 22:05:31   comp.flags = 1
2020-12-14 22:05:31   route_script = '[UNDEF]'
2020-12-14 22:05:31   route_default_gateway = '[UNDEF]'
2020-12-14 22:05:31   route_default_metric = 0
2020-12-14 22:05:31   route_noexec = DISABLED
2020-12-14 22:05:31   route_delay = 0
2020-12-14 22:05:31   route_delay_window = 30
2020-12-14 22:05:31   route_delay_defined = DISABLED
2020-12-14 22:05:31   route_nopull = DISABLED
2020-12-14 22:05:31   route_gateway_via_dhcp = DISABLED
2020-12-14 22:05:31   allow_pull_fqdn = DISABLED
2020-12-14 22:05:31   route 0.0.0.0/0.0.0.0/vpn_gateway/default (not set)
2020-12-14 22:05:31   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2020-12-14 22:05:31   management_port = 'unix'
2020-12-14 22:05:31   management_user_pass = '[UNDEF]'
2020-12-14 22:05:31   management_log_history_cache = 250
2020-12-14 22:05:31   management_echo_buffer_size = 100
2020-12-14 22:05:31   management_write_peer_info_file = '[UNDEF]'
2020-12-14 22:05:31   management_client_user = '[UNDEF]'
2020-12-14 22:05:31   management_client_group = '[UNDEF]'
2020-12-14 22:05:31   management_flags = 16678
2020-12-14 22:05:31   shared_secret_file = '[UNDEF]'
2020-12-14 22:05:31   key_direction = not set
2020-12-14 22:05:31   ciphername = 'AES-256-CBC'
2020-12-14 22:05:31   ncp_enabled = ENABLED
2020-12-14 22:05:31   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2020-12-14 22:05:31   authname = 'SHA512'
2020-12-14 22:05:31   prng_hash = 'SHA1'
2020-12-14 22:05:31   prng_nonce_secret_len = 16
2020-12-14 22:05:31   keysize = 0
2020-12-14 22:05:31   engine = DISABLED
2020-12-14 22:05:31   replay = ENABLED
2020-12-14 22:05:31   mute_replay_warnings = DISABLED
2020-12-14 22:05:31   replay_window = 64
2020-12-14 22:05:31   replay_time = 15
2020-12-14 22:05:31   packet_id_file = '[UNDEF]'
2020-12-14 22:05:31   test_crypto = DISABLED
2020-12-14 22:05:31   tls_server = DISABLED
2020-12-14 22:05:31   tls_client = ENABLED
2020-12-14 22:05:31   ca_file = '[UNDEF]'
2020-12-14 22:05:31   ca_path = '[UNDEF]'
2020-12-14 22:05:31   dh_file = '[UNDEF]'
2020-12-14 22:05:31   cert_file = '[UNDEF]'
2020-12-14 22:05:31   extra_certs_file = '[UNDEF]'
2020-12-14 22:05:31   priv_key_file = '[UNDEF]'
2020-12-14 22:05:31   pkcs12_file = '[INLINE]'
2020-12-14 22:05:31   cipher_list = '[UNDEF]'
2020-12-14 22:05:31   cipher_list_tls13 = '[UNDEF]'
2020-12-14 22:05:31   tls_cert_profile = '[UNDEF]'
2020-12-14 22:05:31   tls_verify = '[UNDEF]'
2020-12-14 22:05:31   tls_export_cert = '[UNDEF]'
2020-12-14 22:05:31   verify_x509_type = 0
2020-12-14 22:05:31   verify_x509_name = '[UNDEF]'
2020-12-14 22:05:31   crl_file = '[UNDEF]'
2020-12-14 22:05:31   ns_cert_type = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 65535
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_ku[i] = 0
2020-12-14 22:05:31   remote_cert_eku = 'TLS Web Server Authentication'
2020-12-14 22:05:31   ssl_flags = 0
2020-12-14 22:05:31   tls_timeout = 2
2020-12-14 22:05:31   renegotiate_bytes = -1
2020-12-14 22:05:31   renegotiate_packets = 0
2020-12-14 22:05:31   renegotiate_seconds = 3600
2020-12-14 22:05:31   handshake_window = 60
2020-12-14 22:05:31   transition_window = 3600
2020-12-14 22:05:31   single_session = DISABLED
2020-12-14 22:05:31   push_peer_info = DISABLED
2020-12-14 22:05:31   tls_exit = DISABLED
2020-12-14 22:05:31   tls_crypt_v2_metadata = '[UNDEF]'
2020-12-14 22:05:31   server_network = 0.0.0.0
2020-12-14 22:05:31   server_netmask = 0.0.0.0
2020-12-14 22:05:31   server_network_ipv6 = ::
2020-12-14 22:05:31   server_netbits_ipv6 = 0
2020-12-14 22:05:31   server_bridge_ip = 0.0.0.0
2020-12-14 22:05:31   server_bridge_netmask = 0.0.0.0
2020-12-14 22:05:31   server_bridge_pool_start = 0.0.0.0
2020-12-14 22:05:31   server_bridge_pool_end = 0.0.0.0
2020-12-14 22:05:31   ifconfig_pool_defined = DISABLED
2020-12-14 22:05:31   ifconfig_pool_start = 0.0.0.0
2020-12-14 22:05:31   ifconfig_pool_end = 0.0.0.0
2020-12-14 22:05:31   ifconfig_pool_netmask = 0.0.0.0
2020-12-14 22:05:31   ifconfig_pool_persist_filename = '[UNDEF]'
2020-12-14 22:05:31   ifconfig_pool_persist_refresh_freq = 600
2020-12-14 22:05:31   ifconfig_ipv6_pool_defined = DISABLED
2020-12-14 22:05:31   ifconfig_ipv6_pool_base = ::
2020-12-14 22:05:31   ifconfig_ipv6_pool_netbits = 0
2020-12-14 22:05:31   n_bcast_buf = 256
2020-12-14 22:05:31   tcp_queue_limit = 64
2020-12-14 22:05:31   real_hash_size = 256
2020-12-14 22:05:31   virtual_hash_size = 256
2020-12-14 22:05:31   client_connect_script = '[UNDEF]'
2020-12-14 22:05:31   learn_address_script = '[UNDEF]'
2020-12-14 22:05:31   client_disconnect_script = '[UNDEF]'
2020-12-14 22:05:31   client_config_dir = '[UNDEF]'
2020-12-14 22:05:31   ccd_exclusive = DISABLED
2020-12-14 22:05:31   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2020-12-14 22:05:31   push_ifconfig_defined = DISABLED
2020-12-14 22:05:31   push_ifconfig_local = 0.0.0.0
2020-12-14 22:05:31   push_ifconfig_remote_netmask = 0.0.0.0
2020-12-14 22:05:31   push_ifconfig_ipv6_defined = DISABLED
2020-12-14 22:05:31   push_ifconfig_ipv6_local = ::/0
2020-12-14 22:05:31   push_ifconfig_ipv6_remote = ::
2020-12-14 22:05:31   enable_c2c = DISABLED
2020-12-14 22:05:31   duplicate_cn = DISABLED
2020-12-14 22:05:31   cf_max = 0
2020-12-14 22:05:31   cf_per = 0
2020-12-14 22:05:31   max_clients = 1024
2020-12-14 22:05:31   max_routes_per_client = 256
2020-12-14 22:05:31   auth_user_pass_verify_script = '[UNDEF]'
2020-12-14 22:05:31   auth_user_pass_verify_script_via_file = DISABLED
2020-12-14 22:05:31   auth_token_generate = DISABLED
2020-12-14 22:05:31   auth_token_lifetime = 0
2020-12-14 22:05:31   auth_token_secret_file = '[UNDEF]'
2020-12-14 22:05:31   port_share_host = '[UNDEF]'
2020-12-14 22:05:31   port_share_port = '[UNDEF]'
2020-12-14 22:05:31   vlan_tagging = DISABLED
2020-12-14 22:05:31   vlan_accept = all
2020-12-14 22:05:31   vlan_pvid = 1
2020-12-14 22:05:31   client = ENABLED
2020-12-14 22:05:31   pull = ENABLED
2020-12-14 22:05:31   auth_user_pass_file = '[UNDEF]'
2020-12-14 22:05:31 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.20-0-g46ce6652] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 24 2020
2020-12-14 22:05:31 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
2020-12-14 22:05:31 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2020-12-14 22:05:31 MANAGEMENT: CMD 'version 3'
2020-12-14 22:05:31 0s seconden aan het wachten tussen verbindingspoging
2020-12-14 22:05:31 MANAGEMENT: CMD 'hold release'
2020-12-14 22:05:31 MANAGEMENT: CMD 'proxy NONE'
2020-12-14 22:05:31 MANAGEMENT: CMD 'bytecount 2'
2020-12-14 22:05:31 MANAGEMENT: CMD 'state on'
2020-12-14 22:05:32 MANAGEMENT: CMD 'password [...]'
2020-12-14 22:05:32 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-12-14 22:05:32 LZO compression initializing
2020-12-14 22:05:32 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2020-12-14 22:05:32 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2020-12-14 22:05:32 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2020-12-14 22:05:32 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2020-12-14 22:05:32 TCP/UDP: Preserving recently used remote address: [AF_INET]*****:1010
2020-12-14 22:05:32 Socket Buffers: R=[262144->262144] S=[262144->262144]
2020-12-14 22:05:32 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2020-12-14 22:05:32 UDP link local: (not bound)
2020-12-14 22:05:32 UDP link remote: [AF_INET]****:1010
2020-12-14 22:05:32 MANAGEMENT: >STATE:1607979932,WAIT,,,,,,
2020-12-14 22:05:42 Server poll timeout, restarting
2020-12-14 22:05:42 TCP/UDP: Closing socket
2020-12-14 22:05:42 SIGUSR1[soft,server_poll] received, process restarting
2020-12-14 22:05:42 MANAGEMENT: >STATE:1607979942,RECONNECTING,server_poll,,,,,
2020-12-14 22:05:42 MANAGEMENT: CMD 'hold release'
2020-12-14 22:05:42 0s seconden aan het wachten tussen verbindingspoging
2020-12-14 22:05:42 MANAGEMENT: CMD 'proxy NONE'
2020-12-14 22:05:42 MANAGEMENT: CMD 'bytecount 2'
2020-12-14 22:05:42 MANAGEMENT: CMD 'state on'
2020-12-14 22:05:43 LZO compression initializing
2020-12-14 22:05:43 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2020-12-14 22:05:43 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2020-12-14 22:05:43 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2020-12-14 22:05:43 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2020-12-14 22:05:43 TCP/UDP: Preserving recently used remote address: [AF_INET]*****:1010
2020-12-14 22:05:43 Socket Buffers: R=[262144->262144] S=[262144->262144]
2020-12-14 22:05:43 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2020-12-14 22:05:43 UDP link local: (not bound)
2020-12-14 22:05:43 UDP link remote: [AF_INET]******:1010
2020-12-14 22:05:43 MANAGEMENT: >STATE:1607979943,WAIT,,,,,,


Here you see that OpenVPN is listening on port 1010.

root@WRT1900AC:~# lsof -i -P -n | grep openvpn
openvpn   9128    root    5u  IPv4 1145791      0t0  UDP *:38032
openvpn  12554    root    7u  IPv4  976361      0t0  TCP *:443 (LISTEN)
openvpn  25986    root    7u  IPv4  635393      0t0  UDP *:1010

Relevant configs:
/etc/config/openvpn (redacted):

config openvpn 'vpn_TCP'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option verb '3'
	option tls_server '1'
	option comp_lzo 'adaptive'
	list push 'comp-lzo adaptive'
	list push 'redirect-gateway def1'
	option enabled '1'
	option server '192.168.3.0 255.255.255.0'
	option dev 'tun1'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option ca '/etc/easy-rsa/pki/ca.crt'
	option dh '/etc/easy-rsa/pki/dh.pem'
	option cert '/etc/easy-rsa/pki/issued/******.crt'
	option key '/etc/easy-rsa/pki/private/*******.key'
	option status '/tmp/openvpntcp.log'
	option port '443'
	option proto 'tcp-server'

config openvpn 'vpn_UDP'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option verb '3'
	option tls_server '1'
	option comp_lzo 'adaptive'
	list push 'comp-lzo adaptive'
	list push 'redirect-gateway def1'
	option enabled '1'
	option server '192.168.2.0 255.255.255.0'
	option proto 'udp'
	option dev 'tun0'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option ca '/etc/easy-rsa/pki/ca.crt'
	option dh '/etc/easy-rsa/pki/dh.pem'
	option cert '/etc/easy-rsa/pki/issued/*******.crt'
	option key '/etc/easy-rsa/pki/private/*******.key'
	option status '/tmp/openvpnudp.log'
	option port '1010'

config openvpn 'ovpn_mullvad_se_sto'
	option config '/etc/openvpn/ovpn_mullvad_se_sto.ovpn'
	option enabled '1'

/etc/config/network (part):

config interface 'vpn0_udp'
	option ifname 'tun0'
	option proto 'none'

config interface 'vpn1_tcp'
	option proto 'none'
	option ifname 'tun1'

config interface 'VPN_MULLVAD'
	option ifname 'tun2'
	option proto 'none'

/etc/config/firewall (part):

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option dest_port '1010'
	option src 'wan'
	option name 'Allow-OpenVPN-Inbound-UDP'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option target 'ACCEPT'
	option name 'Allow-OpenVPN-Inbound-TCP'
	option src 'wan'
	option dest_port '443'
	list proto 'tcp'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option syn_flood '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'
	option mtu_fix '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'vpn0_udp vpn1_tcp'
	option name 'vpnserver'
	option mtu_fix '1'
	option forward 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'vpnserver'

config forwarding
	option src 'lan'
	option dest 'vpnserver'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpnserver'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'REJECT'

config zone
	option name 'vpnclient'
	option network 'VPN_MULLVAD'
	option input 'REJECT'
	option masq '1'
	option forward 'REJECT'
	option output 'ACCEPT'
	option mtu_fix '1'

config forwarding
	option dest 'vpnclient'
	option src 'lan'

config forwarding
	option dest 'vpnclient'
	option src 'vpnserver'

Things I tried/investigated:

  1. changed the UDP OpenVPN port, no luck
  2. changed from TCP on port 443, which is working, to UDP on that port; it stops working
  3. using Wireshark and monitoring the respective ports on eth1. I see the TCP traffic come in on port 443, but port 1010 UDP stays quiet.
  4. verify that my ISP isn't blocking anything. My OpenWRT router is in the DMZ of the ISP's router. I checked which ports the ISP blocks and 1010 isn't one of them (https://www2.telenet.be/nl/klantenservice/welke-internetpoorten-blokkeert-telenet)
  5. disabled the vpn client (mullvad), stopped vpn policy routing...

Does the phone resolve to the correct IP of noip?
If you don't see any traffic coming to the router, there is obviously another issue, before the traffic reaches the router. Are you sure you captured the correct interface, protocol, and port in the case of udp?

1 Like

Hi Trendy,
Yes, the no-ip ddns resolves to the correct ip.

I monitored eth1 (WAN) in Wireshark with this command:

ssh root@192.168.1.1 tcpdump -i eth1 -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

In Wireshark I use the filter "tcp.port==443 && ip.addr==[ip from mobile provider]" and I see the data roll in for the working vpn server (TCP 443).
To test the UDP 1010 server, I use "udp.port==1010 && ip.addr==[ip from mobile provider]", or just the port to be sure... but to no avail.

All that's left is an issue with my ISP, I guess?

Just did something I should've done immediately... Rebooted my ISP's router, that fixed it.
All that time spent thinking I misconfigured OpenWRT...

1 Like

As future advice, it would be better to filter with just the protocol and port, in case the packet comes from a different interface.

2 Likes
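The client log in this thread stops at WAIT and then reports "Server poll timeout", which only says that no reply came back. The following added example (not part of the original thread) is a small probe for your own server that sends the first OpenVPN handshake packet over UDP and classifies what returns; the function names are hypothetical, and it assumes a server without tls-auth or tls-crypt, as in the config posted above.

```python
import os
import socket
import sys

# OpenVPN control-channel opcodes (upper 5 bits of the first byte).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_hard_reset(session_id=None):
    """Build the 14-byte packet a client sends first when tls-auth is off.

    Layout: opcode/key_id (1) | session id (8) | ack count (1) | packet id (4)
    """
    sid = session_id if session_id is not None else os.urandom(8)
    first = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0  # key_id 0 -> 0x38
    return bytes([first]) + sid + b"\x00" + (0).to_bytes(4, "big")


def classify_reply(data):
    """Name the kind of datagram that came back."""
    if data and (data[0] >> 3) == P_CONTROL_HARD_RESET_SERVER_V2:
        return "openvpn-reply"   # server saw the packet and answered
    return "other-reply"         # something answered, but not an OpenVPN server


def probe(host, port, timeout=2.0, attempts=3):
    """Return 'openvpn-reply', 'other-reply', 'refused' or 'no-reply'.

    'refused'  : an ICMP port-unreachable came back, so the packet reached a
                 host on which nothing listens on that port.
    'no-reply' : nothing came back at all. The packet was dropped on the way
                 (upstream router, NAT state, firewall), or the server uses
                 tls-auth/tls-crypt and silently ignores unauthenticated
                 packets. A capture on the server side tells the two apart.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected UDP socket so ICMP errors surface
        for _ in range(attempts):
            try:
                s.send(build_hard_reset())
                data = s.recv(2048)
            except socket.timeout:
                continue          # UDP is lossy: retry before giving up
            except ConnectionRefusedError:
                return "refused"
            return classify_reply(data)
    return "no-reply"


if __name__ == "__main__":
    # Usage: python3 probe.py <host> <port>   (run from outside the network)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it from outside the network while `tcpdump -ni any udp port 1010` is capturing on the router: "no-reply" together with an empty capture means the packets are lost before they reach the router.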
