Tunnel for UDP

I have hosts A (Linux), B (OpenWrt) and a C1, C2, .... (connected to B).
I need to establish UDP connections from A to C1, C2... via B.

I thought udptunnel may do it, but no longer sure given the options:

Usage: udptunnel -s TCP-port [-r] [-v] UDP-addr/UDP-port[/ttl]
    or udptunnel -c TCP-addr[/TCP-port] [-r] [-v] UDP-addr/UDP-port[/ttl]
     -s: Server mode.  Wait for TCP connections on the port.
     -c: Client mode.  Connect to the given address.
     -r: RTP mode.  Connect/listen on ports N and N+1 for both UDP and TCP.
         Port numbers must be even.
     -v: Verbose mode.  Specify -v multiple times for increased verbosity.

Could someone suggest another approach please?

How about a VPN? WireGuard is simple to setup on all platforms (OpenWrt, big-distro linux, Mac/Win/iOS/Android) and very performant.


That makes sense.
Let me see if I have the pieces correct.

The wg config on A is:

PrivateKey = <private_key_for_host_A>
Address =
ListenPort = 51820
PreUp = 
PostUp =  iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; 
PreDown = 
PostDown = 

PublicKey = <public_key_for_host_B>
AllowedIPs =

the subnet being where the C devices live.

I add ip route add dev wg0 on A.
How do I make sure B will route from to correctly?

I've never needed to do iptables for any of my wg installs, so I can't speak to this part..

It's super easy if you can make the OpenWrt side the listening peer (i.e. the 'server')... in that case, on the B (linux box) side, you'd have a peer config that would have allowed ips of and route allowed IPs enabled.

I can't make B the host because it's behind NAT.

ok... I figured there was a reason.

With that in mind, I don't think you need to do NAT on the linux box, just establish a route of via

If the traffic is originating from anything other than, you'll need to establish either masquerading on the OpenWrt side or setup a route for that subnet so that the OpenWrt side returns the data properly.

You do not have to set a static route.
If you add to the allowed ips then it will usually automatically create a route via the tunnel ( openwrt and ddwrt are exceptions there you need to enable route allowed ips).

On the opewrt side you need to open up the firewall to allow traffic, easiest is to add the wg interface to the lan zone.

1 Like

On the 'listening'/'server' side, the allowed IPs should be just a single /32 address. So the that system needs a route to the other site.

Are the C devices connected to router B's LAN? If you can run Wireguard directly on C so it makes a direct connection to A, you don't need to do any configuration on B, it is just part of the Internet path.

It should be noted here that Wireguard encapsulates the private traffic into UDP packets, so if for example the ISP at B blocks all UDP (unusual but it does happen), Wireguard is not going to work.

Not really, here's an example of a typical WireGuard site-to-site setup:


Ok... makes sense. Thanks for that.

1 Like

As per the site-to-site setup instructions, all I had to do was modify the AllowedIPs field. Now I can reach the C devices with ICMP and UDP packets. Many thanks all around!

However not all is in order.

12:02:37.056788 IP > UDP, length 48
12:02:37.496367 IP > UDP, length 37
12:02:37.496835 IP > UDP, length 70
12:02:37.983403 IP > UDP, length 2
12:02:38.488380 IP > Flags [S], seq 391410959, win 5744, options [mss 1380], length 0
12:02:38.489329 IP > ICMP host unreachable - admin prohibited, length 52
12:02:41.383427 IP > Flags [S], seq 391410959, win 5744, options [mss 1380], length 0
12:02:41.383986 IP > ICMP host unreachable - admin prohibited, length 52 is device A. is B. is a C device.
The code on host A reports that connection to C is established, that authentication succeeded, but then says "No response from C".

I realize this is getting into the specifics of some code you know nothing about, but my question is whether the packet at 12:02:41.383986 could be indicative of a network issue rather than a software issue?

EDIT1. More clues. A and B can ping each other successfully, but B cannot establish a connection to a random port on A. netcat on B reports that "host is unreachable" which is odd and different from host A rejecting packets that actually arrive.
Here's the dump from host B while A is trying to talk to C:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wgclient, link-type RAW (Raw IP), capture size 262144 bytes
12:27:44.651564 IP > device-C.3939: UDP, length 48
12:27:44.931613 IP device-C.3939 > UDP, length 37
12:27:45.092508 IP > device-C.3939: UDP, length 70
12:27:45.428258 IP device-C.3939 > UDP, length 2
12:27:45.935051 IP device-C.55284 > Flags [S], seq 2653498802, win 5744, options [mss 1380], length 0
12:27:46.090593 IP > device-C: ICMP host unreachable - admin prohibited, length 52
12:27:48.821844 IP device-C.55284 > Flags [S], seq 2653498802, win 5744, options [mss 1380], length 0
12:27:48.978880 IP > device-C: ICMP host unreachable - admin prohibited, length 52

Found it. Firewall issue on A. iptable rule order.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.