OpenVPN TCP vs UDP

Thomas Charron twaffle at gmail.com
Thu Jul 12 17:27:00 EDT 2007


On 7/12/07, Ben Scott <dragonhawk at gmail.com> wrote:
> On 7/12/07, Thomas Charron <twaffle at gmail.com> wrote:
> > UDP is not bidirectional by nature.
>   I'm not really sure what you think that proves.  IP is
> connectionless, too.  But most application protocols *are*
> bidirectional by nature, including just about every UDP protocol ever
> invented, including DNS, NTP, BOOT/DHCP, SNMP, etc., etc., etc.

And there is no reliably standard way to provide full UDP NAT
traversal, which is why companies like Skype roll their own solution.

> > People have used it in this manner because a long time ago Linksys ...
>   Um, NAT was around long before LinkSys began selling cheap routers.

  Linksys was the first NAT manufacturer to my knowledge to
AUTOMATICALLY assume that a return UDP packet to the same port should
be forwarded to the original internal machine without requiring an
explicit rule to allow this to occur.

>   UDP is no harder (or easier) to do dynamic NAT with than TCP is.  In
> both cases, all you have to do is note the peer IP address and both
> port numbers, and create a temporary forwarding rule.

  By your own statement, explain then why NAT routers need to do
'funny things' with very basic UDP based services, like DNS.

> Because TCP is
> connection-oriented, you can also expire the rule when the connection
> is closed, which is nice.  UDP does not give you that.  Otherwise, TCP
> and UDP NAT is identical.

  RTP streams utilized in VoIP have two distinct streams sending data
via UDP which have nothing to do with each other from the network's
perspective.

>   Maybe you're thinking of stateless packet filter firewalls, a la
> Linux 2.0.  Because TCP is connection-oriented, you can cheaply block
> incoming TCP connection attempts by looking for the SYN bit.  No such
> luck with UDP.

  I understand the difference.  But a TCP packet has a logical
connection associated with it, so you can be sure where the packet
needs to go back to.  With UDP, there is a massive assumption which is
made which may be false.

  If I have two computers, for instance, internal to a NAT which uses
these rules, both trying to bittorrent a file using, say, BitComet on
the same port, it simply will not work.

  Or, a better example, if I'm at work, and my housemate is at work,
and we both try to use OpenVPN over UDP while traversing our pfSense
firewall at home, using an OpenVPN server internal to the
Firewall/NAT, it simply won't work right.

-- 
-- Thomas
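
A toy model of the per-flow NAT rule the two posters are arguing about, added here as an example and not code from the thread: it records the peer address plus both port numbers for each flow as Ben describes, frees a TCP rule as soon as the connection closes, and can only reclaim a UDP rule with an idle timer. The `Nat` class, the idle timeout and the 192.168.1.x / 198.51.100.5 addresses are constructed for illustration.

```python
import itertools

class Nat:
    """Toy NAPT: one rule per (proto, inside host:port, peer host:port), as the thread describes."""
    def __init__(self, udp_idle=30):
        self.udp_idle = udp_idle          # constructed: seconds before an idle UDP rule is dropped
        self._ports = itertools.count(40000)
        self.table = {}                   # public port -> [flow key, last-seen time]

    def outbound(self, proto, in_ip, in_port, peer_ip, peer_port, now):
        """Translate an outgoing packet; returns the public source port chosen."""
        key = (proto, in_ip, in_port, peer_ip, peer_port)
        for pub, e in self.table.items():
            if e[0] == key:               # existing rule: refresh and reuse it
                e[1] = now
                return pub
        pub = next(self._ports)           # fresh public port, so two inside hosts never collide
        self.table[pub] = [key, now]
        return pub

    def inbound(self, proto, peer_ip, peer_port, pub, now):
        """Route a reply; returns (inside ip, inside port) or None if nothing matches."""
        e = self.table.get(pub)
        if e is None or e[0][0] != proto or e[0][3:] != (peer_ip, peer_port):
            return None                   # unsolicited, or from a different peer: dropped
        e[1] = now
        return e[0][1], e[0][2]

    def tcp_close(self, pub):
        """TCP: the FIN/RST exchange tells the NAT it can free the rule at once."""
        self.table.pop(pub, None)

    def expire(self, now):
        """UDP: there is no close signal, so only an idle timer can reclaim the rule."""
        stale = [p for p, e in self.table.items() if e[0][0] == "udp" and now - e[1] > self.udp_idle]
        for p in stale:
            del self.table[p]

def two_clients_one_server():
    """Constructed scenario: two inside hosts, same UDP source port, same OpenVPN server."""
    nat, srv = Nat(), ("198.51.100.5", 1194)          # constructed TEST-NET-2 server address
    a = nat.outbound("udp", "192.168.1.10", 1194, *srv, now=0)
    b = nat.outbound("udp", "192.168.1.11", 1194, *srv, now=0)
    t = nat.outbound("tcp", "192.168.1.10", 1194, *srv, now=0)   # same client, TCP variant
    replies = (nat.inbound("udp", *srv, a, now=1), nat.inbound("udp", *srv, b, now=1))
    nat.tcp_close(t)                                  # FIN seen: TCP rule freed immediately
    open_after_close = len(nat.table)                 # the two UDP rules are still there
    nat.expire(now=100)                               # idle timer finally reclaims them
    return a != b, replies, open_after_close, len(nat.table)
```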