UDP reverse proxying for OpenVPN isn't working using Nginx streams

akb-nginx nginx-forum at forum.nginx.org
Wed Apr 26 12:32:08 UTC 2017


Hi.

I was just wondering whether UDP stream proxying on Nginx is in its infancy
or there is something which I am doing wrong. I have this simple config: 

events { worker_connections  1024; }

worker_processes  1;
error_log /dev/stderr debug;
daemon off;

stream {
server {
    listen X.X.X.X:1194 udp;
    proxy_pass 127.0.0.1:1195;
}
}

to make Nginx a reverse proxy for my OpenVPN server listening on UDP port
1195 on localhost. But it just doesn't work. When a client connects, Nginx
keeps logging these lines on stderr:

2017/04/26 12:14:43 [notice] 17125#0: using the "epoll" event method
2017/04/26 12:14:43 [notice] 17125#0: nginx/1.11.13
2017/04/26 12:14:43 [notice] 17125#0: built by gcc 4.9.2 (Debian 4.9.2-10) 
2017/04/26 12:14:43 [notice] 17125#0: OS: Linux 3.16.0-4-amd64
2017/04/26 12:14:43 [notice] 17125#0: getrlimit(RLIMIT_NOFILE): 1024:4096
2017/04/26 12:14:43 [notice] 17125#0: start worker processes
2017/04/26 12:14:43 [notice] 17125#0: start worker process 17126
2017/04/26 12:14:47 [info] 17126#0: *1 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *1 udp proxy 127.0.0.1:55424 connected to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *3 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *3 udp proxy 127.0.0.1:48958 connected to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *5 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *5 udp proxy 127.0.0.1:56732 connected to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *7 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *7 udp proxy 127.0.0.1:60363 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *9 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *9 udp proxy 127.0.0.1:52499 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *11 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *11 udp proxy 127.0.0.1:48850 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *13 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *13 udp proxy 127.0.0.1:60125 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *15 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *15 udp proxy 127.0.0.1:54133 connected to 127.0.0.1:1195
2017/04/26 12:14:52 [info] 17126#0: *17 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:52 [info] 17126#0: *17 udp proxy 127.0.0.1:50184 connected to 127.0.0.1:1195
2017/04/26 12:14:52 [info] 17126#0: *19 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:52 [info] 17126#0: *19 udp proxy 127.0.0.1:48836 connected to 127.0.0.1:1195
2017/04/26 12:14:53 [info] 17126#0: *21 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:53 [info] 17126#0: *21 udp proxy 127.0.0.1:42665 connected to 127.0.0.1:1195
2017/04/26 12:14:56 [info] 17126#0: *23 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
.......................
.......................

Whereas the OpenVPN client is stuck on:

Wed Apr 26 12:14:50 2017 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Wed Apr 26 12:14:50 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Wed Apr 26 12:14:50 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 26 12:14:50 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 12:14:50 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 12:14:50 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Apr 26 12:14:50 2017 UDPv4 link local: [undef]
Wed Apr 26 12:14:50 2017 UDPv4 link remote: [AF_INET]X.X.X.X:1194
Wed Apr 26 12:14:50 2017 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=afcea479 758711e0

Even these trivial setups work as expected:

pen X.X.X.X:1194 127.0.0.1:1195  -U

OR

nc -u -l -p 1194 -c "nc -u 127.0.0.1 1195"

But I fail to understand why Nginx isn't working. By the way, if everything
is replaced with TCP in both the nginx and OpenVPN files, it works. Also UDP
proxying for DNS:

listen X.X.X.X:53 udp; 
proxy_pass 8.8.8.8:53;

works. The Nginx version is: 1.11.13. Will really appreciate any advice on
this.

Thanks & Regards.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273875,273875#msg-273875
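
An added example, not part of the original post: a small script that pairs the "udp client" and "udp proxy" lines of the nginx log above by session number and lists the client endpoints whose datagrams were forwarded to the backend from more than one local source port. The sample lines are copied from the post's log; the function names are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the log in the post; the second entry keeps the mail wrapping.
SAMPLE_LOG = """\
2017/04/26 12:14:47 [info] 17126#0: *1 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *1 udp proxy 127.0.0.1:55424 connected
to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *3 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *3 udp proxy 127.0.0.1:48958 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *9 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *9 udp proxy 127.0.0.1:52499 connected to 127.0.0.1:1195
"""

STAMP = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
EVENT = re.compile(r"\*(?P<sid>\d+) udp (?P<kind>client|proxy) (?P<src>\S+) connected to \S+")

def unwrap(text):
    """Rejoin entries split by mail wrapping: a continuation has no leading timestamp."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def sessions_per_client(text):
    """Map each client endpoint to [(session id, nginx source endpoint toward backend)]."""
    client_of, sessions = {}, defaultdict(list)
    for entry in unwrap(text):
        m = EVENT.search(entry)
        if not m:
            continue
        sid = int(m["sid"])
        if m["kind"] == "client":
            client_of[sid] = m["src"]
        elif sid in client_of:
            sessions[client_of[sid]].append((sid, m["src"]))
    return dict(sessions)

def split_clients(text):
    """Clients whose datagrams reached the backend from more than one source port."""
    return {c: sorted({src for _, src in s})
            for c, s in sessions_per_client(text).items()
            if len({src for _, src in s}) > 1}

if __name__ == "__main__":
    for client, ports in split_clients(SAMPLE_LOG).items():
        print(f"{client}: backend saw {len(ports)} different peers: {', '.join(ports)}")
```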


