UDP reverse proxying for OpenVPN isn't working using Nginx streams

Roman Arutyunyan arut at nginx.com
Wed Apr 26 13:32:29 UTC 2017


Hi,

On Wed, Apr 26, 2017 at 08:32:08AM -0400, akb-nginx wrote:
> Hi.
> 
> I was just wondering whether UDP stream proxying on Nginx is in its infancy
> or there is something which I am doing wrong. I have this simple config: 
> 
> events { worker_connections  1024; }
> 
> worker_processes  1;
> error_log /dev/stderr debug;
> daemon off;
> 
> stream {
> server {
>     listen X.X.X.X:1194 udp;
>     proxy_pass 127.0.0.1:1195;
> }
> }
> 
> to make Nginx a reverse proxy for my OpenVPN server listening on UDP port
> 1195 on localhost. But it just doesn't work. When a client connects, Nginx
> keeps logging these lines on stderr:
> 
> 2017/04/26 12:14:43 [notice] 17125#0: using the "epoll" event method
> 2017/04/26 12:14:43 [notice] 17125#0: nginx/1.11.13
> 2017/04/26 12:14:43 [notice] 17125#0: built by gcc 4.9.2 (Debian 4.9.2-10) 
> 2017/04/26 12:14:43 [notice] 17125#0: OS: Linux 3.16.0-4-amd64
> 2017/04/26 12:14:43 [notice] 17125#0: getrlimit(RLIMIT_NOFILE): 1024:4096
> 2017/04/26 12:14:43 [notice] 17125#0: start worker processes
> 2017/04/26 12:14:43 [notice] 17125#0: start worker process 17126
> 2017/04/26 12:14:47 [info] 17126#0: *1 udp client Y.Y.Y.Y:40332 connected to
> X.X.X.X:1194
> 2017/04/26 12:14:47 [info] 17126#0: *1 udp proxy 127.0.0.1:55424 connected
> to 127.0.0.1:1195
> 2017/04/26 12:14:47 [info] 17126#0: *3 udp client Y.Y.Y.Y:40332 connected to
> X.X.X.X:1194
> 2017/04/26 12:14:47 [info] 17126#0: *3 udp proxy 127.0.0.1:48958 connected
> to 127.0.0.1:1195
> 2017/04/26 12:14:47 [info] 17126#0: *5 udp client Y.Y.Y.Y:40332 connected to
> X.X.X.X:1194
> 2017/04/26 12:14:47 [info] 17126#0: *5 udp proxy 127.0.0.1:56732 connected
> to 127.0.0.1:1195

Stream UDP proxy creates a session for every client packet.
That packet is proxied separately from other client packets with a new
proxy client port each time and a response for this packet is proxied back.

While this works fine for protocols like DNS, long sessions with multiple
client packets will not work properly.

[..]

-- 
Roman Arutyunyan

