
I use an OVH VPS as a VPN for DDoS protection. While testing using UDP for the client > server tunnel, I noticed that when an attack triggers OVH's VAC mitigation (cannot be disabled), the traffic between the server and client is disrupted. Meaning OVH's VAC system was treating my client's UDP traffic as an attacker and blocking it. I know this is the issue because of a post from a different OVH customer on the OVH website.

Keeping that in mind, I switched the tunnel to TCP. But now, when the client connects to a game, I see he is using UDP to connect to the actual game. As predicted, launching a load test (simulated DDoS attack) on the server disconnected my client from the game but not from the actual VPN server.

TL;DR: I need to make my OpenVPN server use ONLY TCP for gaming connections; DNS seems okay. Although my client's tunnel is established in TCP, the server connects to the game through UDP. How do I make the server only use TCP in gaming connections?

Edit: Maybe an iptables rule to reject forwarded UDP traffic or encourage TCP?

2 Answers


You can try this on the command line:

openvpn --proto tcp-client client.ovpn


Alternatively, you set the protocol to tcp-client and the protocol to tcp per route in your profile (if it has any). In the example below, you would make sure the proto tcp-client is there and you would change remote 1.2.3.4 1194 udp to remote 1.2.3.4 1194 tcp.

client
dev tun
proto tcp-client
remote examplevpn.net 443
remote 1.2.3.4 1194 udp
remote 1.2.3.4 443 tcp

auth-user-pass

resolv-retry infinite
nobind
persist-tun
persist-key
persist-remote-ip

cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
remote-cert-tls server
verify-x509-name us-il name-prefix
key-direction 1
comp-lzo no
verb 3

;ca ca.crt
  • Didn't work. I'm looking to make all the client's traffic (except DNS of course) TCP traffic.
    – Ecstasy
    Commented Aug 3, 2019 at 6:04
  • This just yields Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: proto-server (2.5.1). Commented Oct 13, 2023 at 13:46

Your title doesn't match your question; your OpenVPN tunnel is already using TCP, but the tunnelled data itself is outside OpenVPN's control and even outside your control.

If the game has been written to use UDP, it will use UDP, and more importantly, the game servers expect clients to be using UDP. So if you convert the packets to TCP before they leave the VPN server, the game servers won't know what to do with them.

Your only option in general is to block UDP entirely. If the game supports TCP as an alternative, it'll have no choice but to use it. If the game requires UDP, it won't work at all.

  • The game can use TCP or UDP. I've seen connections, even coming from my VPN, that were TCP at times. I just want to make it entirely TCP when it comes to game connections.
    – Ecstasy
    Commented Jul 26, 2019 at 6:45
  • Do you know that it supports TCP as an alternative to UDP, instead of just using both for different purposes (TCP for login, UDP for gameplay)? Commented Jul 26, 2019 at 7:00
  • The game is Grand Theft Auto 5, and I've seen mostly UDP connections, but there are also a lot of TCP connections. It seems to be a speed thing, because when I see higher-end connections (people who have Google Fiber, Spectrum, Comcast Business, etc.), they tend to get TCP connections.
    – Ecstasy
    Commented Jul 26, 2019 at 7:07
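The approach the asker floats in the edit (an iptables rule to reject forwarded UDP) and the second answer's "block UDP entirely" come down to the same few rules on the VPN server. The script below is an added example, not code from the question or either answer: it rejects every UDP flow forwarded in from the tunnel except DNS, so a game that can fall back to TCP has to, while a game that requires UDP simply stops working, exactly as the answer warns. The interface name tun0, the VPN subnet 10.8.0.0/24, and the chain name VPN_UDP_FILTER are assumptions for illustration; set IPT_DRY_RUN=1 to print the rules instead of applying them, since applying needs root.

```shell
#!/bin/sh
# Added example: force tunnelled clients onto TCP by rejecting forwarded UDP,
# with DNS (UDP/53) left open. Assumed values: tun0, 10.8.0.0/24, VPN_UDP_FILTER.

TUN_IF="${TUN_IF:-tun0}"            # assumed OpenVPN interface name
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # assumed OpenVPN client subnet

# Run an iptables command, or just echo it when IPT_DRY_RUN=1.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Install the filter in its own chain so it can be removed without touching
# any other FORWARD rules the server already has.
install_udp_block() {
    ipt -N VPN_UDP_FILTER
    # DNS stays on UDP: the asker explicitly wants it left alone.
    ipt -A VPN_UDP_FILTER -p udp --dport 53 -j ACCEPT
    # Everything else on UDP is refused with an ICMP error, so the client
    # notices immediately rather than waiting on a silent DROP.
    ipt -A VPN_UDP_FILTER -p udp -j REJECT --reject-with icmp-port-unreachable
    # Only UDP arriving from the tunnel is sent through the new chain.
    ipt -I FORWARD 1 -i "$TUN_IF" -s "$VPN_NET" -p udp -j VPN_UDP_FILTER
}

# Undo install_udp_block: unhook the chain, empty it, delete it.
remove_udp_block() {
    ipt -D FORWARD -i "$TUN_IF" -s "$VPN_NET" -p udp -j VPN_UDP_FILTER
    ipt -F VPN_UDP_FILTER
    ipt -X VPN_UDP_FILTER
}

# Number of iptables invocations the install step makes (dry-run count).
rule_count() {
    ( IPT_DRY_RUN=1; install_udp_block ) | wc -l | tr -d ' '
}

# Usage: IPT_DRY_RUN=1 sh thisfile.sh to preview; run as root to apply.
if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
    install_udp_block
fi
```

After applying the rules, `iptables -L FORWARD -v -n` shows the packet counters on the VPN_UDP_FILTER jump climbing while the client plays, which is the quickest way to confirm the game's UDP is actually being refused and that it re-tries over TCP rather than failing outright. Note that this only affects traffic forwarded through the server; the TCP tunnel to OpenVPN itself is untouched.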
