I have OpenVPN Server on a Raspberry Pi connected to my home broadband, but it's behind a carrier-grade NAT. What's the best way of remote UDP port forwarding to get UDP working on OpenVPN when the server is behind a NAT? The first thing I tried is port forwarding on the router, but it doesn't work due to the CGNAT.
The main reason for this VPN is so I can route internet traffic through my home broadband connection when out and about such as when on public WiFi.
I have a VPS and am currently using $ ssh -R :1194:localhost:1194 ubuntu@myvps on the Raspberry Pi, with GatewayPorts yes in the SSH server config, to port forward. This works when the OpenVPN server protocol is configured so it's on TCP, but not UDP.
I tried socat
VPN server side: $ socat tcp4-listen:1190,reuseaddr,fork UDP:localhost:1194
VPS side: $ socat udp4-listen:1194,reuseaddr,fork tcp:localhost:1190
and $ ssh -R :1190:localhost:1190 ubuntu@myvps
but the OpenVPN client just times out after a minute of trying to connect, and I got:
pi ovpn-server[81373]: ues/127.0.0.1:35092 tls-crypt unwrap error: packet replay
pi ovpn-server[81373]: ues/127.0.0.1:35092 TLS Error: tls-crypt unwrapping failed from [AF_INET]127.0.0.1:35092
pi ovpn-server[81373]: ues/127.0.0.1:35092 tls-crypt unwrap error: bad packet ID (may be a replay): [ #3 / time = (1628117978) Wed Aug 4 23:59:38 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
several times in the OpenVPN server log.
I then tried SSF - Secure Socket Funneling
OpenVPN side: $ ./ssf -V :1194:127.0.0.1:1194 -g myvps
VPS side: $ ./ssfd -g
and it works, but it's slower than TCP and the ssf process uses high CPU on my Pi when there's VPN activity. I suspect this has something to do with the encryption SSF uses, which isn't efficient.
Is there a better way of UDP remote port forwarding so I can get the fastest possible connection? The tunnel doesn't necessarily need encryption because OpenVPN uses encryption anyway.
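An added example, not part of the question above: TCP is a byte stream with no record boundaries, so a plain socat tcp-listen/UDP pair can deliver two OpenVPN datagrams glued together or one datagram cut in half; OpenVPN's tls-crypt packet-ID check then rejects the result, which is consistent with the "bad packet ID (may be a replay)" lines in the log. The relay below carries each UDP datagram over the SSH-forwarded TCP port as a 2-byte length-prefixed record so boundaries survive, and leaves encryption to OpenVPN itself. Everything here is hypothetical: the port numbers 41190/41194, the function names, and the single-client assumption (replies go to the most recent UDP sender, which suits one phone using one VPN). The main block is a constructed localhost demo with a UDP echo standing in for OpenVPN; in real use run run_tcp_side on the Pi and run_udp_side on the VPS, with the ssh -R tunnel between them.

```python
"""Datagram-preserving UDP-over-TCP relay (hypothetical example, not from the post)."""
import socket
import struct
import threading
import time

HEADER = struct.Struct("!H")   # 2-byte big-endian length prefix
MAX_DGRAM = 65535              # largest UDP payload the prefix can describe


def frame(datagram: bytes) -> bytes:
    """Wrap one UDP datagram as a length-prefixed record for the TCP stream."""
    if len(datagram) > MAX_DGRAM:
        raise ValueError("datagram too large for 16-bit length prefix")
    return HEADER.pack(len(datagram)) + datagram


def unframe(buf: bytes):
    """Pull every complete record out of a stream buffer.

    Returns (datagrams, remainder); the remainder is a partial record that
    must be kept until more bytes arrive (handles split and coalesced reads).
    """
    out = []
    while len(buf) >= HEADER.size:
        (n,) = HEADER.unpack_from(buf)
        if len(buf) < HEADER.size + n:
            break
        out.append(bytes(buf[HEADER.size:HEADER.size + n]))
        buf = buf[HEADER.size + n:]
    return out, buf


def run_tcp_side(tcp_listen, udp_target):
    """Pi side: accept the tunnelled TCP stream, hand datagrams to OpenVPN."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(tcp_listen)
    srv.listen(1)
    while True:
        conn, _ = srv.accept()
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.connect(udp_target)          # one UDP flow per TCP connection

        def pump_back():                 # OpenVPN replies -> framed TCP records
            try:
                while True:
                    conn.sendall(frame(udp.recv(MAX_DGRAM)))
            except OSError:
                pass

        threading.Thread(target=pump_back, daemon=True).start()
        buf = b""
        try:
            while chunk := conn.recv(65536):
                dgrams, buf = unframe(buf + chunk)
                for d in dgrams:
                    udp.send(d)
        except OSError:
            pass
        finally:
            conn.close()
            udp.close()                  # unblocks pump_back


def run_udp_side(udp_listen, tcp_peer):
    """VPS side: receive client datagrams, ship them through the TCP tunnel."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(udp_listen)
    tcp = socket.create_connection(tcp_peer)
    peer = [None]                        # address of the latest VPN client

    def pump_back():                     # framed TCP records -> client UDP
        buf = b""
        try:
            while chunk := tcp.recv(65536):
                dgrams, buf = unframe(buf + chunk)
                for d in dgrams:
                    if peer[0]:
                        udp.sendto(d, peer[0])
        except OSError:
            pass

    threading.Thread(target=pump_back, daemon=True).start()
    while True:
        data, addr = udp.recvfrom(MAX_DGRAM)
        peer[0] = addr
        tcp.sendall(frame(data))


if __name__ == "__main__":
    # Constructed demo: a UDP echo server plays the role of OpenVPN on the Pi.
    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind(("127.0.0.1", 0))
    echo_addr = echo.getsockname()

    def echo_loop():
        while True:
            d, a = echo.recvfrom(MAX_DGRAM)
            echo.sendto(d, a)

    threading.Thread(target=echo_loop, daemon=True).start()
    threading.Thread(target=run_tcp_side, args=(("127.0.0.1", 41190), echo_addr), daemon=True).start()
    time.sleep(0.2)
    threading.Thread(target=run_udp_side, args=(("127.0.0.1", 41194), ("127.0.0.1", 41190)), daemon=True).start()
    time.sleep(0.2)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    for msg in (b"packet-one", b"packet-two"):   # sent back-to-back on purpose
        client.sendto(msg, ("127.0.0.1", 41194))
    print([client.recvfrom(MAX_DGRAM)[0] for _ in range(2)])
```

The two datagrams are sent back-to-back so that the TCP leg is likely to carry both in one segment; the length prefix is what lets the far side split them again. A 2-byte prefix covers the maximum UDP payload, and because the SSH tunnel already authenticates and encrypts the hop between VPS and Pi, the relay adds no crypto of its own, which is the CPU cost the SSF approach was paying.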