Vyatta Network OS Documentation


Transport protocol (site-to-site, client, server)

By default, OpenVPN uses User Datagram Protocol (UDP) as the underlying transport protocol. Because UDP is connectionless, either side can initiate the VPN tunnel by sending packets to UDP port 1194 (default) on the other endpoint. OpenVPN can also use TCP as the transport. However, if TCP is used, one endpoint must take a passive role (that is, it listens for incoming TCP connections), and the other endpoint must take an active role (that is, it initiates the TCP connection to the TCP port on the passive endpoint).

Each protocol has different advantages in this context. For example, using TCP is much less prone to firewall or NAT problems in networks between the two endpoints. However, when packet losses occur, the TCP retransmissions at the tunnel level may interfere with retransmissions from the individual TCP flows inside the VPN tunnel; therefore, using UDP can result in better performance.

The following example shows and describes the related configuration options.

Configuration options related to protocol type

interfaces {
    openvpn if_name {
        protocol protocol
        local-host local_host_ip
        local-port local_port
        remote-port remote_port
    }
}
  • protocol: This argument is udp, tcp-active, or tcp-passive. If protocol is not specified or if it is specified as udp, then UDP is used. On the other hand, if TCP is used, note the following requirements.
    • As previously discussed, when TCP is used, one endpoint must be active and the other one passive.
    • On the tcp-active endpoint, the remote-host option must be set so that it can initiate the TCP connection.
    • On the tcp-passive endpoint, if the remote-host option is set, then only the specified host can initiate the TCP connection to this endpoint.
    • If TCP is used in remote access mode, the client must be tcp-active and the server must be tcp-passive.
    • When TCP is combined with TLS, the active and passive roles for TCP and TLS should match. In other words, the tcp-active endpoint should also be active for TLS (and similarly for passive). Note that this match is not an OpenVPN restriction, but it is enforced to avoid confusion.
  • local-host: This argument is an IP address on any of the network interfaces on this endpoint. If local-host is set, the OpenVPN process accepts only sessions coming in on the particular IP address. This acceptance applies to both UDP and TCP. If local-host is not set, OpenVPN accepts incoming sessions on any interface. This argument can be used for any of the following:
    • The server endpoint in remote access mode
    • Either endpoint when UDP is used in site-to-site mode
    • The tcp-passive endpoint when TCP is used in site-to-site mode
  • local-port: This argument is the UDP or TCP port number on which OpenVPN accepts incoming sessions. If not set, OpenVPN accepts incoming sessions on the default port of 1194. This argument can be used for any of the following:
    • The server endpoint in remote access mode
    • Either endpoint when UDP is used in site-to-site mode
    • The tcp-passive endpoint when TCP is used in site-to-site mode
  • remote-port: This argument is the UDP or TCP port number on the other endpoint to which OpenVPN initiates sessions. In other words, the other endpoint is accepting sessions on this port. If not set, OpenVPN initiates the session to the default port of 1194 on the remote endpoint. Note that, if set, the remote-port setting on one endpoint must match the local-port setting on the other, and conversely. This argument can be used for any of the following:
    • The client endpoint in remote access mode
    • Either endpoint when UDP is used in site-to-site mode
    • The tcp-active endpoint when TCP is used in site-to-site mode
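The role and port constraints listed above are easy to get wrong when the two endpoints are configured separately, so the following added example (not part of the Vyatta documentation) checks a peered pair of endpoint settings against them; it models each endpoint as a dict keyed by the option names above, with "tls-role" as an assumed key name for the TLS role.

```python
# Consistency check for a peered pair of OpenVPN endpoint configurations. Added
# example, not part of the Vyatta documentation; it encodes the rules stated in the
# text above (complementary TCP roles, remote-host on the tcp-active side, remote-port
# matching the peer's local-port with 1194 as the default, TLS role matching the TCP
# role). Endpoints are dicts keyed by the page's option names; "tls-role" is assumed.
DEFAULT_PORT = 1194  # OpenVPN default UDP/TCP port


def effective_ports(ep: dict) -> tuple:
    """Return (local-port, remote-port) with the 1194 default applied."""
    return ep.get("local-port", DEFAULT_PORT), ep.get("remote-port", DEFAULT_PORT)


def check_pair(a: dict, b: dict) -> list:
    """Return the list of problems found when endpoints a and b are peered."""
    problems = []
    pa, pb = a.get("protocol", "udp"), b.get("protocol", "udp")  # unset means UDP
    if pa == "udp" and pb == "udp":
        directions = [(a, b), (b, a)]  # either side may initiate, so check both ways
    elif {pa, pb} == {"tcp-active", "tcp-passive"}:
        active, passive = (a, b) if pa == "tcp-active" else (b, a)
        directions = [(active, passive)]  # only the active side initiates
        if "remote-host" not in active:
            problems.append("tcp-active endpoint must set remote-host")
    else:
        problems.append(f"TCP needs one tcp-active and one tcp-passive endpoint, got {pa}/{pb}")
        directions = []
    for src, dst in directions:
        remote, local = effective_ports(src)[1], effective_ports(dst)[0]
        if remote != local:
            problems.append(f"remote-port {remote} does not match peer local-port {local}")
    for ep, proto in ((a, pa), (b, pb)):
        role = ep.get("tls-role")
        if role and proto != "udp" and proto != f"tcp-{role}":
            problems.append(f"tls role {role} does not match protocol {proto}")
    return problems


# Constructed sample configurations (addresses from the RFC 5737 documentation range).
SITE_A = {"protocol": "tcp-active", "remote-host": "198.51.100.2",
          "remote-port": 2194, "tls-role": "active"}
SITE_B = {"protocol": "tcp-passive", "local-host": "198.51.100.2",
          "local-port": 2194, "tls-role": "passive"}
# Broken pair: remote-port left at the default and a TLS role contradicting the TCP role.
BAD_A = {"protocol": "tcp-passive", "local-port": 2194}
BAD_B = {"protocol": "tcp-active", "remote-host": "203.0.113.1", "tls-role": "passive"}

if __name__ == "__main__":
    print("SITE_A/SITE_B:", check_pair(SITE_A, SITE_B) or "ok")
    print("BAD_A/BAD_B:", check_pair(BAD_A, BAD_B))
```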