Opened 3 years ago

Closed 3 years ago

#509 closed Feature Wish (wontfix)

FTP does not work on OpenVPN with NAT (Windows).

Reported by: gava100 Owned by:
Priority: minor Milestone: release 2.3.5
Component: Generic / unclassified Version: OpenVPN 2.3.5 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: nat ftp
Cc:

Description

FTP (Active mode) does not work with OpenVPN with NAT on Windows.

Although the address is properly replaced in the IP header, the content of the FTP PORT command is not, causing FTP to fail.

FTP Command:
PORT 20,20,0,105,193,117 <- The following address is not replaced by OpenVPN NAT.

On Linux one can use ip_conntrack_ftp, but on Windows there isn't such a solution.

Change History (8)

comment:1 Changed 3 years ago by krzee

  • Resolution set to notabug
  • Status changed from new to closed

OpenVPN does not replace addresses for any applications; that is unrelated to what a VPN is. OpenVPN simply gives a tunnel which packets may be routed over. It is your job to configure applications such as FTP, not OpenVPN's.

comment:2 Changed 3 years ago by cron2

  • Type changed from Bug / Defect to Feature Wish

Actually, krzee is not right here - of course there is "openvpn --client-nat"...

OTOH, this is really a special-case thing which should only be used in very special cases - normally it should not be necessary to do NAT on an OpenVPN client, and thus, the NAT implementation is fairly limited. As you have noticed, it will translate IP headers, but it will not translate IP addresses contained in protocol payloads - not for FTP, not for SIP, not for anything else.

This is not a bug, more a feature-wish - "bug" being "we claim it works", but we know it does not because it is not an implemented feature.

I'm not reopening it, though. IPv4 protocols that require NAT helpers are really slowly going away (like, active FTP - use passive instead, or sftp, which is more secure anyway), and the maintenance effort to keep these very rarely used bits of code alive and well-functioning is not something we can sustain. So, we're not implementing it and I'd even go so far that we would not accept patches to implement this. Sorry.
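As an added illustration (not code from OpenVPN or from this ticket) of the point in the description and in the comment above: a Python model of what a header-only NAT like --client-nat does to the ticket's PORT command, beside what an FTP helper such as ip_conntrack_ftp would do, and the consistency check that decides whether the server's data connection can succeed. The translated address 10.8.0.6, the server address 192.168.1.50 and the packet layout are constructed.

```python
# Added example, not OpenVPN's code. The PORT line is the one from the ticket;
# the addresses 10.8.0.6 / 192.168.1.50 and the packet dict are constructed.
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into ('h1.h2.h3.h4', p1*256+p2)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def format_port(ip, port):
    """Inverse of parse_port: build the PORT line announcing ip:port."""
    h = ip.split(".")
    if len(h) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad address %s:%r" % (ip, port))
    return "PORT %s,%d,%d\r\n" % (",".join(h), port >> 8, port & 0xFF)

def header_only_nat(pkt, inside, outside):
    """What --client-nat does: rewrite the IP header source, leave the payload alone."""
    out = dict(pkt)
    if out["src"] == inside:
        out["src"] = outside
    return out

def ftp_helper_nat(pkt, inside, outside):
    """What an FTP helper adds: also rewrite the address carried in the PORT payload.
    (A real helper also opens the expected data connection; omitted here.)"""
    out = header_only_nat(pkt, inside, outside)
    try:
        ip, port = parse_port(out["payload"])
    except ValueError:
        return out  # not a PORT command, nothing more to translate
    if ip == inside:
        out["payload"] = format_port(outside, port)
    return out

def port_matches_header(pkt):
    """The address announced in PORT must be reachable from the server, i.e. equal
    to the address the control connection came from; otherwise the data connect fails."""
    ip, _ = parse_port(pkt["payload"])
    return ip == pkt["src"]

# Constructed control-channel packet carrying the PORT command quoted in the ticket.
CLIENT_PKT = {"src": "20.20.0.105", "dst": "192.168.1.50",
              "payload": "PORT 20,20,0,105,193,117\r\n"}
```

Running header_only_nat on CLIENT_PKT leaves the payload announcing 20.20.0.105 while the header now says 10.8.0.6, which is exactly the mismatch the reporter observed; ftp_helper_nat keeps the two consistent.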

comment:3 follow-up: Changed 3 years ago by cron2

Oh, our factoids database turns up this one here (thanks, krzee) -
http://www.nanodocumet.com/?p=14 - how to make the windows built-in NAT work for arbitrary connections. Maybe that can be applied to OpenVPN tap interfaces as well, in which case the more full-featured windows NAT should handle FTP just fine.

(I'm not exactly sure about the scenario that you're using, and whether you use OpenVPN's built-in --client-nat or Windows NAT, and if the latter, how you enable it - so out of curiosity, it would be nice to hear a bit more about what you try to do)

comment:4 in reply to: ↑ 3 Changed 3 years ago by gava100

Hi, thanks for the prompt reply and updates.

In fact, I use openvpn with NAT to provide remote maintenance for some medical equipment in hospitals.

The problem though is that there are some old devices (ultrasound and magnetic resonance equipment) in which the only way to transfer files between them is via Active FTP.

So far, openvpn with NAT meets our needs very well. The exception though is the FTP. :-(

Anyway, I'll try the link that you sent and see if it can solve our problem.

Once again, thanks for the feedback.

Replying to cron2:

Oh, our factoids database turns up this one here (thanks, krzee) -
http://www.nanodocumet.com/?p=14 - how to make the windows built-in NAT work for arbitrary connections. Maybe that can be applied to OpenVPN tap interfaces as well, in which case the more full-featured windows NAT should handle FTP just fine.

(I'm not exactly sure about the scenario that you're using, and whether you use OpenVPN's built-in --client-nat or Windows NAT, and if the latter, how you enable it - so out of curiosity, it would be nice to hear a bit more about what you try to do)

comment:5 Changed 3 years ago by volleynbike

Hi,

We also use the client-nat feature for similar application and have found similar difficulty with active ftp. We have no control over the proprietary software that must run over this connection which is hard coded for active ftp. We tried using the howto mentioned above, but it does not function in Win7 -- so Windows NAT is not an option.

Please consider looking at this as a useful feature. It would certainly help us also.

comment:6 Changed 3 years ago by krzee

  • Priority changed from major to minor
  • Resolution notabug deleted
  • Status changed from closed to reopened

comment:7 Changed 3 years ago by krzee

Sorry for assuming that NAT was being done in the OS. This is a bug, like cron2 said.

comment:8 Changed 3 years ago by krzee

  • Resolution set to wontfix
  • Status changed from reopened to closed

After reading this again I see that NAT seems to be working correctly.

from Cron:
"As you have noticed, it will translate IP headers, but it will not translate IP addresses contained in protocol payloads - not for FTP, not for SIP, not for anything else."

It looks like some NAT devices actually do that, but for sure this is a feature request and not a bug (as cron said). For SIP one would use STUN/TURN to achieve it.

Passive mode might help you, or using an OS with a more fully featured NAT.

http://enterprisedt.com/products/edtftpjssl/doc/manual/html/howtoftpthroughafilewall.html
