How to Test UDP Port Connectivity with Netcat and Nmap: Troubleshooting Guide


2 views

When testing UDP port connectivity between internet-facing servers, traditional TCP-based approaches won't work. UDP's connectionless nature makes port scanning fundamentally different from TCP scanning. Many administrators encounter unexpected results when using tools like netcat and nmap for UDP port verification.

Nmap's default behavior with UDP ports can be misleading. Unlike TCP, where a response clearly indicates an open port, UDP requires special handling:

# Basic UDP scan that might not reveal open ports
nmap -sU -p 1194 remote.server.com

This might show the port as "open|filtered" because UDP typically doesn't respond to probes. The server might be accepting traffic while nmap reports uncertainty.

Here's a better methodology using both netcat and nmap:

# On the receiving server (listening on UDP 1194)
nc -ul -p 1194 -v

# On the sending server (test connectivity)
echo "test" | nc -u remote.server.com 1194 -w 1

Then check the receiving server's console for the "test" message. This confirms actual data transmission.

For more thorough scanning, use these nmap options:

# Version detection with increased retries
nmap -sUV -T4 --version-intensity 2 -p 1194 remote.server.com

# Service-specific probe (for OpenVPN in this case)
nmap -sU --script openvpn-info -p 1194 remote.server.com

Even with iptables disabled, check for:

  • Cloud provider security groups (AWS, GCP, Azure)
  • Host-based firewalls (firewalld, ufw)
  • Network ACLs

Consider these additional utilities:

# Using hping3 for UDP
hping3 -2 -c 3 -p 1194 remote.server.com

# Using socat for persistent testing
socat - udp:remote.server.com:1194

When testing UDP 1194 for OpenVPN, specifically verify:

# Check if OpenVPN is responding to initial handshake
openssl s_client -connect remote.server.com:1194 -showcerts

Remember that successful UDP communication requires both endpoints to be properly configured - a silent failure on one end doesn't necessarily mean the port is closed.

When testing UDP port connectivity between two internet-facing servers, many developers encounter unexpected behavior even with firewall rules disabled. This article explores common pitfalls and provides practical solutions.

Unlike TCP, UDP is connectionless, making port scanning fundamentally different. Nmap's default behavior with UDP ports:

nmap -sU -p 1194 remote.server.com

Often reports "open|filtered" because:

  • UDP doesn't send acknowledgment packets
  • Closed ports may return ICMP unreachable (type 3, code 3)
  • Firewalls might silently drop packets without response

Instead of relying solely on Nmap, implement these verification techniques:

1. Netcat UDP Testing

On receiving server (listener):

nc -ul -p 1194 -v

On sending server:

echo "test" | nc -u remote.server.com 1194 -v

2. Packet Capture Verification

Run tcpdump simultaneously:

tcpdump -i eth0 udp port 1194 -vv

3. Alternative Tools

Consider using specialized UDP tools:

# socat example
socat UDP4-LISTEN:1194,fork -

# hping3 example
hping3 -2 -s 53 -p 1194 remote.server.com

Even with iptables disabled, check:

  • Cloud provider security groups (AWS/Azure/GCP)
  • Network ACLs
  • Intermediate routers/firewalls
  • SELinux policies
  • AppArmor profiles

For OpenVPN (UDP 1194) specifically:

# Temporary OpenVPN server test config
proto udp
port 1194
dev tun
secret test.key

Generate static key:

openvpn --genkey --secret test.key

Then test connectivity before implementing full tunnel configuration.

For persistent issues:

  1. Run simultaneous packet captures on both ends
  2. Check kernel logs (dmesg) for dropped packets
  3. Test with different MTU sizes
  4. Verify routing tables on both servers