openvpn ipaddress problem: "MULTI: bad source address from client"

arobinson74 · 09-28-2008, 11:31 PM

I am trying to setup an openvpn over UDP on the standard port. Here is the setup I am trying to get working:

tun
udp
only allow client
allow client to see 1 server subnet

I have chosen 192.168.200.0 as the VPN subnet. I want clients to see the 192.168.100.0 subnet. I do not want other machines on the client network to connect through the client. The clients will be windows (testing on a winxp virtual machine running inside of vmplayer) and the server is Debian etch Linux.

I have everything working up through connecting, but the problem is that it seems that the client is being identified by its non-vpn IP address and not the vpn IP address. For example, my VM is on my local client network as IP 192.168.0.5. Its VPN IP address is 192.168.200.6.

I try to connect to "\\192.168.100.102" (a server computer on the forwarded subnet). On the server log I get this error:

Code:

MULTI: bad source address from client [192.168.0.5], packet dropped

When I search for this error on google, all the responses that I have found relate to client-config-dir. This should not apply to be as that setting is only for allowing clients to connect through a client, right?

I found one solution where a Mac user said to use "ifconfig tun0 metric -1". Apparently this does not apply to the debian tunnel as I get this error:

Code:

SIOCSIFMETRIC: Operation not supported

I am using openvpn version 2.0.9-4etch1 on the server and OpenVPN GUI 2.0.9 in windows.

Here is my server.conf:

Code:

proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 192.168.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.100.0 255.255.255.0"
# tried with and without:
;push "redirect-gateway"
push "dhcp-option DNS 192.168.200.1"
push "dhcp-option WINS 192.168.200.1"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 10
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Here are the IPTables rules I added (eth0 is the outside world, eth1 is the intranet on this server, ip forwarding is enabled):

Code:

## OpenVPN
#iptables -t nat -A POSTROUTING -s 192.168.200.0 -o eth0 -j MASQUERADE
#iptables -A INPUT -i eth0 -p udp --dport 1194 -j LOG --log-prefix "IPTABLES VPN: " --log-level 6
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
#iptables -A FORWARD -i tun0 -s 192.168.200.0/24 -d 192.168.100.0/24 -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

Here is the client.ovpn file:

Code:

client
dev tun
proto udp
remote myserver.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 6
auth-user-pass

I am a bit at a loss at this point. The openvpn documentation has not shed any light on my problem.

billymayday · 09-28-2008, 11:38 PM

Are you sure the connection is coming via the vpn? What are the routes on the client machine ("route print" in Windows)

arobinson74 · 09-28-2008, 11:50 PM

The client can't see any 192.168.100.x on the local network, and the server is remote, so yes I am sure that the traffic is over the VPN, also the error on the server is from the vnc process.

Here is the windows "route print" output:

Code:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 96 65 31 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
0x3 ...00 ff 63 b9 e0 b7 ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.200.5   192.168.200.6       1
     12.123.12.12  255.255.255.255      192.168.0.1     192.168.0.5       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0      192.168.0.5     192.168.0.5       20
      192.168.0.0    255.255.255.0      192.168.0.5     192.168.0.5       10
      192.168.0.5  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.0.255  255.255.255.255      192.168.0.5     192.168.0.5       10
    192.168.100.0    255.255.255.0    192.168.200.5   192.168.200.6       1
    192.168.200.1  255.255.255.255    192.168.200.5   192.168.200.6       1
    192.168.200.4  255.255.255.252    192.168.200.6   192.168.200.6       30
    192.168.200.6  255.255.255.255        127.0.0.1       127.0.0.1       30
  192.168.200.255  255.255.255.255    192.168.200.6   192.168.200.6       30
        224.0.0.0        240.0.0.0      192.168.0.5     192.168.0.5       10
        224.0.0.0        240.0.0.0    192.168.200.6   192.168.200.6       30
  255.255.255.255  255.255.255.255      192.168.0.5     192.168.0.5       1
  255.255.255.255  255.255.255.255    192.168.200.6   192.168.200.6       1
Default Gateway:     192.168.200.5
===========================================================================
Persistent Routes:
  None

Note, I substituted the real server IP for 12.123.12.12

billymayday · 09-29-2008, 12:27 AM

What I would do:

see if there's an equivalent of traceroute in Windows, and use that to see what's going on, and

fire up wireshark on the server to view the packets as they come in.

arobinson74 · 09-29-2008, 09:30 PM

I'll try traceroute. I get the same problem when I use by Ubuntu hardy computer as a client, so it is not windows specific

arobinson74 · 09-29-2008, 10:42 PM

I have not found anything useful with traceroute and wireshark is not an option as it depends on ui libraries. I am able to see the server fine (192.168.200.1), but trying anything on the 192.168.100.x subnet fails with the invalid source address.

arobinson74 · 10-02-2008, 06:26 PM

Okay, the error message isn't a problem. I switched over to 10.8.0.0 just in case, but I think what fixed it was just push "redirect-gateway"

For some reason I can RDP to 192.168.100.x computers but cannot get access to their file shares (times out). I do not know why smb traffic is not working. I can go to \\192.168.100.1 (the vpn server) just fine, but not any other computer. I am not sure if the fact that the server is a samba box with domain support and the machine is just on a workgroup (not on the domain) makes a difference or not.

At least the remote desktop works now, which is really what my users wanted.