Old 09-28-2008, 11:31 PM   #1
arobinson74
openvpn ipaddress problem: "MULTI: bad source address from client"


I am trying to set up an OpenVPN over UDP on the standard port. Here is the setup I am trying to get working:
  1. tun
  2. udp
  3. only allow client
  4. allow client to see 1 server subnet

I have chosen 192.168.200.0 as the VPN subnet. I want clients to see the 192.168.100.0 subnet. I do not want other machines on the client network to connect through the client. The clients will be Windows (testing on a winxp virtual machine running inside of vmplayer) and the server is Debian etch Linux.

I have everything working up through connecting, but the problem is that it seems that the client is being identified by its non-vpn IP address and not the vpn IP address. For example, my VM is on my local client network as IP 192.168.0.5. Its VPN IP address is 192.168.200.6.

I try to connect to "\\192.168.100.102" (a server computer on the forwarded subnet). On the server log I get this error:
Code:
MULTI: bad source address from client [192.168.0.5], packet dropped

When I search for this error on Google, all the responses that I have found relate to client-config-dir. This should not apply to me as that setting is only for allowing clients to connect through a client, right?

I found one solution where a Mac user said to use "ifconfig tun0 metric -1". Apparently this does not apply to the Debian tunnel as I get this error:
Code:
SIOCSIFMETRIC: Operation not supported

I am using OpenVPN version 2.0.9-4etch1 on the server and OpenVPN GUI 2.0.9 in Windows.

Here is my server.conf:
Code:
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 192.168.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.100.0 255.255.255.0"
# tried with and without:
;push "redirect-gateway"
push "dhcp-option DNS 192.168.200.1"
push "dhcp-option WINS 192.168.200.1"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 10
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Here are the iptables rules I added (eth0 is the outside world, eth1 is the intranet on this server, IP forwarding is enabled):
Code:
## OpenVPN
#iptables -t nat -A POSTROUTING -s 192.168.200.0 -o eth0 -j MASQUERADE
#iptables -A INPUT -i eth0 -p udp --dport 1194 -j LOG --log-prefix "IPTABLES VPN: " --log-level 6
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
#iptables -A FORWARD -i tun0 -s 192.168.200.0/24 -d 192.168.100.0/24 -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

Here is the client.ovpn file:
Code:
client
dev tun
proto udp
remote myserver.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 6
auth-user-pass

I am a bit at a loss at this point. The OpenVPN documentation has not shed any light on my problem.
 
Old 09-28-2008, 11:38 PM   #2
billymayday
Are you sure the connection is coming via the VPN? What are the routes on the client machine ("route print" in Windows)?
 
Old 09-28-2008, 11:50 PM   #3
arobinson74
The client can't see any 192.168.100.x on the local network, and the server is remote, so yes, I am sure that the traffic is over the VPN. Also, the error on the server is from the vnc process.

Here is the Windows "route print" output:
Code:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 96 65 31 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
0x3 ...00 ff 63 b9 e0 b7 ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.200.5   192.168.200.6       1
     12.123.12.12  255.255.255.255      192.168.0.1     192.168.0.5       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0      192.168.0.5     192.168.0.5       20
      192.168.0.0    255.255.255.0      192.168.0.5     192.168.0.5       10
      192.168.0.5  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.0.255  255.255.255.255      192.168.0.5     192.168.0.5       10
    192.168.100.0    255.255.255.0    192.168.200.5   192.168.200.6       1
    192.168.200.1  255.255.255.255    192.168.200.5   192.168.200.6       1
    192.168.200.4  255.255.255.252    192.168.200.6   192.168.200.6       30
    192.168.200.6  255.255.255.255        127.0.0.1       127.0.0.1       30
  192.168.200.255  255.255.255.255    192.168.200.6   192.168.200.6       30
        224.0.0.0        240.0.0.0      192.168.0.5     192.168.0.5       10
        224.0.0.0        240.0.0.0    192.168.200.6   192.168.200.6       30
  255.255.255.255  255.255.255.255      192.168.0.5     192.168.0.5       1
  255.255.255.255  255.255.255.255    192.168.200.6   192.168.200.6       1
Default Gateway:     192.168.200.5
===========================================================================
Persistent Routes:
  None

Note, I substituted the real server IP for 12.123.12.12.
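
Added example, not part of the original posts: the route table from post #3 run through a longest-prefix lookup, to answer whether traffic for the 192.168.100.0 subnet leaves via the VPN adapter. It assumes the Interface column is the address Windows normally uses as the source on that route; `source_matches_route` is a hypothetical helper.

```python
import ipaddress

# Rows copied from the "Active Routes" table in post #3 (broadcast and
# multicast rows left out): destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0    192.168.200.5   192.168.200.6       1
12.123.12.12  255.255.255.255      192.168.0.1     192.168.0.5       1
127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
169.254.0.0      255.255.0.0      192.168.0.5     192.168.0.5       20
192.168.0.0    255.255.255.0      192.168.0.5     192.168.0.5       10
192.168.0.5  255.255.255.255        127.0.0.1       127.0.0.1       10
192.168.100.0    255.255.255.0    192.168.200.5   192.168.200.6       1
192.168.200.1  255.255.255.255    192.168.200.5   192.168.200.6       1
192.168.200.4  255.255.255.252    192.168.200.6   192.168.200.6       30
192.168.200.6  255.255.255.255        127.0.0.1       127.0.0.1       30
"""

def parse_routes(text):
    """Turn route-print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers or blank lines
        dest, mask, gateway, iface, metric = fields
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                       gateway, iface, int(metric)))
    return routes

def lookup(routes, destination):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def source_matches_route(routes, destination, logged_source):
    """True if the source the server logged is the interface address the
    table selects for this destination (hypothetical helper)."""
    route = lookup(routes, destination)
    return route is not None and route[2] == logged_source

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for dest in ("192.168.100.102", "12.123.12.12", "192.168.0.20"):
        net, gw, iface, metric = lookup(routes, dest)
        print(f"{dest:16} via {gw:14} on {iface:14} ({net}, metric {metric})")
    # Source address taken from the server log line in post #1.
    print(source_matches_route(routes, "192.168.100.102", "192.168.0.5"))
```

For 192.168.100.102 the table selects the TAP interface address 192.168.200.6, so the 192.168.0.5 source in the server log is not what this table alone would produce.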
 
Old 09-29-2008, 12:27 AM   #4
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
What I would do:

see if there's an equivalent of traceroute in Windows, and use that to see what's going on, and

fire up wireshark on the server to view the packets as they come in.
 
Old 09-29-2008, 09:30 PM   #5
arobinson74
Member
 
Registered: Nov 2002
Location: Lone Tree, CO
Distribution: Xubuntu Gutsy
Posts: 174

Original Poster
Rep: Reputation: 30
I'll try traceroute. I get the same problem when I use my Ubuntu hardy computer as a client, so it is not Windows-specific.
 
Old 09-29-2008, 10:42 PM   #6
arobinson74
Member
 
Registered: Nov 2002
Location: Lone Tree, CO
Distribution: Xubuntu Gutsy
Posts: 174

Original Poster
Rep: Reputation: 30
I have not found anything useful with traceroute and wireshark is not an option as it depends on ui libraries. I am able to see the server fine (192.168.200.1), but trying anything on the 192.168.100.x subnet fails with the invalid source address.
 
Old 10-02-2008, 06:26 PM   #7
arobinson74
Member
 
Registered: Nov 2002
Location: Lone Tree, CO
Distribution: Xubuntu Gutsy
Posts: 174

Original Poster
Rep: Reputation: 30
Okay, the error message isn't a problem. I switched over to 10.8.0.0 just in case, but I think what fixed it was just push "redirect-gateway".

For some reason I can RDP to 192.168.100.x computers but cannot get access to their file shares (times out). I do not know why smb traffic is not working. I can go to \\192.168.100.1 (the vpn server) just fine, but not any other computer. I am not sure if the fact that the server is a samba box with domain support and the machine is just on a workgroup (not on the domain) makes a difference or not.

At least the remote desktop works now, which is really what my users wanted.
 
  

