LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1 - 11-01-2013, 09:27 PM
munkz (Member)
Question regarding openvpn and ccd


Hi,

I have a working OpenVPN install. However, I am seeing multiple packet drops related to non-routable IP addresses. I understand that I can assign a route using ccd for clients sitting behind a router.

My problem is that the client's gateway / router can change. So, in a case where a client connects at a hotspot local to them, I have no control over what their actual IP is.

An example:
Code:
openVPN-GATEWAY <--> HOTSPOT <--> ( some public facing ip ) <--> CLIENT --( private ip space / rfc1918 )
With the above I get random packet drops like those listed below:
Code:
gerp/66.123.200.100:28693 MULTI: bad source address from client [192.168.1.125], packet dropped
Now, I can tell OpenVPN, using the user config dir (ccd), that the client is actually sitting on a private IP behind a router by doing the following:

Code:
iroute 192.168.4.0 255.255.255.0
My understanding of the above: this would open up / route to all addresses on the 192.168.4.0 subnet. I don't want this for many reasons. What I would rather do is have it be like:

Code:
iroute 192.168.4.21 255.255.255.255
where 192.168.4.21 is the client's IP on the connecting LAN.

Can I not also add the route to the client-config-directory file? Or does that have to go in the server's config?

Since this would be dynamic, I'm not sure how OpenVPN would know about the added route if it's not reloaded. Reloading the whole daemon for each client connect seems like a no.

Would appreciate any input.
 
#2 - 11-03-2013, 12:16 PM
psycroptic (Member)
So are you wanting to restrict access by VPN clients to only 192.168.4.21? If so, iptables can do it:

Code:
.
.
.
iptables -A FORWARD -s vpn.subnet.range.0/24 -d 192.168.4.21/32 -j ACCEPT
iptables -A FORWARD -s vpn.subnet.range.0/24 -d 192.168.4.0/24 -j DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
.
.
.
You should still use "iroute 192.168.4.0 255.255.255.0" in the OpenVPN server config.

Last edited by psycroptic; 11-03-2013 at 12:18 PM.
 
#3 - 11-03-2013, 01:29 PM
munkz (Member, Original Poster)
Hi,

Actually I am trying to configure it to map the client's "actual" IP. It's not that I wish to map traffic to the client. I am seeing drops related to OpenVPN not having a route to a private IP range. The clients may or may not be sharing something. In this case I am only looking to address the drop of packets.

A log example:

Code:
Sat Nov  2 12:14:59 2013 us=533871 gerp/24.205.70.162:46482 MULTI: bad source address from client [192.168.5.3], packet dropped
Now, in the above, that drop could be going to any private IP range. My issue is that what appear to be random drops are occurring for ANY IP the client connects from. This makes sense to me, as from the connect logs I am only seeing the physical gateway IP that the client is behind associated with the initial request and mapping. I am not sure if this is something that I need to push to the client or if it's something that I need to set on the server.

Being that I just set up FreeRADIUS and MySQL to act as part of the authentication process, I am just trying to make sure I have covered all my bases. I understand that I may be confusing; however, much of this is related to me not knowing what I don't know. I mean, if the client's default gateway is set to the VPN, the only way I would be seeing the client's actual IP is as it is behind its AP, so I can only assume something is very wrong.
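An added example, not from any poster in this thread: a small Python parser that runs over OpenVPN log lines in the "MULTI: bad source address" format quoted above, counts the leaked source addresses per client common name, and emits the host-specific /32 iroute lines the original poster proposes for RFC 1918 sources only. The log lines (other than the two quoted in the thread), the common name "alice" and the peer address 203.0.113.7 are constructed; the output is a list for review, since that drop is OpenVPN's anti-spoofing check and non-private sources should be investigated rather than routed.

```python
import re
import ipaddress
from collections import defaultdict
# Constructed sample log in the format of the "MULTI: bad source address" lines
# quoted in the thread (the first and third lines are the thread's own).
SAMPLE_LOG = """\
Sat Nov  2 12:14:59 2013 us=533871 gerp/24.205.70.162:46482 MULTI: bad source address from client [192.168.5.3], packet dropped
Sat Nov  2 12:15:01 2013 us=533900 gerp/24.205.70.162:46482 MULTI: bad source address from client [192.168.5.3], packet dropped
Sat Nov  2 12:20:10 2013 us=101010 gerp/66.123.200.100:28693 MULTI: bad source address from client [192.168.1.125], packet dropped
Sat Nov  2 12:21:00 2013 us=202020 alice/203.0.113.7:1194 MULTI: bad source address from client [10.0.0.5], packet dropped
Sat Nov  2 12:22:00 2013 us=303030 alice/203.0.113.7:1194 MULTI: bad source address from client [198.51.100.9], packet dropped
Sat Nov  2 12:23:00 2013 us=404040 gerp/66.123.200.100:28693 TLS: soft reset sec=3600 bytes=0/0 pkts=0/0
"""

# OpenVPN prefixes per-client messages with common_name/peer_ip:port.
BAD_SRC = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<peer>[\d.]+):\d+ MULTI: bad source address "
    r"from client \[(?P<src>[\d.]+)\], packet dropped"
)

# RFC 1918 only: the stdlib's is_private would also accept documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_bad_source(lines):
    """Yield (common_name, peer_ip, leaked_src_ip) for every bad-source drop."""
    for line in lines:
        m = BAD_SRC.search(line)
        if m:
            yield m["cn"], m["peer"], m["src"]

def summarize(lines):
    """Map common name -> {leaked source IP: drop count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for cn, _peer, src in parse_bad_source(lines):
        counts[cn][src] += 1
    return {cn: dict(srcs) for cn, srcs in counts.items()}

def suggested_iroutes(summary):
    """Per CN, the /32 iroute lines the OP proposes, for RFC 1918 sources only;
    other sources are returned separately so they get investigated, not routed."""
    suggestions, flagged = {}, {}
    for cn, srcs in summary.items():
        for src in sorted(srcs):
            ip = ipaddress.ip_address(src)
            if any(ip in net for net in RFC1918):
                suggestions.setdefault(cn, []).append(f"iroute {src} 255.255.255.255")
            else:
                flagged.setdefault(cn, []).append(src)
    return suggestions, flagged
```

Feed `summarize()` the lines of the server log and write each CN's suggested lines to its ccd file only after confirming that client really sits on that LAN.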