arobinson74 09-28-2008 11:31 PM

openvpn ipaddress problem: "MULTI: bad source address from client"
I am trying to setup an openvpn over UDP on the standard port. Here is the setup I am trying to get working:
  1. tun
  2. udp
  3. only allow client
  4. allow client to see 1 server subnet

I have chosen as the VPN subnet. I want clients to see the subnet. I do not want other machines on the client network to connect through the client. The clients will be windows (testing on a winxp virtual machine running inside of vmplayer) and the server is Debian etch Linux.

I have everything working up through connecting, but the problem is that it seems that the client is being identified by its non-vpn IP address and not the vpn IP address. For example, my VM is on my local client network as IP Its VPN IP address is

I try to connect to "\\" (a server computer on the forwarded subnet). On the server log I get this error:

MULTI: bad source address from client [], packet dropped
When I search for this error on google, all the responses that I have found relate to client-config-dir. This should not apply to me as that setting is only for allowing clients to connect through a client, right?

I found one solution where a Mac user said to use "ifconfig tun0 metric -1". Apparently this does not apply to the debian tunnel as I get this error:

SIOCSIFMETRIC: Operation not supported
I am using openvpn version 2.0.9-4etch1 on the server and OpenVPN GUI 2.0.9 in windows.

Here is my server.conf:

proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
ifconfig-pool-persist ipp.txt
push "route"
# tried with and without:
;push "redirect-gateway"
push "dhcp-option DNS"
push "dhcp-option WINS"
keepalive 10 120
max-clients 10
user nobody
group nogroup
status openvpn-status.log
verb 6
mute 10
plugin /usr/lib/openvpn/ login

Here are the IPTables rules I added (eth0 is the outside world, eth1 is the intranet on this server, ip forwarding is enabled):

## OpenVPN
#iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
#iptables -A INPUT -i eth0 -p udp --dport 1194 -j LOG --log-prefix "IPTABLES VPN: " --log-level 6
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
#iptables -A FORWARD -i tun0 -s -d -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

Here is the client.ovpn file:

dev tun
proto udp
remote 1194
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 6

I am a bit at a loss at this point. The openvpn documentation has not shed any light on my problem.
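Editor's note on the error quoted above (added example, not part of the original thread): on the server side, OpenVPN only accepts a packet from a connected client if its source address is that client's assigned tunnel address, or falls inside a network granted to that client with an `iroute` line in its client-config-dir file. Any other source is logged as `MULTI: bad source address from client [...]` and dropped. The script below models that check and parses the log line: the pool file, the ccd contents, the log excerpt, and every address in it are constructed for this example, and the `client1`/`client2` names are invented.

```python
import ipaddress
import re

# Constructed sample data for this example (not from the original thread).
# ipp.txt uses the "common-name,tunnel-ip" format that ifconfig-pool-persist writes.
IPP_TXT = """\
client1,10.8.0.6
client2,10.8.0.10
"""

# Constructed client-config-dir contents: ccd/<common-name> holding
# "iroute <network> <netmask>" for a LAN routed *behind* that client.
CCD_FILES = {
    "client2": "iroute 192.168.50.0 255.255.255.0\n",
}

# Constructed server log excerpt in the shape of the line quoted in the thread.
SERVER_LOG = """\
Sun Sep 28 23:10:01 2008 client1/203.0.113.5:41234 MULTI: bad source address from client [192.168.1.23], packet dropped
Sun Sep 28 23:10:05 2008 client1/203.0.113.5:41234 MULTI: bad source address from client [192.168.1.23], packet dropped
Sun Sep 28 23:11:42 2008 client2/198.51.100.9:55011 MULTI: Learn: 192.168.50.7 -> client2/198.51.100.9:55011
"""

BAD_SRC_RE = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<peer>[\d.]+:\d+) MULTI: bad source address from client "
    r"\[(?P<src>[\d.]+)\], packet dropped"
)


def parse_ipp(text):
    """Map common name -> assigned tunnel address from ifconfig-pool-persist text."""
    pool = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cn, ip = line.split(",", 1)
        pool[cn] = ipaddress.ip_address(ip.strip())
    return pool


def parse_iroutes(ccd_text):
    """Networks a client-config-dir file grants to the client via 'iroute'."""
    nets = []
    for line in ccd_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "iroute":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def allowed_sources(cn, pool, ccd_files):
    """Sources the server accepts from this client: its tunnel /32 plus any iroutes."""
    nets = [ipaddress.ip_network(f"{pool[cn]}/32")]
    nets.extend(parse_iroutes(ccd_files.get(cn, "")))
    return nets


def accepts_source(cn, src, pool, ccd_files):
    """True if a packet from client `cn` carrying source `src` passes the check."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_sources(cn, pool, ccd_files))


def bad_source_events(log_text):
    """(common name, rejected source) for every 'bad source address' line."""
    events = []
    for line in log_text.splitlines():
        m = BAD_SRC_RE.search(line)
        if m:
            events.append((m.group("cn"), m.group("src")))
    return events


def explain(log_text, pool, ccd_files):
    """For each drop, state which sources the server would have accepted instead."""
    out = []
    for cn, src in bad_source_events(log_text):
        allowed = ", ".join(str(n) for n in allowed_sources(cn, pool, ccd_files))
        out.append(f"{cn}: dropped source {src}; allowed sources are {allowed}")
    return out


if __name__ == "__main__":
    pool = parse_ipp(IPP_TXT)
    for line in explain(SERVER_LOG, pool, CCD_FILES):
        print(line)
```

The rejected source in the constructed log is the client's LAN address, which is what the server sees when the client's packet left through its LAN interface rather than the tunnel interface. `iroute` is the right fix only when a network genuinely sits behind the client; for a single host the source address has to become the tunnel address, which is a client routing question, not a ccd one.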

billymayday 09-28-2008 11:38 PM

Are you sure the connection is coming via the vpn? What are the routes on the client machine ("route print" in Windows)

arobinson74 09-28-2008 11:50 PM

The client can't see any 192.168.100.x on the local network, and the server is remote, so yes I am sure that the traffic is over the VPN, also the error on the server is from the vnc process.

Here is the windows "route print" output:

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 96 65 31 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
0x3 ...00 ff 63 b9 e0 b7 ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
      1      1      1      20      10      10      10      1      1      30      30      30      10      30      1      1
Default Gateway:
Persistent Routes:

Note, I substituted the real server IP for
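Editor's note on the `route print` output above (added example, not the poster's data): the route a destination matches determines the interface the packet leaves on, and therefore the source address it carries into the tunnel, which is exactly what the server's source-address check inspects. Windows picks the longest matching prefix first and only uses the metric column to break ties. The script below parses a constructed table in `route print` layout (all addresses invented: `192.168.1.50` as the LAN address, `10.8.0.6` as the tunnel address, `192.168.100.0/24` as the pushed server subnet) and shows which interface each destination uses before and after a modelled `push "redirect-gateway"`, which moves the default route onto the tunnel while keeping a host route to the VPN server via the old gateway.

```python
import ipaddress

# Constructed table in the column layout of Windows "route print"
# (Network Destination, Netmask, Gateway, Interface, Metric). Invented values.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
         10.8.0.4  255.255.255.252         10.8.0.6        10.8.0.6      30
         10.8.0.6  255.255.255.255        127.0.0.1       127.0.0.1      30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
    192.168.100.0    255.255.255.0         10.8.0.5        10.8.0.6       1
"""


def parse_route_print(text):
    """Return (network, gateway, interface, metric) tuples; skips header lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
        except ValueError:
            continue  # not a route row
    return routes


def select_route(routes, dst):
    """Longest-prefix match; ties go to the lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))


def source_for(routes, dst):
    """Interface address a packet to `dst` will carry as its source."""
    r = select_route(routes, dst)
    return r[2] if r else None


def redirect_gateway(routes, vpn_server, tunnel_gw, tunnel_iface, metric=30):
    """Model of push "redirect-gateway": keep a host route to the VPN server via
    the old default gateway, then replace the default route with one via the tunnel."""
    old_default = next(r for r in routes if r[0].prefixlen == 0)
    kept = [r for r in routes if r[0].prefixlen != 0]
    kept.append((ipaddress.ip_network(f"{vpn_server}/32"), old_default[1], old_default[2], old_default[3]))
    kept.append((ipaddress.ip_network("0.0.0.0/0"), tunnel_gw, tunnel_iface, metric))
    return kept


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dst in ("192.168.100.20", "192.168.1.7", "8.8.8.8"):
        print(f"{dst:16} -> source {source_for(table, dst)}")
    redirected = redirect_gateway(table, "203.0.113.5", "10.8.0.5", "10.8.0.6")
    print(f"after redirect-gateway, 8.8.8.8 -> source {source_for(redirected, '8.8.8.8')}")
```

With only the pushed /24, a destination inside the server subnet already leaves via the tunnel address; anything else follows the default route out the LAN adapter. After the modelled redirect-gateway the default route itself goes through the tunnel, with the VPN server's own address pinned to the old gateway so the tunnel does not route its own packets into itself.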

billymayday 09-29-2008 12:27 AM

What I would do:

see if there's an equivalent of traceroute in Windows, and use that to see what's going on, and

fire up wireshark on the server to view the packets as they come in.

arobinson74 09-29-2008 09:30 PM

I'll try traceroute. I get the same problem when I use my Ubuntu hardy computer as a client, so it is not windows specific.

arobinson74 09-29-2008 10:42 PM

I have not found anything useful with traceroute and wireshark is not an option as it depends on ui libraries. I am able to see the server fine (, but trying anything on the 192.168.100.x subnet fails with the invalid source address.

arobinson74 10-02-2008 06:26 PM

Okay, the error message isn't a problem. I switched over to just in case, but I think what fixed it was just push "redirect-gateway"

For some reason I can RDP to 192.168.100.x computers but cannot get access to their file shares (times out). I do not know why smb traffic is not working. I can go to \\ (the vpn server) just fine, but not any other computer. I am not sure if the fact that the server is a samba box with domain support and the machine is just on a workgroup (not on the domain) makes a difference or not.

At least the remote desktop works now, which is really what my users wanted.

