LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 11-01-2013, 10:27 PM   #1
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Rep: Reputation: 2
Question regarding openvpn and ccd


Hi,

I have a working openvpn install. However, I am seeing multiple packet drops related to non-routable IP addresses. I understand that I can assign a route using ccd for clients sitting behind a router.

My problem is that the clients gateway / router can change. So, in a case where a client connects at a hotspot local to them, I have no control over what their actual ip is.

An example :
Code:
openVPN-GATEWWAY <--> HOTSPOT <--> ( some public facing ip ) <--> CLIENT --( private ip space / rfc1918 )
With the above I get random packet drops like those listed below :
Code:
gerp/66.123.200.100:28693 MULTI: bad source address from client [192.168.1.125], packet dropped
Now, if I can tell openVPN, using the user config dir ( ccd ) that the client is actually sitting on a private ip behind a router doing the following :

Code:
iroute 192.168.4.0 255.255.255.0
My understanding of the above : this would open up / route to all address on the 192.168.4.0 subnet. I dont want this for many reasons. What I would rather do is have it be like :

Code:
iroute 192.168.4.21 255.255.255.255
where 192.168.4.21 is the clients ip on the connecting lan

Can I not also add the route to the client_config-directory file? Or does that have to go in the servers config?

Since* this would be dynamic, not sure how openVPN would know about the added route if its not reloaded. Reloading the whole daemon for each client connect seems like a no.

Would appreciate any input.
 
Old 11-03-2013, 01:16 PM   #2
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Rep: Reputation: Disabled
so are you wanting to restrict access by vpn clients to only 192.168.4.21? if so iptables can do it:

Code:
.
.
.
iptables -A FORWARD -s vpn.subnet.range.0/24 -d 192.168.4.21/32 -j ACCEPT
iptables -A FORWARD -s vpn.subnet.range.0/24 -d 192.168.4.0/24 -j DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
.
.
.
you should still use "iroute 192.168.4.0 255.255.255.0" in openvpn server config.

Last edited by psycroptic; 11-03-2013 at 01:18 PM.
 
1 members found this post helpful.
Old 11-03-2013, 02:29 PM   #3
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Original Poster
Rep: Reputation: 2
HI,

Actually I am trying to configure it to map the clients "actual" ip. It not that I wish to map traffic to the client. I am seeing drops related to openvpn not having a route to a private IP range. The clients may or may not be sharing something. In this case I am only looking to address the drop of packets.

A log example :

Code:
Sat Nov  2 12:14:59 2013 us=533871 gerp/24.205.70.162:46482 MULTI: bad source address from client [192.168.5.3], packet dropped
NOw, in the above that drop could be going to any private ip range. My issue is that, what appears to be random, drops occurring for ANY ip the client connects from. This makes since to me as from the connect logs I am only seeing the physical gateway ip that the client is behind associated with the initial request and mapping. I am not sure if this some thing that I Need to push to the client or if its something that I need to set with the server.

Being that I just set up freeRADIUS and mysql to act as the part or the authentication process, I am just trying to make sure I have covered all my bases. I understand that I may confusing; however, much of this is realted to me not knowing what I dont know. I mean, if the clients default gateway is set to the vpn, the only way I would be seeing the clients actual IP as it is behind its AP I can only assume something is very wrong.
 
  


Reply

Tags
openvpn, route, vpnclient


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenVPN question Vcepelin Linux - Software 1 08-04-2010 09:22 PM
openvpn question cizzi Linux - Software 2 12-12-2009 07:32 AM
OpenVPN question izghitu Linux - Software 1 02-15-2008 07:56 PM
OpenVpn question hasnain110 Linux - Networking 5 11-25-2007 09:50 AM
OpenVPN Question : connecting 5-6 comps with OpenVPN duryodhan Linux - Networking 7 02-15-2007 11:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:21 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration