OpenVPN client ip
Hi LQ,
I have OpenVPN running on my VPS; this is the VPN *.conf file I have:
Code:
port 1194
Looking at logs everything goes smoothly apart from this:
Code:
MULTI: bad source address from client [192.168.1.28], packet dropped
Code:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
I hope my message is clear; any help appreciated. Regards! |
May I refer you to my recent post: [HOWTO] A Quick Explanation of Routing Setup With OpenVPN Tunnels.
The iroute directive, which must appear in a client-config-dir entry whose name matches the "common name" of the connecting remote, tells OpenVPN about the existence of a remote subnet. The identity of the file in which this directive appears is what indicates which remote supports that particular subnet. In order to successfully route any packet, OpenVPN must know about the subnet from whence it came or to whence it is going. If it does not, then it has no choice but to drop the packet. It does not attempt to consult operating-system routing tables nor any other resource.

When you connect with the client whose CN= name matches the filename in the CCD subdirectory, you should see messages in the OpenVPN log which indicate that this file has been found and read. You probably do not need any directives other than iroute in this CCD entry. But note that there must also be a corresponding route directive, so that OpenVPN will issue a route command to the host operating system to cause the traffic to be delivered to OpenVPN's tunX virtual device in the first place. (I seem to recall reading that this must be in the main file, but don't quote me on that.)

If you have this entry, but you are still getting "bad source address from client - packet dropped," then it means that OpenVPN is not using the content of that file. It isn't recognizing it. The CN= of the remote's certificate did not exactly match the name of a file within the CCD location, and there also was no DEFAULT entry there. You see this only by the fact that the entries which indicate that a CCD entry was read are not found in the log when this remote connects.

Consider all of the directives that you have chosen to place here, particularly redirect-gateway and duplicate-cn. ... P-a-r-t-i-c-u-l-a-r-l-y the latter, since you are using CCD.
Remember that it is the "common name" which identifies a remote, and in this case you can't tolerate there being more than one simultaneously-connected remote by this particular name. |
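An added check, not code from the thread or from OpenVPN, for the pairing the post above describes: the ccd/<CN> file must carry `iroute` for the client's LAN and the server config must carry the matching `route`. The CN "client1", the subnet 192.168.1.0/24 and the file layout built by make_demo are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Verifies that an OpenVPN server
# config and its client-config-dir agree about a client's LAN subnet:
# ccd/<CN> must hold "iroute NET MASK", server.conf must hold "route NET MASK".
# The CN "client1" and the files written by make_demo are constructed here.

# Escape dots so grep -E matches the subnet literally.
lit() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_ccd SERVER_CONF CCD_DIR CN NET MASK -> 0 only if both directives exist
check_ccd() {
    conf=$1 ccd=$2 cn=$3 net=$(lit "$4") mask=$(lit "$5") rc=0
    if [ ! -f "$ccd/$cn" ]; then
        echo "no CCD entry $ccd/$cn: OpenVPN never learns $4 for this client"; rc=1
    elif ! grep -Eq "^[[:space:]]*iroute[[:space:]]+$net[[:space:]]+$mask" "$ccd/$cn"; then
        echo "$ccd/$cn lacks 'iroute $4 $5'"; rc=1
    fi
    if ! grep -Eq "^[[:space:]]*route[[:space:]]+$net[[:space:]]+$mask" "$conf"; then
        echo "$conf lacks 'route $4 $5': the kernel will not hand that traffic to tunX"; rc=1
    fi
    # CCD entries are looked up by CN, so duplicate-cn undermines per-client iroute.
    if grep -Eq '^[[:space:]]*duplicate-cn' "$conf"; then
        echo "warning: duplicate-cn is set in $conf"
    fi
    return $rc
}

# make_demo DIR GOOD|BROKEN: constructed server.conf plus ccd directory.
# BROKEN has the route but no ccd/client1, the layout behind "bad source address".
make_demo() {
    mkdir -p "$1/ccd"
    printf 'port 1194\ndev tun\nclient-config-dir %s/ccd\n' "$1" > "$1/server.conf"
    echo 'route 192.168.1.0 255.255.255.0' >> "$1/server.conf"
    if [ "$2" = GOOD ]; then
        echo 'iroute 192.168.1.0 255.255.255.0' > "$1/ccd/client1"
    fi
}

# Stand-alone demo: the broken layout is flagged, the fixed one passes.
d=$(mktemp -d)
make_demo "$d/broken" BROKEN
check_ccd "$d/broken/server.conf" "$d/broken/ccd" client1 192.168.1.0 255.255.255.0 || echo "broken layout flagged"
make_demo "$d/good" GOOD
check_ccd "$d/good/server.conf" "$d/good/ccd" client1 192.168.1.0 255.255.255.0 && echo "good layout: OK"
rm -rf "$d"
```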
Code:
Certificate:
For routing I forced the client's C-class network 192.168.1.0 to the B-class 192.168.0.0 for the server network's TUN0 interface, just to make sure there are no conflicts or more iptables directives. Regards |
Pardon me if I'm not going to try to diagnose this myself. :)
When you connect the client in question, you will see in the logs what its "common name" is (as seen by OpenVPN), and, if a ccd entry is successfully found and read, you will also see the effects of the iroute command. (Simply grep for the IP-address of the remote subnet ...) If you don't see that, the ccd entry was not found and OpenVPN does not know about the remote subnet. |
Yes, it looks good so far ... |
What I would be looking for in /var/log/syslog are log entries which make specific reference to the first few octets of the remote subnet ... specifically at-or-about the point where that client is (successfully) connecting to the server.
Disconnect and reconnect the client, then immediately look at the syslog. You should plainly see messages to the effect that the CCD entry has been correctly identified and processed. In the entries you have posted I do not yet see what I am looking for. (And, I am not readily in a position to re-create it.) |