On Sun, 9 Jan 2005, Markku Leinio wrote:
> Hi folks. I have been using dev tap with my VPN very successfully a couple
> of months but have now been testing dev tun instead. Everything is great
> otherwise, but I get the following messages in the log in the server side:
>
> Sun Jan 9 18:10:41 2005 Markku_Leinio/193.166.XXX.XXX:1663 MULTI: bad
> source address from client [10.YYY.YYY.YYY], packet dropped
That error occurs when OpenVPN gets a packet from a client for which it
has no return route back to the client. It's a security feature that
prevents other machines on the client LAN from using the VPN unless they
are explicitly allowed to. --dev tap mode is more permissive (because of
the semantics of ethernet bridging) and does not enforce any source
address checking unless you use a --learn-address script.
To explicitly allow packets from 10.YYY.YYY.YYY, you need to use
--iroute/--client-config-dir.
James
> It starts when I mount the network drive in my XP client ("net use x:
> \\inside.server\share"), and repeats while I use the share. Note that the
> 10.YYY address in brackets is the client assigned private IP address even
> though the client is behind a NAT router! So the address is neither the
> NAT-assigned public address nor the VPN tunnel IP address.
>
> What does this message mean, and how is the client private IP address
> visible to the OpenVPN server?
>
> This situation has been tested with two different end systems, in different
> NAT systems (and the NAT in question is not done in the VPN server but in
> the source network). NAT is working and also the client's public IP address
> is correctly shown in the log above (XXX address). In dev tap mode (no
> other changes in the configuration) there are absolutely no problems
> whatsoever. And this problem is only visible in the server logs, the share
> is working fine.
>
> Configurations follow:
>
> Server side (OpenVPN 2.0rc6, Debian GNU/Linux, kernel 2.4.27):
> ----------------------------------------------
> dev tun
> port 2294
> server 192.168.88.0 255.255.255.0
> push "route vpn.server.address 255.255.255.255 net_gateway"
> push "route one.inside.network 255.255.255.0"
> push "route another.inside.network 255.255.255.0"
> push "explicit-exit-notify 2"
> keepalive 10 60
> ca root.crt
> dh dh1024.pem
> cert vpn-server.crt
> key vpn-server.key
> crl-verify crl.pem
> duplicate-cn
> user nobody
> group nogroup
> persist-key
> persist-tun
> comp-lzo
> verb 3
>
> Client side (OpenVPN 2.0rc6, Windows XP Pro SP2):
> ---------------------------------
> remote vpn.server.address
> dev tun
> port 2294
> client
> ca "c:\\Program Files\\OpenVPN\\config\\root.crt"
> cert "c:\\Program Files\\OpenVPN\\config\\vpn-username.crt"
> key "c:\\Program Files\\OpenVPN\\config\\vpn-username.key"
> comp-lzo
> nobind
> verb 3
> redirect-gateway
> tls-remote "x509.address.of.vpn.server"
>
>
> --
> Markku Leiniö, Turku, Finland
>
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by: Beat the post-holiday blues
> Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
> It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
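The check James describes, modelled as an added example (not code from the thread or from OpenVPN itself): in tun mode a client's packets are accepted only if their source address lies in a route that points back to that client, i.e. its own tunnel address plus whatever its --client-config-dir file grants via --iroute. The 10.200.1.0/24 network and the ccd file contents are constructed stand-ins for the 10.YYY.YYY.YYY address in the log.

```python
import ipaddress

# Constructed sample data. The tunnel address comes from the pool defined by
# "server 192.168.88.0 255.255.255.0"; the ccd text stands in for a file
# named after the client's certificate CN (e.g. ccd/Markku_Leinio) once the
# server config also carries "client-config-dir ccd" and a matching
# "route 10.200.1.0 255.255.255.0" for the kernel.
CLIENT_TUNNEL_IP = "192.168.88.6"
CCD_EMPTY = ""
CCD_WITH_IROUTE = """\
# ccd/Markku_Leinio (constructed example)
iroute 10.200.1.0 255.255.255.0
"""


def parse_iroutes(ccd_text):
    """Return the networks granted by 'iroute NET [MASK]' lines in a ccd file.
    A missing mask means a single host, as with OpenVPN's --iroute."""
    nets = []
    for line in ccd_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts or parts[0] != "iroute":
            continue
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def allowed_sources(tunnel_ip, ccd_text):
    """Source networks the server routes back to this client in tun mode."""
    return [ipaddress.ip_network(tunnel_ip)] + parse_iroutes(ccd_text)


def check_source(src_ip, tunnel_ip, ccd_text):
    """Model of the tun-mode source check: accept if src falls inside a
    route that leads back to this client, otherwise drop it with the
    'bad source address' message seen in the server log."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in allowed_sources(tunnel_ip, ccd_text)):
        return "accepted"
    return f"MULTI: bad source address from client [{src}], packet dropped"


if __name__ == "__main__":
    for ccd in (CCD_EMPTY, CCD_WITH_IROUTE):
        print(check_source("10.200.1.7", CLIENT_TUNNEL_IP, ccd))
```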