Re: [Openvpn-users] Bad source address from client

[Steven Coutts <scoutts@xxxxxxxxxx>]

Markku Leinio wrote:

> At 22:41 9.1.2005, James Yonan wrote:
>
> > To explicitly allow packets from 10.YYY.YYY.YYY, you need to use
> > --iroute/-client-config-dir.
>
>
> The clients are behind NATs (different ones), so from where is that 
> private address coming from? I mean, the NAT is working, the client is 
> able to do anything in the net and OpenVPN correctly sees the client's 
> public IP address 193.166.XXX.XXX, but still it gets that private 
> address somewhere. That shouldn't be visible anywhere as the client 
> host is far away in the internet.
>
> Ok, is this some SMB feature? I haven't seen those messages without an 
> active network mount. Samba must be carrying the real IP address 
> somewhere inside the data. So, maybe the Samba server for some reason 
> tries to send some packets to that private 10.YYY.YYY.YYY address.
>
> If this is true, it raises another question: Why do those packets go 
> to the OpenVPN server and not to the internet (from the Samba server)?
>
> The OpenVPN server is in the same subnet as the Samba server in 
> question, having public IP addresses. If the Samba server wants to 
> send something to 10.YYY.YYY.YYY, the routing table directs those 
> packets to the border router according to the default route as that 
> network does not exist in our inside network. Still the OpenVPN server 
> sees those packets.
>
> I tried tcpdumping the traffic for those 10.YYY.YYY.YYY packets on 
> eth0 and tap0 but did not see anything even if OpenVPN logged those 
> messages at the same time.
>
> One tested client host is behind a self-made Linux netfilter NAT, and 
> one host is behind a Buffalo Airstation NAT.
>
> Thanks for your comments!
I get lots of these too, just been ignoring them because they haven't 
been causing any problems.


--
Steven Coutts B.Sc.(Hons) MBCS
scoutts@xxxxxxxxxx

PGP Public Key
<http://stevec.couttsnet.com/scoutts.asc>