[Openvpn-users] Server rejecting tunneled data.


  • Subject: [Openvpn-users] Server rejecting tunneled data.
  • From: "R. H. Kavli" <kavli@xxxxxxxxxxx>
  • Date: Sun, 06 Aug 2006 21:29:49 +0200

Guys,

I've used OpenVPN for more than a year now and it has worked like a dream.

The problem I've suddenly got is that the server is puking on the
packets it's getting from all clients:

MULTI: bad source address from client [10.128.1.22], packet dropped

I've googled for this problem and also read the FAQ, but I can't find
any link to my environment. The usual problem with this is when the
client packets are originating from a network behind the VPN and the
server doesn't have this network in its routing table. This is not the
case here.

Server is a Gentoo box on 10.72.4.0/24. VPN is 10.128.1.0/24.
OpenVPN is currently 2.0.7, but the problem occurred when it was running
2.0.6. Built without thread support.

Let's have a look at the log-files from before the problem occurred and
after the problem occurred. There is an interesting difference there:

--- How it normally looks

Wed Jul 26 20:03:39 2006 83.248.240.27:40565 [bollox_motorum] Peer
Connection Initiated with 83.248.240.27:40565
Wed Jul 26 20:03:39 2006 MULTI: new connection by client
'bollox_motorum' will cause previous active sessions by this client to
be dropped.  Remember to use the --duplicate-cn option if you want
multiple clients using the same certificate or username to concurrently
connect.
Wed Jul 26 20:03:39 2006 MULTI: Learn: 10.128.1.22 ->
bollox_motorum/83.248.240.27:40565
Wed Jul 26 20:03:39 2006 MULTI: primary virtual IP for
bollox_motorum/83.248.240.27:40565: 10.128.1.22
Wed Jul 26 20:03:40 2006 bollox_motorum/83.248.240.27:40565 PUSH:
Received control message: 'PUSH_REQUEST'
Wed Jul 26 20:03:40 2006 bollox_motorum/83.248.240.27:40565 SENT CONTROL
[bollox motorum]: 'PUSH_REPLY,route 10.72.4.0 255.255.255.0,dhcp-option
DNS 10.72.4.10,dhcp-option WINS 10.72.4.10,route 10.128.1.0
255.255.255.0,ping 10,ping-restart 120,ifconfig 10.128.1.22 10.128.1.21'
(status=1)
Wed Jul 26 20:07:41 2006 petra_motorum/195.204.240.249:45039 TLS:
tls_process: killed expiring key
Wed Jul 26 20:07:42 2006 petra_motorum/195.204.240.249:45039 TLS: soft
reset sec=0 bytes=113103/0 pkts=1160/0

--- How it currently looks

Sun Aug  6 12:52:50 2006 us=271786 83.248.240.27:32874 [bollox_motorum]
Peer Connection Initiated with 83.248.240.27:32874
Sun Aug  6 12:52:50 2006 us=272443 MULTI: new connection by client
'bollox_motorum' will cause previous active sessions by this client to
be dropped.  Remember to use the --duplicate-cn option if you want
multiple clients using the same certificate or username to concurrently
connect.
Sun Aug  6 12:52:50 2006 us=272620 MULTI: primary virtual IP for
bollox_motorum/83.248.240.27:32874: 10.128.1.22
Sun Aug  6 12:52:51 2006 us=274115 bollox_motorum/83.248.240.27:32874
PUSH: Received control message: 'PUSH_REQUEST'
Sun Aug  6 12:52:51 2006 us=274336 bollox_motorum/83.248.240.27:32874
SENT CONTROL [bollox_motorum]: 'PUSH_REPLY,route 10.72.4.0
255.255.255.0,dhcp-option DNS 10.72.4.10,dhcp-option WINS
10.72.4.10,route 10.128.1.1,ping 10,ping-restart 120,ifconfig
10.128.1.22 10.128.1.21' (status=1)
Sun Aug  6 12:52:52 2006 us=671572 bollox_motorum/83.248.240.27:32874
MULTI: bad source address from client [10.128.1.22], packet dropped
Sun Aug  6 12:52:53 2006 us=684483 bollox_motorum/83.248.240.27:32874
MULTI: bad source address from client [10.128.1.22], packet dropped
Sun Aug  6 12:52:54 2006 us=684227 bollox_motorum/83.248.240.27:32874
MULTI: bad source address from client [10.128.1.22], packet dropped

(Note the lack of 'Learn' after 'Peer Connection Initiated')

--- Server routing table

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.128.1.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.72.4.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.128.1.0      10.128.1.2      255.255.255.0   UG    0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.72.4.1       0.0.0.0         UG    0      0        0 eth0

Bad source address is nothing unusual, really. It happens from time to
time when the client moves around to other networks, but previously it
would always do a new 'Learn' and then be happy with it.

I haven't dissected the OpenVPN code yet, and I've hoped not to, since
I'm bogged down with other work. Hope someone has a clue about what is
going on here and how I can get my VPN back on the rails and also how to
prevent it from happening in the future.

 -- Ronny H. Kavli
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
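
The comparison the message makes by eye (a 'MULTI: Learn' line present in the first excerpt, absent in the second) can be run over a whole server log. This is an added example, not part of the original message or of OpenVPN; the function name `unlearned_drops` is hypothetical and the sample is built from the log lines quoted above, unwrapped to one entry per line.

```python
import re
from collections import Counter

# Timestamp prefix; the "us=NNN" field only appears at higher verbosity.
TS = r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} (?:us=\d+ )?"
INIT = re.compile(TS + r"\S+ \[(?P<cn>[^\]]+)\] Peer Connection Initiated with (?P<peer>\S+)")
LEARN = re.compile(TS + r"MULTI: Learn: (?P<vip>\S+) -> (?P<cn>[^/\s]+)/(?P<peer>\S+)")
DROP = re.compile(TS + r"(?P<cn>[^/\s]+)/(?P<peer>\S+) MULTI: bad source address "
                       r"from client \[(?P<src>[^\]]*)\], packet dropped")

# Constructed sample: log lines quoted in the message, unwrapped.
SAMPLE = """\
Wed Jul 26 20:03:39 2006 83.248.240.27:40565 [bollox_motorum] Peer Connection Initiated with 83.248.240.27:40565
Wed Jul 26 20:03:39 2006 MULTI: Learn: 10.128.1.22 -> bollox_motorum/83.248.240.27:40565
Wed Jul 26 20:03:40 2006 bollox_motorum/83.248.240.27:40565 PUSH: Received control message: 'PUSH_REQUEST'
Sun Aug  6 12:52:50 2006 us=271786 83.248.240.27:32874 [bollox_motorum] Peer Connection Initiated with 83.248.240.27:32874
Sun Aug  6 12:52:50 2006 us=272620 MULTI: primary virtual IP for bollox_motorum/83.248.240.27:32874: 10.128.1.22
Sun Aug  6 12:52:52 2006 us=671572 bollox_motorum/83.248.240.27:32874 MULTI: bad source address from client [10.128.1.22], packet dropped
Sun Aug  6 12:52:53 2006 us=684483 bollox_motorum/83.248.240.27:32874 MULTI: bad source address from client [10.128.1.22], packet dropped
Sun Aug  6 12:52:54 2006 us=684227 bollox_motorum/83.248.240.27:32874 MULTI: bad source address from client [10.128.1.22], packet dropped
""".splitlines()

def unlearned_drops(lines):
    """Return (cn, peer, source, drop_count) for every session that dropped
    packets from a source address it never logged a 'Learn' for."""
    sessions = {}  # (cn, peer) -> {"learned": set, "drops": Counter}

    def session(m):
        return sessions.setdefault((m["cn"], m["peer"]),
                                   {"learned": set(), "drops": Counter()})

    for line in lines:
        if m := INIT.match(line):
            sessions.pop((m["cn"], m["peer"]), None)  # new session: start clean
            session(m)
        elif m := LEARN.match(line):
            session(m)["learned"].add(m["vip"])
        elif m := DROP.match(line):
            session(m)["drops"][m["src"]] += 1
    return [(cn, peer, src, n)
            for (cn, peer), s in sessions.items()
            for src, n in s["drops"].items() if src not in s["learned"]]

if __name__ == "__main__":
    for cn, peer, src, n in unlearned_drops(SAMPLE):
        print(f"{cn}/{peer}: {n} packet(s) dropped from {src}, no Learn logged")
```

Only the August session is reported; the July session logged a Learn for 10.128.1.22 and dropped nothing.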

