[Openvpn-users] Incorrect tcp and udp checksums on packets from gateway to vpn clients (solved)


  • Subject: [Openvpn-users] Incorrect tcp and udp checksums on packets from gateway to vpn clients (solved)
  • From: Georg Graf <g.graf@xxxxxxxx>
  • Date: Mon, 2 Apr 2007 17:31:00 +0200

Hello everyone,

This relates to OpenVPN with FreeBSD and is (mostly) solved, see below.
Maybe it's something for the FAQ ...

I've got a quite simple and vanilla config here. There is an office 
network (10.10.10.0/24), and a DSL Internet Uplink. Ovpn clients connect 
to the external IP, port 1194 udp, of the Firewall (FreeBSD 6.2 RELEASE 
/ i386). Ovpn is configured to use the tap interface. The setup works 
very nicely.

SMTP and IMAP services are running on the inside part of the Firewall, 
which is also the openvpn Server, at 10.10.10.1. Machines on the "wired" 
office part of the LAN can connect to these services, but ovpn clients 
cannot. They can ping 10.10.10.1 but tcp and udp do not work.

To be more specific, TCP packets sent by the firewall to the vpn clients 
have corrupted checksums, that's what tcpdump tells me. Unfortunately I 
have no idea whether it's an OpenVPN or FreeBSD bug, but certainly it is 
one.

This tcpdump explains my problem:

| # tcpdump -vvv -i tap0 -X -s 1600 host vpn72 
| tcpdump: WARNING: tap0: no IPv4 address assigned 
| tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 1600 bytes

This is the SYN packet from the client, wanting to initiate the SMTP session:

| 16:06:52.939044 IP (tos 0x0, ttl 128, id 18184, offset 0, flags
| [DF], proto: TCP (6), length: 48) vpn72.office.celix.at.1331 >
| koyote.office.celix.at.smtp: S, cksum 0x40f1 (correct),
---------------------------------------------> ^^^^^^^^^
| 3099401284:3099401284(0) win 16384 <mss 1336,nop,nop,sackOK>
| 
| 	0x0000:  4500 0030 4708 4000 8006 8b63 0a0a 0a48  E..0G.@....c...H
| 	0x0010:  0a0a 0a01 0533 0019 b8bd 1c44 0000 0000  .....3.....D....
| 	0x0020:  7002 4000 40f1 0000 0204 0538 0101 0402  p.@.@......8....

This is the answer of the Mailserver:

| 16:06:52.939153 IP (tos 0x0, ttl 64, id 169, offset 0, flags
| [DF], proto: TCP (6), length: 48) koyote.office.celix.at.smtp >
| vpn72.office.celix.at.1331: S, cksum 0x287f (incorrect (->
---------------------------------------------> ^^^^^^^^^
| 0x26cb), 2634202519:2634202519(0) ack 3099401285 win 65535 <mss
| 1460,sackOK,eol>
| 
| 	0x0000:  4500 0030 00a9 4000 4006 11c3 0a0a 0a01  E..0..@.@.......
| 	0x0010:  0a0a 0a48 0019 0533 9d02 bd97 b8bd 1c45  ...H...3.......E
| 	0x0020:  7012 ffff 287f 0000 0204 05b4 0402 0000  p...(...........

How should I proceed to resolve this? As I said, all other IP
traffic works. No, it does not. ARP is also not forwarded through
the bridge from one vpn client to the other.

What's the matter with FreeBSD's bridging? Maybe I should use
ng_bridge?

But here is the solution to my original question: ifconfig the
hardware network card which is part of the bridge with "-txcsum".
In fact, you'll only have the problem if the physical network
card which is part of the bridge does hardware checksumming. This
forces the kernel to generate checksums for the packets.
Otherwise packets enter the bridge without a set checksum, which
the client then drops. See
<http://lists.freebsd.org/pipermail/freebsd-net/2005-May/007199.html>

What should I try to get the arp (for client to client traffic)
working?

Thank you all,
   George

Relevant parts of my config:

Ifconfig of Server Machine:
| em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
|         options=b<RXCSUM,TXCSUM,VLAN_MTU>
|         inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
|         ether 00:0e:0c:a1:ae:cd
|         media: Ethernet autoselect (1000baseTX <full-duplex>)
|         status: active
| fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
|         options=8<VLAN_MTU>
|         inet 81.223.15.210 netmask 0xfffffff0 broadcast 81.223.15.223
|         inet 81.223.15.211 netmask 0xffffffff broadcast 81.223.15.211
|         inet 81.223.15.212 netmask 0xffffffff broadcast 81.223.15.212
|         ether 00:90:27:f6:a8:fe
|         media: Ethernet autoselect (100baseTX <full-duplex>)
|         status: active
| plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
| lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
|         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
|         inet6 ::1 prefixlen 128 
|         inet 127.0.0.1 netmask 0xff000000 
| tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
|         ether 00:bd:9c:60:02:00
|         Opened by PID 34700

sockstat |grep -i vpn
| nobody   openvpn    34705 3  dgram  -> /var/run/logpriv
| nobody   openvpn    34705 6  udp4   81.223.15.212:1194    *:*

Server Config:
| mode server
| float
| local 81.223.15.212
| push "dhcp-option DNS 10.10.10.15"
| push "dhcp-option DOMAIN office.celix.at"
| push "ip-win32 dynamic"
| crl-verify crl.pem
| port 1194
| proto udp
| dev tap
| ca ca.crt
| cert server.crt
| key server.key  # This file should be kept secret
| dh dh2048.pem
| ifconfig-pool-persist ipp.txt
| server-bridge 10.10.10.70 255.255.255.0 10.10.10.71 10.10.10.89
| keepalive 10 120
| comp-lzo
| max-clients 15
| user nobody
| group nobody
| persist-key
| persist-tun
| status openvpn-status.log
| verb 1

Client Config:
| client
| dev tap
| pull
| proto udp
| remote ssl.celix.at 1194
| resolv-retry infinite
| nobind
| persist-key
| persist-tun
| ca ca.crt
| cert celix.crt
| key celix.key
| ns-cert-type server
| comp-lzo
| verb 1

/etc/sysctl.conf
| net.link.ether.bridge.config=em0,tap0
| net.link.ether.bridge.enable=1

/boot/loader.conf
| ipdivert_load=yes
| bridge_load=yes

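The two hex dumps quoted in the message are enough to recheck the diagnosis offline. The following is an added example, not code from the original post or from OpenVPN or FreeBSD: it parses tcpdump -X output, recomputes the IPv4 header checksum and the TCP/UDP checksum with the RFC 793 pseudo-header, and reports the same verdict tcpdump prints. It additionally tests whether the stored transport checksum equals the bare pseudo-header partial sum, which is the value the FreeBSD TCP stack writes into the field before handing a segment to a NIC with TXCSUM enabled, expecting the hardware to finish the sum. The packet bytes are the ones from the post; the function and field names are this example's own.

```python
"""Recheck the IPv4 and TCP checksums of the two packets quoted in the post.

Added example (not from the original message, OpenVPN or FreeBSD).  Parses
tcpdump -X hex dumps, recomputes the IPv4 header checksum and the TCP/UDP
checksum with the RFC 793 pseudo-header, and flags a stored transport
checksum that still equals the pseudo-header partial sum, the tell-tale of
a segment the kernel expected a TXCSUM-capable NIC to finish.
"""
import re
import struct

# Hex dumps copied from the tcpdump output in the post (IPv4, 48 bytes each).
CLIENT_SYN = """
0x0000:  4500 0030 4708 4000 8006 8b63 0a0a 0a48  E..0G.@....c...H
0x0010:  0a0a 0a01 0533 0019 b8bd 1c44 0000 0000  .....3.....D....
0x0020:  7002 4000 40f1 0000 0204 0538 0101 0402  p.@.@......8....
"""

SERVER_SYNACK = """
0x0000:  4500 0030 00a9 4000 4006 11c3 0a0a 0a01  E..0..@.@.......
0x0010:  0a0a 0a48 0019 0533 9d02 bd97 b8bd 1c45  ...H...3.......E
0x0020:  7012 ffff 287f 0000 0204 05b4 0402 0000  p...(...........
"""

_LINE = re.compile(r"0x[0-9a-fA-F]{4}:\s+(.*)$")


def parse_hexdump(dump: str) -> bytes:
    """Turn tcpdump -X lines into raw bytes; the ASCII column (after two spaces) is dropped."""
    hex_words = []
    for line in dump.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        hex_words.extend(m.group(1).split("  ")[0].split())
    return bytes.fromhex("".join(hex_words))


def ones_complement_sum(data: bytes, start: int = 0) -> int:
    """16-bit one's-complement sum used by IP/TCP/UDP (RFC 1071), folded to 16 bits."""
    if len(data) % 2:
        data = data + b"\x00"
    total = start
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _ihl(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) * 4


def ip_header_checksum(pkt: bytes) -> tuple:
    """Return (stored, recomputed) IPv4 header checksum."""
    hdr = pkt[: _ihl(pkt)]
    stored = struct.unpack("!H", hdr[10:12])[0]
    recomputed = 0xFFFF ^ ones_complement_sum(hdr[:10] + b"\x00\x00" + hdr[12:])
    return stored, recomputed


def pseudo_header_sum(pkt: bytes) -> int:
    """One's-complement sum of the TCP/UDP pseudo-header: src, dst, zero, proto, L4 length."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], total_len - _ihl(pkt))
    return ones_complement_sum(pseudo)


def transport_checksum(pkt: bytes) -> tuple:
    """Return (stored, recomputed) TCP or UDP checksum; raises for other protocols."""
    proto = pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[_ihl(pkt):total_len]
    if proto == 6:
        off = 16          # checksum field offset in the TCP header
    elif proto == 17:
        off = 6           # checksum field offset in the UDP header
    else:
        raise ValueError("not TCP or UDP: proto %d" % proto)
    stored = struct.unpack("!H", seg[off:off + 2])[0]
    zeroed = seg[:off] + b"\x00\x00" + seg[off + 2:]
    recomputed = 0xFFFF ^ ones_complement_sum(zeroed, pseudo_header_sum(pkt))
    if proto == 17 and recomputed == 0:
        recomputed = 0xFFFF   # UDP sends an all-zero result as 0xFFFF
    return stored, recomputed


def check_packet(dump: str) -> dict:
    """Summarise what tcpdump would report, plus the checksum-offload tell-tale."""
    pkt = parse_hexdump(dump)
    ip_stored, ip_calc = ip_header_checksum(pkt)
    l4_stored, l4_calc = transport_checksum(pkt)
    return {
        "ip_ok": ip_stored == ip_calc,
        "l4_stored": l4_stored,
        "l4_expected": l4_calc,
        "l4_ok": l4_stored == l4_calc,
        # True when the field holds only the pseudo-header partial sum, i.e. the
        # kernel left the rest of the work to a NIC that never saw the packet.
        "l4_is_offload_partial": l4_stored == pseudo_header_sum(pkt),
    }


if __name__ == "__main__":
    for name, dump in (("client SYN", CLIENT_SYN), ("server SYN/ACK", SERVER_SYNACK)):
        r = check_packet(dump)
        print("%-15s stored 0x%04x expected 0x%04x ok=%s offload_partial=%s"
              % (name, r["l4_stored"], r["l4_expected"], r["l4_ok"], r["l4_is_offload_partial"]))
```

Run stand-alone it reports the client SYN as correct (0x40f1) and the server SYN/ACK as carrying 0x287f where 0x26cb was expected, the same verdict tcpdump gave, while both IP header checksums verify. 0x287f is also exactly the pseudo-header partial sum for that packet, so the dump itself points at TCP checksum offload on the bridged em0 rather than at OpenVPN: the kernel never finished the sum because the segment left through tap0 instead of the NIC. On FreeBSD the author's "-txcsum" fix can be made to survive a reboot by appending it to the interface's ifconfig_em0 line in /etc/rc.conf.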
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users