[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

[Openvpn-users] strage routing problem


  • Subject: [Openvpn-users] strage routing problem
  • From: "Bonno Bloksma" <b.bloksma@xxxxxx>
  • Date: Thu, 31 Jan 2008 15:54:58 +0100

Hi,
 
I've attaches the message as a txt file as well to make sure all loglines are readable.
 
Help, I'm at a loss. There is a lot of information in the mail, I've tried to provide as much relevant information as possible.
I've been using OpenVPN for several years but this time I'm at a loss. :-(
 
I've got several sites, most sites have a /20 network. For all sites but one it works.
In the server log I can see lot's of lines that tell me:
Thu Jan 31 14:56:25 2008 linutr/194.109.163.129:63977 MULTI: bad source address from client [172.16.128.98], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.212], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.26], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.208.107], packet dropped
Thu Jan 31 14:56:26 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.207], packet dropped
 
Maybe the error is obvious, but in case it isn't, here is "some" ;-) extra info:
 
At one site I was still using a ssh prt-redir (ppp) tunnel. The ppp tunnel at that site crashed yesterday and for whatever reason the ppp device refused to be created So...
Today I wanted to switch that last site over to an OpenVPN (tun) tunnel thinking that might solve the problem.
 
Alle client and server machines are Redhat 9 and Fedora versions (Will be Debian in a few months but that is the next project)
Server uses 172.16.1.64 255.255.255.192 for ip-numbers in the OpenVpn network
Server resides in 172.16.128.0/24 nertwork and has local ip 172.16.128.10
The link comes up. Client side gets 172.16.1.101
Client resides in 172.16.208.0/20 and has, among others, 172.16.208.1
I can ping from the client machine to the server machine and to the network in which the server resides.
So ping 172.16.128.10 does work as does ping 172.16.128.3 (another server).
However, ping 172.16.128.3 -I 172.16.208.1 does not work.
 
On the server I cannot ping the client side of the tunnel, nor any of its interfaces
So ping 172.16.1.101 does not work, nor does ping 172.16.208.1
 
Now to mee this seems like a classic routing problem but..... as far as I can see all routing lines are correct.
I've also disabled the firewall on the client machine to see if that was the problem, but it's not.
 
Routing lines on the server:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.1.66     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
217.114.99.192  0.0.0.0         255.255.255.224 U     0      0        0 eth0
172.16.1.64     172.16.1.66     255.255.255.192 UG    0      0        0 tun0
172.16.128.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.16.18.0     172.16.1.66     255.255.255.0   UG    0      0        0 tun0
172.16.132.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.16.17.0     172.16.1.66     255.255.255.0   UG    0      0        0 tun0
172.16.208.0    172.16.1.66     255.255.240.0   UG    0      0        0 tun0
172.16.192.0    172.16.1.66     255.255.240.0   UG    0      0        0 tun0
172.16.176.0    172.16.1.66     255.255.240.0   UG    0      0        0 tun0
172.16.32.0     172.16.1.66     255.255.240.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         217.114.99.193  0.0.0.0         UG    0      0        0 eth0
 
Routing lines on the client:
 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.114.99.200  172.16.1.101    255.255.255.255 UGH   0      0        0 tun0
172.16.1.101    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.1.64     172.16.1.101    255.255.255.192 UG    0      0        0 tun0
172.16.208.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.16.212.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.0.0      172.16.1.101    255.255.0.0     UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
 
Both Linux machines (client and server) have been given a reboot just in case.... but as I feared, that wasn't the solution.
 
About the log lines:
Wed Jan 30 17:55:20 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:22 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:24 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:27 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:29 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:32 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
[...]
Thu Jan 31 14:56:25 2008 linutr/194.109.163.129:63977 MULTI: bad source address from client [172.16.128.98], packet dropped
Lines like these started to appear yesterday at the moment I was unable to connect to the linein2 site. The 172.16.128.98 server is our network monitor that monitors several machines in  the 172.16.0.0/16 network. The fact that these lines appear at the same time as the error to the linein2 site started would indicate a relation to the problem with the linein2 site. But, what would the relation be?
 
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.212], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.26], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.208.107], packet dropped
Thu Jan 31 14:56:26 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.207], packet dropped
These are normal ip-numers at the linein2 site.
 

Routing table at the linutr site looks normal to me:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.114.99.200  172.16.1.93     255.255.255.255 UGH   0      0        0 tun0
172.16.1.93     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.1.64     172.16.1.93     255.255.255.192 UG    0      0        0 tun0
172.16.36.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.32.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.16.0.0      172.16.1.93     255.255.0.0     UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
 
The default route on the Linux machines is to the local router. The 192.168.1.x network is local to the site and NOT routed between sites. These have been duplicate at several sites before the problem started.


Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer

tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.bloksma@xxxxxx  / www.tio.nl
Help, I'm at a loss. There is a lot of information in the mail, I've tried to provide as much relevant information as possible.
I've been using OpenVPN for several years but this time I'm at a loss. :-(

I've got several sites, most sites have a /20 network. For all sites but one it works.
In the server log I can see lot's of lines that tell me:
Thu Jan 31 14:56:25 2008 linutr/194.109.163.129:63977 MULTI: bad source address from client [172.16.128.98], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.212], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.26], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.208.107], packet dropped
Thu Jan 31 14:56:26 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.207], packet dropped

Maybe the error is obvious, but in case it isn't, here is "some" extra info:

At one site I was still using a ssh prt-redir (ppp) tunnel. The ppp tunnel at that site crashed yesterday and for whatever reason the ppp device refuses to be created So...
Today I wanted to switch that last site over to an OpenVPN (tun) tunnel thinking that might solve the problem.

Alle client and server machines are Redhat 9 and Fedora versions (Will be Debian in a few months but that is the next project)
Server uses 172.16.1.64 255.255.255.192 for ip-numbers in the OpenVpn network
Server resides in 172.16.128.0/24 nertwork and has local ip 172.16.128.10
The link comes up. Client side gets 172.16.1.101
Client resides in 172.16.208.0/20 and has, among others, 172.16.208.1
I can ping from the client machine to the server machine and to the network in which the server resides.
So ping 172.16.128.10 does work as does ping 172.16.128.3 (another server).
However, ping 172.16.128.3 -I 172.16.208.1 does not work.

On the server I cannot ping the client side of the tunnel, nor any of its interfaces
So ping 172.16.1.101 does not work, nor does ping 172.16.208.1

Now to mee this seems like a classic routing problem but..... as far as I can see all routing lines are correct.
I've also disabled the firewall on the client machine to see if that was the problem, but it's not.

Routing lines on the server:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.1.66     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
217.114.99.192  0.0.0.0         255.255.255.224 U     0      0        0 eth0
172.16.1.64     172.16.1.66     255.255.255.192 UG    0      0        0 tun0
172.16.128.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.16.18.0     172.16.1.66     255.255.255.0   UG    0      0        0 tun0
172.16.132.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.16.17.0     172.16.1.66     255.255.255.0   UG    0      0        0 tun0
172.16.208.0    172.16.1.66     255.255.240.0   UG    0      0        0 tun0
172.16.192.0    172.16.1.66     255.255.240.0   UG    0      0        0 tun0
172.16.176.0    172.16.1.66     255.255.240.0   UG    0      0        0 tun0
172.16.32.0     172.16.1.66     255.255.240.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         217.114.99.193  0.0.0.0         UG    0      0        0 eth0

Routing lines on the client:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.114.99.200  172.16.1.101    255.255.255.255 UGH   0      0        0 tun0
172.16.1.101    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.1.64     172.16.1.101    255.255.255.192 UG    0      0        0 tun0
172.16.208.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.16.212.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.0.0      172.16.1.101    255.255.0.0     UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

Both Linux machines (client and server) have been given a reboot just in case.... but as I feared, that wasn't the solution.

About the log lines:
Wed Jan 30 17:55:20 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:22 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:24 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:27 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:29 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
Wed Jan 30 17:55:32 2008 linutr/194.109.163.129:64482 MULTI: bad source address from client [172.16.128.98], packet dropped
[...]
Thu Jan 31 14:56:25 2008 linutr/194.109.163.129:63977 MULTI: bad source address from client [172.16.128.98], packet dropped
Lines like these started to appear yesterday at the moment I was unable to connect to the linein2 site. The 172.16.128.98 server is our network monitor that monitors several machines in  the 172.16.0.0/16 network. The fact that these lines appear at the same time as the error to the linein2 site started would indicate a relation to the problem with the linein2 site. But, what would the relation be?

Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.212], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.26], packet dropped
Thu Jan 31 14:56:25 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.208.107], packet dropped
Thu Jan 31 14:56:26 2008 linein2/194.109.165.42:63736 MULTI: bad source address from client [172.16.212.207], packet dropped
These are normal ip-numers at the linein2 site.


Routing table at the linutr site looks normal to me:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.114.99.200  172.16.1.93     255.255.255.255 UGH   0      0        0 tun0
172.16.1.93     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.1.64     172.16.1.93     255.255.255.192 UG    0      0        0 tun0
172.16.36.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.32.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.16.0.0      172.16.1.93     255.255.0.0     UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

The default route on the Linux machines is to the local router. The 192.168.1.x network is local to the site and NOT routed between sites. These have been duplicate at several sites before the problem started.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users