#StackBounty: #networking #server #vpn #iptables #openvpn OPENVPN: MULTI: bad source address from client

Bounty: 50

I have struggled with this problem for two days, but it is still here. I hope someone can suggest a solution or a way to diagnose it.

What I want is to let all clients reach the Internet through the OpenVPN server. Therefore, I first followed the instructions in Routing all client traffic (including web-traffic) through the VPN. After the configuration and the iptables setup, the connection between the VPN server and the client succeeds, but the client cannot visit any website (the browser just hangs). Pings from the server and from the client are OK.

I checked log at the server, and there are some records like:

    Oct  3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 UDPv4 READ [93] from [AF_INET]131.202.XX.XX:59701: P_DATA_V1 kid=0 DATA len=92
    Oct  3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 MULTI: bad source address from client [131.202.XX.XX], packet dropped

where the IP 131.202.XX.XX is my laptop's IP address. This record is explained in “MULTI: bad source address from client , packet dropped” or “GET INST BY VIRT: [failed]”. Why is this IP not (tun0) on my laptop, and what are the implementation details behind the problem? My laptop connects to the Internet over WiFi, and it is the device that runs openvpn --config client.conf.

As this is a very simple example, is there a way to avoid this error, or is there any sample of how to configure client-config-dir and create a ccd file?

The /etc/openvpn/delta.conf on the server:

    # Which local IP address should OpenVPN
    # listen on? (optional)
    ;local a.b.c.d

    port 1194

    proto udp

    dev tun

    ;dev-node MyTap

    ca ca.crt
    cert delta.crt
    key delta.key  # This file should be kept secret

    dh dh2048.pem

    ifconfig-pool-persist ipp.txt

    ;push "route"
    ;push "route"

    ;client-config-dir ccd
    ;client-config-dir ccd
    ;learn-address ./script

    ;push "redirect-gateway def1 bypass-dhcp"
    push "redirect-gateway def1"
    push "dhcp-option DNS"

    ;push "dhcp-option DNS"
    ;push "dhcp-option DNS"

    keepalive 10 120

    ;tls-auth ta.key 0 # This file is secret

    ;cipher BF-CBC        # Blowfish (default)
    ;cipher AES-128-CBC   # AES
    ;cipher DES-EDE3-CBC  # Triple-DES
    ;max-clients 100
    ;user nobody
    ;group nogroup
    status openvpn-status.log
    ;log         openvpn.log
    ;log-append  openvpn.log
    verb 3
    ;mute 20

while the client.conf is:

    dev tun
    proto udp
    remote 1194
    ;remote my-server-2 1194

    resolv-retry infinite

    ca ca.crt
    cert laptop.crt
    key laptop.key
    ns-cert-type server

    ;tls-auth ta.key 1

    verb 3
    ;mute 20

For the IP routing configuration, I added the iptables rules to /etc/rc.local, so that iptables is set up at server startup.

    root@iZbp15fejv9adv7o3izfm1Z:/var/log# cat /etc/rc.local
    #!/bin/sh -e
    # rc.local
    # I also tried commenting out the first three instructions, but it still does not work
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

    service dnsmasq restart

    exit 0

and the /etc/sysctl.conf:


telnet serverIP 80 is OK. On the server, /var/logs/syslog:

Is there any solution?
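Added here as a diagnostic aid, not code from the question or from OpenVPN itself: a small Python checker that parses server log lines of the kind shown above, picks out each "bad source address" record, and classifies it by comparing the dropped source address with the client's real address and with an assumed VPN pool of 10.8.0.0/24 (the posted server config has no visible `server` line, so that pool is a placeholder). The sample log lines are constructed using documentation addresses.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the syslog excerpt above;
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct  3 09:16:21 srv ovpn-delta[1827]: laptop/198.51.100.23:59701 UDPv4 READ [93] from [AF_INET]198.51.100.23:59701: P_DATA_V1 kid=0 DATA len=92
Oct  3 09:16:21 srv ovpn-delta[1827]: laptop/198.51.100.23:59701 MULTI: bad source address from client [198.51.100.23], packet dropped
Oct  3 09:16:25 srv ovpn-delta[1827]: office/203.0.113.7:41000 MULTI: bad source address from client [192.168.50.10], packet dropped
"""

# <common name>/<real address>:<port> MULTI: bad source address from client [<src>], packet dropped
BAD_SRC_RE = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<real_ip>[\d.]+):\d+ "
    r"MULTI: bad source address from client \[(?P<src>[\d.]+)\], packet dropped"
)

def classify_bad_source(line, vpn_pool):
    """Return (cn, src, hint) for a 'bad source address' line, or None otherwise."""
    m = BAD_SRC_RE.search(line)
    if not m:
        return None
    cn, real_ip, src = m.group("cn"), m.group("real_ip"), m.group("src")
    if src == real_ip:
        # The inner packet carries the client's own real (WiFi/LAN) address:
        # traffic is not being sourced from the tun address, so look at the
        # client-side routing (redirect-gateway, default route) first.
        hint = "client-routing"
    elif ip_address(src) in ip_network(vpn_pool):
        # Address belongs to the VPN pool but is not the one the server
        # assigned to this client (check ipp.txt / ifconfig-pool-persist).
        hint = "pool-mismatch"
    else:
        # A subnet behind the client: the server needs a ccd file for this
        # common name with an iroute for that subnet before it accepts it.
        hint = "missing-iroute"
    return cn, src, hint

def scan_log(text, vpn_pool="10.8.0.0/24"):   # pool value is an assumption
    """Collect (cn, src, hint) for every dropped-source record in the log text."""
    results = []
    for line in text.splitlines():
        r = classify_bad_source(line, vpn_pool)
        if r:
            results.append(r)
    return results
```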
