#StackBounty: #networking #server #vpn #iptables #openvpn OPENVPN: MULTI: bad source address from client

Bounty: 50

I have struggled with this problem for two days, but it is still unresolved. I hope someone can suggest a fix, or a way to diagnose it.

What I want is to let all clients reach the Internet through the OpenVPN server. So I first followed the instructions in “Routing all client traffic (including web-traffic) through the VPN”. After configuring that and setting up iptables, the connection between the VPN server and the client succeeds, but the client cannot visit any website (the browser just hangs). Pings between the server and the client work.

I checked log at the server, and there are some records like:

   Oct  3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 UDPv4 READ [93] from [AF_INET]131.202.XX.XX:59701: P_DATA_V1 kid=0 DATA len=92
    Oct  3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 MULTI: bad source address from client [131.202.XX.XX], packet dropped

where the IP 131.202.XX.XX is my laptop's IP address. This record is discussed in “MULTI: bad source address from client, packet dropped” or “GET INST BY VIRT: [failed]”. Why is this IP not 10.8.0.6 (my laptop's tun0 address), and what is the detailed mechanism behind the problem? My laptop connects to the Internet over WiFi, and it is the device that runs `openvpn --config client.conf`.

As this is a very simple example, is there a way to avoid this error, or a sample of how to configure client-config-dir and create a ccd file?

the /etc/openvpn/delta.conf at the server:

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# UDP on 1194; the client's "remote ... 1194" and "proto udp" must match.
port 1194

proto udp

# Routed (layer-3) tunnel; the client also uses "dev tun".
dev tun

;dev-node MyTap

# Server identity: the CA that signed both ends' certificates, plus this
# server's own certificate and private key.
ca ca.crt
cert delta.crt
key delta.key  # This file should be kept secret

# Diffie-Hellman parameters for the TLS key exchange.
dh dh2048.pem

# VPN subnet handed out to clients. This is the same 10.8.0.0/24 that the
# FORWARD/MASQUERADE rules in rc.local refer to; keep the two in sync.
server 10.8.0.0 255.255.255.0

# Remember client -> tunnel-address assignments across restarts.
ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# client-config-dir is disabled, so no per-client (ccd) files are read.
# NOTE(review): a ccd file is where a subnet *behind* a client is declared;
# the dropped source in the syslog excerpt is the laptop's own WiFi address,
# not a LAN behind it, so a ccd entry alone may not address that — verify the
# client's routing table while it is connected.
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script

# Send all client traffic through the tunnel ("def1" overrides the client's
# default route without deleting it). This is what makes the forwarding and
# NAT rules in rc.local necessary on the server.
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
# Clients are told to resolve DNS at the server's tunnel address, so a
# resolver must listen there — presumably the dnsmasq restarted from
# rc.local, bound to 10.8.0.1 (verify).
push "dhcp-option DNS 10.8.0.1"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Ping the peer every 10 s; treat it as down after 120 s without a reply.
keepalive 10 120

# tls-auth is disabled on both sides (client.conf has ";tls-auth ta.key 1").
# Enabling it (server key direction 0, client 1) adds an HMAC to
# control-channel packets so unauthenticated UDP is dropped before the TLS
# handshake; it must be enabled on both ends or neither.
;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
# Compression setting must match the client (it also sets comp-lzo).
# Compressing tunneled traffic is a known information-leak risk and is
# deprecated in newer OpenVPN releases; consider removing it on both sides.
comp-lzo
;max-clients 100
# Privilege drop is disabled: the daemon keeps the privileges it started
# with. Uncommenting both lines is compatible with this config because
# persist-key/persist-tun below keep the key and tun device usable after
# the drop.
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
# Log verbosity; the syslog lines quoted in the question were captured at
# this level.
verb 3
;mute 20

while the client.conf is:

   client
# Tunnel type and transport must match the server's "dev tun" / "proto udp".
dev tun
proto udp
# Server's public address and port (delta.conf listens on "port 1194").
remote 116.62.193.49 1194
;remote my-server-2 1194
;remote-random

# Keep retrying hostname resolution instead of giving up.
resolv-retry infinite

# Do not bind to a fixed local port; the server log shows the ephemeral
# source port 59701 being used.
nobind

# Keep the key in memory and the tun device open across restarts.
persist-key
persist-tun
# Same CA as the server; this client's own certificate and private key.
ca ca.crt
cert laptop.crt
key laptop.key
# Requires the peer's certificate to carry the nsCertType=server extension,
# so another client's certificate cannot impersonate the server.
# ns-cert-type is deprecated; newer releases use "remote-cert-tls server",
# which checks the certificate's extended key usage instead.
ns-cert-type server

# Disabled here and on the server (";tls-auth ta.key 0"); enable on both
# ends or neither.
;tls-auth ta.key 1
# Must match the server's comp-lzo. Compressing tunneled traffic is a known
# information-leak risk and is deprecated in newer OpenVPN releases.
comp-lzo

verb 3
;mute 20

For the IP routing configuration, I added the iptables rules to /etc/rc.local so that they are applied at server startup.

root@iZbp15fejv9adv7o3izfm1Z:/var/log# cat /etc/rc.local 
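#!/bin/sh
#
# rc.local — run once at boot.
#
# Forwards and masquerades OpenVPN client traffic (10.8.0.0/24, the subnet
# from "server 10.8.0.0 255.255.255.0" in delta.conf) out of eth0, then
# restarts the resolver that clients are pointed at via
# 'push "dhcp-option DNS 10.8.0.1"'.
#
# Requires net.ipv4.ip_forward=1 (set in /etc/sysctl.conf).
#
# Strict mode lives in a set line rather than the shebang so it still
# applies when the script is run as "sh /etc/rc.local".
set -e

# add_rule TABLE CHAIN RULE...
#   Append RULE to CHAIN in TABLE only if an identical rule is not already
#   present (iptables -C, available since 1.4.11). Plain "-A" on every run
#   would pile up duplicates, and any ACCEPT appended after the existing
#   catch-all REJECT in FORWARD would be dead — easy to hit when re-running
#   this script by hand while debugging.
#   "-C" prints a diagnostic when the rule is absent; that is the expected
#   case, so its stderr is silenced.
add_rule() {
  table=$1
  shift
  if ! iptables -t "$table" -C "$@" 2>/dev/null; then
    iptables -t "$table" -A "$@"
  fi
}

# I also tried commenting out the first three rules, but it still does not work.
#
# Order matters: the catch-all REJECT must remain the last rule in FORWARD.
# NOTE(review): the ACCEPT below trusts any packet claiming a 10.8.0.0/24
# source on any interface; restricting it with "-i <tun interface>" would
# keep spoofed packets arriving on eth0 from being forwarded — confirm the
# server's tun device name before adding that.
add_rule filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
add_rule filter FORWARD -s 10.8.0.0/24 -j ACCEPT
add_rule filter FORWARD -j REJECT
# Source-NAT client traffic leaving via eth0 so replies come back to this host.
add_rule nat POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Resolver that VPN clients are pushed (10.8.0.1); under set -e a failed
# restart aborts rc.local with a non-zero status, as the original -e did.
service dnsmasq restart

exit 0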

and the /etc/sysctl.conf

net.ipv4.ip_forward=1

telnet serverIP 80 is OK. In the server: /var/logs/syslog:

Is there any solution?

