{"id":306,"date":"2008-05-17T11:49:59","date_gmt":"2008-05-17T08:49:59","guid":{"rendered":"http:\/\/www.void.gr\/kargig\/blog\/?p=306"},"modified":"2008-05-17T11:51:51","modified_gmt":"2008-05-17T08:51:51","slug":"openvpn-multi-bad-source-address-from-client-solution","status":"publish","type":"post","link":"https:\/\/www.void.gr\/kargig\/blog\/2008\/05\/17\/openvpn-multi-bad-source-address-from-client-solution\/","title":{"rendered":"Openvpn &#8211; MULTI: bad source address from client &#8211; solution"},"content":{"rendered":"<p><strong>Problematic Configuration:<\/strong><br \/>\n<em>OpenVPN server config:<\/em><br \/>\n<code>dev tun<br \/>\nport 1194<br \/>\nproto udp<br \/>\nca \/etc\/openvpn\/ca.crt<br \/>\ncert \/etc\/openvpn\/server.crt<br \/>\nkey \/etc\/openvpn\/server.key<br \/>\ndh \/etc\/openvpn\/dh1024.pem<br \/>\npersist-key<br \/>\npersist-tun<br \/>\nserver 10.8.0.0 255.255.255.0<br \/>\nkeepalive 10 30<br \/>\nclient-to-client<br \/>\ncomp-lzo<br \/>\nifconfig-pool-persist ipp.txt<br \/>\nstatus \/etc\/openvpn\/openvpn-status.log<br \/>\nverb 3<br \/>\npush \"redirect-gateway\"<br \/>\n<\/code><\/p>\n<p><em>OpenVPN client config:<\/em><br \/>\n<code>dev tun<br \/>\nclient<br \/>\nproto udp<br \/>\npersist-tun<br \/>\npersist-key<br \/>\nresolv-retry infinite<br \/>\nmute-replay-warnings<br \/>\nremote REMOTE.HOST 1194<br \/>\nca \/etc\/openvpn\/ca.crt<br \/>\ncert \/etc\/openvpn\/client1.crt<br \/>\nkey \/etc\/openvpn\/client1.key<br \/>\ncomp-lzo<br \/>\nverb 3<br \/>\n<\/code><\/p>\n<p><strong>The problem:<\/strong><br \/>\nUsing the above config files I continuously got errors like this on the server syslog: <\/p>\n<blockquote><p>May 1 00:00:00 hostname ovpn-openvpn[22563]: client1\/X.Y.Z.W:1194 MULTI: bad source address from client [10.10.1.11], packet dropped<\/p><\/blockquote>\n<p>where X.Y.Z.W is my public IP and 10.10.1.11 is the Lan IP of the machine that makes the connection to the openvpn server.<\/p>\n<p><strong>The solution:<\/strong><br \/>\n<em>OpenVPN server config:<\/em><br \/>\n<code>dev tun<br \/>\nport 1194<br \/>\nproto udp<br \/>\nca \/etc\/openvpn\/ca.crt<br \/>\ncert \/etc\/openvpn\/server.crt<br \/>\nkey \/etc\/openvpn\/server.key<br \/>\ndh \/etc\/openvpn\/dh1024.pem<br \/>\npersist-key<br \/>\npersist-tun<br \/>\nserver 10.8.0.0 255.255.255.0<br \/>\nkeepalive 10 30<br \/>\nclient-to-client<br \/>\ncomp-lzo<br \/>\nifconfig-pool-persist ipp.txt<br \/>\nstatus \/etc\/openvpn\/openvpn-status.log<br \/>\nverb 3<br \/>\npush \"redirect-gateway\"<br \/>\n<strong>client-config-dir ccd<br \/>\nroute 10.10.1.0 255.255.255.0<br \/>\n<\/strong><\/code><\/p>\n<p>Then I created the <em>\/etc\/openvpn\/ccd\/<\/em> dir and put inside a file named <em>client1<\/em> with the following contents:<br \/>\n<code># cat \/etc\/openvpn\/ccd\/client1<br \/>\niroute 10.10.1.0 255.255.255.0<br \/>\n<\/code><\/p>\n<p>Client configuration stays the same. <\/p>\n<p>All should be fine now and in your server logs you will now see entries like this:<\/p>\n<blockquote><p>May 1 00:00:00 hostname ovpn-openvpn[27096]: client1\/X.Y.Z.W:1194 MULTI: Learn: 10.10.1.11 -> client1\/X.Y.Z.W:1194<\/p><\/blockquote>\n<p><strong>Hint:<\/strong> If you want your clients to be able to access the internet through the VPN tunnel you _must_ create NAT.<br \/>\n<em>a typical config on a debian acting as the OpenVPN server:<\/em><br \/>\n<code># cat \/etc\/network\/interfaces<br \/>\nauto lo<br \/>\niface lo inet loopback<br \/>\n# The primary network interface<br \/>\nauto eth0<br \/>\niface eth0 inet static<br \/>\n  address A.B.C.D<br \/>\n  netmask 255.255.255.0<br \/>\n  gateway A.B.C.E<br \/>\n  network A.B.C.0<br \/>\n  broadcast A.B.C.255<br \/>\n  post-up iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.1\/24 -j MASQUERADE<br \/>\n  post-up echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward<br \/>\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Problematic Configuration: OpenVPN server config: dev tun port 1194 proto udp ca \/etc\/openvpn\/ca.crt cert \/etc\/openvpn\/server.crt key \/etc\/openvpn\/server.key dh \/etc\/openvpn\/dh1024.pem persist-key persist-tun server 10.8.0.0 255.255.255.0 keepalive 10 30 client-to-client comp-lzo ifconfig-pool-persist ipp.txt status \/etc\/openvpn\/openvpn-status.log verb 3 push &#8220;redirect-gateway&#8221; OpenVPN client config: dev tun client proto udp persist-tun persist-key resolv-retry infinite mute-replay-warnings remote REMOTE.HOST 1194 ca \/etc\/openvpn\/ca.crt [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"footnotes":""},"categories":[6,5,3,8,4],"tags":[],"class_list":["post-306","post","type-post","status-publish","format-standard","hentry","category-encryption","category-internet","category-linux","category-networking","category-privacy"],"aioseo_notices":[],"views":148374,"_links":{"self":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/comments?post=306"}],"version-history":[{"count":0,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/306\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/media?parent=306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/categories?post=306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/tags?post=306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}