From: Peter N. <pn...@no...> - 2007-07-17 05:57:37
Hi

I've a successful connection between my openVPN server (behind Linux firewall) and a roadwarrior (Windows XP client openVPN client which is NOT serving as a LAN gateway). However I receive the following error on the server when I connect successfully from the roadwarrior:

openvpn[17117]: petehome/217.164.246.54:1089 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
nowsnme openvpn[17117]: petehome/217.164.246.54:1089 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
openvpn[17117]: petehome/217.164.246.54:1089 MULTI: bad source address from client [217.164.246.54], packet dropped

openVPNserver machine <----> gw (Linux firewall) <----> ISP <-------> client machine
10.0.0.10                    10.0.0.254                80.122.134.2   217.164.256.54

I've enabled the following:

1. push route LAN network
2. redirect-gateway
3. push dhcp-options
4. client-to-client

I don't need to create a ccd directory (as I've seen forums relating to this issue). Please note that without enabling the above options, my VPN works without errors; it's only when I want to push all traffic in the tunnel that I get this error. On the client/roadwarrior side I'm able to browse the internal network and use the internal Internet and there are no errors when connecting. iptables and routes have been added to the openVPN server and LAN gateway/firewall according to the following on openvpn.net:

1. http://openvpn.net/howto.html#redirect
2. http://openvpn.net/howto.html#dhcp
3. http://openvpn.net/faq.html#ip-forward
4. http://openvpn.net/faq.html#firewall

I also tried connecting a roadwarrior (Linux) to the server and it gave the same error (only with a different IP instead of 217.164.246.54 seen above). Please advise as to what to do next to resolve this error.
Thanks for your feedback.

Kind Regards
Peter

My sample server.conf file on the server is below:

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;route 10.0.0.0 255.255.255.0
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients. See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 10.0.0.25"
push "dhcp-option DNS 10.0.0.114"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
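The "MULTI: bad source address from client [...]" line above is logged when a packet arriving from a client carries a source IP that the server has not associated with that client (its assigned tunnel address, or a subnet bound to it via iroute/ccd). The following is an added example, not code from the post or from OpenVPN: it parses such log lines and classifies each dropped source against the ranges the posted config makes the server aware of. The tunnel pool 10.8.0.0/24 is an assumption (the posted excerpt omits the `server` line; the pushed DNS 10.8.0.1 suggests the sample default), and the log lines are constructed after the one quoted in the post.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample log lines modelled on the message quoted in the post.
SAMPLE_LOG = """\
openvpn[17117]: petehome/217.164.246.54:1089 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
openvpn[17117]: petehome/217.164.246.54:1089 MULTI: bad source address from client [217.164.246.54], packet dropped
openvpn[17117]: petehome/217.164.246.54:1089 MULTI: bad source address from client [192.168.40.130], packet dropped
openvpn[17117]: petehome/217.164.246.54:1089 MULTI: bad source address from client [10.8.0.6], packet dropped
"""

BAD_SRC = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<peer>[\d.]+):(?P<port>\d+) "
    r"MULTI: bad source address from client \[(?P<src>[\d.]+)\], packet dropped"
)

# Ranges the server in the post knows about (assumption: default sample pool).
TUNNEL_POOL = ipaddress.ip_network("10.8.0.0/24")     # assumed "server 10.8.0.0 255.255.255.0"
KNOWN_ROUTES = [ipaddress.ip_network("10.0.0.0/24")]  # push "route 10.0.0.0 255.255.255.0"

def parse_bad_source(line: str) -> Optional[dict]:
    """Return the fields of a 'MULTI: bad source address' line, or None for other lines."""
    m = BAD_SRC.search(line)
    if not m:
        return None
    return {"cn": m["cn"], "peer": m["peer"], "port": int(m["port"]), "src": m["src"]}

def classify(event: dict, pool=TUNNEL_POOL, routes=KNOWN_ROUTES) -> str:
    """Explain why the server would not associate this source address with the client."""
    src = ipaddress.ip_address(event["src"])
    if src == ipaddress.ip_address(event["peer"]):
        return "physical-interface address: client sent its own public IP into the tunnel"
    if src in pool:
        return "tunnel-pool address not assigned to this client (another client's or spoofed)"
    if any(src in r for r in routes):
        return "server-side LAN address used as source by the client"
    return "unknown subnet: no iroute/ccd mapping ties it to this client"

def scan(log_text: str) -> list:
    """Parse a whole log and return (cn, src, reason) for every dropped packet."""
    out = []
    for line in log_text.splitlines():
        ev = parse_bad_source(line)
        if ev:
            out.append((ev["cn"], ev["src"], classify(ev)))
    return out

for cn, src, reason in scan(SAMPLE_LOG):  # stand-alone demo over the constructed log
    print(f"{cn}: dropped source {src}: {reason}")
```

Running it over a real server log (e.g. `journalctl -u openvpn` output) shows at a glance whether the drops are the client's physical-interface address, as in the post, or an unmapped subnet behind the client.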