OpenVPN client issue: bad source address from client

chrisedwards

New Around Here
I have Merlin firmware on my Asus N66U setup. Running latest build 270.24.

The OpenVPN client is set up and connects to the OpenVPN server with no issues. Web traffic at least appears to be routing through the OpenVPN server. However, on the OpenVPN server I am receiving the following errors in syslog:

24.212.211.xxx is my public IP address that my Asus N66U router is getting.
10.200.0.0 is the subnet the openvpn server assigns to connecting clients.
192.168.32.0 is my home network subnet (the network hosted by the Asus N66U router).

Feb 17 23:44:30 hiro openvpn[15864]: client1/24.212.211.xxx:48443 MULTI: bad source address from client [24.212.211.xxx], packet dropped

I would have thought that the source on the packets going through the VPN would be Masqueraded using the VPN IP address instead?

Setup:

Local router: /tmp/etc/openvpn/client1/client1.ovpn

Code:
# Automatically generated configuration
daemon
client
dev tun11
proto udp
remote hiro.dotsbox.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo yes
redirect-gateway def1
verb 3
script-security 2
up updown.sh
down updown.sh
ca ca.crt
cert client.crt
key client.key
status-version 2
status status

# Custom Configuration

Server config:
Code:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.200.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.2.2.1"
duplicate-cn
keepalive 10 30
client-config-dir ccd
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "explicit-exit-notify 3"

Connection syslog:
Code:
Feb 17 23:34:18 hiro openvpn[15864]: UDPv4 link local (bound): [undef]:1194
Feb 17 23:34:18 hiro openvpn[15864]: UDPv4 link remote: [undef]
Feb 17 23:34:18 hiro openvpn[15864]: MULTI: multi_init called, r=256 v=256
Feb 17 23:34:18 hiro openvpn[15864]: IFCONFIG POOL: base=10.200.0.4 size=62
Feb 17 23:34:18 hiro openvpn[15864]: IFCONFIG POOL LIST
Feb 17 23:34:18 hiro openvpn[15864]: Initialization Sequence Completed
Feb 17 23:34:30 hiro openvpn[15864]: MULTI: multi_create_instance called
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Re-using SSL/TLS context
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 LZO compression initialized
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Local Options hash (VER=V4): '530fdded'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Expected Remote Options hash (VER=V4): '41690919'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 TLS: Initial packet from 24.212.211.xxx:48443, sid=6b99f477 19fe2ae6
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 VERIFY OK: depth=1, /C=CA/ST=ON/L=Toronto/O=./OU=VPN/CN=hiro.dotsbox.com/name=VPN/emailAddress=admin@dotsbox.com
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 VERIFY OK: depth=0, /C=CA/ST=ON/L=Toronto/O=./OU=VPN/CN=client1/name=VPN/emailAddress=admin@dotsbox.com
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 NOTE: Options consistency check may be skewed by version differences
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 [client1] Peer Connection Initiated with 24.212.211.xxx:48443
Feb 17 23:34:30 hiro openvpn[15864]: client1/24.212.211.xxx:48443 OPTIONS IMPORT: reading client specific options from: ccd/client1
Feb 17 23:34:30 hiro openvpn[15864]: client1/24.212.211.xxx:48443 MULTI: Learn: 10.200.0.6 -> client1/24.212.211.xxx:48443
Feb 17 23:34:32 hiro openvpn[15864]: client1/24.212.211.xxx:48443 PUSH: Received control message: 'PUSH_REQUEST'
Feb 17 23:34:32 hiro openvpn[15864]: client1/24.212.211.xxx:48443 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.1,explicit-exit-notify 3,route 10.200.0.0 255.255.255.0,topology net30,ping 10,ping-restart 30,ifconfig 10.200.0.6 10.200.0.5' (status=1)
Feb 17 23:34:33 hiro openvpn[15864]: client1/24.212.211.xxx:48443 MULTI: bad source address from client [24.212.211.xxx], packet dropped
Feb 17 23:34:33 hiro openvpn[15864]: client1/24.212.211.xxx:48443 MULTI: bad source address from client [24.212.211.xxx], packet dropped
Feb 17 23:34:35 hiro openvpn[15864]: client1/24.212.211.xxx:48443 MULTI: bad source address from client [24.212.211.xxx], packet dropped
Feb 17 23:34:37 hiro openvpn[15864]: client1/24.212.211.xxx:48443 MULTI: bad source address from client [24.212.211.xxx], packet dropped
...

What's weird is that it seems like it doesn't know where to route 24.212.211.xxx even though that's the connecting machine. I'm guessing that the source of these packets should be rewritten to 10.200.0.2 somewhere? But not sure what I could be missing.

route
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.200.0.2      *               255.255.255.255 UH    0      0        0 tun0
localserversubnet    *               255.255.255.240 U     0      0        0 eth0
10.200.0.0      10.200.0.2      255.255.255.0   UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1002   0        0 eth0
default         hostgatewayname 0.0.0.0         UG    0      0        0 eth0

iptables
Code:
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

I have a ccd file set up on the server. 192.168.32.0 is the local subnet on the Asus router. I can ping clients from the server no issue, i.e. pinging 192.168.32.10, a device on my home network, succeeds from the server.

ccd file:
Code:
iroute 192.168.32.0 255.255.255.0

Any ideas how I can get rid of these errors? There seems to be some lag in certain applications (Xbox Live login takes much longer). I can browse through the VPN just fine and it is being routed through the VPN, as http://www.whatismyip.com/ shows the server IP address instead of the Asus router's public IP.

Cheers,

Chris
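An added example, not code from this thread and not OpenVPN's own source, that reproduces the check behind the "bad source address" message over constructed log lines: the server accepts a packet from a client only when its source is that client's learned tunnel IP or a subnet claimed by that client's ccd iroute. It assumes the thread's server subnet and iroute, and a made-up 24.212.211.99 stands in for the masked public address.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread; 24.212.211.99 is a made-up
# stand-in for the poster's masked public address 24.212.211.xxx.
POOL = ipaddress.ip_network("10.200.0.0/24")            # server 10.200.0.0 255.255.255.0
CCD = {"client1": "iroute 192.168.32.0 255.255.255.0"}  # contents of ccd/client1
SYSLOG = """\
Feb 17 23:34:30 hiro openvpn[15864]: client1/24.212.211.99:48443 MULTI: Learn: 10.200.0.6 -> client1/24.212.211.99:48443
Feb 17 23:34:33 hiro openvpn[15864]: client1/24.212.211.99:48443 MULTI: bad source address from client [24.212.211.99], packet dropped
Feb 17 23:34:35 hiro openvpn[15864]: client1/24.212.211.99:48443 MULTI: bad source address from client [10.200.0.9], packet dropped
"""

LEARN_RE = re.compile(r"MULTI: Learn: (\S+) -> (\S+)/")
DROP_RE = re.compile(r"\]: (\S+)/\S+ MULTI: bad source address from client \[(\S+)\]")


def iroutes_for(client):
    """Networks the client's ccd file claims with iroute (none without a file)."""
    nets = []
    for line in CCD.get(client, "").splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "iroute":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def reason_for(client, src, learned):
    """Classify src against what the server routes to this client."""
    if src in learned.get(client, ()):
        return "tunnel-ip"              # the client's own ifconfig address: accepted
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in iroutes_for(client)):
        return "iroute-covered"         # LAN behind the client, claimed by iroute: accepted
    if addr in POOL:
        return "pool-address-of-another-client"   # dropped: pool IP not routed to this client
    return "outside-tunnel"             # dropped: packet kept a non-VPN source such as the WAN IP


def classify(syslog):
    """Return (client, source, reason) for every drop line, tracking Learn lines."""
    learned, results = {}, []
    for line in syslog.splitlines():
        m = LEARN_RE.search(line)
        if m:
            learned.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = DROP_RE.search(line)
        if m:
            client, src = m.group(1), m.group(2)
            results.append((client, src, reason_for(client, src, learned)))
    return results


if __name__ == "__main__":
    for client, src, reason in classify(SYSLOG):
        print(f"{client}: dropped source {src} -> {reason}")
```

For the thread's log every drop classifies as outside-tunnel: the packets reached the server carrying the router's WAN address, which is neither client1's 10.200.0.6 nor inside the iroute'd 192.168.32.0/24, so the server's internal routing table has no client to attribute them to.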
 
I'm a little bit new to all that (I just set up my first OpenVPN using Merlin's firmware) and some more knowledgeable persons will probably answer your question and I will learn as much as you in this thread. In the meantime, what is
Code:
dev tun11
in the client ovpn? I thought it was
Code:
dev tun
?

GH
 
That config setting was generated by the web GUI on the Asus router. tun11 refers to the specific tunnel device that was created for the VPN connection.

ifconfig (on asus n66u):

Code:
tun11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.200.0.6  P-t-P:10.200.0.5  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:211 errors:0 dropped:0 overruns:0 frame:0
           TX packets:271 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:35077 (34.2 KiB)  TX bytes:34397 (33.5 KiB)
 
I am trying to get a better understanding of the topology of your network. Are you hosting an openvpn server as well as connecting as a client to another openvpn service?

OpenVPN client is setup and connects to the OpenVPN server with no issues.
I noticed that you mentioned what the output on the server side was. Also, if this is the case, is the openvpn server also connected to the RT-N66U, or are only your clients connecting to the router? The reason I ask is because your iptables rule to NAT all VPN IP addresses out the eth0 interface seems strange.

Code:
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE

In your connection log I noticed there are a few warnings concerning connection info.

Code:
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Feb 17 23:34:30 hiro openvpn[15864]: 24.212.211.xxx:48443 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'

and wanted to make sure that these are the settings that you have implemented on your own server.

I am no expert. I have setup a few openvpn servers though and never seen this error. I may be just confused as to how your setup is but I would look at how you are NAT'ing your vpn. Let me know.
 
Thanks for the response.

I'm hosting an openvpn server outside of my home network.

Local network (192.168.32.0) through the Asus router acting as OpenVPN client with public IP address (24.212.211.xxx), connecting through the internet to an OpenVPN server (64.237.49.xxx) running on a CentOS 6 KVM VPS that I have set up.

So to answer your question, the openvpn server is not connecting to the Asus router; it is external. The NAT routing is on the external server, which is to forward all VPN traffic through the public interface eth0.

route on the asus router is:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
24.212.211.zzz  *               255.255.255.255 UH    0      0        0 eth0
10.200.0.1      10.200.0.5      255.255.255.255 UGH   0      0        0 tun11
64.237.49.xxx    24-212-211-xxx. 255.255.255.255 UGH   0      0        0 eth0
10.200.0.5      *               255.255.255.255 UH    0      0        0 tun11
24.212.211.yyy  *               255.255.255.224 U     0      0        0 eth0
192.168.32.0    *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.200.0.5      128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.200.0.5      128.0.0.0       UG    0      0        0 tun11
default         24-212-211-zzz. 0.0.0.0         UG    0      0        0 eth0
admin@RT-N66U:/tmp/home/root#
 
Just to clarify, 10.200.0.x is the subnet that the openvpn server is assigning to connected clients. I only have 1 IP address available on the server and so must use NAT there. 192.168.32.x is the local subnet hosted by the Asus router.

I haven't done any modification to the Asus iptables. All I've done is in the web GUI client VPN, I've set redirect internet traffic = yes and create NAT on tunnel = yes.

asus iptables:
Code:
admin@RT-N66U:/tmp/home/root# iptables --list -nv --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       58  6374 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
2      211 10236 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
3    13899 2181K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4     2244  434K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
5     5476  934K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
6       61 21273 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
7        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
8        0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
9        1    48 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
10    2778  225K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 7771 packets, 737K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      931  329K ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
2    20284 2545K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
4      152  6080 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
5        6   355 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
7      355 19140 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5
8        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5
9        0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5
10    3591  503K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT

Chain OUTPUT (policy ACCEPT 20514 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.32.100      udp dpt:50487
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.32.216      udp dpt:3074
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.32.100      tcp dpt:34179
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.32.100      udp dpt:34179

Chain PControls (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logaccept (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `ACCEPT '
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `DROP'
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
This has piqued my interest and I am going to have to do a real quick setup to see if I can replicate the error. Let me see what I can get. I'll post the results.
 
I have used your exact configuration and got the same errors that you did. I found that if I disabled the "redirect internet traffic" option in the web page of the router this eliminated the errors. I did get a few here and there but I think that this was because of another network that I had hanging off the LAN side of my router. I am going to look into that further.

I don't know why it causes an issue when you enable redirect internet traffic but you are already pushing this option from the server (redirect-gateway def1) so there may be some conflict when you enable it on the client side. I am no openvpn expert by any means. I hope this minor change helps in your situation. I will write if there is anything new.
 
I would also like to add that I have re-run this test with only one network while not using openvpn through the web interface (I copied the client config and ran openvpn from that) and I had no errors. I left the server config the same as you have and the client config the same as yours without the redirect-gateway def1 option. I also used the same ccd file as you with no problems. I hope this helps.
 