[resolved] Client routing and martian prob

flash
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 25, 2011 10:43 am

[resolved] Client routing and martian prob

Post by flash » Wed Dec 21, 2011 10:15 pm

My goal is configuration for roadwarriors to server's lan hosts. The client and server connection is successful BUT shortly after client connection is established the syslog fills with martian complaints. Although a newbie to openvpn and networking, I am reasonably sure the martians mean a configuration error. I am not sure where to start troubleshooting the martians.

Routing from server to client is pushed successfully yet client is unable to reach host 10.10.11.8 while host 10.10.11.1 is reachable. While ssh'd into 10.10.11.1 the host 10.10.11.8 is reachable.

Really would appreciate another set of eyes to spot where I've gone wrong.

Regards,
flash

server.conf

port 2727
proto udp 
dev tap0 
ca keys/ca.crt 
cert keys/captain.crt 
key keys/captain.key   
dh keys/dh2048.pem 
ifconfig-pool-persist logs/ipp.txt 
server-bridge 10.10.12.254 255.255.255.0 10.10.12.80 10.10.12.90 
client-to-client 
keepalive 10 120 
cipher AES-128-CBC  
push "route 10.10.10.0 255.255.255.0"
push "route 10.10.11.0 255.255.255.0"
tls-auth keys/ta.key 0
comp-lzo 
max-clients 5
user nobody 
group nobody
persist-key 
persist-tun 
persist-local-ip
persist-remote-ip
push "persist-key"
push "persist-tun"
log-append /var/log/openvpn.log
status logs/openvpn-status.log 
verb 5 
=== netstat====
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
zz.zzz.zz.96    0.0.0.0         255.255.255.240 U         0 0          0 br0
10.10.12.0      0.0.0.0         255.255.255.0   U         0 0          0 br1
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.11.0      0.0.0.0         255.255.255.0   U         0 0          0 eth2
0.0.0.0         zz.zzz.zz.zz    0.0.0.0         UG        0 0          0 br0
===Shorewall zones, interfaces files
#ZONE	TYPE		OPTIONS		IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
bri	ipv4							#zone for public address
net:bri	bport4
opv	ipv4
vpn:opv	bport4
loc	ipv4
dmz	ipv4
#
#ZONE	INTERFACE	BROADCAST	OPTIONS
bri	br0	detect		routefilter,routeback,bridge,tcpflags,logmartians,blacklist,nosmurfs
net	br0:eth1
opv	br1	detect		bridge,routefilter,tcpflags,logmartians,routeback,nosmurfs
vpn	br1:tap0	detect
loc	eth0		detect	 	routeback
dmz	eth2		detect		routeback
client:

conf:
client
dev tap0
port 2727
proto udp
remote xx.xxx.xx.101
ping 10
resolv-retry infinite
user nobody
group nobody
persist-key
persist-tun
ca client/ca.crt
cert client/client1.crt
key client/client1.key
ns-cert-type server
tls-auth client/ta.key 1
cipher AES-128-CBC
comp-lzo
pull
verb 5
log-append /var/log/openvpn.log

==netstat==
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         xx.1x.208.1    0.0.0.0         UG        0 0          0 br0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.8.0        0.0.0.0         255.255.255.0   U         0 0          0 eth2
10.10.10.0      10.10.12.254    255.255.255.0   UG        0 0          0 tap0
10.10.11.0      10.10.12.254    255.255.255.0   UG        0 0          0 tap0
10.10.12.0      0.0.0.0         255.255.255.0   U         0 0          0 tap0
xx.1x.208.0    0.0.0.0         255.255.248.0   U         0 0          0 br0

==shorewall interfaces and zones files==
#ZONE	TYPE		OPTIONS		IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
bri	ipv4							#zone for public address
dmz:bri	bport4
vpn:bri	bport4
wr0	ipv4
loc	ipv4
#

#ZONE		INTERFACE	BROADCAST	OPTIONS
bri		br0		detect		bridge,nosmurfs,blacklist,tcpflags,routeback,dhcp,routefilter
dmz		br0:eth1	detect
vpn		br0:tap0	detect	
loc		eth2            detect          dhcp,tcpflags,routefilter
wr0		eth0		detect		dhcp,tcpflags,routefilter


janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client routing and martian prob

Post by janjust » Wed Dec 21, 2011 11:18 pm

please post the exact log message from syslog - the word 'martian' does not occur in the openvpn sources at all.

flash
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 25, 2011 10:43 am

Re: Client routing and martian prob

Post by flash » Wed Dec 21, 2011 11:42 pm

Client's gateway ip is 98.170.208.1

Server syslog:
Dec 21 07:12:11 gateway kernel: martian source 98.187.15.124 from 98.187.15.97, on dev br1
Dec 21 07:12:11 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:11 gateway kernel: martian source 98.170.194.197 from 98.170.192.1, on dev br1
Dec 21 07:12:11 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:12 gateway kernel: martian source 98.174.43.8 from 98.174.43.1, on dev br1
Dec 21 07:12:12 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:12 gateway kernel: martian source 98.170.213.142 from 98.170.208.1, on dev br1
Dec 21 07:12:12 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:12 gateway kernel: martian source 98.170.198.129 from 98.170.192.1, on dev br1
Dec 21 07:12:12 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:12 gateway kernel: martian source 98.171.3.73 from 98.171.3.1, on dev br1
Dec 21 07:12:12 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:12 gateway kernel: martian source 98.187.15.104 from 98.187.15.97, on dev br1
Dec 21 07:12:12 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:13 gateway kernel: martian source 98.170.192.96 from 98.170.192.1, on dev br1
Dec 21 07:12:13 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:13 gateway kernel: martian source 174.76.147.8 from 174.76.147.1, on dev br1
Dec 21 07:12:13 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:13 gateway kernel: martian source 98.174.44.190 from 98.174.44.1, on dev br1
Dec 21 07:12:13 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:16 gateway kernel: net_ratelimit: 11 callbacks suppressed
Dec 21 07:12:16 gateway kernel: martian source 98.170.215.56 from 98.170.208.1, on dev br1
Dec 21 07:12:16 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:17 gateway kernel: martian source 98.170.195.145 from 98.170.192.1, on dev br1
Dec 21 07:12:17 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:17 gateway kernel: martian source 98.170.195.50 from 98.170.192.1, on dev br1
Dec 21 07:12:17 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:17 gateway kernel: martian source 98.173.20.80 from 98.173.20.65, on dev br1
Dec 21 07:12:17 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:18 gateway kernel: martian source 98.170.211.177 from 98.170.208.1, on dev br1
Dec 21 07:12:18 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:18 gateway kernel: martian source 98.170.199.190 from 98.170.192.1, on dev br1
Dec 21 07:12:18 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:19 gateway kernel: martian source 98.170.192.36 from 98.170.192.1, on dev br1
Dec 21 07:12:19 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:19 gateway kernel: martian source 98.170.210.193 from 98.170.208.1, on dev br1
Dec 21 07:12:19 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:19 gateway kernel: martian source 98.174.44.106 from 98.174.44.1, on dev br1
Dec 21 07:12:19 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:19 gateway kernel: martian source 98.170.195.148 from 98.170.192.1, on dev br1
Dec 21 07:12:19 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:22 gateway kernel: net_ratelimit: 7 callbacks suppressed
Dec 21 07:12:22 gateway kernel: martian source 98.174.44.106 from 98.174.44.1, on dev br1
Dec 21 07:12:22 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06


janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client routing and martian prob

Post by janjust » Thu Dec 22, 2011 10:17 am

this is a routing issue: the kernel is receiving packets which it does not know how to process/forward/route; check iptables/shorewall, ensure IP forwarding is enabled, check the bridge configuration etc etc

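The syslog excerpt above and the "routing issue" diagnosis both come down to the kernel's reverse-path check, which Shorewall's `routefilter` option enables (rp_filter) and `logmartians` makes visible. The script below is an added example, not code from this thread, from OpenVPN or from Shorewall: it parses the server's `netstat -rn` table from the first post, replays the reverse-path lookup for each logged packet, and decodes the `ll header:` bytes the kernel prints after every hit. Two details worth knowing when reading such lines: in the kernel message `martian source A from B, on dev X`, B (the address after `from`) is the packet's source and A is its destination, so the client's own gateway 98.170.208.1 shows up as a source arriving on the server's br1; and the last two header bytes `08:06` are the ARP ethertype with an all-ff broadcast destination, i.e. public-side broadcast frames from one device (MAC 00:14:f1:e8:69:db) are being carried into the VPN bridge. Assumptions: the masked public prefix zz.zzz.zz.96/28 is replaced by the documentation range 203.0.113.96/28 with gateway 203.0.113.97, and only two of the posted log lines are reproduced.

```python
"""Triage of the kernel's 'martian source' messages against a routing table.

Added example; it is not code from the thread, from OpenVPN or from Shorewall.
It replays the reverse-path check that Shorewall's `routefilter` option turns on
(rp_filter) and that `logmartians` makes visible, using the server's netstat
table posted in the thread, and decodes the `ll header:` bytes after each hit.
Assumptions: the masked public prefix is replaced by 203.0.113.96/28 with
gateway 203.0.113.97; only two of the posted log lines are reproduced.
"""
import ipaddress
import re
from collections import Counter

# Constructed from the server's `netstat -rn` in the first post (public prefix replaced).
ROUTING_TABLE = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.96    0.0.0.0         255.255.255.240 U         0 0          0 br0
10.10.12.0      0.0.0.0         255.255.255.0   U         0 0          0 br1
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.11.0      0.0.0.0         255.255.255.0   U         0 0          0 eth2
0.0.0.0         203.0.113.97    0.0.0.0         UG        0 0          0 br0
"""

# Constructed excerpt of the server syslog posted in the thread.
SYSLOG = """\
Dec 21 07:12:11 gateway kernel: martian source 98.187.15.124 from 98.187.15.97, on dev br1
Dec 21 07:12:11 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
Dec 21 07:12:12 gateway kernel: martian source 98.170.213.142 from 98.170.208.1, on dev br1
Dec 21 07:12:12 gateway kernel: ll header: ff:ff:ff:ff:ff:ff:00:14:f1:e8:69:db:08:06
"""

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# The kernel prints "martian source <destination> from <source>, on dev <ingress>":
# the address after "from" is the packet's source, which is what rp_filter judges.
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header: ([0-9a-f:]+)")


def parse_routes(text):
    """Parse netstat -rn output into [(network, iface)], longest prefix first."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the column header
        dest, _gw, mask, _flags, _mss, _win, _irtt, iface = line.split()
        routes.append((ipaddress.IPv4Network((dest, mask)), iface))
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def route_iface(routes, ip):
    """Longest-prefix match: the interface the kernel would use to reach ip."""
    addr = ipaddress.IPv4Address(ip)
    return next((iface for net, iface in routes if addr in net), None)


def is_martian(routes, src, ingress, strict=True):
    """rp_filter verdict. Strict: the route back to src must leave via the ingress
    interface. Loose: any route to src is enough (no route at all is still martian)."""
    back = route_iface(routes, src)
    return back != ingress if strict else back is None


def decode_ll_header(hexbytes):
    """Decode the 14-byte Ethernet header the kernel dumps after a martian."""
    b = bytes.fromhex(hexbytes.replace(":", ""))
    if len(b) < 14:
        raise ValueError("ll header shorter than an Ethernet header")
    mac = lambda m: ":".join(f"{x:02x}" for x in m)
    ethertype = int.from_bytes(b[12:14], "big")
    return {
        "dst_mac": mac(b[0:6]),
        "src_mac": mac(b[6:12]),
        "ethertype": ETHERTYPES.get(ethertype, f"0x{ethertype:04x}"),
        "broadcast": b[0:6] == b"\xff" * 6,
    }


def triage(syslog, routes):
    """Pair each martian line with its ll header and say why rp_filter rejected it."""
    findings, pending = [], None
    for line in syslog.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            dst, src, ingress = m.groups()
            pending = {"src": src, "dst": dst, "ingress": ingress,
                       "route_back": route_iface(routes, src),
                       "martian": is_martian(routes, src, ingress)}
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            pending["frame"] = decode_ll_header(h.group(1))
            findings.append(pending)
            pending = None
    return findings


def summarize(findings):
    """Count (ingress, interface the source routes back through, frame source MAC):
    one MAC and one mismatch pair means one upstream device leaking into the VPN."""
    return Counter((f["ingress"], f["route_back"], f["frame"]["src_mac"]) for f in findings)


if __name__ == "__main__":
    rts = parse_routes(ROUTING_TABLE)
    for finding in triage(SYSLOG, rts):
        print(finding)
    print(summarize(triage(SYSLOG, rts)))
```

Run against the posted lines, every hit has ingress br1 but a route back via br0 (the default route), and every frame carries the same source MAC: that pattern points at one upstream device on the client's public side whose broadcasts are being bridged into tap0, rather than at a problem with the OpenVPN tunnel itself.
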
flash
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 25, 2011 10:43 am

Re: Client routing and martian prob

Post by flash » Thu Dec 22, 2011 11:59 am

Thanks janjust for reply. The error was in client's shorewall interfaces file:

clients orig shorewall interfaces file
====================
#ZONE      INTERFACE   BROADCAST   OPTIONS
bri      br0      detect      bridge,nosmurfs,blacklist,tcpflags,routeback,dhcp,routefilter
dmz      br0:eth1   detect
vpn      br0:tap0   detect   
loc      eth2            detect          dhcp,tcpflags,routefilter
wr0      eth0      detect      dhcp,tcpflags,routefilter

clients current shorewall interfaces file
====================
#ZONE      INTERFACE   BROADCAST   OPTIONS
bri      br0      detect      bridge,nosmurfs,blacklist,tcpflags,routeback,dhcp,routefilter
dmz      br0:eth1   detect
vpn      tap0   detect   <<-- changed tap0 from bridge port
loc      eth2            detect          dhcp,tcpflags,routefilter
wr0      eth0      detect      dhcp,tcpflags,routefilter

One more question ... observed the following in the client's syslog during openvpn startup:

Dec 22 04:51:02 client1 openvpn[1791]: Options error: remote: port number associated with host [my is out of range
Dec 22 04:51:02 client1 openvpn[1791]: Use --help for more information.

The client's openvpn.log shows both the local and remote port in the profile:

Thu Dec 22 04:51:01 2011 us=663560 Current Parameter Settings:
Thu Dec 22 04:51:01 2011 us=909374   config = 'client.conf'
Thu Dec 22 04:51:01 2011 us=909425   mode = 0
Thu Dec 22 04:51:01 2011 us=909461   persist_config = DISABLED
Thu Dec 22 04:51:01 2011 us=909492   persist_mode = 1
Thu Dec 22 04:51:01 2011 us=909525   show_ciphers = DISABLED
Thu Dec 22 04:51:01 2011 us=909555   show_digests = DISABLED
Thu Dec 22 04:51:01 2011 us=909586   show_engines = DISABLED
Thu Dec 22 04:51:01 2011 us=909616   genkey = DISABLED
Thu Dec 22 04:51:01 2011 us=909648   key_pass_file = '[UNDEF]'
Thu Dec 22 04:51:01 2011 us=909678   show_tls_ciphers = DISABLED
Thu Dec 22 04:51:01 2011 us=909736 Connection profiles [default]:
Thu Dec 22 04:51:01 2011 us=909773   proto = udp
Thu Dec 22 04:51:01 2011 us=909805   local = '[UNDEF]'
Thu Dec 22 04:51:01 2011 us=909836   local_port = 2727
Thu Dec 22 04:51:01 2011 us=909867   remote = 'xx.xx.xx.101'
Thu Dec 22 04:51:01 2011 us=909898   remote_port = 2727
Thu Dec 22 04:51:01 2011 us=909929   remote_float = DISABLED
Thu Dec 22 04:51:01 2011 us=909959   bind_defined = DISABLED
Thu Dec 22 04:51:01 2011 us=909991   bind_local = ENABLED
Thu Dec 22 04:51:01 2011 us=910021   connect_retry_seconds = 5
Thu Dec 22 04:51:01 2011 us=910053   connect_timeout = 10
Thu Dec 22 04:51:01 2011 us=910083   connect_retry_max = 0
Thu Dec 22 04:51:01 2011 us=910115   socks_proxy_server = '[UNDEF]'
Thu Dec 22 04:51:01 2011 us=910147   socks_proxy_port = 0
Thu Dec 22 04:51:01 2011 us=910185   socks_proxy_retry = DISABLED
Thu Dec 22 04:51:01 2011 us=910226 Connection profiles END

-----------

Thu Dec 22 04:51:01 2011 us=917707 OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 17 2011
Thu Dec 22 04:51:01 2011 us=917949 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 22 04:51:01 2011 us=999071 Control Channel Authentication: using 'client/ta.key' as a OpenVPN static key file
Thu Dec 22 04:51:01 2011 us=999132 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 22 04:51:01 2011 us=999163 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 22 04:51:01 2011 us=999206 LZO compression initialized
Thu Dec 22 04:51:01 2011 us=999352 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Dec 22 04:51:01 2011 us=999422 Socket Buffers: R=[524288->131072] S=[524288->131072]
Thu Dec 22 04:51:01 2011 us=999463 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Dec 22 04:51:01 2011 us=999508 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Dec 22 04:51:01 2011 us=999531 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Dec 22 04:51:01 2011 us=999571 Local Options hash (VER=V4): 'a7133b47'
Thu Dec 22 04:51:01 2011 us=999603 Expected Remote Options hash (VER=V4): 'c5677ab3'
Thu Dec 22 04:51:02 2011 us=3993 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Dec 22 04:51:02 2011 us=4172 UDPv4 link local (bound): [undef]:2727
Thu Dec 22 04:51:02 2011 us=4224 UDPv4 link remote: xx.xx.xx.101:2727
Thu Dec 22 04:51:02 2011 us=91178 TLS: Initial packet from xx.xx.xx.101:2727, sid=7db0d81f 40a185fa
Thu Dec 22 04:51:02 2011 us=676645 VERIFY OK: depth=1, /C=US/ST=CA/L=City/O=Company/CN=Org_CA/emailAddress=emailaddress
Thu Dec 22 04:51:02 2011 us=677180 VERIFY OK: nsCertType=SERVER
Thu Dec 22 04:51:02 2011 us=677210 VERIFY OK: depth=0, /C=US/ST=CA/L=City/O=Company/CN=server/emailAddress=emailaddress
Thu Dec 22 04:51:03 2011 us=895549 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Dec 22 04:51:03 2011 us=895595 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 22 04:51:03 2011 us=895624 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Dec 22 04:51:03 2011 us=895652 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 22 04:51:03 2011 us=895767 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Dec 22 04:51:03 2011 us=895814 [server] Peer Connection Initiated with xx.xx.xx.101:2727
Thu Dec 22 04:51:06 2011 us=302784 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Dec 22 04:51:06 2011 us=379033 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 10.10.11.0 255.255.255.0,persist-key,persist-tun,route-gateway 10.10.12.254,ping 10,ping-restart 120,ifconfig 10.10.12.80 255.255.255.0'
Thu Dec 22 04:51:06 2011 us=379187 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 22 04:51:06 2011 us=379212 OPTIONS IMPORT: --persist options modified
Thu Dec 22 04:51:06 2011 us=379234 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 22 04:51:06 2011 us=379256 OPTIONS IMPORT: route options modified
Thu Dec 22 04:51:06 2011 us=379278 OPTIONS IMPORT: route-related options modified
Thu Dec 22 04:51:06 2011 us=379616 ROUTE default_gateway=98.xxx.xxx.1
Thu Dec 22 04:51:06 2011 us=379743 TUN/TAP device tap0 opened
Thu Dec 22 04:51:06 2011 us=379782 TUN/TAP TX queue length set to 100
Thu Dec 22 04:51:06 2011 us=379843 /sbin/ip link set dev tap0 up mtu 1500
Thu Dec 22 04:51:06 2011 us=383604 /sbin/ip addr add dev tap0 10.10.12.80/24 broadcast 10.10.12.255
Thu Dec 22 04:51:06 2011 us=386077 /sbin/ip route add 10.10.10.0/24 via 10.10.12.254
Thu Dec 22 04:51:06 2011 us=388077 /sbin/ip route add 10.10.11.0/24 via 10.10.12.254
Thu Dec 22 04:51:06 2011 us=389830 GID set to nobody
Thu Dec 22 04:51:06 2011 us=389899 UID set to nobody
Thu Dec 22 04:51:06 2011 us=389937 Initialization Sequence Completed

Given that the client's openvpn.log indicates initialization completed with both remote and local ports configured, can I safely ignore the client's syslog openvpn startup message 'Options error: remote: port number associated with host'? I am still troubleshooting routing issues and thought maybe I need to know the reason for this complaint before going further.

Regards
flash

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client routing and martian prob

Post by janjust » Thu Dec 22, 2011 12:26 pm

not sure what is going on here; the "[my" part also confuses me. This warning occurs when the remote port is outside the range 0 < port < 65536, but clearly the right value is chosen. Check the config file for funny characters.

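A way to act on the "check the config file for funny characters" advice offline, as an added example (not code from this thread or from the OpenVPN project). The error text in the syslog is `remote: port number associated with host <host> is out of range`, so whatever is printed after `host` is the host token OpenVPN parsed from a `remote` line; `[my` therefore means some file OpenVPN read contained a line beginning `remote [my ...`, such as a template placeholder that was never filled in. The script imitates the two checks behind that message, splitting option lines on ASCII space and tab only and accepting a port only when 0 < atoi(token) < 65536 (C's `atoi()` returns 0 for a word like `server`), and it also reports characters an editor would not show. Assumptions: comment lines start with `#` or `;`, quoting is ignored, and the three sample configs are constructed.

```python
"""Offline check of `remote` lines in an OpenVPN client config.

Added example, not code from the thread or from the OpenVPN project. It imitates
the two checks behind the posted error: option lines are split on ASCII space/tab,
and a port token passes only when 0 < atoi(token) < 65536 (C's atoi() yields 0 for
a non-numeric token). It also reports characters an editor would not show.
Assumptions: comments are lines starting with '#' or ';', quoting is ignored, and
the sample configs below are constructed.
"""
import re
import unicodedata

# Constructed: a leftover template line whose placeholder was never filled in.
CONFIG_WITH_PLACEHOLDER = """\
client
dev tap0
remote [my server ip] 2727
remote xx.xxx.xx.101 2727
proto udp
"""

# Constructed: a remote line pasted from a web page with a no-break space (U+00A0).
CONFIG_WITH_NBSP = "client\nremote xx.xxx.xx.101\u00a02727\nproto udp\n"

CONFIG_OK = "client\nremote xx.xxx.xx.101 2727\nproto udp\n"


def c_atoi(token):
    """Mimic C atoi(): optional sign plus leading digits, anything else gives 0."""
    m = re.match(r"[ \t]*([+-]?\d+)", token)
    return int(m.group(1)) if m else 0


def legal_ipv4_port(port):
    """The range test the reply describes: 0 < port < 65536."""
    return 0 < port < 65536


def hidden_chars(line):
    """Characters outside printable ASCII (tab excepted), with their Unicode names."""
    return [(col, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for col, ch in enumerate(line, 1)
            if ch != "\t" and not 0x20 <= ord(ch) <= 0x7E]


def check_config(text):
    """Return (line_no, message) findings; an empty list means nothing suspicious."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        for col, name in hidden_chars(raw):
            findings.append((lineno, f"hidden character {name} at column {col}"))
        line = raw.strip(" \t")
        if not line or line[0] in "#;":
            continue
        tokens = re.split(r"[ \t]+", line)        # ASCII blanks only; a NBSP does not split
        if tokens[0] != "remote":
            continue
        if len(tokens) < 2:
            findings.append((lineno, "remote: missing host"))
            continue
        host = tokens[1]
        if len(tokens) >= 3 and not legal_ipv4_port(c_atoi(tokens[2])):
            # Same wording as the syslog line in the thread; the host token follows "host".
            findings.append((lineno, f"remote: port number associated with host {host} is out of range"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("placeholder", CONFIG_WITH_PLACEHOLDER),
                      ("nbsp", CONFIG_WITH_NBSP), ("ok", CONFIG_OK)]:
        print(name, check_config(cfg))
```

The placeholder config reproduces the posted message word for word (host `[my`, port token `server` reads as 0), while the no-break-space config produces no port error at all because the host and port collapse into one token; only the hidden-character report catches it. Running the check over every file OpenVPN is started with, not just the one you edit, is the practical point, since an init script may pick up a second config in the same directory.
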
flash
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 25, 2011 10:43 am

Re: Client routing and martian prob

Post by flash » Thu Dec 22, 2011 6:35 pm

janjust, although the '[my' error persists, the server and clients are now communicating. Thanks for the help.
