bad source address from client

Samples of working configurations.


grapi
OpenVpn Newbie
Posts: 1
Joined: Fri Jun 26, 2015 2:53 pm

bad source address from client

Post by grapi » Sun Jun 28, 2015 4:56 pm

Hello everybody,
This similar configuration works in TAP mode between 2 DD-WRT routers, but it is impossible to get it working in TUN mode; what's wrong? In OpenVPN for iOS I get tun_prop_error: one of ifconfig .... must be specified


Server openvpntunpc.conf:
mode server
port 1195
proto udp
dev tun1
dh /opt/ovpn/dh1024.pem
ca /opt/ovpn/ca.crt
cert /opt/ovpn/server.crt
key /opt/ovpn/server.key
client-to-client
keepalive 10 120
verb 5
status /opt/ovpn/log/ovpnpc-status.log
log /opt/ovpn/log/ovpnpc-log.log
tls-server
comp-lzo
persist-key
persist-tun
ifconfig 172.20.20.1 172.20.20.2
push "route 192.168.158.0 255.255.255.0 172.20.20.1 1"
push "route 192.168.158.0 255.255.255.0 172.20.20.2 1"
client-config-dir /opt/ovpn/ccd


ccd/client_pc:
iroute 192.168.158.0 255.255.255.0


client_pc.conf:
client
dev tun1
proto udp
remote 88.70.71.72 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client_pc.crt
key client_pc.key
ns-cert-type server
comp-lzo
verb 5
ifconfig 172.20.20.2 172.20.20.1


OpenVPN start script on DD-WRT:
/jffs/etc/config/ovpn.ipup
#!/bin/sh
logger -s -p local0.notice -t ip_restart_detected "########### $(date) - restarting open vpn service ###########"
####### stopping tun1, openvpn
cd /opt/ovpn
killall ovpnpc
rm /opt/ovpn/ovpnpc
ifconfig tun1 down
openvpn --rmtun --dev tun1
sleep 3
####### starting tun1, openvpn
ln -s /usr/sbin/openvpn /opt/ovpn/ovpnpc
openvpn --mktun --dev tun1
ifconfig tun1 0.0.0.0 netmask 255.255.255.0 promisc up
sleep 3
/opt/ovpn/ovpnpc --config /opt/ovpn/openvpntunpc.conf --daemon


Firewall adaptation:
# the server runs proto udp, so the accept rule has to match udp, not tcp
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 -s 172.20.20.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.20.20.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.20.20.0/24 -j MASQUERADE
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE


Log DD-WRT after init of tun1 and openvpn:
ip_restart_detected: ########### Thu Jun 25 00:40:46 UTC 2015 - restarting open vpn service ###########
Thu Jun 25 00:40:46 2015 TUN/TAP device tun1 opened
Thu Jun 25 00:40:46 2015 Persist state set to: OFF
Thu Jun 25 00:40:49 2015 TUN/TAP device tun1 opened
Thu Jun 25 00:40:49 2015 Persist state set to: ON
Thu Jun 25 00:40:53 2015 us=335642 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Jun 25 00:40:53 2015 us=336206 TUN/TAP device tun1 opened
Thu Jun 25 00:40:53 2015 us=336433 TUN/TAP TX queue length set to 100
Thu Jun 25 00:40:53 2015 us=336666 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jun 25 00:40:53 2015 us=337003 /sbin/ifconfig tun1 172.20.20.1 pointopoint 172.20.20.2 mtu 1500
Thu Jun 25 00:40:53 2015 us=343522 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 25 00:40:53 2015 us=344956 UDPv4 link local (bound): [undef]
Thu Jun 25 00:40:53 2015 us=345302 UDPv4 link remote: [undef]
Thu Jun 25 00:40:53 2015 us=345677 MULTI: multi_init called, r=256 v=256
Thu Jun 25 00:40:53 2015 us=346720 Initialization Sequence Completed


Log client_pc after init:
Thu Jun 25 00:21:29 2015 us=311538 [server] Peer Connection Initiated with [AF_INET] 88.70.71.72:1195
Thu Jun 25 00:21:30 2015 us=328596 MANAGEMENT: >STATE:1435184490,GET_CONFIG,,,
Thu Jun 25 00:21:31 2015 us=345654 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jun 25 00:21:31 2015 us=435659 PUSH: Received control message: 'PUSH_REPLY,route 192.168.158.0 255.255.255.0 172.20.20.1 1,route 192.168.158.0 255.255.255.0 172.20.20.2 1,ping 10,ping-restart 120'
Thu Jun 25 00:21:31 2015 us=436659 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 25 00:21:31 2015 us=436659 OPTIONS IMPORT: route options modified
Thu Jun 25 00:21:31 2015 us=447660 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jun 25 00:21:31 2015 us=447660 MANAGEMENT: >STATE:1435184491,ASSIGN_IP,,172.20.20.2,
Thu Jun 25 00:21:31 2015 us=447660 open_tun, tt->ipv6=0
Thu Jun 25 00:21:31 2015 us=451660 TAP-WIN32 device [Connexion au réseau local 3] opened: \\.\Global\{733B272E-E6EF-43B6-98D7-28D91C06DF1D}.tap
Thu Jun 25 00:21:31 2015 us=451660 TAP-Windows Driver Version 9.9
Thu Jun 25 00:21:31 2015 us=452660 TAP-Windows MTU=1500
Thu Jun 25 00:21:31 2015 us=456661 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.20.20.2/255.255.255.252 on interface {733B272E-E6EF-43B6-98D7-28D91C06DF1D} [DHCP-serv: 172.20.20.1, lease-time: 31536000]
Thu Jun 25 00:21:31 2015 us=457661 Successful ARP Flush on interface [15] {733B272E-E6EF-43B6-98D7-28D91C06DF1D}
Thu Jun 25 00:21:36 2015 us=503949 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Jun 25 00:21:36 2015 us=503949 MANAGEMENT: >STATE:1435184496,ADD_ROUTES,,,
Thu Jun 25 00:21:36 2015 us=503949 C:\Windows\system32\route.exe ADD 192.168.158.0 MASK 255.255.255.0 172.20.20.1 METRIC 1
Thu Jun 25 00:21:36 2015 us=542951 C:\Windows\system32\route.exe ADD 192.168.158.0 MASK 255.255.255.0 172.20.20.2 METRIC 1
Thu Jun 25 00:21:36 2015 us=568953 Initialization Sequence Completed
Thu Jun 25 00:21:36 2015 us=568953 MANAGEMENT: >STATE:1435184496,CONNECTED,SUCCESS,172.20.20.2, 88.70.71.72



Log DD-WRT after client_pc connection:
Thu Jun 25 00:41:37 2015 us=78142 MULTI: multi_create_instance called
Thu Jun 25 00:41:37 2015 us=788632 80.12.35.7:46645 Re-using SSL/TLS context
Thu Jun 25 00:41:37 2015 us=788933 80.12.35.7:46645 LZO compression initialized
Thu Jun 25 00:41:37 2015 us=790775 80.12.35.7:46645 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jun 25 00:41:37 2015 us=791033 80.12.35.7:46645 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 25 00:41:37 2015 us=791649 80.12.35.7:46645 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Jun 25 00:41:37 2015 us=791832 80.12.35.7:46645 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Jun 25 00:41:37 2015 us=792207 80.12.35.7:46645 Local Options hash (VER=V4): '530fdded'
Thu Jun 25 00:41:37 2015 us=792667 80.12.35.7:46645 Expected Remote Options hash (VER=V4): '41690919'
Thu Jun 25 00:41:37 2015 us=793328 80.12.35.7:46645 TLS: Initial packet from [AF_INET]80.12.35.7:46645, sid=fd96cf18 f561b8c3
Thu Jun 25 00:41:38 2015 us=435303 80.12.35.7:46645 VERIFY OK: depth=1, C=FR, ST=2B, L=PARIS, O=toto.net, OU=ici, CN=ddwrt, name=TOTO, emailAddress=moi@toto.net
Thu Jun 25 00:41:38 2015 us=440535 80.12.35.7:46645 VERIFY OK: depth=0, C=FR, ST=2B, L=PARIS, O=toto.net, OU=ici, CN=client_pc, name=TOTO, emailAddress=moi@toto.net
Thu Jun 25 00:41:38 2015 us=760793 80.12.35.7:46645 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 25 00:41:38 2015 us=761068 80.12.35.7:46645 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 00:41:38 2015 us=761687 80.12.35.7:46645 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 25 00:41:38 2015 us=761915 80.12.35.7:46645 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 25 00:41:38 2015 us=806660 80.12.35.7:46645 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun 25 00:41:38 2015 us=807013 80.12.35.7:46645 [client_pc] Peer Connection Initiated with [AF_INET]80.12.35.7:46645
Thu Jun 25 00:41:38 2015 us=807610 client_pc/80.12.35.7:46645 OPTIONS IMPORT: reading client specific options from: /opt/ovpn/ccd/client_pc
Thu Jun 25 00:41:38 2015 us=808469 client_pc/80.12.35.7:46645 MULTI: no dynamic or static remote --ifconfig address is available for client_pc/80.12.35.7:46645
Thu Jun 25 00:41:38 2015 us=808694 client_pc/80.12.35.7:46645 MULTI: internal route 192.168.158.0/24 -> client_pc/80.12.35.7:46645
Thu Jun 25 00:41:38 2015 us=808940 client_pc/80.12.35.7:46645 MULTI: Learn: 192.168.158.0/24 -> client_pc/80.12.35.7:46645
Thu Jun 25 00:41:40 2015 us=977705 client_pc/80.12.35.7:46645 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jun 25 00:41:40 2015 us=977926 client_pc/80.12.35.7:46645 send_push_reply(): safe_cap=940
Thu Jun 25 00:41:40 2015 us=978479 client_pc/80.12.35.7:46645 SENT CONTROL [client_pc]: 'PUSH_REPLY,route 192.168.158.0 255.255.255.0 172.20.20.1 1,route 192.168.158.0 255.255.255.0 172.20.20.2 1,ping 10,ping-restart 120' (status=1)

client_pc routing table:
[Image: client_pc routing table]

Log DD-WRT after client_pc pings 192.168.158.7:
Thu Jun 25 00:43:16 2015 us=574521 client_pc /80.12.35.7:46645 MULTI: bad source address from client [172.20.20.2], packet dropped
Thu Jun 25 00:43:21 2015 us=136509 client_pc /80.12.35.7:46645 MULTI: bad source address from client [172.20.20.2], packet dropped
Thu Jun 25 00:43:26 2015 us=126735 client_pc /80.12.35.7:46645 MULTI: bad source address from client [172.20.20.2], packet dropped

best regards
Eric

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: bad source address from client

Post by Traffic » Mon Jun 29, 2015 9:20 pm

Using custom options on your DD-WRT router, you may be able to implement this solution:
HOWTO: Expanding the scope of the VPN to include additional machines

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: bad source address from client

Post by Traffic » Mon Jun 29, 2015 9:50 pm

Also, see --server in The Manual v23x
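Added example, not code from this thread or from OpenVPN itself: a small model of the server-side MULTI source check behind the "bad source address from client [172.20.20.2]" drops in the first post, which forwards a client's packet only when its source IP already maps to that client (the virtual IP learned from --server/ifconfig-pool or a static ifconfig-push in the ccd file, or a network declared with iroute). The function names, the pool_vip parameter and the ccd variant with ifconfig-push are this example's own assumptions; the posted ccd contains only the iroute line, so 172.20.20.2 is never learned.

```python
# Added example, not code from the thread or from OpenVPN: a model of the
# server's MULTI source-address check. A packet from a client is forwarded
# only if its source IP maps to that client: the virtual IP the server
# assigned (--server/--ifconfig-pool) or a static ifconfig-push in the ccd
# file, plus any network the ccd declares with iroute. Function names and
# the pool_vip parameter are this example's own.
import ipaddress
import re

def learn_client_routes(client, ccd_text, pool_vip=None):
    """Return {network: client} as the server logs it with 'MULTI: Learn'."""
    table = {}
    # A static ifconfig-push in the ccd file overrides a pool-assigned address.
    static = re.findall(r"^\s*ifconfig-push\s+(\S+)", ccd_text, re.M)
    vip = static[0] if static else pool_vip
    if vip:
        table[ipaddress.ip_network(vip)] = client          # host route (/32)
    # iroute NETWORK [NETMASK]: subnets reachable behind this client.
    for net, mask in re.findall(r"^\s*iroute\s+(\S+)(?:\s+(\S+))?", ccd_text, re.M):
        mask = mask or "255.255.255.255"
        table[ipaddress.ip_network(f"{net}/{mask}", strict=False)] = client
    return table

def check_source(table, client, src_ip):
    """Longest-prefix lookup of a packet's source; it must belong to `client`."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, owner in table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    if best is None or best[1] != client:
        return f"MULTI: bad source address from client [{src_ip}], packet dropped"
    return "forwarded"

# ccd/client_pc exactly as posted: only an iroute, no ifconfig-push.
CCD_POSTED = "iroute 192.168.158.0 255.255.255.0\n"
# Constructed variant that also tells the server the client's virtual IP.
CCD_FIXED = CCD_POSTED + "ifconfig-push 172.20.20.2 172.20.20.1\n"

if __name__ == "__main__":
    posted = learn_client_routes("client_pc", CCD_POSTED)
    print(check_source(posted, "client_pc", "172.20.20.2"))   # dropped
    # Either a pool address from --server or the ifconfig-push line fixes it.
    fixed = learn_client_routes("client_pc", CCD_FIXED)
    print(check_source(fixed, "client_pc", "172.20.20.2"))    # forwarded
```

Traffic from the LAN behind the client (192.168.158.0/24) passes in both cases because the iroute is learned; only the tunnel endpoint address itself is unknown to the server in the posted setup.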
