TLS Error using public IP address

Moderators: TinCanTech
Smallyoks
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 03, 2018 8:53 am

TLS Error using public IP address

Post by Smallyoks » Mon Sep 03, 2018 9:35 am

Hi everyone,

I'm struggling to set up my VPN. I'm looking for advice before I end up crushing my head with my keyboard.
I guess I am missing something somewhere... where?!

For now, server and client are in the same local network
Server local ip : 192.168.67.10
Client local ip : 192.168.67.11

There are 2 aspects to my issue which are related, I believe:
- Using the server local ip address in client conf (remote 192.168.67.10 1194)
> MULTI: bad source address from client [192.168.67.11], packet dropped
> MULTI: bad source address from client [192.168.67.11], packet dropped
> ...

Also: configuring specific routes in a custom client directory (ccd) does not improve the situation.

- Using the public ip address (remote 77.XX.XX.XX 1194)
> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> TLS Error: TLS handshake failed



OPENVPN CONFIGURATIONS
thibclient.ovpn
### CLIENT WIN10 ###
client
dev tun
;dev-node tap0 #virtual adapter's name
proto udp
;remote 192.168.67.10 1194
remote 77.XX.XX.XX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
### SECURITY,CERTS,KEYS ###
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\thibclient.crt"
key "C:\\Program Files\\OpenVPN\\config\\thibclient.key"
remote-cert-tls server
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
### LOG ###
verb 4


server.conf
### SERVER DEBIAN ###
;local x.x.x.x
port 1194
proto udp
dev tun
;dev-node tun0 #for windows
### SECURITY,KEYS,CERTS ###
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key
dh /etc/openvpn/dh4096.pem
tls-auth /etc/openvpn/certs/keys/ta.key 0
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
user openvpn
group nogroup
persist-key
persist-tun
### NETWORK ###
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # a record of virtual client ip
topology subnet
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# custom client config
client-config-dir /etc/openvpn/ccd
route 192.168.67.0 255.255.255.0
# create ccd/thibclient with "iroute 192.168.67.11 255.255.255.0" inside
### LOG ###
status openvpn-status.log
log /etc/openvpn/openvpn.log
verb 4
explicit-exit-notify 1


NETWORK CONFIG

client
Ethernet adapter tap0:
Connection-specific DNS Suffix . . . . :
Description. . . . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address . . . . . . . . . . . : 00-FF-F7-CF-00-EE
DHCP Enabled . . . . . . . . . . . . . : Yes
Autoconfiguration Enabled. . . . . . . : Yes
Link-local IPv6 Address. . . . . . . . : fe80::813e:bf28:f873:6689%21(Preferred)
IPv4 Address . . . . . . . . . . . . . : 10.8.0.4(Preferred)
Subnet Mask. . . . . . . . . . . . . . : 255.255.255.0
Lease Obtained . . . . . . . . . . . . : Sunday, September 2, 2018 20:28:09
Lease Expires. . . . . . . . . . . . . : Monday, September 2, 2019 20:28:06
Default Gateway. . . . . . . . . . . . :
DHCP Server. . . . . . . . . . . . . . : 10.8.0.254
DHCPv6 IAID. . . . . . . . . . . . . . : 335609847
DHCPv6 Client DUID . . . . . . . . . . : 00-01-00-01-21-C0-74-FA-74-D0-2B-62-84-BF
DNS Servers. . . . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip . . . . . . . . . . : Enabled
server
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100
(UNSPEC)
RX packets 182251 bytes 11157558 (10.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 345209 bytes 461668880 (440.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.67.10 netmask 255.255.255.0 broadcast 192.168.67.255
inet6 fe80::4173:c79a:189f:5ec prefixlen 64 scopeid 0x20<link>
ether 78:2b:cb:9d:98:4a txqueuelen 1000 (Ethernet)
RX packets 596604 bytes 552177239 (526.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 590829 bytes 560550504 (534.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 21 memory 0xf7fe0000-f8000000


FIREWALLS & NAT
-On my win10 client I disabled firewall for the tests.
-On the server :

### NETWORK INTERFACES ###
# physical network card
card="enp0s25"
# virtual card (tun/tap)
vcard="tun0"
### RULES ###
# Flush the current tables & custom rules
iptables -t filter -F
iptables -t filter -X
# Deny all incoming and outgoing connections
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
# Don't break established connections
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
#iptables -t filter -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# Enable NAT
iptables -t nat -A POSTROUTING -p udp -d 192.168.67.11 --dport 1194 -j MASQUERADE
iptables -t nat -A PREROUTING -p udp -i $card -d 77.203.117.203 -j DNAT --to-destination 192.168.67.11
#iptables -t nat -A POSTROUTING -o $card -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.67.0/24 -j SNAT --to-source 77.203.117.203
# Enable ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
### OPEN PORTS ###
# SSH
iptables -t filter -A INPUT -i $card -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -o $card -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
# SAMBA
iptables -t filter -A INPUT -i $card -p tcp -m state --state NEW,ESTABLISHED --dport 445 -j ACCEPT
iptables -t filter -A OUTPUT -o $card -p tcp -m state --state NEW,ESTABLISHED --sport 445 -j ACCEPT
# OPENVPN
iptables -t filter -A INPUT -i $card -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
iptables -t filter -A OUTPUT -o $card -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
# allow DNS traffic through vpn
iptables -t filter -A INPUT -i $card -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o $card -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
iptables -t filter -A INPUT -i $card -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o $card -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
# allow HTTP/S for updates
iptables -t filter -A INPUT -i $card -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
iptables -t filter -A INPUT -i $card -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
iptables -t filter -A OUTPUT -o $card -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -o $card -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
# allow NTP to sync clock
iptables -t filter -A INPUT -i $card -p udp -m state --state ESTABLISHED --sport 123 -j ACCEPT
iptables -t filter -A OUTPUT -o $card -p udp -m state --state NEW,ESTABLISHED --dport 123 -j ACCEPT
# allow TUN tunnel through the vpn
iptables -t filter -A INPUT -i $vcard -j ACCEPT
iptables -t filter -A FORWARD -i $vcard -j ACCEPT
iptables -t filter -A OUTPUT -o $vcard -j ACCEPT
iptables -t filter -A FORWARD -i $vcard -o $card -s 10.8.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $card -o $vcard -s 10.8.0.0/24 -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### BLOCKED TRAFFIC ###
# log blocked traffic
iptables -t filter -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
iptables -t filter -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
iptables -t filter -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: " --log-level 4
# block all other traffic
iptables -t filter -A INPUT -j REJECT
iptables -t filter -A FORWARD -j REJECT
iptables -t filter -A OUTPUT -j REJECT
# reject all IPv6 traffic to avoid VPN leaks
ip6tables -t filter -A INPUT -j REJECT
ip6tables -t filter -A FORWARD -j REJECT
ip6tables -t filter -A OUTPUT -j REJECT
The firewall seems all right to me. Is the issue in my NAT configuration?
What else could it be?

One other thing I noticed :
On the way to Google, what does step 3 mean?
tracert

C:\Users\Thib ssd>tracert -d 8.8.8.8
> Tracing route to 8.8.8.8 over a maximum of 30 hops.
1 13 ms 1 ms <1 ms 10.8.0.1
2 3 ms 1 ms 2 ms 192.168.67.1
3 * * * Request timed out.
4 7 ms 9 ms 39 ms 195.132.10.121
5 38 ms 22 ms 23 ms 172.19.132.146
6 17 ms 17 ms 18 ms 72.14.196.224
7 17 ms 17 ms 17 ms 108.170.244.193
8 18 ms 17 ms 17 ms 66.249.94.175
9 17 ms 17 ms 18 ms 8.8.8.8
Trace complete.


Well, I have no clue what's happening...
I would really appreciate any advice.

Thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error using public IP address

Post by TinCanTech » Mon Sep 03, 2018 11:52 am

You did not include your log files:
viewtopic.php?f=30&t=22603
Smallyoks wrote:
Mon Sep 03, 2018 9:35 am
For now, server and client are in the same local network
Smallyoks wrote:
Mon Sep 03, 2018 9:35 am
- Using the server local ip address in client conf (remote 192.168.67.10 1194)
> MULTI: bad source address from client [192.168.67.11], packet dropped
> MULTI: bad source address from client [192.168.67.11], packet dropped
> ...
also : configuring specific routes in a custom client directory(ccd) does not improve the situation
Verify the CCD is being used and the --iroute is suitable.
Smallyoks wrote:
Mon Sep 03, 2018 9:35 am
Using the public ip address (remote 77.XX.XX.XX 1194)
> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> TLS Error: TLS handshake failed
Router port forwarding of UDP 1194 and/or "hairpinning" (Does your router allow LAN clients access to WAN ports?)
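The two checks asked for above ("verify the CCD is being used and the --iroute is suitable") can be read straight off the server log. The following Python is an added example written for this page; it is not code from the post or from OpenVPN. It applies the same network/netmask rule OpenVPN uses before reporting "Bad network/subnet specification", and it walks server log lines looking for the CCD import line, iroute option errors, failed `ip route add` commands and "bad source address" drops. The line shapes are copied from the OpenVPN 2.4 output quoted later in this thread; SAMPLE_LOG is constructed from them, and the function and variable names are my own.

```python
# Added example, not code from the forum post or from OpenVPN.
# It automates the two checks asked for above: is the client-config-dir
# file actually being read, and is the --iroute in it a valid network?
# Log line shapes follow the OpenVPN 2.4 server output quoted in this
# thread; SAMPLE_LOG below is constructed from them.
import ipaddress
import re
from collections import Counter


def iroute_is_valid(network, netmask="255.255.255.255"):
    """Same rule OpenVPN applies before 'Bad network/subnet specification':
    the network address must have no host bits set under the netmask."""
    try:
        ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    except ValueError:
        return False
    return True


_PATTERNS = {
    "ccd": re.compile(r"OPTIONS IMPORT: reading client specific options from: (\S+)"),
    "iroute_err": re.compile(r"Options error: in --iroute ([\d.]+) ([\d.]+) : (.+)$"),
    "route_cmd": re.compile(r"(/sbin/ip route add \S+ via \S+)$"),
    "rtnetlink": re.compile(r"^RTNETLINK answers: (.+)$"),
    "bad_src": re.compile(r"MULTI: bad source address from client \[([^\]]+)\], packet dropped"),
    "learn": re.compile(r"MULTI: (?:Learn:|internal route) (\S+) -> "),
}


def triage_server_log(lines):
    """Walk server log lines and collect the facts needed to answer
    'is the CCD used?' and 'why are packets dropped?'."""
    report = {"ccd_files": [], "iroute_errors": [], "route_add_failures": [],
              "learned": [], "bad_sources": Counter()}
    pending_cmd = None  # last 'ip route add' awaiting the kernel's verdict
    for raw in lines:
        line = raw.rstrip()
        m = _PATTERNS["ccd"].search(line)
        if m:
            report["ccd_files"].append(m.group(1))
            continue
        m = _PATTERNS["iroute_err"].search(line)
        if m:
            report["iroute_errors"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = _PATTERNS["route_cmd"].search(line)
        if m:
            pending_cmd = m.group(1)
            continue
        m = _PATTERNS["rtnetlink"].match(line)
        if m:
            report["route_add_failures"].append((pending_cmd, m.group(1)))
            pending_cmd = None
            continue
        m = _PATTERNS["bad_src"].search(line)
        if m:
            report["bad_sources"][m.group(1)] += 1
            continue
        m = _PATTERNS["learn"].search(line)
        if m:
            report["learned"].append(m.group(1))
    return report


def findings(lines):
    """Turn the raw report into one-line conclusions."""
    r = triage_server_log(lines)
    out = []
    if not r["ccd_files"]:
        out.append("no 'OPTIONS IMPORT' line: the CCD file was not read (check "
                   "client-config-dir and that the file is named after the cert CN)")
    for net, mask, why in r["iroute_errors"]:
        fixed = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        out.append(f"iroute {net} {mask} rejected ({why}); for that netmask the "
                   f"network address is {fixed.network_address}, "
                   f"i.e. iroute {fixed.network_address} {fixed.netmask}")
    for cmd, err in r["route_add_failures"]:
        out.append(f"kernel refused '{cmd}': {err}")
    for src, n in r["bad_sources"].items():
        out.append(f"{n} packet(s) dropped with source {src}: neither the client's "
                   f"VPN IP nor inside a learned iroute")
    return out


# Constructed sample, shaped like the server log quoted in this thread.
SAMPLE_LOG = """\
Mon Sep  3 14:16:28 2018 us=937315 /sbin/ip route add 192.168.67.11/24 via 10.8.0.2
RTNETLINK answers: Invalid argument
Mon Sep  3 14:16:28 2018 us=938143 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Sep  3 14:24:39 2018 us=812824 thibclient/192.168.67.11:56174 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/thibclient
Mon Sep  3 14:24:39 2018 us=812859 thibclient/192.168.67.11:56174 Options error: in --iroute 192.168.67.11 255.255.255.0 : Bad network/subnet specification
Mon Sep  3 14:24:39 2018 us=812918 thibclient/192.168.67.11:56174 MULTI: Learn: 10.8.0.4 -> thibclient/192.168.67.11:56174
Mon Sep  3 14:24:42 2018 us=142964 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:24:42 2018 us=143031 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
""".splitlines()

if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print("-", line)
```

Run it against `/etc/openvpn/openvpn.log` (the path in the posted server.conf) with `findings(open(path).readlines())`. A "bad source address" drop is OpenVPN's anti-spoofing check on the tunnel: the server will only forward a packet whose source is the client's assigned VPN IP or inside an iroute it owns, so those lines tell you which address the client is putting on packets, not that the CCD is missing.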

Smallyoks
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 03, 2018 8:53 am

Re: TLS Error using public IP address

Post by Smallyoks » Mon Sep 03, 2018 4:12 pm

Thank you very much for your reply. You highlighted things I hadn't really paid attention to.

I do indeed have an issue with routing. I get the 2 following errors using ccd (see logs for details):
1) RTNETLINK answers: Invalid argument
Mon Sep 3 14:16:28 2018 us=938143 ERROR: Linux route add command failed: external program exited with error status: 2
2) RTNETLINK answers: File exists
Mon Sep 3 14:14:09 2018 us=548180 ERROR: Linux route add command failed: external program exited with error status: 2


Here are my server logs in 3 situations:
1. without a specified route

Mon Sep  3 14:21:35 2018 us=356466 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Mon Sep  3 14:21:35 2018 us=356482 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Mon Sep  3 14:21:35 2018 us=357576 Diffie-Hellman initialized with 4096 bit key
Mon Sep  3 14:21:35 2018 us=358093 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep  3 14:21:35 2018 us=358111 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep  3 14:21:35 2018 us=358126 TLS-Auth MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Sep  3 14:21:35 2018 us=360543 TUN/TAP device tun0 opened
Mon Sep  3 14:21:35 2018 us=360573 TUN/TAP TX queue length set to 100
Mon Sep  3 14:21:35 2018 us=360590 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Sep  3 14:21:35 2018 us=360610 /sbin/ip link set dev tun0 up mtu 1500
Mon Sep  3 14:21:35 2018 us=361992 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Mon Sep  3 14:21:35 2018 us=362878 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:21:35 2018 us=363276 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Sep  3 14:21:35 2018 us=363298 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Sep  3 14:21:35 2018 us=363316 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Sep  3 14:21:35 2018 us=363328 UDPv4 link remote: [AF_UNSPEC]
Mon Sep  3 14:21:35 2018 us=363342 GID set to nogroup
Mon Sep  3 14:21:35 2018 us=363357 UID set to openvpn
Mon Sep  3 14:21:35 2018 us=363374 MULTI: multi_init called, r=256 v=256
Mon Sep  3 14:21:35 2018 us=363412 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Mon Sep  3 14:21:35 2018 us=363432 ifconfig_pool_read(), in='thibclient,10.8.0.4', TODO: IPv6
Mon Sep  3 14:21:35 2018 us=363446 succeeded -> ifconfig_pool_set()
Mon Sep  3 14:21:35 2018 us=363459 IFCONFIG POOL LIST
Mon Sep  3 14:21:35 2018 us=363470 thibclient,10.8.0.4
Mon Sep  3 14:21:35 2018 us=363522 Initialization Sequence Completed
.
Mon Sep  3 14:23:28 2018 us=121912 MULTI: multi_create_instance called
Mon Sep  3 14:23:28 2018 us=121960 192.168.67.11:55375 Re-using SSL/TLS context
Mon Sep  3 14:23:28 2018 us=122063 192.168.67.11:55375 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Sep  3 14:23:28 2018 us=122078 192.168.67.11:55375 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:23:28 2018 us=122109 192.168.67.11:55375 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Mon Sep  3 14:23:28 2018 us=122122 192.168.67.11:55375 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Mon Sep  3 14:23:28 2018 us=122159 192.168.67.11:55375 TLS: Initial packet from [AF_INET]192.168.67.11:55375, sid=b2f31902 2ad85b45
Mon Sep  3 14:23:28 2018 us=283886 192.168.67.11:55375 VERIFY OK: depth=1, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN="Thib", name=Thib, emailAddress=xx@gmail.com
Mon Sep  3 14:23:28 2018 us=284277 192.168.67.11:55375 VERIFY OK: depth=0, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN=thibclient, name=Thib, emailAddress=xx@gmail.com
Mon Sep  3 14:23:28 2018 us=349261 192.168.67.11:55375 peer info: IV_VER=2.4.6
Mon Sep  3 14:23:28 2018 us=349291 192.168.67.11:55375 peer info: IV_PLAT=win
Mon Sep  3 14:23:28 2018 us=349304 192.168.67.11:55375 peer info: IV_PROTO=2
Mon Sep  3 14:23:28 2018 us=349317 192.168.67.11:55375 peer info: IV_NCP=2
Mon Sep  3 14:23:28 2018 us=349329 192.168.67.11:55375 peer info: IV_LZ4=1
Mon Sep  3 14:23:28 2018 us=349341 192.168.67.11:55375 peer info: IV_LZ4v2=1
Mon Sep  3 14:23:28 2018 us=349353 192.168.67.11:55375 peer info: IV_LZO=1
Mon Sep  3 14:23:28 2018 us=349365 192.168.67.11:55375 peer info: IV_COMP_STUB=1
Mon Sep  3 14:23:28 2018 us=349378 192.168.67.11:55375 peer info: IV_COMP_STUBv2=1
Mon Sep  3 14:23:28 2018 us=349390 192.168.67.11:55375 peer info: IV_TCPNL=1
Mon Sep  3 14:23:28 2018 us=349403 192.168.67.11:55375 peer info: IV_GUI_VER=OpenVPN_GUI_11
Mon Sep  3 14:23:28 2018 us=350297 192.168.67.11:55375 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Sep  3 14:23:28 2018 us=350327 192.168.67.11:55375 [thibclient] Peer Connection Initiated with [AF_INET]192.168.67.11:55375
Mon Sep  3 14:23:28 2018 us=350358 thibclient/192.168.67.11:55375 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
Mon Sep  3 14:23:28 2018 us=350398 thibclient/192.168.67.11:55375 MULTI: Learn: 10.8.0.4 -> thibclient/192.168.67.11:55375
Mon Sep  3 14:23:28 2018 us=350412 thibclient/192.168.67.11:55375 MULTI: primary virtual IP for thibclient/192.168.67.11:55375: 10.8.0.4
Mon Sep  3 14:23:29 2018 us=504466 thibclient/192.168.67.11:55375 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep  3 14:23:29 2018 us=504517 thibclient/192.168.67.11:55375 SENT CONTROL [thibclient]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Sep  3 14:23:29 2018 us=504535 thibclient/192.168.67.11:55375 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:23:29 2018 us=504614 thibclient/192.168.67.11:55375 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep  3 14:23:29 2018 us=504629 thibclient/192.168.67.11:55375 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep  3 14:23:29 2018 us=864199 thibclient/192.168.67.11:55375 MULTI: bad source address from client [::], packet dropped
Mon Sep  3 14:23:34 2018 us=934868 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:23:35 2018 us=14543 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:23:35 2018 us=37370 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:23:35 2018 us=635872 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:23:35 2018 us=636410 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:23:35 2018 us=636450 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:23:35 2018 us=874169 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:23:35 2018 us=889516 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:23:35 2018 us=889719 thibclient/192.168.67.11:55375 MULTI: bad source address from client [192.168.67.11], packet dropped
2. routing to 192.168.67.11 - client address

Mon Sep  3 14:16:28 2018 us=932816 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Mon Sep  3 14:16:28 2018 us=932831 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Mon Sep  3 14:16:28 2018 us=934048 Diffie-Hellman initialized with 4096 bit key
Mon Sep  3 14:16:28 2018 us=934559 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep  3 14:16:28 2018 us=934577 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep  3 14:16:28 2018 us=934593 TLS-Auth MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Sep  3 14:16:28 2018 us=934758 ROUTE_GATEWAY 192.168.67.1/255.255.255.0 IFACE=enp0s25 HWADDR=78:2b:cb:9d:98:4a
Mon Sep  3 14:16:28 2018 us=935069 TUN/TAP device tun0 opened
Mon Sep  3 14:16:28 2018 us=935089 TUN/TAP TX queue length set to 100
Mon Sep  3 14:16:28 2018 us=935106 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Sep  3 14:16:28 2018 us=935125 /sbin/ip link set dev tun0 up mtu 1500
Mon Sep  3 14:16:28 2018 us=936215 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Mon Sep  3 14:16:28 2018 us=937315 /sbin/ip route add 192.168.67.11/24 via 10.8.0.2
RTNETLINK answers: Invalid argument
Mon Sep  3 14:16:28 2018 us=938143 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Sep  3 14:16:28 2018 us=938175 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:16:28 2018 us=938584 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Sep  3 14:16:28 2018 us=938609 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Sep  3 14:16:28 2018 us=938627 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Sep  3 14:16:28 2018 us=938638 UDPv4 link remote: [AF_UNSPEC]
Mon Sep  3 14:16:28 2018 us=938652 GID set to nogroup
Mon Sep  3 14:16:28 2018 us=938667 UID set to openvpn
Mon Sep  3 14:16:28 2018 us=938693 MULTI: multi_init called, r=256 v=256
Mon Sep  3 14:16:28 2018 us=938726 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Mon Sep  3 14:16:28 2018 us=938744 ifconfig_pool_read(), in='thibclient,10.8.0.4', TODO: IPv6
Mon Sep  3 14:16:28 2018 us=938757 succeeded -> ifconfig_pool_set()
Mon Sep  3 14:16:28 2018 us=938770 IFCONFIG POOL LIST
Mon Sep  3 14:16:28 2018 us=938781 thibclient,10.8.0.4
Mon Sep  3 14:16:28 2018 us=938829 Initialization Sequence Completed
.
Mon Sep  3 14:24:39 2018 us=560022 MULTI: multi_create_instance called
Mon Sep  3 14:24:39 2018 us=560107 192.168.67.11:56174 Re-using SSL/TLS context
Mon Sep  3 14:24:39 2018 us=560229 192.168.67.11:56174 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Sep  3 14:24:39 2018 us=560244 192.168.67.11:56174 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:24:39 2018 us=560276 192.168.67.11:56174 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Mon Sep  3 14:24:39 2018 us=560288 192.168.67.11:56174 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Mon Sep  3 14:24:39 2018 us=560319 192.168.67.11:56174 TLS: Initial packet from [AF_INET]192.168.67.11:56174, sid=611d4c7f d5cd8c3a
Mon Sep  3 14:24:39 2018 us=740851 192.168.67.11:56174 VERIFY OK: depth=1, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN="Thib", name=Thib, emailAddress=xxx@gmail.com
Mon Sep  3 14:24:39 2018 us=741256 192.168.67.11:56174 VERIFY OK: depth=0, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN=thibclient, name=Thib, emailAddress=xxx@gmail.com
Mon Sep  3 14:24:39 2018 us=811517 192.168.67.11:56174 peer info: IV_VER=2.4.6
Mon Sep  3 14:24:39 2018 us=811543 192.168.67.11:56174 peer info: IV_PLAT=win
Mon Sep  3 14:24:39 2018 us=811557 192.168.67.11:56174 peer info: IV_PROTO=2
Mon Sep  3 14:24:39 2018 us=811569 192.168.67.11:56174 peer info: IV_NCP=2
Mon Sep  3 14:24:39 2018 us=811582 192.168.67.11:56174 peer info: IV_LZ4=1
Mon Sep  3 14:24:39 2018 us=811594 192.168.67.11:56174 peer info: IV_LZ4v2=1
Mon Sep  3 14:24:39 2018 us=811606 192.168.67.11:56174 peer info: IV_LZO=1
Mon Sep  3 14:24:39 2018 us=811619 192.168.67.11:56174 peer info: IV_COMP_STUB=1
Mon Sep  3 14:24:39 2018 us=811631 192.168.67.11:56174 peer info: IV_COMP_STUBv2=1
Mon Sep  3 14:24:39 2018 us=811644 192.168.67.11:56174 peer info: IV_TCPNL=1
Mon Sep  3 14:24:39 2018 us=811656 192.168.67.11:56174 peer info: IV_GUI_VER=OpenVPN_GUI_11
Mon Sep  3 14:24:39 2018 us=812752 192.168.67.11:56174 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Sep  3 14:24:39 2018 us=812787 192.168.67.11:56174 [thibclient] Peer Connection Initiated with [AF_INET]192.168.67.11:56174
Mon Sep  3 14:24:39 2018 us=812824 thibclient/192.168.67.11:56174 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/thibclient
Mon Sep  3 14:24:39 2018 us=812859 thibclient/192.168.67.11:56174 Options error: in --iroute 192.168.67.11 255.255.255.0 : Bad network/subnet specification
Mon Sep  3 14:24:39 2018 us=812878 thibclient/192.168.67.11:56174 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
Mon Sep  3 14:24:39 2018 us=812918 thibclient/192.168.67.11:56174 MULTI: Learn: 10.8.0.4 -> thibclient/192.168.67.11:56174
Mon Sep  3 14:24:39 2018 us=812932 thibclient/192.168.67.11:56174 MULTI: primary virtual IP for thibclient/192.168.67.11:56174: 10.8.0.4
Mon Sep  3 14:24:40 2018 us=247649 thibclient/192.168.67.11:56174 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep  3 14:24:40 2018 us=247692 thibclient/192.168.67.11:56174 SENT CONTROL [thibclient]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Sep  3 14:24:40 2018 us=247711 thibclient/192.168.67.11:56174 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:24:40 2018 us=247800 thibclient/192.168.67.11:56174 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep  3 14:24:40 2018 us=247815 thibclient/192.168.67.11:56174 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep  3 14:24:42 2018 us=142964 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:24:42 2018 us=143031 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:24:42 2018 us=176204 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:24:42 2018 us=176305 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:24:42 2018 us=254581 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:24:42 2018 us=254643 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:24:45 2018 us=177436 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
Mon Sep  3 14:24:45 2018 us=177669 thibclient/192.168.67.11:56174 MULTI: bad source address from client [192.168.67.11], packet dropped
3. routing to 192.168.67.0

Server logs routing to 192.168.67.0
Mon Sep  3 14:14:09 2018 us=541798 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Mon Sep  3 14:14:09 2018 us=541814 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Mon Sep  3 14:14:09 2018 us=543192 Diffie-Hellman initialized with 4096 bit key
Mon Sep  3 14:14:09 2018 us=543702 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep  3 14:14:09 2018 us=543720 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Sep  3 14:14:09 2018 us=543736 TLS-Auth MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Sep  3 14:14:09 2018 us=543896 ROUTE_GATEWAY 192.168.67.1/255.255.255.0 IFACE=enp0s25 HWADDR=78:2b:cb:9d:98:4a
Mon Sep  3 14:14:09 2018 us=544150 TUN/TAP device tun0 opened
Mon Sep  3 14:14:09 2018 us=544169 TUN/TAP TX queue length set to 100
Mon Sep  3 14:14:09 2018 us=544185 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Sep  3 14:14:09 2018 us=544205 /sbin/ip link set dev tun0 up mtu 1500
Mon Sep  3 14:14:09 2018 us=545470 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Mon Sep  3 14:14:09 2018 us=547265 /sbin/ip route add 192.168.67.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Mon Sep  3 14:14:09 2018 us=548180 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Sep  3 14:14:09 2018 us=548212 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:14:09 2018 us=548621 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Sep  3 14:14:09 2018 us=548644 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Sep  3 14:14:09 2018 us=548663 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Sep  3 14:14:09 2018 us=548675 UDPv4 link remote: [AF_UNSPEC]
Mon Sep  3 14:14:09 2018 us=548690 GID set to nogroup
Mon Sep  3 14:14:09 2018 us=548705 UID set to openvpn
Mon Sep  3 14:14:09 2018 us=548733 MULTI: multi_init called, r=256 v=256
Mon Sep  3 14:14:09 2018 us=548773 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Mon Sep  3 14:14:09 2018 us=548791 ifconfig_pool_read(), in='thibclient,10.8.0.4', TODO: IPv6
Mon Sep  3 14:14:09 2018 us=548805 succeeded -> ifconfig_pool_set()
Mon Sep  3 14:14:09 2018 us=548817 IFCONFIG POOL LIST
Mon Sep  3 14:14:09 2018 us=548829 thibclient,10.8.0.4
Mon Sep  3 14:14:09 2018 us=548877 Initialization Sequence Completed
.
Mon Sep  3 14:25:47 2018 us=406792 MULTI: multi_create_instance called
Mon Sep  3 14:25:47 2018 us=406841 192.168.67.11:57315 Re-using SSL/TLS context
Mon Sep  3 14:25:47 2018 us=406950 192.168.67.11:57315 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Sep  3 14:25:47 2018 us=406965 192.168.67.11:57315 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:25:47 2018 us=406997 192.168.67.11:57315 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Mon Sep  3 14:25:47 2018 us=407009 192.168.67.11:57315 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Mon Sep  3 14:25:47 2018 us=407040 192.168.67.11:57315 TLS: Initial packet from [AF_INET]192.168.67.11:57315, sid=f3e6619e 8a045777
Mon Sep  3 14:25:47 2018 us=595023 192.168.67.11:57315 VERIFY OK: depth=1, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN="Thib", name=Thib, emailAddress=xxx@gmail.com
Mon Sep  3 14:25:47 2018 us=595414 192.168.67.11:57315 VERIFY OK: depth=0, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN=thibclient, name=Thib, emailAddress=xxx@gmail.com
Mon Sep  3 14:25:47 2018 us=659967 192.168.67.11:57315 peer info: IV_VER=2.4.6
Mon Sep  3 14:25:47 2018 us=659996 192.168.67.11:57315 peer info: IV_PLAT=win
Mon Sep  3 14:25:47 2018 us=660009 192.168.67.11:57315 peer info: IV_PROTO=2
Mon Sep  3 14:25:47 2018 us=660021 192.168.67.11:57315 peer info: IV_NCP=2
Mon Sep  3 14:25:47 2018 us=660033 192.168.67.11:57315 peer info: IV_LZ4=1
Mon Sep  3 14:25:47 2018 us=660045 192.168.67.11:57315 peer info: IV_LZ4v2=1
Mon Sep  3 14:25:47 2018 us=660058 192.168.67.11:57315 peer info: IV_LZO=1
Mon Sep  3 14:25:47 2018 us=660070 192.168.67.11:57315 peer info: IV_COMP_STUB=1
Mon Sep  3 14:25:47 2018 us=660082 192.168.67.11:57315 peer info: IV_COMP_STUBv2=1
Mon Sep  3 14:25:47 2018 us=660095 192.168.67.11:57315 peer info: IV_TCPNL=1
Mon Sep  3 14:25:47 2018 us=660107 192.168.67.11:57315 peer info: IV_GUI_VER=OpenVPN_GUI_11
Mon Sep  3 14:25:47 2018 us=661295 192.168.67.11:57315 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Sep  3 14:25:47 2018 us=661327 192.168.67.11:57315 [thibclient] Peer Connection Initiated with [AF_INET]192.168.67.11:57315
Mon Sep  3 14:25:47 2018 us=661369 thibclient/192.168.67.11:57315 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/thibclient
Mon Sep  3 14:25:47 2018 us=661414 thibclient/192.168.67.11:57315 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
Mon Sep  3 14:25:47 2018 us=661454 thibclient/192.168.67.11:57315 MULTI: Learn: 10.8.0.4 -> thibclient/192.168.67.11:57315
Mon Sep  3 14:25:47 2018 us=661468 thibclient/192.168.67.11:57315 MULTI: primary virtual IP for thibclient/192.168.67.11:57315: 10.8.0.4
Mon Sep  3 14:25:47 2018 us=661483 thibclient/192.168.67.11:57315 MULTI: internal route 192.168.67.0/24 -> thibclient/192.168.67.11:57315
Mon Sep  3 14:25:47 2018 us=661497 thibclient/192.168.67.11:57315 MULTI: Learn: 192.168.67.0/24 -> thibclient/192.168.67.11:57315
Mon Sep  3 14:25:48 2018 us=718002 thibclient/192.168.67.11:57315 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep  3 14:25:48 2018 us=718075 thibclient/192.168.67.11:57315 SENT CONTROL [thibclient]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Sep  3 14:25:48 2018 us=718113 thibclient/192.168.67.11:57315 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Mon Sep  3 14:25:48 2018 us=718203 thibclient/192.168.67.11:57315 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep  3 14:25:48 2018 us=718217 thibclient/192.168.67.11:57315 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep  3 14:25:51 2018 us=174134 thibclient/192.168.67.11:57315 MULTI: Learn: 192.168.67.11 -> thibclient/192.168.67.11:57315
Mon Sep  3 14:30:24 2018 us=870167 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:30:25 2018 us=361460 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:30:28 2018 us=860429 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:30:29 2018 us=362827 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:30:32 2018 us=860885 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:30:33 2018 us=361216 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:30:36 2018 us=867287 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:30:37 2018 us=368898 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:38:36 2018 us=70137 thibclient/192.168.67.11:57315 MULTI: Learn: 192.168.67.11 -> thibclient/192.168.67.11:57315
Mon Sep  3 14:44:16 2018 us=777275 thibclient/192.168.67.11:57315 MULTI: Learn: 192.168.67.11 -> thibclient/192.168.67.11:57315
Mon Sep  3 14:45:36 2018 us=866679 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:45:37 2018 us=369101 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:45:40 2018 us=866819 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:45:41 2018 us=368346 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:45:44 2018 us=867965 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:45:45 2018 us=368334 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:45:48 2018 us=868156 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped
Mon Sep  3 14:45:49 2018 us=368439 thibclient/192.168.67.11:57315 MULTI: bad source address from client [192.168.56.1], packet dropped


On the client side:
Client log of the third situation

Mon Sep 03 14:25:45 2018 us=232037 Connection reset command was pushed by server ('')
Mon Sep 03 14:25:45 2018 us=232037 TCP/UDP: Closing socket
Mon Sep 03 14:25:45 2018 us=232037 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
Mon Sep 03 14:25:45 2018 us=232037 MANAGEMENT: >STATE:1535977545,RECONNECTING,server-pushed-connection-reset,,,,,
Mon Sep 03 14:25:45 2018 us=232037 Restart pause, 5 second(s)
Mon Sep 03 14:25:50 2018 us=232280 Re-using SSL/TLS context
Mon Sep 03 14:25:50 2018 us=232280 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Sep 03 14:25:50 2018 us=232280 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Sep 03 14:25:50 2018 us=232280 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Mon Sep 03 14:25:50 2018 us=232280 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Mon Sep 03 14:25:50 2018 us=232280 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.67.10:1194
Mon Sep 03 14:25:50 2018 us=232280 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Sep 03 14:25:50 2018 us=232280 UDP link local: (not bound)
Mon Sep 03 14:25:50 2018 us=232280 UDP link remote: [AF_INET]192.168.67.10:1194
Mon Sep 03 14:25:50 2018 us=232280 MANAGEMENT: >STATE:1535977550,WAIT,,,,,,
Mon Sep 03 14:25:50 2018 us=232280 MANAGEMENT: >STATE:1535977550,AUTH,,,,,,
Mon Sep 03 14:25:50 2018 us=232280 TLS: Initial packet from [AF_INET]192.168.67.10:1194, sid=c226b8fa 9dbc3e1d
Mon Sep 03 14:25:50 2018 us=310419 VERIFY OK: depth=1, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN="Thib", name=Thib, emailAddress=xxx@gmail.com
Mon Sep 03 14:25:50 2018 us=310419 VERIFY KU OK
Mon Sep 03 14:25:50 2018 us=310419 Validating certificate extended key usage
Mon Sep 03 14:25:50 2018 us=310419 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Sep 03 14:25:50 2018 us=310419 VERIFY EKU OK
Mon Sep 03 14:25:50 2018 us=310419 VERIFY OK: depth=0, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN=server, name=Thib, emailAddress=xxx@gmail.com
Mon Sep 03 14:25:50 2018 us=482292 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Sep 03 14:25:50 2018 us=482292 [server] Peer Connection Initiated with [AF_INET]192.168.67.10:1194
Mon Sep 03 14:25:51 2018 us=544854 MANAGEMENT: >STATE:1535977551,GET_CONFIG,,,,,,
Mon Sep 03 14:25:51 2018 us=544854 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Sep 03 14:25:51 2018 us=544854 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Sep 03 14:25:51 2018 us=544854 OPTIONS IMPORT: timers and/or timeouts modified
Mon Sep 03 14:25:51 2018 us=544854 OPTIONS IMPORT: --ifconfig/up options modified
Mon Sep 03 14:25:51 2018 us=544854 OPTIONS IMPORT: route options modified
Mon Sep 03 14:25:51 2018 us=544854 OPTIONS IMPORT: route-related options modified
Mon Sep 03 14:25:51 2018 us=544854 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Sep 03 14:25:51 2018 us=544854 OPTIONS IMPORT: peer-id set
Mon Sep 03 14:25:51 2018 us=544854 OPTIONS IMPORT: adjusting link_mtu to 1624
Mon Sep 03 14:25:51 2018 us=544854 OPTIONS IMPORT: data channel crypto options modified
Mon Sep 03 14:25:51 2018 us=544854 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Sep 03 14:25:51 2018 us=544854 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Mon Sep 03 14:25:51 2018 us=544854 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep 03 14:25:51 2018 us=544854 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Sep 03 14:25:51 2018 us=544854 Preserving previous TUN/TAP instance: tap0
Mon Sep 03 14:25:51 2018 us=544854 Initialization Sequence Completed
Mon Sep 03 14:25:51 2018 us=544854 MANAGEMENT: >STATE:1535977551,CONNECTED,SUCCESS,10.8.0.4,192.168.67.10,1194,,
My server has an Ethernet connection to my internet box, and my client is using Wi-Fi. I didn't configure anything specific because of that, shall I? I thought iptables was enough.

Thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error using public IP adress

Post by TinCanTech » Mon Sep 03, 2018 5:09 pm

First, your --iroute

Options error: in --iroute 192.168.67.11 255.255.255.0 : Bad network/subnet specification
So change your ccd file to contain

iroute 192.168.67.11
you do not need the netmask because it is a host address.

In future, please use BB code [ code ] for log files not [ oconf=x ]

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error using public IP adress

Post by TinCanTech » Mon Sep 03, 2018 5:12 pm

Smallyoks wrote:
Mon Sep 03, 2018 4:12 pm
2) RTNETLINK answers: File exists
Mon Sep 3 14:14:09 2018 us=548180 ERROR: Linux route add command failed: external program exited with error status: 2
This is because the server and client are on the same LAN .. try from another location.

Smallyoks
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 03, 2018 8:53 am

Re: TLS Error using public IP adress

Post by Smallyoks » Tue Sep 04, 2018 8:01 am

TinCanTech wrote:
Mon Sep 03, 2018 5:09 pm
In future, please use BB code [ code ] for log files not [ oconf=x ]
I get it, sorry :roll:
TinCanTech wrote:
Mon Sep 03, 2018 5:12 pm
This is because the server and client are on the same LAN .. try from another location.
Oh OK. It seems a bit odd to me since routes are specified. I don't really understand why it is a problem. :geek:

Anyway, thank you very much for your help, I'll come back with fresh news ASAP.
Unfortunately I cannot try your suggestions until Sunday.

Smallyoks
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 03, 2018 8:53 am

Re: TLS Error using public IP adress

Post by Smallyoks » Thu Sep 13, 2018 9:22 pm

I removed the route netmask in both server.conf and the ccd file, like so:

server.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key
dh /etc/openvpn/dh4096.pem
tls-auth /etc/openvpn/certs/keys/ta.key 0
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
user openvpn
group nogroup
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # a record of virtual client ip
topology subnet
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120

client-config-dir /etc/openvpn/ccd
route 192.168.67.0
push "route 192.168.67.0"

status openvpn-status.log
log /etc/openvpn/openvpn.log
verb 4
explicit-exit-notify 1

ccd file

iroute 192.168.67.11


I don't have route errors anymore. It still doesn't work, but I assume it is showing progress:

Using the server's local address in the client config (remote 192.168.67.10 1194):
---> the client is shown as connected to the VPN, but now the client doesn't have internet access anymore, which actually means the client is still connected to the VPN. Before I removed the netmask the client reused its own route to the internet (bypassing the virtual adapter).

---> also, after about 90s, I have another thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
I'm not sure whether it matters or not; it is related to a virtual machine set up on the client.

Using the server's public address in the client config (remote 77.XX.XX.XX.XX 1194):
---> the TLS error occurs (the virtual adapter doesn't mount)
==> Using the public IP address doesn't make sense since I am trying to connect to my VPN from the local area network, right? I guess this explains a lot about the mentioned TLS error. If so, it should probably end this topic.

CLIENT LOG
	Thu Sep 13 22:25:28 2018 us=705044 Connection reset command was pushed by server ('')
	Thu Sep 13 22:25:28 2018 us=705044 TCP/UDP: Closing socket
	Thu Sep 13 22:25:28 2018 us=705044 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
	Thu Sep 13 22:25:28 2018 us=705044 MANAGEMENT: >STATE:1536870328,RECONNECTING,server-pushed-connection-reset,,,,,
	Thu Sep 13 22:25:28 2018 us=705044 Restart pause, 5 second(s)
	Thu Sep 13 22:25:33 2018 us=771857 Re-using SSL/TLS context
	Thu Sep 13 22:25:33 2018 us=771857 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
	Thu Sep 13 22:25:33 2018 us=771857 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
	Thu Sep 13 22:25:33 2018 us=771857 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
	Thu Sep 13 22:25:33 2018 us=771857 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
	Thu Sep 13 22:25:33 2018 us=771857 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.67.10:1194
	Thu Sep 13 22:25:33 2018 us=771857 Socket Buffers: R=[65536->65536] S=[65536->65536]
	Thu Sep 13 22:25:33 2018 us=771857 UDP link local: (not bound)
	Thu Sep 13 22:25:33 2018 us=771857 UDP link remote: [AF_INET]192.168.67.10:1194
	Thu Sep 13 22:25:33 2018 us=771857 MANAGEMENT: >STATE:1536870333,WAIT,,,,,,
	Thu Sep 13 22:25:33 2018 us=771857 MANAGEMENT: >STATE:1536870333,AUTH,,,,,,
	Thu Sep 13 22:25:33 2018 us=771857 TLS: Initial packet from [AF_INET]192.168.67.10:1194, sid=a903290c ed347242
	Thu Sep 13 22:25:33 2018 us=856499 VERIFY OK: depth=1, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN="Thib", name=Thib, emailAddress=thibault.arnoul@gmail.com
	Thu Sep 13 22:25:33 2018 us=856499 VERIFY KU OK
	Thu Sep 13 22:25:33 2018 us=856499 Validating certificate extended key usage
	Thu Sep 13 22:25:33 2018 us=856499 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
	Thu Sep 13 22:25:33 2018 us=856499 VERIFY EKU OK
	Thu Sep 13 22:25:33 2018 us=856499 VERIFY OK: depth=0, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN=server, name=Thib, emailAddress=thibault.arnoul@gmail.com
	Thu Sep 13 22:25:34 2018 us=54745 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
	Thu Sep 13 22:25:34 2018 us=54745 [server] Peer Connection Initiated with [AF_INET]192.168.67.10:1194
	Thu Sep 13 22:25:35 2018 us=272436 MANAGEMENT: >STATE:1536870335,GET_CONFIG,,,,,,
	Thu Sep 13 22:25:35 2018 us=272436 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
	Thu Sep 13 22:25:35 2018 us=272436 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route 192.168.67.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
	Thu Sep 13 22:25:35 2018 us=272436 OPTIONS IMPORT: timers and/or timeouts modified
	Thu Sep 13 22:25:35 2018 us=272436 OPTIONS IMPORT: --ifconfig/up options modified
	Thu Sep 13 22:25:35 2018 us=272436 OPTIONS IMPORT: route options modified
	Thu Sep 13 22:25:35 2018 us=272436 OPTIONS IMPORT: route-related options modified
	Thu Sep 13 22:25:35 2018 us=272436 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
	Thu Sep 13 22:25:35 2018 us=272436 OPTIONS IMPORT: peer-id set
	Thu Sep 13 22:25:35 2018 us=272436 OPTIONS IMPORT: adjusting link_mtu to 1624
	Thu Sep 13 22:25:35 2018 us=272436 OPTIONS IMPORT: data channel crypto options modified
	Thu Sep 13 22:25:35 2018 us=272436 Data Channel: using negotiated cipher 'AES-256-GCM'
	Thu Sep 13 22:25:35 2018 us=272436 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
	Thu Sep 13 22:25:35 2018 us=272436 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
	Thu Sep 13 22:25:35 2018 us=272436 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
	Thu Sep 13 22:25:35 2018 us=272436 Preserving previous TUN/TAP instance: tap0
	Thu Sep 13 22:25:35 2018 us=272436 Initialization Sequence Completed
	Thu Sep 13 22:25:35 2018 us=272436 MANAGEMENT: >STATE:1536870335,CONNECTED,SUCCESS,10.8.0.4,192.168.67.10,1194,,

SERVER LOG
	Thu Sep 13 22:25:27 2018 us=530088 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
	Thu Sep 13 22:25:27 2018 us=530106 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
	Thu Sep 13 22:25:27 2018 us=531340 Diffie-Hellman initialized with 4096 bit key
	Thu Sep 13 22:25:27 2018 us=531844 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
	Thu Sep 13 22:25:27 2018 us=531862 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
	Thu Sep 13 22:25:27 2018 us=531877 TLS-Auth MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
	Thu Sep 13 22:25:27 2018 us=532036 ROUTE_GATEWAY 192.168.67.1/255.255.255.0 IFACE=enp0s25 HWADDR=78:2b:cb:9d:98:4a
	Thu Sep 13 22:25:27 2018 us=532290 TUN/TAP device tun0 opened
	Thu Sep 13 22:25:27 2018 us=532309 TUN/TAP TX queue length set to 100
	Thu Sep 13 22:25:27 2018 us=532326 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
	Thu Sep 13 22:25:27 2018 us=532346 /sbin/ip link set dev tun0 up mtu 1500
	Thu Sep 13 22:25:27 2018 us=533545 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
	Thu Sep 13 22:25:27 2018 us=535521 /sbin/ip route add 192.168.67.0/32 via 10.8.0.2
	Thu Sep 13 22:25:27 2018 us=536697 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
	Thu Sep 13 22:25:27 2018 us=537146 Could not determine IPv4/IPv6 protocol. Using AF_INET
	Thu Sep 13 22:25:27 2018 us=537170 Socket Buffers: R=[212992->212992] S=[212992->212992]
	Thu Sep 13 22:25:27 2018 us=537188 UDPv4 link local (bound): [AF_INET][undef]:1194
	Thu Sep 13 22:25:27 2018 us=537199 UDPv4 link remote: [AF_UNSPEC]
	Thu Sep 13 22:25:27 2018 us=537214 GID set to nogroup
	Thu Sep 13 22:25:27 2018 us=537229 UID set to openvpn
	Thu Sep 13 22:25:27 2018 us=537247 MULTI: multi_init called, r=256 v=256
	Thu Sep 13 22:25:27 2018 us=537293 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
	Thu Sep 13 22:25:27 2018 us=537312 ifconfig_pool_read(), in='thibclient,10.8.0.4', TODO: IPv6
	Thu Sep 13 22:25:27 2018 us=537326 succeeded -> ifconfig_pool_set()
	Thu Sep 13 22:25:27 2018 us=537339 IFCONFIG POOL LIST
	Thu Sep 13 22:25:27 2018 us=537351 thibclient,10.8.0.4
	Thu Sep 13 22:25:27 2018 us=537405 Initialization Sequence Completed
	Thu Sep 13 22:25:30 2018 us=531015 MULTI: multi_create_instance called
	Thu Sep 13 22:25:30 2018 us=531062 192.168.67.11:56268 Re-using SSL/TLS context
	Thu Sep 13 22:25:30 2018 us=531168 192.168.67.11:56268 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
	Thu Sep 13 22:25:30 2018 us=531182 192.168.67.11:56268 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
	Thu Sep 13 22:25:30 2018 us=531212 192.168.67.11:56268 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
	Thu Sep 13 22:25:30 2018 us=531224 192.168.67.11:56268 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
	Thu Sep 13 22:25:30 2018 us=531253 192.168.67.11:56268 TLS: Initial packet from [AF_INET]192.168.67.11:56268, sid=ef1c3f8d dada2691
	Thu Sep 13 22:25:30 2018 us=745115 192.168.67.11:56268 VERIFY OK: depth=1, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN="Thib", name=Thib, emailAddress=thibault.arnoul@gmail.com
	Thu Sep 13 22:25:30 2018 us=745548 192.168.67.11:56268 VERIFY OK: depth=0, C=FR, ST=75, L=Paris, O=Thib, OU=TA, CN=thibclient, name=Thib, emailAddress=thibault.arnoul@gmail.com
	Thu Sep 13 22:25:30 2018 us=810342 192.168.67.11:56268 peer info: IV_VER=2.4.6
	Thu Sep 13 22:25:30 2018 us=810368 192.168.67.11:56268 peer info: IV_PLAT=win
	Thu Sep 13 22:25:30 2018 us=810380 192.168.67.11:56268 peer info: IV_PROTO=2
	Thu Sep 13 22:25:30 2018 us=810391 192.168.67.11:56268 peer info: IV_NCP=2
	Thu Sep 13 22:25:30 2018 us=810403 192.168.67.11:56268 peer info: IV_LZ4=1
	Thu Sep 13 22:25:30 2018 us=810414 192.168.67.11:56268 peer info: IV_LZ4v2=1
	Thu Sep 13 22:25:30 2018 us=810425 192.168.67.11:56268 peer info: IV_LZO=1
	Thu Sep 13 22:25:30 2018 us=810437 192.168.67.11:56268 peer info: IV_COMP_STUB=1
	Thu Sep 13 22:25:30 2018 us=810448 192.168.67.11:56268 peer info: IV_COMP_STUBv2=1
	Thu Sep 13 22:25:30 2018 us=810460 192.168.67.11:56268 peer info: IV_TCPNL=1
	Thu Sep 13 22:25:30 2018 us=810471 192.168.67.11:56268 peer info: IV_GUI_VER=OpenVPN_GUI_11
	Thu Sep 13 22:25:30 2018 us=811747 192.168.67.11:56268 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
	Thu Sep 13 22:25:30 2018 us=811782 192.168.67.11:56268 [thibclient] Peer Connection Initiated with [AF_INET]192.168.67.11:56268
	Thu Sep 13 22:25:30 2018 us=811819 thibclient/192.168.67.11:56268 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/thibclient
	Thu Sep 13 22:25:30 2018 us=811860 thibclient/192.168.67.11:56268 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
	Thu Sep 13 22:25:30 2018 us=811900 thibclient/192.168.67.11:56268 MULTI: Learn: 10.8.0.4 -> thibclient/192.168.67.11:56268
	Thu Sep 13 22:25:30 2018 us=811913 thibclient/192.168.67.11:56268 MULTI: primary virtual IP for thibclient/192.168.67.11:56268: 10.8.0.4
	Thu Sep 13 22:25:30 2018 us=811926 thibclient/192.168.67.11:56268 MULTI: internal route 192.168.67.11 -> thibclient/192.168.67.11:56268
	Thu Sep 13 22:25:30 2018 us=811939 thibclient/192.168.67.11:56268 MULTI: Learn: 192.168.67.11 -> thibclient/192.168.67.11:56268
	Thu Sep 13 22:25:32 2018 us=30966 thibclient/192.168.67.11:56268 PUSH: Received control message: 'PUSH_REQUEST'
	Thu Sep 13 22:25:32 2018 us=31044 thibclient/192.168.67.11:56268 SENT CONTROL [thibclient]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route 192.168.67.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
	Thu Sep 13 22:25:32 2018 us=31079 thibclient/192.168.67.11:56268 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
	Thu Sep 13 22:25:32 2018 us=31170 thibclient/192.168.67.11:56268 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
	Thu Sep 13 22:25:32 2018 us=31184 thibclient/192.168.67.11:56268 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
	Thu Sep 13 22:36:59 2018 us=963438 thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
	Thu Sep 13 22:37:00 2018 us=460246 thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
	Thu Sep 13 22:37:03 2018 us=966382 thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
	Thu Sep 13 22:37:04 2018 us=462147 thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
	Thu Sep 13 22:37:07 2018 us=952067 thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
	Thu Sep 13 22:37:08 2018 us=463863 thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
	Thu Sep 13 22:37:11 2018 us=953744 thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
	Thu Sep 13 22:37:12 2018 us=465634 thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
I didn't configure anything directly from my internet box interface. All I did was NAT from the server. Is this actually the problem?
I didn't see much about this in the documentation.

By the way, I assume this topic is getting out of scope; please tell me if I should ask my questions separately.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error using public IP adress

Post by TinCanTech » Thu Sep 13, 2018 11:53 pm

Smallyoks wrote:
Thu Sep 13, 2018 9:22 pm
---> also, after about 90s, I have another thibclient/192.168.67.11:56268 MULTI: bad source address from client [192.168.56.1], packet dropped
I'm not sure it matters or not,
It does not matter ..
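An added example, not code from this thread or from OpenVPN's own source, that models two things discussed above: the "network [netmask]" rule behind TinCanTech's iroute fix (a host address with a /24 netmask is rejected as "Bad network/subnet specification", and a bare address means a single /32 host), and the per-client source-address check behind the "MULTI: bad source address from client [...], packet dropped" lines. The route lookup is a simplified re-implementation written for illustration; the client name thibclient and the addresses are the ones from the thread.

```python
import ipaddress
from typing import Dict, List, Optional

# OpenVPN's default netmask when --route/--iroute is given a bare address:
# the address denotes a single host.
HOST_MASK = "255.255.255.255"


def parse_network_spec(network: str, netmask: Optional[str] = None) -> ipaddress.IPv4Network:
    """Return the network that an OpenVPN 'network [netmask]' pair denotes.

    Mirrors the rule behind 'Bad network/subnet specification': the netmask
    must be contiguous and the network address must already be aligned to it
    (network & netmask == network).  With no netmask the address is a /32
    host, which is why 'route 192.168.67.0' turned into
    '/sbin/ip route add 192.168.67.0/32' in the server log.
    """
    mask_str = netmask if netmask is not None else HOST_MASK
    net = int(ipaddress.IPv4Address(network))
    mask = int(ipaddress.IPv4Address(mask_str))
    # A contiguous mask has all its zero bits at the low end, so its
    # complement is of the form 2^n - 1.
    host_bits = mask ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError(f"{network} {mask_str}: Bad network/subnet specification (non-contiguous mask)")
    if (net & mask) != net:
        raise ValueError(f"{network} {mask_str}: Bad network/subnet specification (host bits set)")
    return ipaddress.IPv4Network((network, mask_str), strict=True)


def is_valid_spec(network: str, netmask: Optional[str] = None) -> bool:
    """True when OpenVPN would accept this 'network [netmask]' pair."""
    try:
        parse_network_spec(network, netmask)
        return True
    except ValueError:
        return False


class ClientRouteTable:
    """Simplified model of the server's map from virtual address to client.

    The server learns each client's tunnel IP (10.8.0.4 here) and the
    --iroute networks from its ccd file.  A packet arriving from a client
    whose inner source address maps to another client, or to no client at
    all, is dropped with 'MULTI: bad source address from client [...]'.
    """

    def __init__(self) -> None:
        self._routes: Dict[ipaddress.IPv4Network, str] = {}

    def learn(self, client: str, network: str, netmask: Optional[str] = None) -> None:
        """Equivalent of the 'MULTI: Learn: <addr> -> <client>' log line."""
        self._routes[parse_network_spec(network, netmask)] = client

    def owner_of(self, src: str) -> Optional[str]:
        """Longest-prefix match of a source address against learned routes."""
        try:
            addr = ipaddress.IPv4Address(src)
        except ValueError:
            return None  # e.g. '::' - IPv6 is not enabled on this server
        best: Optional[ipaddress.IPv4Network] = None
        for net in self._routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return self._routes[best] if best is not None else None

    def check_source(self, client: str, src: str) -> str:
        """Log line the server would emit for a packet from `client` carrying
        inner source `src`; accepted packets return 'ok'."""
        if self.owner_of(src) == client:
            return "ok"
        return f"MULTI: bad source address from client [{src}], packet dropped"


def demo() -> List[str]:
    """Replay the thread's situation: thibclient with 'iroute 192.168.67.11'."""
    table = ClientRouteTable()
    table.learn("thibclient", "10.8.0.4")        # MULTI: Learn: 10.8.0.4 -> thibclient
    table.learn("thibclient", "192.168.67.11")   # from /etc/openvpn/ccd/thibclient
    # 192.168.56.1 comes from the VM on the client (per the thread) and '::'
    # is an IPv6 packet; neither address was ever learned for thibclient.
    sources = ["10.8.0.4", "192.168.67.11", "192.168.56.1", "::"]
    return [table.check_source("thibclient", s) for s in sources]


if __name__ == "__main__":
    for spec in (("192.168.67.11", "255.255.255.0"), ("192.168.67.11", None),
                 ("192.168.67.0", "255.255.255.0"), ("192.168.67.0", None)):
        print(spec, "->", parse_network_spec(*spec) if is_valid_spec(*spec) else "rejected")
    for line in demo():
        print(line)
```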

Smallyoks
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 03, 2018 8:53 am

Re: TLS Error using public IP adress

Post by Smallyoks » Fri Sep 14, 2018 11:24 am

I activated forwarding rules on my router on ports 1194 and 22, but it still behaves the same.
What I call my router is my internet box, which I assume is a router.
Also, I have a "MULTI: bad source address from client [::], packet dropped" which I do not get every time.

server log

Fri Sep 14 10:54:03 2018 us=384245 192.168.67.11:64473 [thibclient] Peer Connection Initiated with [AF_INET]192.168.67.11:64473
Fri Sep 14 10:54:03 2018 us=384698 thibclient/192.168.67.11:64473 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/thibclient
Fri Sep 14 10:54:03 2018 us=384981 thibclient/192.168.67.11:64473 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
Fri Sep 14 10:54:03 2018 us=385034 thibclient/192.168.67.11:64473 MULTI: Learn: 10.8.0.4 -> thibclient/192.168.67.11:64473
Fri Sep 14 10:54:03 2018 us=385048 thibclient/192.168.67.11:64473 MULTI: primary virtual IP for thibclient/192.168.67.11:64473: 10.8.0.4
Fri Sep 14 10:54:03 2018 us=385061 thibclient/192.168.67.11:64473 MULTI: internal route 192.168.67.11 -> thibclient/192.168.67.11:64473
Fri Sep 14 10:54:03 2018 us=385076 thibclient/192.168.67.11:64473 MULTI: Learn: 192.168.67.11 -> thibclient/192.168.67.11:64473
Fri Sep 14 10:54:04 2018 us=613177 thibclient/192.168.67.11:64473 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 14 10:54:04 2018 us=613227 thibclient/192.168.67.11:64473 SENT CONTROL [thibclient]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,route 192.168.67.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Sep 14 10:54:04 2018 us=613252 thibclient/192.168.67.11:64473 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Fri Sep 14 10:54:04 2018 us=613331 thibclient/192.168.67.11:64473 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 14 10:54:04 2018 us=613346 thibclient/192.168.67.11:64473 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Sep 14 10:54:04 2018 us=739833 thibclient/192.168.67.11:64473 MULTI: bad source address from client [::], packet dropped

Smallyoks
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 03, 2018 8:53 am

Re: TLS Error using public IP adress

Post by Smallyoks » Fri Sep 14, 2018 11:26 am

Well, I'm starting to believe my whole setup is nonsense.
My idea was to set up my own VPN to hide my public IP online. Since server and client are in the same LAN, what I am actually doing is tunneling through the LAN? Then there is no way the client can put on another public IP address.
In fact I should put this server somewhere else, and create a VPN to pretend my public IP address is in this other location.

Am I right? :|

Is there any tool I can use to create a fake location for my server, or does it not make sense at all?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error using public IP adress

Post by TinCanTech » Fri Sep 14, 2018 11:44 am

Your log shows that your VPN is working, and if you can browse the internet while connected to your VPN then you have everything set up correctly.

If you go out to an untrusted public WiFi and connect to your VPN then all your data will be encrypted and you will be surfing the internet from your home and not the untrusted network.

And yes, you are correct, using a VPN from the same LAN as your server is fairly pointless if you connect via ethernet but there is some merit if you connect via WiFi.

You cannot fake the location of your server but you can use a VPN or VPS from a service provider.

You could read about TOR.

Smallyoks
OpenVpn Newbie
Posts: 7
Joined: Mon Sep 03, 2018 8:53 am

Re: TLS Error using public IP adress

Post by Smallyoks » Fri Sep 14, 2018 12:42 pm

I'm gonna take a closer look at Tor then!

Thank you very much for making that all clear.
