[Solved] Problem when connecting Samba

[cakemaker]

I have read the HowTo in details and google a lot. I guess my problem may be ISP related but not sure. Here's the details and hope you can help.

My goal is to connect to a samba server on a pc behind the openvpn server (subnet 192.168.1.0).
The openvpn server is on CentOS, and I am using openvpn 2.0.9-1 .
The openvpn client (netbook, WinXP) connects to internet thru a mobile (bluetooth + gprs)
I can ping and visit http server in the same subnet.

What I think I do correctly:
The two conf files below are very much the standard one. Besides, I have
- run "echo 1 > /proc/sys/net/ipv4/ip_forward" on the openvpn server
- set a static route 10.8.0.0 to the openvpn server on my Tomato-router (gateway of the 192.subnet)
- update smb.conf so that 10.8.0.0/24 is included under "hosts allow"
- update iptables & /etc/hosts.allow of the samba pc
- update iptables of the openvpn server by "iptables -A INPUT -i tun+ -j ACCEPT"
- update iptables of the openvpn server by "iptables -A FORWARE -i tun+ -j ACCEPT"

What I don't understand:
When I run "net use z: \\192.168.1.2\sharename /USER:myusername" from a command prompt window, I get the following message on the server log

Code: Select all

Sat Dec 25 22:56:16 2010 client1/123.136.11.171:32154 MULTI: bad source address from client [10.55.171.180], packet dropped

10.55.171.180 is the ip# assigned by my ISP as I can see in the output of "ipconfig /all"
123.136.11.171, as find by a WhoIs site, belongs to my ISP !?!
Is it kind of scenario that standard openvpn setting not cater for?
I am lacking idea where and how to move on.
Thanks in advance for your help.

server.conf

Code: Select all

port 1194
proto udp
dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client.conf

Code: Select all

client
dev tun
proto udp
remote ip-of-tomato-router 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

[cakemaker]

What I don't understand (as mentioned above) is that the server log "bad source address from client [10.55.171.180]" while 10.55.171.180 is just the ip.addr of the openvpn client. How comes the server report the client as bad source !?!

Anyway, I google further and find this --> http://openvpn.net/index.php/open-sourc ... iledq.html
So, this (bad source address) error message means it doesn't know how to route the packet to (10.55.171.180) this machine for whatever reason (am I correct?)
okay, as what is advised by lot of other hopefully relevant materials from google, I try the "client-config-dir ccd" approach.
My server.conf now has 3 more lines

Code: Select all

client-config-dir ccd
route 10.55.171.180 255.255.255.255  # 255 x4 for not to include unknown people who use the same ISP and get close ip#
client-to-client

I have created a file, client1, under /etc/openvpn/ccd with

Code: Select all

iroute 10.55.171.180 255.255.255.255

(yes, I know it is not practical because this ip.addr 10.55.171.180 change everytime when I dialup on the road. I treat it as a learning/debug process.)

The result is
==========
When I try to connect the samba, no more "bad source address" error is reported.
But still, I cannot connect the samba server.

In addition, Wireshark on openvpn server pc reports lot of Checksum errors

Code: Select all

Checksum: 0xb851 [incorrect, should be 0x7b26 (maybe caused by "UDP checksum offload"?)]

for packets with
Source: the openvpn server : 1194
Dest'n: 123.136.11.xxx(still belongs to my ISP) : 24595
while oppsite direction packets look fine.
And, the "0xb851" repeats as constant on every packet while the 0x7b26 change everytime.

Sorry for my poor English/presentation. Hope you can follow my explanation. Thanks a lot for any help or idea.

[cakemaker]

I move the openvpn server to the same machine of samba.
Keep the basic setting as of my first post.
I still can see the "bad source address" error on server log.
But, I can connect the samba server now.

One thing may worth mention is that my original openvpn server is on a vbox vm.
Not sure if it also affect the result.

[gladiatr72]

Hey there,

Your English is quite passable--you're undoubtedly much better with English than I am with... well... anything that's not English, so let's leave it at that.

Checksum: 0xb851 [incorrect, should be 0x7b26 (maybe caused by "UDP checksum offload"?)]

Ignore this. This is an issue that crops up with certain ethernet drivers. Hopefully if/when your ethernet card decides to check out, it doesn't do so in a way that is so subtle as to make it necessary to try to figure out if these messages are legitimate!

When you get a moment, please post the logs from your server and client systems as well as the routing tables on both ends.

If your vpn tunnel is solid, your ISP will become irrelevant when it comes to communication between your client and the server network.

Regards,
Stephen

[cakemaker]

Thank you very much for your reply.
I am still interested in how much and how vbox can work with openvpn.
Will repeat the previous setting and capture the log within next few days.