MULTI: bad source address from client [::], packet dropped

tamar · Post by **tamar** » Fri Apr 30, 2021 4:44 am

Thank you in advance for your help

I can connect successfully, and OpenVPN's client (running on Windows10) shows traffic, but I can't actually actually go anywhere.

I don't have a firewall (on my server machine anyway, is additional port forwarding needed on the router side)? and I don't use iptables so I'm not sure if that's a consideration too, but I did check these settings to no avail.

FWIW, the local IP of the machine is 10.10.10.10. The router/DHCP server is 10.10.10.1. I'm sure I have some dhcp/route settings wrong, but I hate subnets and may need this spelled out.

OS

1

Linux 5.11.16-300.fc34.x86_64

Server Config

1

port 82

2

proto udp

3

proto udp6

4

dev tun

5

ca ca.crt

6

cert issued/server.crt

7

key private/server.key

8

dh dh.pem

9

topology subnet

10

server 172.16.0.0 255.255.255.0

11

ifconfig-pool-persist ipp.txt

12

push "redirect-gateway def1"

13

push "dhcp-option DNS 8.8.8.8"

14

push "dhcp-option DNS 208.67.222.222"

15

push "dhcp-option DNS 208.67.220.220"

16

keepalive 10 120

17

tls-auth ta.key 0

18

cipher AES-256-CBC

19

comp-lzo

20

user nobody

21

group nobody

22

persist-key

23

persist-tun

24

status /var/log/openvpn/openvpn-status.log

25

log-append /var/log/openvpn/openvpn.log

26

verb 4

27

explicit-exit-notify 1

28

auth SHA512

29

route 10.10.10.1 255.255.255.0

Client Config

1

client

2

tls-client

3

pull

4

dev tun

5

proto udp

6

remote x.x.x.x 82

7

resolv-retry infinite

8

nobind

9

dhcp-option DNS 8.8.8.8

10

persist-key

11

persist-tun

12

key-direction 1

13

tls-auth ta.key 1

14

comp-lzo

15

verb 4

16

ca ca.crt

17

cert client.crt

18

key client.key

19

auth SHA512

20

cipher AES-256-CBC

21

client-config-dir ccd

CCD file

1

iroute 10.10.10.1 255.255.255.0

These are partial, I got an error when trying to paste more.

Error Logs

1

client/10.10.10.1:51145 SENT CONTROL [client]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.10.10.1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

2

client/10.10.10.1:51145 IP packet with unknown IP version=0 seen

3

client/10.10.10.1:51145 MULTI: bad source address from client [::], packet dropped

4

client/10.10.10.1:51145 SIGTERM[soft,remote-exit] received, client-instance exiting

TinCanTech · Post by **TinCanTech** » Fri Apr 30, 2021 2:17 pm

Re: MULTI: bad source address from client [::], packet dropped

You can ignore that.

tamar wrote: ↑
Fri Apr 30, 2021 4:44 am
I don't use iptables

You need iptables or some-such, like ufw ..

tamar · Post by **tamar** » Fri Apr 30, 2021 2:46 pm

Thanks @TinCanTech - so I have iptables running, but not sure what rules to set up then. I'm not getting any outbound traffic from the connected VPN at all, so I'll take your recommendations on what's needed here. I appreciate it!

TinCanTech · Post by **TinCanTech** » Fri Apr 30, 2021 3:15 pm

Says what you need in the howto you already read.

tamar · Post by **tamar** » Fri Apr 30, 2021 3:53 pm

So like I said, I don't understand subnets etc and don't know what IPs I'm supposed to use for iptables.

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0.

Sorry I'm dense here, but I need it dumbed down a little more. I can change the ethernet interface, but I don't know the former.

The VPN subnet server directive as I pasted before from my server.conf, this is what I have:

Code: Select all

server 172.16.0.0 255.255.255.0

So does the iptables routing then become

Code: Select all

iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE

Somehow I don't think that is correct.

TinCanTech · Post by **TinCanTech** » Fri Apr 30, 2021 4:04 pm

That looks about right, also make sure your interface is called eth0.

tamar · Post by **tamar** » Fri Apr 30, 2021 8:58 pm

Yes, it's actually enp3s0 - the appropriate adjustment was made.

Thanks - I guess I assumed the 172.16.x.x subnet wouldn't be in the iptables (I did 10.10.0.0 since that's how my private network is defined). Looks like that solved it for me, hoping the people who connect don't have issues, thank you.