
mudtoe
join:2005-10-09 Cleveland, OH
reply to Cyberian75 Re: OpenVPN Errors -- MULTI: bad source address from client
First, are you trying to route all your traffic through the VPN and use the VPN server as your internet gateway, or are you trying to set up a split tunnel where only the traffic destined for your VPN server's network goes through OpenVPN, and the rest of the traffic uses the client's internet connection? Check to see if you have a "redirect-gateway def1" statement in your client's config file. If so, then you are routing everything through the VPN.
Also, is your VPN connection a routed connection or a bridged connection (i.e. TUN versus TAP configuration)? If you are using a routed connection (TUN) and want everything to go through the VPN server, then you have to have the correct routes set up. If you are using a bridged connection (TAP), then you don't need additional routes to send all traffic through the VPN server.
Lastly, verify that the IP address range of the client's local network doesn't overlap with the IP address range of the VPN server's network (I'm assuming that both the client local network and the VPN server local network are in the NAT range). Goofy things can happen if the ranges overlap, just as can happen when using IPsec if the ranges overlap.
I've been converting everyone for whom I set up an OpenVPN configuration to the 172.16.x.x - 172.31.x.x range for their local network, even though they don't need the quantity of addresses this range provides by default. The reason I do this is that every hotspot or hotel that I've come across uses either the 192.168.x.x or the 10.x.x.x range for their local NAT network, and therefore using this range significantly decreases the potential for an addressing conflict. Of course, if your situation requires you to connect to corporate networks, then the 172 range isn't as good an idea, as most large companies use this range for their internal networks (I'm guessing that hotels avoid using the 172 range for their networks precisely because they know that they have a lot of corporate customers who need to make VPN connections to their corporate networks using this range).
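To make the three checks in the post above concrete, here is a small Python script. It is an added example, not something posted in this thread and not part of OpenVPN itself. It parses an OpenVPN config, reports whether the tunnel is TUN or TAP and whether redirect-gateway carries the def1 flag, lists the two routes def1 installs, and tests a set of labelled address ranges for overlap. The client config fragment, the 10.0.0.1 gateway address and the labelled networks are constructed for illustration; the networks reuse ranges that come up in this thread (a 192.168.1.0/24 hotspot LAN, a 10.0.0.0/24 VPN pool, a 192.168.100.0/24 server LAN and a 192.168.0.0/16 server route).

```python
"""Sanity checks for an OpenVPN setup: TUN vs TAP, redirect-gateway
and its def1 flag, and overlapping address ranges.

Added example for the thread above; the sample config and the network
list are constructed for illustration and are not from the thread."""
import ipaddress
import shlex

# Constructed client config fragment (not posted in the thread).
SAMPLE_CLIENT_CONFIG = """
client
dev tun
proto udp
remote vpn.example.net 1194   # hypothetical server name
redirect-gateway def1
"""

# Constructed address plan using ranges discussed in the thread.
SAMPLE_NETWORKS = {
    "client LAN": "192.168.1.0/24",
    "VPN pool": "10.0.0.0/24",
    "server LAN": "192.168.100.0/24",
    "server 'route' directive": "192.168.0.0/16",
}


def parse_openvpn_config(text):
    """Return (directive, [args]) pairs; '#' starts a comment, ';' a comment line."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def tunnel_mode(directives):
    """'tun' (routed) or 'tap' (bridged) from the dev directive; None if absent."""
    for name, args in directives:
        if name == "dev" and args:
            dev = args[0].lower()
            if dev.startswith("tun"):
                return "tun"
            if dev.startswith("tap"):
                return "tap"
    return None


def redirect_gateway_flags(directives):
    """Flags given to redirect-gateway, whether set locally or pushed by the
    server; [] means present without flags, None means a split tunnel."""
    for name, args in directives:
        if name == "redirect-gateway":
            return args
        if name == "push" and args:
            pushed = args[0].split()
            if pushed and pushed[0] == "redirect-gateway":
                return pushed[1:]
    return None


def def1_routes(vpn_gateway):
    """Routes that 'def1' installs instead of replacing the default route:
    two /1 routes that together cover 0.0.0.0/0 but are more specific than
    the existing default, so the original default stays in place (OpenVPN
    also adds a host route to the VPN server via that original gateway,
    which is not modelled here)."""
    gw = ipaddress.ip_address(vpn_gateway)
    return [(ipaddress.ip_network("0.0.0.0/1"), gw),
            (ipaddress.ip_network("128.0.0.0/1"), gw)]


def find_overlaps(networks):
    """Return (label, label) pairs whose address ranges overlap."""
    nets = {label: ipaddress.ip_network(cidr, strict=False)
            for label, cidr in networks.items()}
    labels = list(nets)
    overlaps = []
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b))
    return overlaps


def main():
    directives = parse_openvpn_config(SAMPLE_CLIENT_CONFIG)
    print("tunnel mode:", tunnel_mode(directives))
    flags = redirect_gateway_flags(directives)
    if flags is None:
        print("redirect-gateway: absent (split tunnel)")
    else:
        print("redirect-gateway: present, flags:", " ".join(flags) or "(none)")
        if "def1" in flags:
            for net, gw in def1_routes("10.0.0.1"):   # hypothetical VPN gateway
                print(f"  def1 route {net} via {gw}")
    for a, b in find_overlaps(SAMPLE_NETWORKS):
        print(f"OVERLAP: {a} vs {b}")


if __name__ == "__main__":
    main()
```

Without the def1 flag, redirect-gateway deletes the existing default route and replaces it with one via the VPN; with def1 the two /1 routes win by being more specific, and the old default is left alone, which is what the flag is for.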
Cyberian75
join:2004-03-16 Beaverton, OR
·callwithus
·Verizon FIOS
I'm using my VPN as a gateway using TUN to route all client traffic through the tunnel, and yes, I do have "redirect-gateway" in my config. But what's "def1" for?
Also, I've converted my LAN to 192.168.100.nnn, and my VPN server is using 10.0.0.0/24. Do I need to change the network part, too, and not just the subnet?
I tried to connect a client from a different IP with a NAT IP of 192.168.1.n, but while it does connect to the server, the client can't even ping the VPN server. The Internet connection, not the VPN connection, just times out.
Since it does connect, it's not an issue with my router or firewall.
Here's my server config:

port nnnnn
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
ccd-exclusive
route 192.168.0.0 255.255.0.0
push "redirect-gateway"
push "dhcp-option DNS 68.238.64.12"
push "dhcp-option DNS 68.238.128.12"
push "dhcp-option DNS 4.2.2.2"
push "dhcp-option DNS 4.2.2.4"
tls-auth ta.key 0
cipher AES-128-CBC # AES
comp-lzo
max-clients 5
persist-key
persist-tun
ping 15
ping-restart 300 # 5 minutes
resolv-retry 300 # 5 minutes
status openvpn-status.log
verb 5

Thanks for any help. :)
-- Michael

Cyberian75
join:2004-03-16 Beaverton, OR
reply to mudtoe
I can now ping the server [10.10.0.1], I think. I have "10.10.0.0 255.255.255.0" in my server config. The client does get read/write data from the server, so I don't know what's going on.
-- Michael