Hello, I want to use OpenVPN to link together some remote sites and their networks, but I'm getting "MULTI: bad source address from client" messages in the logs and I think I've done everything necessary to prevent it. In addition, clients behind one site are not successfully able to ping interface addresses on the other server.
My thinking for linking these sites was that each OpenVPN server would both serve a set of clients and link to each other in a mesh, pushing routes as appropriate, so that there is no dependency on a single central server in case any of the sites go down. To this end, I've allocated myself a /16 in private address space and apportioned them out as shown in the diagram (right now, trying to just get two sites working). Viewable correctly in fixed-width font:

          Local VPN Clients 10.88.8.0/20
                      |
                      |
          --------------------------
          |          tun0          |
          |                        |
          |       Ingress A        |----Local LAN clients
          |      10.88.0.0/28      |
          |                        |
          |   tun1          tun2   |
          |     10.88.0.16/28      |
          --------------------------
              in              out
              |                |
              |                |
              |                |
              |                |
              |                |
              out             in
          --------------------------
          |   tun1          tun2   |
          |     10.88.0.48/28      |
          |                        |
          |       Ingress B        |----Local LAN clients
          |      10.88.0.32/28     |
          |                        |
          |          tun0          |
          --------------------------
                      |
                      |
          Local VPN Clients 10.88.16.0/20

So ideally what would happen is that Ingress A and Ingress B connect to each other; Ingress A pushes routes for 10.88.0.0/28, 10.88.0.16/28, and 10.88.8.0/20 to Ingress B, while Ingress B pushes routes for 10.88.0.32/28, 10.88.0.48/28, and 10.88.16.0/20 to Ingress A. This actually seems to work fine between the servers -- connections are established both ways and from both servers I can ping all relevant IPs. However, I'm getting a lot of "MULTI: bad source address from client" in the logs.

In addition, although routes seem to be getting pushed appropriately, I am not able to ping end-to-end. Although Ingress A and Ingress B can ping all of each other's addresses, a client behind Ingress A can ping only one of Ingress B's addresses (the one on the other end of the tunnel for which Ingress B is the server and Ingress A is the client), and vice versa, and cannot ping end-to-end with other clients or other interfaces on the remote server. I have tried 'echo 1 > /proc/sys/net/ipv4/ip_forward' and 'echo 1 > /proc/sys/net/ipv4/conf/all/forwarding' to ensure forwarding is enabled, with no luck.
Below are my configuration files and various bits of output... I'd appreciate any help understanding what the issue is. I think by now the config files are a bit more complicated than they need, but searching around said I needed to add all routes + iroute statements to fix this problem. Thanks!

--Jeff

=================== Ingress A, tun0 =======================
port 443
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-server
topology subnet
server 10.88.8.0 255.255.248.0
push "route 10.88.0.0 255.255.0.0"
push "dhcp-option DNS 10.88.0.1"
client-to-client
keepalive 10 60
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
duplicate-cn
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
mute 20
verb 4

=================== Ingress A, tun1 =======================
port 1194
proto udp
dev tun1
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-server
topology subnet
server 10.88.0.16 255.255.255.240
push "route 10.88.0.0 255.255.255.240"
push "route 10.88.0.16 255.255.255.240"
push "route 10.88.8.0 255.255.248.0"
route 10.88.0.48 255.255.255.240
push "route 10.88.0.48 255.255.255.240"
route 10.88.0.32 255.255.255.240
push "route 10.88.0.32 255.255.255.240"
route 10.88.16.0 255.255.248.0
push "route 10.88.16.0 255.255.248.0"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 10 60
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
duplicate-cn
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
mute 20
verb 4

=================== Ingress A, ingressb CCD entry =======================
iroute 10.88.0.32 255.255.255.240
iroute 10.88.0.48 255.255.255.240
iroute 10.88.16.0 255.255.248.0

=================== Ingress A, client for Ingress B =======================
client
dev tun2
proto udp
remote 172.27.102.193 1194
float
resolv-retry 10
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert ingressa.crt
key ingressa.key
pull
keepalive 10 60
auth-retry interact
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
mute 20

=================== Ingress B, interfaces and routes =======================
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether 26:ce:e0:d1:2c:f4 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/28 brd 10.88.0.15 scope global dummy0
       valid_lft forever preferred_lft forever
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.88.0.17/28 brd 10.88.0.31 scope global tun1
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.88.8.1/21 brd 10.88.15.255 scope global tun0
       valid_lft forever preferred_lft forever
6: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.88.0.50/28 brd 10.88.0.63 scope global tun2
       valid_lft forever preferred_lft forever

default via 172.27.102.1 dev eth0
10.88.0.0/28 dev dummy0 proto kernel scope link src 10.88.0.1
10.88.0.16/28 dev tun1 proto kernel scope link src 10.88.0.17
10.88.0.32/28 via 10.88.0.49 dev tun2
10.88.0.48/28 dev tun2 proto kernel scope link src 10.88.0.50
10.88.8.0/21 dev tun0 proto kernel scope link src 10.88.8.1
10.88.16.0/21 via 10.88.0.49 dev tun2
172.27.102.0/24 dev eth0 proto kernel scope link src 172.27.102.194

=================== Ingress B, tun0 =======================
port 443
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-server
topology subnet
server 10.88.16.0 255.255.248.0
push "route 10.88.0.0 255.255.0.0"
push "dhcp-option DNS 10.88.0.33"
client-to-client
keepalive 10 60
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
duplicate-cn
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
mute 20
verb 4

=================== Ingress A, tun1 =======================
port 1194
proto udp
dev tun1
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-server
topology subnet
server 10.88.0.48 255.255.255.240
push "route 10.88.0.32 255.255.255.240"
push "route 10.88.0.48 255.255.255.240"
push "route 10.88.16.0 255.255.248.0"
route 10.88.0.16 255.255.255.240
push "route 10.88.0.16 255.255.255.240"
route 10.88.0.0 255.255.255.240
push "route 10.88.0.0 255.255.255.240"
route 10.88.8.0 255.255.248.0
push "route 10.88.8.0 255.255.248.0"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 10 60
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
duplicate-cn
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
mute 20
verb 4

=================== Ingress A, ingressa CCD entry =======================
iroute 10.88.0.0 255.255.255.240
iroute 10.88.0.16 255.255.255.240
iroute 10.88.8.0 255.255.248.0

=================== Ingress A, client for Ingress B =======================
client
dev tun2
proto udp
remote 172.27.102.194 1194
float
resolv-retry 10
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert ingressb.crt
key ingressb.key
pull
keepalive 10 60
auth-retry interact
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
mute 20

=================== Ingress B, interfaces and routes =======================
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether 92:cc:95:55:17:4b brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.33/28 brd 10.88.0.47 scope global dummy0
       valid_lft forever preferred_lft forever
4: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.88.0.49/28 brd 10.88.0.63 scope global tun2
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.88.16.1/21 brd 10.88.23.255 scope global tun0
       valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.88.0.18/28 brd 10.88.0.31 scope global tun1
       valid_lft forever preferred_lft forever

default via 172.27.102.1 dev eth0
10.88.0.0/28 via 10.88.0.17 dev tun1
10.88.0.16/28 dev tun1 proto kernel scope link src 10.88.0.18
10.88.0.32/28 dev dummy0 proto kernel scope link src 10.88.0.33
10.88.0.48/28 dev tun2 proto kernel scope link src 10.88.0.49
10.88.8.0/21 via 10.88.0.17 dev tun1
10.88.16.0/21 dev tun0 proto kernel scope link src 10.88.16.1
172.27.102.0/24 dev eth0 proto kernel scope link src 172.27.102.193

=================== VPN Client behind Ingress A =======================
client
dev tun
proto udp
remote 172.27.102.194 443
float
resolv-retry 10
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert vpnuser.crt
key vpnuser.key
pull
keepalive 10 60
auth-retry interact
ns-cert-type server
tls-auth ta.key 1
comp-lzo
up-restart
up "/etc/rc.local vpnup"
down-pre
down "/etc/rc.local vpndown"
verb 4
mute 20

9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.88.8.3/21 brd 10.88.15.255 scope global tun0
       valid_lft forever preferred_lft forever

default via 172.28.118.1 dev p4p1
10.88.0.0/16 via 10.88.8.1 dev tun0
10.88.8.0/21 dev tun0 proto kernel scope link src 10.88.8.3
127.0.0.0/8 dev p4p1 proto kernel scope link src 127.88.0.1
169.254.0.0/16 dev p4p1 scope link metric 1000
172.28.118.0/23 dev p4p1 proto kernel scope link src 172.28.119.71

Pings to Ingress B's interfaces:

$ ping 10.88.0.33
PING 10.88.0.33 (10.88.0.33) 56(84) bytes of data.
^C
--- 10.88.0.33 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms

$ ping 10.88.0.49
PING 10.88.0.49 (10.88.0.49) 56(84) bytes of data.
^C
--- 10.88.0.49 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms

$ ping 10.88.16.1
PING 10.88.16.1 (10.88.16.1) 56(84) bytes of data.
^C
--- 10.88.16.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3024ms

$ ping 10.88.0.18
PING 10.88.0.18 (10.88.0.18) 56(84) bytes of data.
64 bytes from 10.88.0.18: icmp_seq=1 ttl=63 time=1.39 ms
64 bytes from 10.88.0.18: icmp_seq=2 ttl=63 time=1.54 ms
64 bytes from 10.88.0.18: icmp_seq=3 ttl=63 time=1.54 ms
64 bytes from 10.88.0.18: icmp_seq=4 ttl=63 time=1.53 ms
^C
--- 10.88.0.18 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.394/1.505/1.549/0.070 ms

=================== VPN Client behind Ingress B =======================
client
dev tun
proto udp
remote 172.27.102.193 443
float
resolv-retry 10
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert vpnuser.crt
key vpnuser.key
pull
keepalive 10 60
auth-retry interact
ns-cert-type server
tls-auth ta.key 1
comp-lzo
up-restart
up "/etc/rc.local vpnup"
down-pre
down "/etc/rc.local vpndown"
verb 4
mute 20

5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.88.16.2/21 brd 10.88.23.255 scope global tun0
       valid_lft forever preferred_lft forever

default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15
10.88.0.0/16 via 10.88.16.1 dev tun0
10.88.16.0/21 dev tun0 proto kernel scope link src 10.88.16.2
127.0.0.0/8 dev eth0 proto kernel scope link src 127.88.0.1
169.254.0.0/16 dev eth0 scope link metric 1000

Pings to Ingress A's interfaces:

$ ping 10.88.0.1
PING 10.88.0.1 (10.88.0.1) 56(84) bytes of data.
^C
--- 10.88.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms

$ ping 10.88.0.17
PING 10.88.0.17 (10.88.0.17) 56(84) bytes of data.
^C
--- 10.88.0.17 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3025ms

$ ping 10.88.8.1
PING 10.88.8.1 (10.88.8.1) 56(84) bytes of data.
^C
--- 10.88.8.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms

$ ping 10.88.0.50
PING 10.88.0.50 (10.88.0.50) 56(84) bytes of data.
64 bytes from 10.88.0.50: icmp_seq=1 ttl=63 time=148 ms
64 bytes from 10.88.0.50: icmp_seq=2 ttl=63 time=209 ms
64 bytes from 10.88.0.50: icmp_seq=3 ttl=63 time=190 ms
64 bytes from 10.88.0.50: icmp_seq=4 ttl=63 time=57.0 ms
^C
--- 10.88.0.50 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 57.080/151.398/209.812/58.752 ms

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
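Added example, not part of Jeff's post and not OpenVPN project code: a small Python model of the check behind the "MULTI: bad source address from client" message. An OpenVPN server in --server mode keeps its own table that maps each connected client's virtual address, plus any subnets declared for that client with iroute in its client-config-dir file, to that client instance. A packet arriving over a client's tunnel is forwarded only if its source address resolves to that same client; otherwise it is dropped and logged. The kernel-level route directive only makes the kernel hand return traffic to the OpenVPN process; it is iroute that tells OpenVPN which client owns the subnet, and the ccd file is chosen by the client certificate's common name. The addresses and the ccd contents below are taken from the post; the CN "ingressa" (assumed to be the CN in ingressa.crt), the second client "laptop" and the reason strings are constructed for the example, which also goes beyond the post by showing the spoofing case the check is there to stop.

```python
"""Model of OpenVPN's server-side source-address check (added example).

Addresses and ccd contents come from the post above. The CN "ingressa" is an
assumption (it must be the CN of ingressa.crt, since the CN selects the ccd
file); "laptop" is a constructed second client.
"""
import ipaddress
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_iroutes(ccd_text: str) -> List[IPv4Net]:
    """Extract subnets from 'iroute NETWORK NETMASK' lines of a ccd file.

    Other directives and comments are ignored; only iroute feeds the table.
    """
    nets: List[IPv4Net] = []
    for raw in ccd_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "iroute":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


class MultiRoutingTable:
    """Network -> client-instance map kept by an OpenVPN server.

    Longest prefix wins on lookup; a client's own virtual IP is a /32 entry.
    """

    def __init__(self) -> None:
        self._entries: List[Tuple[IPv4Net, str]] = []

    def connect_client(self, cn: str, virtual_ip: str, ccd_text: str = "") -> None:
        """Register a client: its /32 plus any iroutes from its ccd file.

        ccd_text is empty when no file named after the CN is found in the
        client-config-dir, which is exactly what makes iroutes silently absent.
        """
        self._entries.append((ipaddress.ip_network(f"{virtual_ip}/32"), cn))
        for net in parse_iroutes(ccd_text):
            self._entries.append((net, cn))

    def owner(self, ip: str) -> Optional[str]:
        """Return the CN that owns `ip`, or None if no client claims it."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[IPv4Net, str]] = None
        for net, cn in self._entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, cn)
        return best[1] if best else None

    def accept_from_client(self, cn: str, src_ip: str) -> Tuple[bool, str]:
        """Decision for a packet that arrived over the tunnel of client `cn`.

        Forwarded only if the source maps back to the same client; anything
        else is the 'bad source address' case and the packet is dropped.
        """
        claimed_by = self.owner(src_ip)
        if claimed_by == cn:
            return True, f"forward: {src_ip} belongs to {cn}"
        return False, f"bad source address from client {cn}: {src_ip} owned by {claimed_by}"


# ccd file for ingressa, as posted (on the server that ingressa connects into)
CCD_INGRESSA = """\
iroute 10.88.0.0 255.255.255.240
iroute 10.88.0.16 255.255.255.240
iroute 10.88.8.0 255.255.248.0
"""


def demo_with_ccd() -> Tuple[bool, str]:
    """ccd applied: a VPN client behind Ingress A (10.88.8.3) sending through
    the ingressa tunnel (virtual IP 10.88.0.50) is accepted."""
    table = MultiRoutingTable()
    table.connect_client("ingressa", "10.88.0.50", CCD_INGRESSA)
    return table.accept_from_client("ingressa", "10.88.8.3")


def demo_without_ccd() -> Tuple[bool, str]:
    """No ccd applied (e.g. file name differs from the CN): the same packet is
    dropped. A kernel 'route 10.88.8.0 255.255.248.0' on the server does not
    change this, because the kernel table is not consulted for the decision."""
    table = MultiRoutingTable()
    table.connect_client("ingressa", "10.88.0.50")
    return table.accept_from_client("ingressa", "10.88.8.3")


def demo_spoof_from_other_client() -> Tuple[bool, str]:
    """Why the check exists: another client (constructed CN 'laptop') sending
    with a source address inside ingressa's iroute is rejected."""
    table = MultiRoutingTable()
    table.connect_client("ingressa", "10.88.0.50", CCD_INGRESSA)
    table.connect_client("laptop", "10.88.0.51")
    return table.accept_from_client("laptop", "10.88.8.3")


if __name__ == "__main__":
    for demo in (demo_with_ccd, demo_without_ccd, demo_spoof_from_other_client):
        print(demo.__name__, demo())
```

The practical check this suggests on a real server is to compare the CN printed by the server log on connect (or by openssl x509 -noout -subject on the client certificate) with the file name under client-config-dir, and to confirm the process can still read that directory after it has dropped to the user and group given in the config, since ccd files are read at client-connect time.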