Hi,

On Mon, Feb 09, 2015 at 11:07:55AM -0500, Jeff Mitchell wrote:
> Mon Feb  9 15:34:12 2015 us=645586 pomluser/172.19.41.84:51109 MULTI:
> bad source address from client [10.0.2.15], packet dropped
> Mon Feb  9 15:34:14 2015 us=651738 pomluser/172.19.41.84:51109 MULTI:
> bad source address from client [10.0.2.15], packet dropped
> Mon Feb  9 15:34:18 2015 us=658866 pomluser/172.19.41.84:51109 MULTI:
> bad source address from client [10.0.2.15], packet dropped

This is unlikely to be the issue.  It's most likely "some program
received a packet on the eth0 address, responded to it, and the return
route points to the VPN session" - in which case the packet is sourced
from the eth0 address (always reply from the address you've been
contacted on)...

> The client is inside a VM running on a laptop. When the client
> connects, the address OpenVPN sees is the address of the host, which
> makes sense given that the VM is using a NATed connection:

My bet is on the NAT.  If NAT state is lost, and the next packet ends
up on a different external IP address or port, the server won't recognize
you anymore ("no idea who that client is, drop packet").

You should be able to observe that using tcpdump on the server side
- look for packets towards port 443 (where your daemon listens on) 
and observe if the source address/source port changes when things
get "stuck".

If it's NAT state, and you can't fix the NAT, OpenVPN 2.3.7 on the
client side and "git master" on the server side will bring a solution
(TLS floating using peer-id).  But 2.3.7 is not released yet and we're
ironing out the last wrinkles on the server side.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
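
The tcpdump check suggested above, as an added example that is not part of the original message: it reads `tcpdump -n` text output from the server and reports when packets to port 443 start arriving from a new source port on the same source IP. The capture lines and both addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of `tcpdump -n port 443` output taken on the server.
# 198.51.100.7 stands in for the client's NAT gateway and 192.0.2.10 for the
# OpenVPN server; both are documentation placeholders, not values from the thread.
SAMPLE = """\
15:33:50.101000 IP 198.51.100.7.51109 > 192.0.2.10.443: UDP, length 101
15:33:50.130000 IP 192.0.2.10.443 > 198.51.100.7.51109: UDP, length 93
15:34:00.102000 IP 198.51.100.7.51109 > 192.0.2.10.443: UDP, length 101
15:34:12.645000 IP 198.51.100.7.23771 > 192.0.2.10.443: UDP, length 101
15:34:14.651000 IP 198.51.100.7.23771 > 192.0.2.10.443: UDP, length 101
15:34:18.658000 IP 198.51.100.7.23771 > 192.0.2.10.443: UDP, length 101
"""

# timestamp, "IP", src addr.port, ">", dst addr.port (IPv4 only)
LINE = re.compile(r"^(\S+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def inbound_endpoints(text, server_port=443):
    """Return (first_seen, last_seen, src_ip, src_port, packets) per source
    endpoint sending to server_port, in order of first appearance."""
    seen = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or int(m.group(5)) != server_port:
            continue  # unparsed line, or a reply leaving the server
        ts, key = m.group(1), (m.group(2), int(m.group(3)))
        first, _, count = seen.get(key, (ts, ts, 0))
        seen[key] = (first, ts, count + 1)
    return [(f, l, ip, port, n) for (ip, port), (f, l, n) in seen.items()]

def rebinds(endpoints):
    """Flag a source IP that reappears from a different source port.
    Assumes one VPN client per source IP; several clients behind one NAT
    would also show up here and need to be told apart by other means."""
    last_port, events = {}, []
    for first, _, ip, port, _ in endpoints:
        if ip in last_port and last_port[ip] != port:
            events.append((first, ip, last_port[ip], port))
        last_port[ip] = port
    return events

if __name__ == "__main__":
    for when, ip, old, new in rebinds(inbound_endpoints(SAMPLE)):
        print(f"{when} {ip}: source port {old} -> {new}")
```

A change of the external IP address rather than the port only shows up as a new entry in `inbound_endpoints()`; matching it to the old session needs the timestamps of when the old endpoint went silent.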
