OpenVPN LAN to LAN: bad source address from client [172.26.1.78], packet dropped

sverker

New Around Here
I'm attempting to set up a LAN-to-LAN VPN between two Asus routers running Merlin firmware. I've read through numerous threads on this topic in the forum, but none seems to match the issue I see.

Server side:
Network: 172.26.2.0/24
Router: Asus RT-AC3200 with Merlin fw 384.13_10
Generated openvpn config:
Code:
[email protected]:/tmp/home/root# cat /etc/openvpn/server1/config.ovpn
# Automatically generated configuration
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
txqueuelen 1000
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 5
push "route 172.26.2.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
duplicate-cn
route 172.26.1.0 255.255.255.0
push "route 172.26.1.0 255.255.255.0"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up updown.sh
down updown.sh
status-version 2
status status 5

# Custom Configuration
Code:
[email protected]:/tmp/home/root# cat /etc/openvpn/server1/ccd/limeoffice
iroute 172.26.1.0 255.255.255.0
From /tmp/syslog:
Code:
Aug  3 17:30:28 ovpn-server1[2107]: MULTI: multi_create_instance called
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 Re-using SSL/TLS context
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 LZO compression initializing
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 TLS: Initial packet from [AF_INET6]::ffff:85.11.56.254:30739, sid=286712f9 a629a7fb
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC3200, [email protected]
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, [email protected]
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_VER=2.4.3
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_PLAT=linux
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_PROTO=2
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_NCP=2
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_LZ4=1
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_LZ4v2=1
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_LZO=1
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_COMP_STUB=1
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_COMP_STUBv2=1
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 peer info: IV_TCPNL=1
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Aug  3 17:30:28 ovpn-server1[2107]: 85.11.56.254:30739 TLS: Username/Password authentication succeeded for username 'limeoffice'
Aug  3 17:30:29 ovpn-server1[2107]: 85.11.56.254:30739 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Aug  3 17:30:29 ovpn-server1[2107]: 85.11.56.254:30739 [client] Peer Connection Initiated with [AF_INET6]::ffff:85.11.56.254:30739
Aug  3 17:30:29 ovpn-server1[2107]: client/85.11.56.254:30739 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Aug  3 17:30:29 ovpn-server1[2107]: client/85.11.56.254:30739 MULTI: Learn: 10.8.0.2 -> client/85.11.56.254:30739
Aug  3 17:30:29 ovpn-server1[2107]: client/85.11.56.254:30739 MULTI: primary virtual IP for client/85.11.56.254:30739: 10.8.0.2
Aug  3 17:30:30 ovpn-server1[2107]: client/85.11.56.254:30739 PUSH: Received control message: 'PUSH_REQUEST'
Aug  3 17:30:30 ovpn-server1[2107]: client/85.11.56.254:30739 SENT CONTROL [client]: 'PUSH_REPLY,route 172.26.2.0 255.255.255.0 vpn_gateway 500,route 172.26.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Aug  3 17:30:30 ovpn-server1[2107]: client/85.11.56.254:30739 Data Channel: using negotiated cipher 'AES-128-GCM'
Aug  3 17:30:30 ovpn-server1[2107]: client/85.11.56.254:30739 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Aug  3 17:30:30 ovpn-server1[2107]: client/85.11.56.254:30739 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Aug  3 17:30:30 ovpn-server1[2107]: client/85.11.56.254:30739 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
 

sverker

New Around Here
Client side:
Network: 172.26.1.0/24
Router: Asus RT-N66U with Merlin fw 380.70
Generated openvpn config:
Code:
[email protected]:/tmp/home/root# cat /etc/openvpn/client5/config.ovpn
# Automatically generated configuration
daemon
client
dev tun15
proto udp
remote xxxxxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo adaptive
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 5
ca ca.crt
cert client.crt
key client.key
auth-user-pass up
status-version 2
status status 5

# Custom Configuration
float
keepalive 15 60
remote-cert-tls server
From syslog:
Code:
Aug  3 17:30:28 openvpn[19953]: OpenVPN 2.4.3 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr  8 2018
Aug  3 17:30:28 openvpn[19953]: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.08
Aug  3 17:30:28 openvpn[19955]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug  3 17:30:28 openvpn[19955]: LZO compression initializing
Aug  3 17:30:28 openvpn[19955]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Aug  3 17:30:28 openvpn[19955]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Aug  3 17:30:28 openvpn[19955]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug  3 17:30:28 openvpn[19955]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug  3 17:30:28 openvpn[19955]: TCP/UDP: Preserving recently used remote address: [AF_INET]92.34.10.8:1194
Aug  3 17:30:28 openvpn[19955]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Aug  3 17:30:28 openvpn[19955]: UDP link local: (not bound)
Aug  3 17:30:28 openvpn[19955]: UDP link remote: [AF_INET]92.34.10.8:1194
Aug  3 17:30:28 openvpn[19955]: TLS: Initial packet from [AF_INET]92.34.10.8:1194, sid=a2442fd5 8f08c0a9
Aug  3 17:30:28 openvpn[19955]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug  3 17:30:28 openvpn[19955]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC3200, [email protected]
Aug  3 17:30:28 openvpn[19955]: VERIFY KU OK
Aug  3 17:30:28 openvpn[19955]: Validating certificate extended key usage
Aug  3 17:30:28 openvpn[19955]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug  3 17:30:28 openvpn[19955]: VERIFY EKU OK
Aug  3 17:30:28 openvpn[19955]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC3200, [email protected]
Aug  3 17:30:28 openvpn[19955]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Aug  3 17:30:28 openvpn[19955]: [RT-AC3200] Peer Connection Initiated with [AF_INET]92.34.10.8:1194
Aug  3 17:30:30 openvpn[19955]: SENT CONTROL [RT-AC3200]: 'PUSH_REQUEST' (status=1)
Aug  3 17:30:30 openvpn[19955]: PUSH: Received control message: 'PUSH_REPLY,route 172.26.2.0 255.255.255.0 vpn_gateway 500,route 172.26.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
Aug  3 17:30:30 openvpn[19955]: OPTIONS IMPORT: timers and/or timeouts modified
Aug  3 17:30:30 openvpn[19955]: OPTIONS IMPORT: --ifconfig/up options modified
Aug  3 17:30:30 openvpn[19955]: OPTIONS IMPORT: route options modified
Aug  3 17:30:30 openvpn[19955]: OPTIONS IMPORT: route-related options modified
Aug  3 17:30:30 openvpn[19955]: OPTIONS IMPORT: peer-id set
Aug  3 17:30:30 openvpn[19955]: OPTIONS IMPORT: adjusting link_mtu to 1625
Aug  3 17:30:30 openvpn[19955]: OPTIONS IMPORT: data channel crypto options modified
Aug  3 17:30:30 openvpn[19955]: Data Channel: using negotiated cipher 'AES-128-GCM'
Aug  3 17:30:30 openvpn[19955]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Aug  3 17:30:30 openvpn[19955]: Data Channel Encrypt: Cipher 'AES-128-GCM' initialized with 128 bit key
Aug  3 17:30:30 openvpn[19955]: Data Channel Decrypt: Cipher 'AES-128-GCM' initialized with 128 bit key
Aug  3 17:30:30 openvpn[19955]: TUN/TAP device tun15 opened
Aug  3 17:30:30 openvpn[19955]: TUN/TAP TX queue length set to 100
Aug  3 17:30:30 openvpn[19955]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug  3 17:30:30 openvpn[19955]: /usr/sbin/ip link set dev tun15 up mtu 1500
Aug  3 17:30:30 openvpn[19955]: /usr/sbin/ip addr add dev tun15 10.8.0.2/24 broadcast 10.8.0.255
Aug  3 17:30:32 openvpn[19955]: /usr/sbin/ip route add 172.26.2.0/24 metric 500 via 10.8.0.1
Aug  3 17:30:32 openvpn[19955]: Ignore conflicted routing rule: 172.26.1.0 255.255.255.0
Aug  3 17:30:32 openvpn-routing: Skipping, client 5 not in routing policy mode
Aug  3 17:30:32 openvpn[19955]: Initialization Sequence Completed
The tunnel is established, and it's possible to connect between the routers. Clients on the server LAN can ping and connect to the client router, but no traffic works between the LANs. If I do a ping from a host on the client LAN, I get this in the log on the server side:
Code:
Aug  3 17:30:39 ovpn-server1[2107]: client/85.11.56.254:30739 MULTI: bad source address from client [172.26.1.78], packet dropped

What seems to be happening is that the server doesn't read the client-specific file and hence doesn't apply the iroute line, since it attempts to push that route to the client. Since the OpenVPN server runs with -cd /etc/openvpn/server1/, the client-config-dir above should point to /etc/openvpn/server1/ccd/. I have tried to override it, but with no better luck.
 

sverker

New Around Here
Indeed, the issue was that the file in ccd wasn't read, because when I copied it to a DEFAULT file in the same folder, the iroute statement was activated and the traffic works between the LANs.

Another issue is that on the client router I need to add a rule to the POSTROUTING chain; otherwise packets that should be routed to the tunnel are masqueraded with the IP of the WAN interface.
 

sverker

New Around Here
OK, I figured it out. The Common Name is "client", and I thought it would use the username as the CN. That's why my ccd file wasn't read. Adding the directive username-as-common-name as custom configuration on the server side solved the issue.
 
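As an added example (not from the thread, which contains no scripts), this Python helper reproduces the diagnosis reached above: it works out which file in client-config-dir the server will actually read (the certificate CN, or the username once username-as-common-name is set, with ccd/DEFAULT as the fallback), checks whether that file carries an iroute covering the source address in a "bad source address" log line, and points at a ccd file named after the username when that is the mismatch. The server config, ccd contents and log line are constructed sample strings that mirror the thread.

```python
import ipaddress
import re

# Constructed sample input mirroring the thread: server config lines that
# matter here, the ccd directory as filename -> contents, and one log line.
SERVER_CONFIG = "client-config-dir ccd\nroute 172.26.1.0 255.255.255.0\n"
CCD_FILES = {"limeoffice": "iroute 172.26.1.0 255.255.255.0\n"}
LOG_LINE = ("Aug  3 17:30:39 ovpn-server1[2107]: client/85.11.56.254:30739 "
            "MULTI: bad source address from client [172.26.1.78], packet dropped")

BAD_SRC_RE = re.compile(
    r"MULTI: bad source address from client \[([\d.]+)\], packet dropped")


def ccd_lookup_name(server_config, cert_cn, username):
    """Name OpenVPN uses for the per-client ccd file: the certificate CN,
    or the authenticated username when username-as-common-name is set."""
    opts = {line.split()[0] for line in server_config.splitlines()
            if line.strip() and not line.startswith("#")}
    return username if "username-as-common-name" in opts else cert_cn


def iroutes(ccd_text):
    """Networks declared by 'iroute <net> <mask>' lines in a ccd file."""
    nets = []
    for line in ccd_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "iroute":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def diagnose(log_line, server_config, ccd_files, cert_cn, username):
    """Explain a 'bad source address' drop, or return None for other lines."""
    m = BAD_SRC_RE.search(log_line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    name = ccd_lookup_name(server_config, cert_cn, username)
    files = {"DEFAULT", name}  # OpenVPN also reads ccd/DEFAULT if present
    covered = any(src in n for f in files for n in iroutes(ccd_files.get(f, "")))
    if covered:
        return f"{src}: iroute present in ccd/{name} (look elsewhere, e.g. NAT on the client side)"
    hint = ""
    if name != username and username in ccd_files:
        hint = (f"; ccd/{username} exists but lookup uses CN '{cert_cn}' "
                "(add username-as-common-name or rename the file)")
    return f"{src}: no iroute for this source in ccd/{name}{hint}"
```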
