Understanding the MULTI: bad source warnings

In this recipe, we again focus on a VPN configuration in which a client-side LAN is connected to a server-side LAN. Normally, this is done by adding a client-config-dir directive to the OpenVPN server configuration and then adding the appropriate CCD file. However, if the CCD file is not found or is not readable, the VPN connection itself will function properly, but the hosts on the client-side LAN will not be able to reach the hosts on the server-side LAN, and vice versa. In this case, the OpenVPN server log file will show messages of the form MULTI: bad source, provided the verbosity is set high enough. We will first set up a VPN as is done in the Routing: subnets on both sides recipe from Chapter 2, Client-server IP-only Networks, but with a missing CCD file for the client. Then, we will show how to trigger the MULTI: bad source warnings and what can be done to resolve the issue.

Getting ready

We use the following network layout:

[Figure: network layout diagram]

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file example2-5-server.conf from the Using client-config-dir files recipe from Chapter 2, Client-server IP-only Networks. For the client, keep the configuration file basic-udp-client.conf from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks.

How to do it...

  1. First, make sure the client CCD file is not accessible:
            [root@server]# chmod 700 /etc/openvpn/cookbook/clients
    
  2. Start the server using the configuration file example2-5-server.conf and with increased verbosity:
            [root@server]# openvpn --config example2-5-server.conf --verb 5
    
  3. Next, start the client to connect successfully:
            [root@client]# openvpn --config basic-udp-client.conf
            ...
            ... Initialization Sequence Completed
    

    However, when a host on the client-side LAN tries to reach a machine on the server-side LAN, the following message appears in the OpenVPN server log file:

            ... openvpnclient1/client-ip:58370 MULTI: bad source address 
            from client [192.168.4.66], packet dropped
    

The root cause of the problem is resolved as in the Troubleshooting client-config-dir issues recipe from Chapter 6, Troubleshooting OpenVPN - Configurations: fix the permissions of the directory /etc/openvpn/cookbook/clients and reconnect the OpenVPN client.

How it works...

In order to connect a remote LAN to an OpenVPN server, two server-configuration directives are needed:

route remote-lan remote-mask 
client-config-dir /etc/openvpn/cookbook/clients 

In addition, a CCD file named after the client certificate's common name is needed. The CCD file contains:

iroute remote-lan remote-mask 

Without this, the OpenVPN server does not know which VPN client the remote network sits behind. If a packet arrives from a client with a source address that the OpenVPN server has no iroute for, the packet is dropped and, with "verb 5" or higher, the MULTI: bad source warning is printed.
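As an added diagnostic example (not part of the original recipe), the following Python script parses MULTI: bad source lines from constructed sample log text and checks each dropped source address against the iroute entries of that client's CCD file: if an iroute already covers the address, the server evidently never read the file, which points at the client-config-dir permission problem reproduced in this recipe. The log lines, client names and CCD contents are constructed for the example.

```python
import re
import ipaddress

# Constructed server log lines in the format shown in this recipe (names/addresses made up).
SAMPLE_LOG = """\
Mon Sep  5 10:01:02 2016 openvpnclient1/10.0.0.5:58370 MULTI: bad source address from client [192.168.4.66], packet dropped
Mon Sep  5 10:02:10 2016 openvpnclient2/10.0.0.9:41200 MULTI: bad source address from client [192.168.7.5], packet dropped
Mon Sep  5 10:03:00 2016 winclient/10.0.0.7:41000 MULTI: bad source address from client [169.254.10.20], packet dropped
"""

# Constructed CCD contents keyed by client CN (stand-in for /etc/openvpn/cookbook/clients/<CN>).
SAMPLE_CCD = {
    "openvpnclient1": "iroute 192.168.4.0 255.255.255.0\n",
    "openvpnclient2": "iroute 10.9.0.0 255.255.255.0\n",
}
BAD_SOURCE_RE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: bad source address from client \[(?P<src>[0-9.]+)\]")

def parse_bad_sources(log_text):
    """Map each client CN to the set of source addresses the server dropped."""
    hits = {}
    for line in log_text.splitlines():
        m = BAD_SOURCE_RE.search(line)
        if m:
            hits.setdefault(m.group("cn"), set()).add(m.group("src"))
    return hits

def parse_iroutes(ccd_text):
    """Return the IPv4 networks declared by 'iroute network [netmask]' lines."""
    nets = []
    for line in ccd_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "iroute":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.IPv4Network((parts[1], mask), strict=False))
    return nets

def diagnose(log_text, ccd_files):
    """Classify each (client CN, dropped source address) pair found in the log."""
    report = {}
    for cn, srcs in parse_bad_sources(log_text).items():
        nets = parse_iroutes(ccd_files[cn]) if cn in ccd_files else None
        for src in srcs:
            if nets is None:  # no CCD file for this client: add one with an iroute
                report[(cn, src)] = "MISSING_CCD"
            elif any(ipaddress.IPv4Address(src) in n for n in nets):
                report[(cn, src)] = "CCD_NOT_APPLIED"  # iroute covers it but was never read: check dir permissions
            else:  # the CCD file was read but declares no matching iroute
                report[(cn, src)] = "NO_IROUTE"
    return report
```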

There's more...

Apart from the case explained above, there is one other major reason for MULTI: bad source messages to occur.

Other occurrences of the MULTI: bad source message

Sometimes the MULTI: bad source message is printed in the OpenVPN server log file even when no client-side LAN is connected to the VPN client. This happens most often with VPN clients running Windows. When a file share is accessed over the VPN connection, Windows sometimes sends packets with a source IP address different from that of the VPN interface. These packets are not recognized by the OpenVPN server and the warning is printed. The solution to this issue is not known.

See also

  • The Routing: subnets on both sides recipe from Chapter 2, Client-server IP-only Networks, which explains the basics of a client-config-dir setup
  • The Troubleshooting client-config-dir issues recipe from Chapter 6, Troubleshooting OpenVPN - Configurations, which goes deeper into some of the frequently made mistakes when using the client-config-dir directive