In this recipe, we focus again on a VPN configuration where we try to connect a client-side LAN to a server-side LAN. Normally, this is done by adding a client-config-dir directive to the OpenVPN server configuration, and then by adding the appropriate CCD file. However, if the CCD file is not found or is not readable, then the VPN connection will function properly, but the hosts on the client-side LAN will not be able to reach the hosts on the server-side LAN and vice versa. In this case, the OpenVPN server log file will show messages of the form MULTI: bad source, if the verbosity is set high enough.

In this recipe, we will first set up a VPN as is done in the Routing: subnets on both sides recipe from Chapter 2, Client-server IP-only Networks, but with a missing CCD file for the client. Then, we will show how to trigger the MULTI: bad source warnings and what can be done to resolve the issue.
We use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file example2-5-server.conf from the Using client-config-dir files recipe from Chapter 2, Client-server IP-only Networks. For the client, keep the configuration file basic-udp-client.conf from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks.
First, make the client-config-dir directory unreadable for the OpenVPN server process:

[root@server]# chmod 700 /etc/openvpn/cookbook/clients

Next, start the server using the configuration file example2-5-server.conf and with increased verbosity:

[root@server]# openvpn --config example2-5-server.conf --verb 5

Then, start the client:

[root@client]# openvpn --config basic-udp-client.conf
...
... Initialization Sequence Completed

The VPN connection itself comes up as usual.
However, when a host on the client-side LAN tries to reach a machine on the server-side LAN, the following message appears in the OpenVPN server log file:

... openvpnclient1/client-ip:58370 MULTI: bad source address from client [192.168.4.66], packet dropped
In this recipe, the root cause of the problem can be resolved as done in the Troubleshooting client-config-dir issues recipe from Chapter 6, Troubleshooting OpenVPN - Configurations: fix the permissions of the directory /etc/openvpn/cookbook/clients and reconnect the OpenVPN client.
In order to connect a remote LAN to an OpenVPN server, two server-configuration directives are needed:

route remote-lan remote-mask
client-config-dir /etc/openvpn/cookbook/clients

And also a CCD file, named after the client certificate, that contains:

iroute remote-lan remote-mask

Without this, the OpenVPN server does not know which VPN client the remote network is connected to. If a packet comes in from a client with a source address that the OpenVPN server does not know about, then the packet is dropped and, with "verb 5" or higher, the warning MULTI: bad source is printed.
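As an added check that is not part of the book, the following POSIX shell script tests a server configuration for the causes described above: a client-config-dir that the OpenVPN server process (which drops root privileges after startup) cannot read, a missing or unreadable CCD file, and an iroute in the CCD file without a matching route directive in the server configuration. The function names and the sample paths are constructed for this example.

```shell
#!/bin/sh
# Check a client-config-dir setup for one client (constructed example).

# Print the argument of a directive from a config file (first match only).
cfg_value() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 if every check passes, 1 otherwise; each finding goes to stdout.
check_ccd() {  # $1 = server config, $2 = client certificate common name
    conf=$1; cn=$2; rc=0
    dir=$(cfg_value "$conf" client-config-dir)
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: client-config-dir missing or not a directory ($dir)"; return 1
    fi
    # The server drops root privileges after startup, so the directory must be
    # searchable and readable by others; mode 700 reproduces the recipe's fault.
    if [ -z "$(find "$dir" -prune -perm -005 -print 2>/dev/null)" ]; then
        echo "FAIL: $dir is not readable by others (chmod 755 $dir)"; rc=1
    fi
    ccd=$dir/$cn
    if [ ! -f "$ccd" ]; then
        echo "FAIL: CCD file $ccd for client $cn is missing"; return 1
    fi
    if [ -z "$(find "$ccd" -prune -perm -004 -print 2>/dev/null)" ]; then
        echo "FAIL: $ccd is not readable by others (chmod 644 $ccd)"; rc=1
    fi
    # Each iroute in the CCD file needs a matching route in the server config:
    # iroute tells OpenVPN which client owns the LAN, route tells the kernel.
    iroutes=$(awk '$1 == "iroute" { print $2 "/" $3 }' "$ccd")
    if [ -z "$iroutes" ]; then
        echo "FAIL: $ccd contains no iroute directive"; rc=1
    fi
    for entry in $iroutes; do
        net=${entry%/*}; mask=${entry#*/}
        if ! awk -v n="$net" -v m="$mask" \
            '$1 == "route" && $2 == n && $3 == m { f = 1 } END { exit !f }' "$conf"; then
            echo "FAIL: iroute $net $mask has no matching route in $conf"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $ccd is usable for client $cn"
    return "$rc"
}

if [ $# -eq 2 ]; then
    check_ccd "$1" "$2"
fi
```

Run it as `sh check_ccd.sh /etc/openvpn/cookbook/example2-5-server.conf openvpnclient1` before reconnecting the client; it only inspects permission bits and directives, it does not change anything.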
Apart from the warnings explained above, there is one other major reason for the MULTI: bad source messages to occur.

Sometimes the MULTI: bad source message is printed in the OpenVPN server log file even when no client-side LAN is connected to the VPN client. This happens most often with VPN clients running Windows. When a file share is accessed over the VPN connection, Windows sometimes sends packets with a different source IP address to that of the VPN interface. These packets are not recognized by the OpenVPN server and the warning is printed. The solution to this issue is not known.