[nas-2000] Re: OpenVPN Server

  • From: philipp Wehrheim <flipstar@xxxxxxx>
  • To: nas-2000@xxxxxxxxxxxxx
  • Date: Sun, 25 Nov 2007 15:02:21 +0100


Codebotcher wrote:
> Hi Flip,
>> Hey,
>> Codebotcher wrote:
> [..]
>>> Yes it does! Good job. OpenVPN is working for me now and I owe the
>>> community a howto. I have some hand-written notes next to me, but I have
>>> to put them in a human-readable form. Setting up OpenVPN is quite
>>> trivial once all the required modules are available. Generating the keys
>>> and certificates might be tricky, though. I did it on my Linux PC and
>>> simply copied the relevant files to the NAS, but I'm sure this can be
>>> simplified.
>>> What's the next step from here? I'm still using the openvpn 2.0.7 you
>>> sent to the list some time ago. Can we put everything in an ipkg that
>>> automatically installs all packages OpenVPN is depending on? I don't
>>> have the ipkg builder installed on my Linux PC, yet. If I provided
>>> you with all the files in a structure, could you do that?
>> Sure I would love to :-D
>> Or you can build an ipkg by hand. There are two tar archives inside the
>> ar (ipkg) file ;-)
>> With OpenVPN you/we can do quite a number of wicked things like:
>> - mount/access files securely -> yes, that's what it was designed for
>> but another option would be to:
>> - Get a mobile phone with a SIP client and a VPN client that can connect
>>      to OpenVPN (and a data flat rate is preferred)
>> - Tell your SIP client to connect through the VPN tunnel to your LAN
>>      and from the LAN either to your local Asterisk or your preferred
>>      SIP provider.
>> and wheee you can get phone calls on your mobile and people will only
>> pay for the local call.
>> thanks again
>> --
>> flip
> I just wanted to give you an update on the status of the OpenVPN
> project. At the moment I'm struggling with a quite bizarre problem. I
> managed to set up and configure the OpenVPN on my NAS in the same way as
> the OpenVPN on my Linux server running Debian. I'm able to connect to
> the NAS via OpenVPN from my Windows notebook using OpenVPN GUI
> (http://www.openvpn.se/) and to browse the files which are offered by
> the NAS' samba server. Browsing through the files is pretty fast, but as
> soon as I try to open a file, let's say a 100 byte config file with a
> text editor, the transfer stalls and throws the following error message
> on my NAS:
> Sun Nov 25 14:36:11 2007 notebook1/ MULTI: bad source
> address from client [], packet dropped

Guess Google likes me better :-P



gives me


> Sun Jan  9 18:10:41 2005 Markku_Leinio/193.166.XXX.XXX:1663 MULTI: bad
> source address from client [10.YYY.YYY.YYY], packet dropped

That error occurs when OpenVPN gets a packet from a client for which it
has no return route back to the client.  It's a security feature that
prevents other machines on the client LAN from using the VPN unless they
are explicitly allowed to.  --dev tap mode is more permissive (because of
the semantics of ethernet bridging) and does not enforce any source
address checking unless you use a --learn-address script.

To explicitly allow packets from 10.YYY.YYY.YYY, you need to use

Hope that may help ...

> I checked if Google finds something related to this problem, but to no
> avail. It seems that the NAS is not able to route back to my notebook.
> Another strange observation I have made is that it is possible to browse
> the directories on the NAS using TotalCommander as a FTP client, but as
> soon as a file transfer is initiated, the connection breaks with the
> same error as for samba. Now comes the funny thing: The command line ftp
> client of Windows XP works! I can browse /and/ transfer files from and to
> the NAS through the OpenVPN tunnel.
> (BTW: The same OpenVPN server configuration works on my Debian Linux
> server without any problems!)

Did you take a closer look at the Debian start files?
What exactly are they doing, like setting flags etc.?

> As a project in my job is coming to a code-freeze next week followed by
> a delivery to the customer in the week after, I will be off for a while
> and won't be able to work on this issue here. :-(  

good luck then!

> I'll pick it up again
> as soon as I have the time again. I will try to look at the routing
> tables first and run a test, where my notebook is not in the same
> physical network as the NAS. (At the moment they are both in my
> 192.168.x.x private network and can see each other both on the local and
> the OpenVPN net. Maybe this is a problem here.)
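
An added example, not part of the original mail and not OpenVPN's own code: a small Python summarizer for the "bad source address" drops discussed above, listing per client which source address the server dropped for lack of a return route. The sample log is constructed from the two lines quoted in the thread (rejoined onto one line, redactions kept as posted) plus made-up lines using documentation addresses; `summarize_drops` and `DROP_RE` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample: the thread's two log lines (redactions kept) plus
# made-up entries for a hypothetical client "laptop2".
SAMPLE_LOG = """\
Sun Nov 25 14:36:11 2007 notebook1/ MULTI: bad source address from client [], packet dropped
Sun Jan  9 18:10:41 2005 Markku_Leinio/193.166.XXX.XXX:1663 MULTI: bad source address from client [10.YYY.YYY.YYY], packet dropped
Sun Jan  9 18:10:42 2005 Markku_Leinio/193.166.XXX.XXX:1663 MULTI: bad source address from client [10.YYY.YYY.YYY], packet dropped
Mon Jan 10 09:00:00 2005 laptop2/192.0.2.7:1194 MULTI: bad source address from client [198.51.100.23], packet dropped
Mon Jan 10 09:00:05 2005 laptop2/192.0.2.7:1194 unrelated constructed message
"""

# timestamp, then "<common name>/<peer ip:port>", then the drop message.
# The peer part and the bracketed source may be empty, as in the first line.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"(?P<cn>[^/\s]*)/(?P<peer>\S*) "
    r"MULTI: bad source address from client \[(?P<src>[^\]]*)\], packet dropped"
)


def summarize_drops(log_text):
    """Count dropped packets per (client common name, offending source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m is None:
            continue  # not a source-address drop
        # Keep empty fields visible instead of silently merging them.
        key = (m["cn"] or "<unknown>", m["src"] or "<empty>")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (client, src), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:3d} drop(s)  client={client}  source={src}")
```

Each (client, source) pair in the output is an address the server saw arriving through that client's tunnel without a matching return route, which is the condition the quoted explanation describes.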

