[nas-2000] Re: OpenVPN Server

  • From: Codebotcher <codebotcher@xxxxxx>
  • To: nas-2000@xxxxxxxxxxxxx
  • Date: Sun, 25 Nov 2007 15:31:48 +0100

-------- Original Message  --------
Subject: [nas-2000] Re: OpenVPN Server
From: philipp Wehrheim <flipstar@xxxxxxx>
To: nas-2000@xxxxxxxxxxxxx
Date: Sun Nov 25 2007 15:02:21 GMT+0100

> Hey,
> Codebotcher wrote:
>> Hi Flip,
>>> Hey,
>>> Codebotcher wrote:
>> [..]
>>>> Yes it does! Good job. OpenVPN is working for me now and I owe the
>>>> community a howto. I have some hand-written notes next to me, but I have
>>>> to put them in a human-readable form. Setting up OpenVPN is quite
>>>> trivial once all the required modules are available. Generating the keys
>>>> and certificates might be tricky, though. I did it on my Linux PC and
>>>> simply copied the relevant files to the NAS, but I'm sure this can be
>>>> simplified.
>>>> What's the next step from here? I'm still using the openvpn 2.0.7 you
>>>> sent to the list some time ago. Can we put everything in an ipkg that
>>>> automatically installs all packages OpenVPN is depending on? I don't
>>>> have the ipkg builder installed on my Linux PC yet. If I provided
>>>> you with all the files in a structure, could you do that?
>>> Sure I would love to :-D
>>> Or you can build an ipkg by hand. There are two tar archives inside the
>>> ar (ipkg) file ;-)
>>> With OpenVPN you/we can do quite a number of wicked things like:
>>> - mount/access files securely -> yes, that's what it was designed for
>>> but another option would be to:
>>> - Get a mobile phone with a SIP client and a VPN client that can connect
>>>     to OpenVPN (and a data flat rate is preferred)
>>> - Tell your SIP client to connect through the VPN tunnel to your LAN
>>>     and from the LAN either to your local Asterisk or your preferred
>>>     SIP provider.
>>> and wheee, you can get phone calls on your mobile and people will only
>>> pay for the local call.
>>> thanks again
>>> --
>>> flip
>> I just wanted to give you an update on the status of the OpenVPN
>> project. At the moment I'm struggling with a quite bizarre problem. I
>> managed to set up and configure the OpenVPN on my NAS in the same way as
>> the OpenVPN on my Linux server running Debian. I'm able to connect to
>> the NAS via OpenVPN from my Windows notebook using OpenVPN GUI
>> (http://www.openvpn.se/) and to browse the files which are offered by
>> the NAS' samba server. Browsing through the files is pretty fast, but as
>> soon as I try to open a file, let's say a 100 byte config file with a
>> text editor, the transfer stalls and throws the following error message
>> on my NAS:
>> Sun Nov 25 14:36:11 2007 notebook1/ MULTI: bad source
>> address from client [], packet dropped
> guess google likes me better :-P
> entering:
> http://www.google.de/search?hl=en&q=bad+source%0D%0Aopenvpn+%22address+from+client%22&btnG=Google+Search&meta=
> gives me
> http://openvpn.net/archive/openvpn-users/2005-01/msg00091.html
> ....
>> Sun Jan  9 18:10:41 2005 Markku_Leinio/193.166.XXX.XXX:1663 MULTI: bad
>> source address from client [10.YYY.YYY.YYY], packet dropped
> That error occurs when OpenVPN gets a packet from a client for which it
> has no return route back to the client.  It's a security feature that
> prevents other machines on the client LAN from using the VPN unless they
> are explicitly allowed to.  --dev tap mode is more permissive (because of
> the semantics of ethernet bridging) and does not enforce any source
> address checking unless you use a --learn-address script.
> To explicitly allow packets from 10.YYY.YYY.YYY, you need to use
> --iroute/--client-config-dir.
> ....
> Hope that may help ...
Well, of course I came across this message, too, but configuring OpenVPN
in the way described unfortunately didn't solve the problem. :-(

IMHO this feature is just to prevent access to OpenVPN from clients in
the client's LAN, but not the client itself.

>> I checked if Google finds something related to this problem, but to no
>> avail. It seems that the NAS is not able to route back to my notebook.
>> Another strange observation I have made is that it is possible to browse
>> the directories on the NAS using TotalCommander as a FTP client, but as
>> soon as a file transfer is initiated, the connection breaks with the
>> same error as for samba. Now comes the funny thing: The command line ftp
>> client of Windows XP works! I can browse /and/ transfer files from and to
>> the NAS through the OpenVPN tunnel.
>> (BTW: The same OpenVPN server configuration works on my Debian Linux
>> server without any problems!)
> Did you take a closer look into the Debian start files?
> What exactly are they doing, like setting flags etc.?
Good hint. I will check this...

>> As a project in my job is coming to a code-freeze next week followed by
>> a delivery to the customer in the week after, I will be off for a while
>> and won't be able to work on this issue here. :-(  
> good luck then!
>> I will pick it up again
>> as soon as I have the time again. I will try to look at the routing
>> tables first and run a test, where my notebook is not in the same
>> physical network as the NAS. (At the moment they are both in my
>> 192.168.x.x private network and can see each other both on the local and
>> the OpenVPN net. Maybe this is a problem here.)

Thanks and have a great weekend,
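
An added example (not part of the original post, and not OpenVPN project code): a Python check that pulls the dropped source addresses out of "MULTI: bad source address" server log lines and lists those that no iroute planned for the client's client-config-dir file would cover. The log lines, client names, the PLANNED_IROUTES table, the ccd/ directory name and the /24 width are constructed assumptions.

```python
import ipaddress
import re

# Server log line format as quoted in the thread:
# <time> <common-name>/<real-addr:port> MULTI: bad source address from client [<src>], packet dropped
BAD_SRC = re.compile(
    r"(?P<cn>[^\s/]+)/\S*\s+MULTI: bad source address "
    r"from client \[(?P<src>[^\]]*)\], packet dropped"
)

# Constructed sample log (documentation/private addresses, not from the thread).
SAMPLE_LOG = """\
Sun Nov 25 14:36:11 2007 notebook1/198.51.100.7:1194 MULTI: bad source address from client [192.168.1.23], packet dropped
Sun Nov 25 14:40:02 2007 office-gw/203.0.113.9:1663 MULTI: bad source address from client [10.20.0.5], packet dropped
Sun Nov 25 14:41:30 2007 office-gw/203.0.113.9:1663 MULTI: bad source address from client [10.30.0.9], packet dropped
"""

# Hypothetical planned client-config-dir contents: common name -> iroute networks.
PLANNED_IROUTES = {"office-gw": ["10.20.0.0/24"]}


def parse_drops(log_text):
    """Return (common_name, source_ip or None) for every dropped-packet line."""
    drops = []
    for m in BAD_SRC.finditer(log_text):
        src = m.group("src").strip()  # may be empty, as in the thread's NAS log
        drops.append((m.group("cn"), ipaddress.ip_address(src) if src else None))
    return drops


def uncovered_sources(drops, iroutes):
    """Map each client to the dropped sources that no planned iroute covers."""
    missing = {}
    for cn, src in drops:
        nets = [ipaddress.ip_network(n) for n in iroutes.get(cn, [])]
        if src is not None and not any(src in n for n in nets):
            missing.setdefault(cn, set()).add(src)
    return missing


def iroute_line(src, prefix=24):
    """Build a ccd 'iroute' line; the /24 width is an assumption to review."""
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return f"iroute {net.network_address} {net.netmask}"


if __name__ == "__main__":
    for cn, srcs in uncovered_sources(parse_drops(SAMPLE_LOG), PLANNED_IROUTES).items():
        print(f"ccd/{cn}:", *[iroute_line(s) for s in sorted(srcs)], sep="\n  ")
```

Only add an iroute for a network that really sits behind that client; the source check exists to keep other machines on the client LAN out of the VPN unless they are explicitly allowed.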

