I had a running OpenVPN server on a RPi (buster, Debian 10). After upgrade it stopped working completely. Before that I had some issues with some public networks, which I did not investigate.
When I connect with my Ubuntu (18.04), indicator shows that I am connected to VPN but I do not get any connection. ping returns no packets.
Server openvpn logs show:
MULTI: bad source address from client [x.x.x.x], packet dropped
Here [x.x.x.x] are client local IP address.
Ubuntu Client [x.x.x.x] --- Router A --- Internet --- Router B --- Server/RPi
Here is my server.conf:
local 192.168.x.x # THIS IS MY RASPBERRY PI LOCAL IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/cert.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/cert.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.x.x 255.255.255.0" # THIS IS MY RASPBERRY PI LOCAL IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 8.8.4.4" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1 bypass-dhcp"
#push "redirect-gateway local"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 4
I also have a firewall rule script:
#!/bin/sh
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
I really tried to understand but it does not make sense. Some sources mention that I need to make client specific config dir. But this was not necessary before. And how come the server received the local IP address of the client? Server only needs to know the public IP of the client/Router A.
