3

I have OpenVPN set up and working. My office is part of a large building that operates several VLANs. Obviously, from within our own VLAN I can access local resources, and from somewhere else in the world I can use OpenVPN. But when connected to a different VLAN in the same establishment I cannot do either.

OpenVPN is complaining because it is connecting to the building's external IP address, but the reply is being routed back internally (by switches I have no control over), which means the reply is not from the expected IP. Result:

 Incoming packet rejected from [AF_INET]10.67.5.1:1194[2], expected peer address: [AF_INET]195.x.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float) 

(x.x.x = censored public ip)

Anyone help? (I realise this is similar to other posts but I thought my problem was a bit different and justified a separate question)

As requested, server conf:

 port 1194
 proto udp
 dev tun
 ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
 dh dh1024.pem
 server 10.67.15.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 push "route 10.67.5.0 255.255.255.0"
 keepalive 10 120
 comp-lzo
 persist-key
 persist-tun
 status openvpn-status.log
 verb 3

Client config:

 client
 remote example.org
 ca /etc/openvpn/ca.crt
 cert /etc/openvpn/client_rich.crt
 key /etc/openvpn/client_rich.key
 comp-lzo yes
 dev tun
 proto udp
 nobind
 auth-nocache
 script-security 2
 persist-key
 persist-tun
 user openvpn
 group openvpn
  • Please edit your post to append the server and client configuration files. Commented Oct 4, 2011 at 15:40
  • What happens if you peer with 10.67... when you are on that network? Commented Oct 5, 2011 at 3:17
  • @quanta: have done. Commented Oct 5, 2011 at 8:44
  • @polynomial: 'peer with'? Commented Oct 5, 2011 at 8:44

1 Answer

6

As it says, add the float option to the client config and try again.

--float 

Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.

Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.

  • Thanks, I have tried this with patchy results. Still testing. It appeared to be working for about 90seconds, though! Commented Oct 6, 2011 at 13:11
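As an added example, not part of the original answer or the poster's files: the poster's client config with `float` added, together with the one hardening step a practitioner would pair with it. Once `float` is on, the client will hand the session to whichever source address sends packets that pass authentication, so the TLS control channel is the only thing pinning the peer. The `tls-auth` lines and the file name `ta.key` are assumptions not in the original configs; they add an HMAC on every control packet so that unauthenticated UDP from other hosts is dropped before it reaches the TLS handshake. The host name `example.org` and the addresses are taken from the question as posted.

```conf
# --- /etc/openvpn/client.conf (poster's config + float + tls-auth) ---
client
remote example.org 1194 udp

# Accept authenticated packets from any source, not only example.org.
# Needed here because the building's switching returns the server's
# replies from its internal address 10.67.5.1 rather than 195.x.x.x.
float

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client_rich.crt
key  /etc/openvpn/client_rich.key

# Assumption: ta.key is a static HMAC key shared with the server.
# Generate it once on the server with:  openvpn --genkey --secret ta.key
# Direction is 0 on the server and 1 on the client.
tls-auth /etc/openvpn/ta.key 1

comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn

# --- lines to add to the poster's server.conf (same ta.key, direction 0) ---
# tls-auth ta.key 0
```

With `float`, a peer-address change is only honoured after the packet passes the session's authentication checks (the HMAC on the data channel, and with `tls-auth` the HMAC on control packets too), so a stray host on the building VLAN cannot hijack the tunnel simply by spoofing 10.67.5.1; it can only make the client log and discard its packets. Check the result with `verb 4` on the client: the "Incoming packet rejected" line from the question should no longer appear once the first authenticated reply from 10.67.5.1 is accepted.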
