Drop invalid packets!?

I have set up:
-TUN openvpn server
-TAP openvpn server

Both work great, but if I enable "Drop invalid packets" I am no longer able to connect to any of my devices via OpenVPN utilizing TAP.

TUN no issues.

Anyone have any ideas what's going on? Is it possible packets on TAP are being misidentified as invalid packets?

My TAP is set up as a bridge utilizing ccd for IP assignment.

Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID
This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable, when we did not send anything to the host), and out-of-sequence packets which can be caused by sequence prediction or other similar attacks.
The invalid-checking rule is above the forward rules for each intra-zone forwarding, so it is not so easy to bypass it.

Could you post the configuration for both tunnels? You can mask any sensitive data, like keys and public addresses.

1 Like
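As an added example (not code from the thread or from OpenWrt's firewall), here are two shell helpers for seeing exactly what the "Drop invalid packets" rule is discarding on the TAP side before deciding whether to keep it: one prints log-before-drop rules for conntrack-INVALID packets (iptables/fw3 syntax, plus an nftables/fw4 variant whose `inet fw4` table name is assumed), and one counts the resulting kernel log lines per inbound interface and protocol. The interface names, the `INVALID-DROP:` prefix and the sample log lines are constructed for the example.

```shell
# Added diagnostic helpers for the conntrack INVALID drop rule discussed above.
# Nothing here is the router's own configuration; all names are assumptions.

# Print rules that LOG INVALID-state packets before dropping them, placed at
# the top of the FORWARD chain so they run ahead of the zone forwarding rules.
invalid_log_rules() {
    cat <<'EOF'
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID-DROP: " --log-level 4
iptables -I FORWARD 2 -m conntrack --ctstate INVALID -j DROP
EOF
}

# nftables (fw4) equivalent; the table/chain names "inet fw4" / "forward" are
# assumed to match the firewall's own ruleset on this device.
invalid_log_rules_nft() {
    cat <<'EOF'
nft insert rule inet fw4 forward ct state invalid log prefix "INVALID-DROP: " drop
EOF
}

# Read netfilter LOG lines on stdin and print "<in-iface> <proto> <count>",
# one line per combination, sorted. Lets you see whether the drops come from
# the TAP bridge (tap0) or elsewhere and which protocol they hit.
summarize_invalid() {
    awk '
    /INVALID-DROP:/ {
        iface = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)    iface = substr($i, 4)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (iface == "") iface = "(none)"
        n[iface " " proto]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample kernel log lines in the standard nf_log field layout
# (not real captures): two TCP drops from the TAP bridge, one ICMP from TUN.
sample_log() {
    cat <<'EOF'
[  100.1] INVALID-DROP: IN=tap0 OUT=br-lan MAC=... SRC=10.8.0.10 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
[  100.2] INVALID-DROP: IN=tap0 OUT=br-lan MAC=... SRC=10.8.0.10 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=22 ACK URGP=0
[  101.0] INVALID-DROP: IN=tun0 OUT=br-lan MAC=... SRC=10.9.0.2 DST=192.168.1.30 PROTO=ICMP TYPE=3 CODE=3
EOF
}

# Usage on a live box: apply the rules, then `logread | summarize_invalid`
# (or `dmesg | summarize_invalid`). Offline demo with the constructed lines:
sample_log | summarize_invalid
```

With the log rule in place you can tell an actual mis-tracked flow (for example a bridged TAP where conntrack only sees one direction of a connection, so every ACK shows up as INVALID) from a configuration problem such as the pushed route that turned out to be the cause in this thread; in the first case the fix is in the firewall or bridge settings, in the second the drop rule was never the real culprit.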

Okay, did some more testing... I think I know what's going on...

This issue is isolated to OpenVPN TAP use on Android only with the following app:

UPDATE: This issue was resolved by dropping list push 'route' from my server config

igmp proxy would be the place to start looking.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


1 Like
