Tunnelblick won't set IPv6 on TAP device while Router Advertisements are present

342 views

meren...@gmail.com

Jan 31, 2017, 9:47:10 AM
to tunnelblick-discuss
I am running an OpenVPN server with both public IPv4 and IPv6.
Windows OpenVPN clients obtain an IPv4 address from our OpenVPN server config, and IPv6 from our router (they are bridged, so they get IPv6 router advertisements).
Tunnelblick clients also obtain an IPv4 address from our OpenVPN server config, but fail to obtain IPv6 from our router and get this error:

WARNING: Will NOT set up IPv6 on TAP device because it does not use DHCP.

If I disable the ifconfig-pool in my OpenVPN server config and instead use an external DHCP server, Tunnelblick clients obtain successfully both IPv4/IPv6.

full client log:
*Tunnelblick: OS X 10.12.2; Tunnelblick 3.7.1beta01 (build 4800); prior version 3.7.0beta01 (build 4780)
2017-01-31 15:10:50 *Tunnelblick: Attempting connection with casper using shadow copy; Set nameserver = 769; monitoring connection
2017-01-31 15:10:50 *Tunnelblick: openvpnstart start casper.tblk 1337 769 0 1 0 1589618 -ptADGNWradsgnw 2.5_git_4590c38-libressl-2.5.0
2017-01-31 15:10:50 OpenVPN 2.5_git_4590c38 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 30 2017
2017-01-31 15:10:50 library versions: LibreSSL 2.5.0, LZO 2.09
2017-01-31 15:10:50 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-01-31 15:10:50 Need hold release from management interface, waiting...
2017-01-31 15:10:50 *Tunnelblick: openvpnstart starting OpenVPN
2017-01-31 15:10:51 *Tunnelblick: openvpnstart log:
     Loading tap-signed.kext
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.5_git_4590c38-libressl-2.5.0/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Suser1-SLibrary-SApplication Support-STunnelblick-SConfigurations-Scasper.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1589618.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw
          --route-pre-down
          /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw

2017-01-31 15:10:51 *Tunnelblick: Established communication with OpenVPN
2017-01-31 15:10:51 *Tunnelblick: Obtained VPN username and password from the Keychain
2017-01-31 15:10:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-01-31 15:10:51 MANAGEMENT: CMD 'pid'
2017-01-31 15:10:51 MANAGEMENT: CMD 'state on'
2017-01-31 15:10:51 MANAGEMENT: CMD 'state'
2017-01-31 15:10:51 MANAGEMENT: CMD 'bytecount 1'
2017-01-31 15:10:51 MANAGEMENT: CMD 'hold release'
2017-01-31 15:10:51 MANAGEMENT: CMD 'username "Auth" "user1"'
2017-01-31 15:10:51 MANAGEMENT: CMD 'password [...]'
2017-01-31 15:10:51 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-01-31 15:10:51 TCP/UDP: Preserving recently used remote address: [AF_INET]125.125.29.2:1194
2017-01-31 15:10:51 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-01-31 15:10:51 UDP link local (bound): [AF_INET][undef]:1194
2017-01-31 15:10:51 UDP link remote: [AF_INET]125.125.29.2:1194
2017-01-31 15:10:51 MANAGEMENT: >STATE:1485868251,WAIT,,,,,,
2017-01-31 15:10:51 MANAGEMENT: >STATE:1485868251,AUTH,,,,,,
2017-01-31 15:10:51 TLS: Initial packet from [AF_INET]125.125.29.2:1194, sid=02b53e89 6de3bd8c
2017-01-31 15:10:51 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-01-31 15:10:51 VERIFY OK: depth=1, xxx
2017-01-31 15:10:51 VERIFY X509NAME OK: xxx
2017-01-31 15:10:51 VERIFY OK: xxx
2017-01-31 15:10:51 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-01-31 15:10:51 [xxx] Peer Connection Initiated with [AF_INET]125.125.29.2:1194
2017-01-31 15:10:52 MANAGEMENT: >STATE:1485868252,GET_CONFIG,,,,,,
2017-01-31 15:10:52 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
2017-01-31 15:10:52 PUSH: Received control message: 'PUSH_REPLY,route remote_host 255.255.255.255 net_gateway,route 125.125.28.0 255.255.254.0 125.125.29.1,route-gateway 125.125.29.1,ping 5,ping-restart 15,ifconfig 125.125.29.109 255.255.255.128,peer-id 0,cipher AES-256-GCM'
2017-01-31 15:10:52 OPTIONS IMPORT: timers and/or timeouts modified
2017-01-31 15:10:52 OPTIONS IMPORT: --ifconfig/up options modified
2017-01-31 15:10:52 OPTIONS IMPORT: route options modified
2017-01-31 15:10:52 OPTIONS IMPORT: route-related options modified
2017-01-31 15:10:52 OPTIONS IMPORT: peer-id set
2017-01-31 15:10:52 OPTIONS IMPORT: adjusting link_mtu to 1657
2017-01-31 15:10:52 OPTIONS IMPORT: data channel crypto options modified
2017-01-31 15:10:52 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-01-31 15:10:52 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-01-31 15:10:52 GDG6: remote_host_ipv6=n/a
2017-01-31 15:10:52 GDG6: problem writing to routing socket
2017-01-31 15:10:52 TUN/TAP device /dev/tap0 opened
2017-01-31 15:10:52 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-01-31 15:10:52 MANAGEMENT: >STATE:1485868252,ASSIGN_IP,,125.125.29.109,,,,
2017-01-31 15:10:52 /sbin/ifconfig tap0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-01-31 15:10:52 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-01-31 15:10:52 /sbin/ifconfig tap0 125.125.29.109 netmask 255.255.255.128 mtu 1500 up
2017-01-31 15:10:52 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1585 125.125.29.109 255.255.255.128 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        NOTE: No network configuration changes need to be made.
                                        WARNING: Will NOT monitor for other network configuration changes.
                                        WARNING: Will NOT set up IPv6 on TAP device because it does not use DHCP.
                                        DNS servers '177.177.211.34 177.177.210.210' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2017-01-31 15:10:55 *Tunnelblick: No 'connected.sh' script to execute
2017-01-31 15:10:55 MANAGEMENT: >STATE:1485868255,ADD_ROUTES,,,,,,
2017-01-31 15:10:55 /sbin/route add -net 125.125.29.2 192.168.60.1 255.255.255.255
                                        add net 125.125.29.2: gateway 192.168.60.1
2017-01-31 15:10:55 /sbin/route add -net 125.125.28.0 125.125.29.1 255.255.254.0
                                        add net 125.125.28.0: gateway 125.125.29.1
2017-01-31 15:10:55 Initialization Sequence Completed
2017-01-31 15:10:55 MANAGEMENT: >STATE:1485868255,CONNECTED,SUCCESS,125.125.29.109,125.125.29.2,1194,,
2017-01-31 15:11:00 *Tunnelblick: This computer's apparent public IP address (125.125.28.254) was unchanged after the connection was made

server.conf:
dev tap
proto udp
port 1194
management 127.0.0.1 1194
server-bridge 125.125.29.1 255.255.255.128 125.125.29.109 125.125.29.111
ifconfig-pool-persist pool-persist-tap
push "route remote_host 255.255.255.255 net_gateway"
push "route 125.125.28.0 255.255.254.0 125.125.29.1"
#push "tun-ipv6" - not needed in version 2.4
dh keys/dh1024.pem
ca new-ssl/sha256/CA/ca.crt
cert new-ssl/sha256/cert.crt
key new-ssl/sha256/key.key
keepalive 5 15
persist-key
persist-tun
comp-lzo
script-security 2
up ./upscript
down ./downscript
mute-replay-warnings
client-cert-not-required
username-as-common-name
client-config-dir clients
auth-user-pass-verify ./auth_radius.pl via-file
syslog openvpn-tap.log
verb 4

client.conf:
dev tap
remote 125.125.29.2
tls-client
ca ca.crt
verify-x509-name xxx.xxx name
mute-replay-warnings
pull
route 125.125.212.0 255.255.255.0
# uncomment to enable default gateway redirection
#redirect-gateway def1
route-method exe
route-delay 2
auth-user-pass
verb 4
comp-lzo

Tunnelblick developer

Jan 31, 2017, 10:40:19 AM
to tunnelblick-discuss, meren...@gmail.com
(It is possible this is related to an OpenVPN problem (OpenVPN Trac ticket #668), but I don't think so.)

First, be aware that Tunnelblick does not have any support for IPv6 built into its up/down scripts. If you're sure that IPv6 is working if you "disable the ifconfig-pool in my OpenVPN server config and instead use an external DHCP server", then I guess that's not a problem for you.

From the error message you are getting:

WARNING: Will NOT set up IPv6 on TAP device because it does not use DHCP.

it looks like Tunnelblick isn't recognizing that the connection should use DHCP. Tunnelblick considers a tap connection to use DHCP in the following line from Tunnelblick's "client.up.tunnelblick.sh" script:

if [ -z "${route_vpn_gateway}" -o "$route_vpn_gateway" == "dhcp" -o "$route_vpn_gateway" == "DHCP" ]; then


(The route_vpn_gateway environment variable is set by OpenVPN before calling the script.)

So it looks like OpenVPN is passing a non-empty value in route_vpn_gateway but the value is not "dhcp" or "DHCP".

If the value is mixed-case, such as "Dhcp", that would cause this problem.

If that's the situation, I will fix the script so it allows that, but I'd like to find out if that's really the problem before doing that.

If you are willing to help, I would be happy to look into this. Attached is a script named up.sh that is the same as Tunnelblick's standard "client.up.tunnelblick.sh" script except that it logs the value of route_vpn_gateway (so we can see what is going on) and forces the connection to be considered a DHCP connection (so you can see if recognizing the connection as a DHCP connection works and doesn't just lead to other problems). The changes to the script consist of inserting the following four lines starting at line 1430:

logMessage "route_vpn_gateway = '${route_vpn_gateway}'; forcing bRouteGatewayIsDhcp 'true'"
bRouteGatewayIsDhcp="true"

To use the script, download it and copy it into your Tunnelblick VPN configuration in the folder at

/Users/user1/Library/Application Support/Tunnelblick/Configurations/casper.tblk/Contents/Resources

You will be asked for your computer admin username/password the first time you connect the configuration after making the change.

Then post the results here.
up.sh
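To make the check described above concrete, here is an added example (not Tunnelblick's own script, and not the attached up.sh): it reproduces the quoted test from client.up.tunnelblick.sh, adds the case-insensitive variant the developer mentions, and runs both against the value that this thread's server actually pushes. The function names are mine; the PUSH_REPLY string is copied from the poster's log, and the assumption is that for a tap connection the pushed route-gateway value is what OpenVPN exports to the up script as route_vpn_gateway.

```shell
#!/bin/sh
# Added example, not Tunnelblick's own script. It reproduces the test quoted
# above from client.up.tunnelblick.sh and shows what that test yields for the
# value this thread's server pushes. Function names here are mine.

# The PUSH_REPLY line from the poster's log (quoted from the thread).
PUSH_REPLY_FROM_LOG='PUSH_REPLY,route remote_host 255.255.255.255 net_gateway,route 125.125.28.0 255.255.254.0 125.125.29.1,route-gateway 125.125.29.1,ping 5,ping-restart 15,ifconfig 125.125.29.109 255.255.255.128,peer-id 0,cipher AES-256-GCM'

# Extract the value of the pushed "route-gateway" option. For a tap
# connection OpenVPN hands this value to the up script as the environment
# variable route_vpn_gateway (assumption: no local route-gateway override).
# Prints an empty line when nothing was pushed, mirroring an unset variable.
gateway_from_push_reply() {
    reply="$1"
    while [ -n "$reply" ]; do
        item="${reply%%,*}"
        case "$item" in
            "route-gateway "*) printf '%s\n' "${item#route-gateway }"; return 0 ;;
        esac
        [ "$item" = "$reply" ] && break   # last comma-separated item reached
        reply="${reply#*,}"
    done
    printf '\n'
}

# The test as it appears in client.up.tunnelblick.sh: the connection is
# treated as DHCP only when the variable is empty, "dhcp" or "DHCP".
route_gateway_is_dhcp_strict() {
    if [ -z "$1" ] || [ "$1" = "dhcp" ] || [ "$1" = "DHCP" ]; then
        echo true
    else
        echo false
    fi
}

# The case-insensitive variant the developer proposes for values such as
# "Dhcp" (assumption about the exact form of that fix).
route_gateway_is_dhcp_lenient() {
    case "$1" in
        ""|[Dd][Hh][Cc][Pp]) echo true ;;
        *)                   echo false ;;
    esac
}

gw=$(gateway_from_push_reply "$PUSH_REPLY_FROM_LOG")
echo "route_vpn_gateway='$gw'"
echo "strict test:  $(route_gateway_is_dhcp_strict "$gw")"
echo "lenient test: $(route_gateway_is_dhcp_lenient "$gw")"
```

Run against the pushed reply, both tests print false: the server pushes a real gateway address (server-bridge hands out addresses from its pool), so neither the original check nor a case-insensitive one would treat the connection as DHCP. That is why forcing bRouteGatewayIsDhcp is the only way, with this script, to reach the ipconfig DHCP/AUTOMATIC-V6 setup for the tap device.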

mer...@gmail.com

Jan 31, 2017, 11:15:45 AM
to tunnelblick-discuss, meren...@gmail.com
Hello and thank you for your help, 

Using an external DHCP server only for OpenVPN clients would not be a preferable option; I used it just as a temporary workaround to see what's going on.

I ran Tunnelblick using the script you suggested.
The warning I mentioned in my first post has now disappeared; I attach the latest log:
 
2017-01-31 17:58:41 *Tunnelblick: openvpnstart starting OpenVPN

*Tunnelblick: OS X 10.12.2; Tunnelblick 3.7.1beta01 (build 4800); prior version 3.7.0beta01 (build 4780)
2017-01-31 17:58:41 *Tunnelblick: Attempting connection with casper using shadow copy; Set nameserver = 769; monitoring connection
2017-01-31 17:58:41 *Tunnelblick: openvpnstart start casper.tblk 1338 769 0 1 0 1589618 -ptADGNWradsgnw 2.5_git_4590c38-libressl-2.5.0
2017-01-31 17:58:43 *Tunnelblick: openvpnstart log:
     Warning: up script /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources/up.sh is not new version; not using ' -6 -9 -a -d -f -m -w -ptADGNWradsgnw' options
     Loading tap-signed.kext
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.5_git_4590c38-libressl-2.5.0/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Suser1-SLibrary-SApplication Support-STunnelblick-SConfigurations-Scasper.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1589618.1338.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources
          --management
          127.0.0.1
          1338
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          "/Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources/up.sh"
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw
          --route-pre-down
          /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw

2017-01-31 17:58:42 OpenVPN 2.5_git_4590c38 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 30 2017
2017-01-31 17:58:42 library versions: LibreSSL 2.5.0, LZO 2.09
2017-01-31 17:58:42 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2017-01-31 17:58:42 Need hold release from management interface, waiting...
2017-01-31 17:58:43 *Tunnelblick: Established communication with OpenVPN
2017-01-31 17:58:43 *Tunnelblick: Obtained VPN username and password from the Keychain
2017-01-31 17:58:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2017-01-31 17:58:43 MANAGEMENT: CMD 'pid'
2017-01-31 17:58:43 MANAGEMENT: CMD 'state on'
2017-01-31 17:58:43 MANAGEMENT: CMD 'state'
2017-01-31 17:58:43 MANAGEMENT: CMD 'bytecount 1'
2017-01-31 17:58:43 MANAGEMENT: CMD 'hold release'
2017-01-31 17:58:43 MANAGEMENT: CMD 'username "Auth" "user1"'
2017-01-31 17:58:43 MANAGEMENT: CMD 'password [...]'
2017-01-31 17:58:43 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-01-31 17:58:43 TCP/UDP: Preserving recently used remote address: [AF_INET]125.125.29.2:1194
2017-01-31 17:58:43 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-01-31 17:58:43 UDP link local (bound): [AF_INET][undef]:1194
2017-01-31 17:58:43 UDP link remote: [AF_INET]125.125.29.2:1194
2017-01-31 17:58:43 MANAGEMENT: >STATE:1485878323,WAIT,,,,,,
2017-01-31 17:58:43 MANAGEMENT: >STATE:1485878323,AUTH,,,,,,
2017-01-31 17:58:43 TLS: Initial packet from [AF_INET]125.125.29.2:1194, sid=deea627e 51ff1f38
2017-01-31 17:58:43 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-01-31 17:58:43 VERIFY OK: depth=1, xxx
2017-01-31 17:58:43 VERIFY X509NAME OK: xxx
2017-01-31 17:58:43 VERIFY OK: depth=0, xxx
2017-01-31 17:58:43 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-01-31 17:58:43 [xxx] Peer Connection Initiated with [AF_INET]125.125.29.2:1194
2017-01-31 17:58:44 MANAGEMENT: >STATE:1485878324,GET_CONFIG,,,,,,
2017-01-31 17:58:44 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
2017-01-31 17:58:44 PUSH: Received control message: 'PUSH_REPLY,route remote_host 255.255.255.255 net_gateway,route 125.125.28.0 255.255.254.0 125.125.29.1,route-gateway 125.125.29.1,ping 5,ping-restart 15,ifconfig 125.125.29.109 255.255.255.128,peer-id 0,cipher AES-256-GCM'
2017-01-31 17:58:44 OPTIONS IMPORT: timers and/or timeouts modified
2017-01-31 17:58:44 OPTIONS IMPORT: --ifconfig/up options modified
2017-01-31 17:58:44 OPTIONS IMPORT: route options modified
2017-01-31 17:58:44 OPTIONS IMPORT: route-related options modified
2017-01-31 17:58:44 OPTIONS IMPORT: peer-id set
2017-01-31 17:58:44 OPTIONS IMPORT: adjusting link_mtu to 1657
2017-01-31 17:58:44 OPTIONS IMPORT: data channel crypto options modified
2017-01-31 17:58:44 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-01-31 17:58:44 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-01-31 17:58:44 TUN/TAP device /dev/tap0 opened
2017-01-31 17:58:44 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-01-31 17:58:44 MANAGEMENT: >STATE:1485878324,ASSIGN_IP,,125.125.29.109,,,,
2017-01-31 17:58:44 /sbin/ifconfig tap0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-01-31 17:58:44 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-01-31 17:58:44 /sbin/ifconfig tap0 125.125.29.109 netmask 255.255.255.128 mtu 1500 up
2017-01-31 17:58:44 /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources/up.sh tap0 1500 1585 125.125.29.109 255.255.255.128 init
                                        **********************************************
                                        Start of output from up.sh
                                        NOTE: No network configuration changes need to be made.
                                        DNS servers '177.177.211.34 177.177.210.210' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        End of output from up.sh
                                        **********************************************
2017-01-31 17:58:46 MANAGEMENT: >STATE:1485878326,ADD_ROUTES,,,,,,
2017-01-31 17:58:46 /sbin/route add -net 125.125.29.2 192.168.60.1 255.255.255.255
2017-01-31 17:58:46 *Tunnelblick: No 'connected.sh' script to execute
                                        add net 125.125.29.2: gateway 192.168.60.1
2017-01-31 17:58:46 /sbin/route add -net 125.125.28.0 125.125.29.1 255.255.254.0
                                        add net 125.125.28.0: gateway 125.125.29.1
2017-01-31 17:58:46 Initialization Sequence Completed
2017-01-31 17:58:46 MANAGEMENT: >STATE:1485878326,CONNECTED,SUCCESS,125.125.29.109,125.125.29.2,1194,,
2017-01-31 17:58:52 *Tunnelblick: This computer's apparent public IP address (125.125.28.254) was unchanged after the connection was made

Tunnelblick developer

Jan 31, 2017, 11:58:44 AM
to tunnelblick-discuss, meren...@gmail.com, mer...@gmail.com
The warning goes away. But is your IPv6 connection working? And your IPv4 connection?

I don't understand the new log output: it seems to be missing the extra logging that I inserted so we could see what is going on!

I'm assuming that when you say your setup gets "IPv6 from our router (they are bridged so they get IPv6 router advertisements)", you mean it gets IPv6 info via DHCP. Assuming that's correct, you want to specify that IPv6 is set via DHCP but IPv4 is not, and I am not sure that your OpenVPN server is doing that correctly. I think you need to consult OpenVPN experts and see what they suggest, and ask them how that situation can be detected by an "up" script and how the "up" script should handle it. See
Even if we figure out a way for Tunnelblick to detect that DHCP is being used on IPv6, I don't think it would do what you want because if we set the tap device to use DHCP it would use DHCP for both IPv6 and IPv4, and you want IPv4 to be set up by the OpenVPN server, not DHCP.

Presumably there is a way to have DHCP used only for IPv6 and not IPv4, but I'm not aware of one. A kludgy workaround would be to have the script first use DHCP to get IPv4 and IPv6 info, and then override the IPv4 info. I'm reluctant to put that sort of thing in Tunnelblick's scripts, though.

Why not have the OpenVPN server set up both IPv4 and IPv6?

Konstantinos Merentitis

Jan 31, 2017, 12:37:43 PM
to Tunnelblick developer, tunnelblick-discuss
On 31 Jan 2017, at 18:58, Tunnelblick developer <jkbu...@gmail.com> wrote:

> The warning goes away. But is your IPv6 connection working? And your IPv4 connection?

IPv4 is still OK, but my IPv6 connection is still not working on tap0. I am sure I placed the up script in the correct place, because I was asked for my admin password when I ran my client again, as you mentioned.

> I don't understand the new log output: it seems to be missing the extra logging that I inserted so we could see what is going on!

Logging is set to 3; I also tried more verbosity without seeing any difference regarding the changes - nothing about "route_vpn_gateway".
Is there any chance that something in the script overrides my config?

> I'm assuming that when you say your setup gets "IPv6 from our router (they are bridged so they get IPv6 router advertisements)", you mean it gets IPv6 info via DHCP. Assuming that's correct, you want to specify that IPv6 is set via DHCP but IPv4 is not, and I am not sure that your OpenVPN server is doing that correctly.

IPv6 is set via Router Advertisements; it is *not* DHCPv6. As long as the TAP adapter is Layer 2 bridged with our router, it gets IPv6 RAs. This setup has worked on Windows TAP adapters for a long time, and in my case it also seems to work only if I disable OpenVPN's DHCPv4 (ifconfig-pool); that's why I believe it's a Tunnelblick "issue".

> I think you need to consult OpenVPN experts and see what they suggest, and ask them how that situation can be detected by an "up" script and how the "up" script should handle it. See
> Even if we figure out a way for Tunnelblick to detect that DHCP is being used on IPv6, I don't think it would do what you want because if we set the tap device to use DHCP it would use DHCP for both IPv6 and IPv4, and you want IPv4 to be set up by the OpenVPN server, not DHCP.
>
> Presumably there is a way to have DHCP used only for IPv6 and not IPv4, but I'm not aware of one. A kludgy workaround would be to have the script first use DHCP to get IPv4 and IPv6 info, and then override the IPv4 info. I'm reluctant to put that sort of thing in Tunnelblick's scripts, though.
>
> Why not have the OpenVPN server set up both IPv4 and IPv6?

This (or an up script) could be a solution, but I would first like to make sure that nothing can be done to change it client-side.

Konstantinos Merentitis

Jan 31, 2017, 12:46:10 PM
to Tunnelblick developer, tunnelblick-discuss
UPDATE:

I placed your changes in the original client.up.tunnelblick.sh and it seems to work!
  **********************************************
   Start of output from client.up.tunnelblick.sh
   route_vpn_gateway = '125.125.29.1'; forcing bRouteGatewayIsDhcp 'true'
   Did 'ipconfig set "tap0" DHCP'
   Did 'ipconfig set "tap0" AUTOMATIC-V6'
   Configuring tap DNS via DHCP asynchronously
   End of output from client.up.tunnelblick.sh
  **********************************************
I now get both IPv4/6 on my TAP adapter
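After the forced DHCP path runs `ipconfig set "tap0" AUTOMATIC-V6`, the practical question is whether the tap interface really received a global address from a router advertisement, rather than only the link-local fe80:: address every IPv6-enabled interface carries. The following added example (not code from the thread or from Tunnelblick) classifies the `inet6` lines of `ifconfig tap0` output to answer that; the function name and the sample outputs are constructed, the 2001:db8:: prefix is the documentation prefix, and it relies on macOS ifconfig marking SLAAC addresses with the `autoconf` flag.

```shell
#!/bin/sh
# Added example, not Tunnelblick's or the poster's code: classify the IPv6
# state of a tap interface from "ifconfig tap0" output, to confirm that a
# global address was obtained by router advertisement (SLAAC) and not just
# the link-local fe80:: address every IPv6-enabled interface gets.
# On macOS, ifconfig marks SLAAC addresses with the "autoconf" flag.

tap_ipv6_state() {
    autoconf=false
    static=false
    linklocal=false
    while read -r kw addr rest; do
        [ "$kw" = "inet6" ] || continue
        case "$addr" in
            fe80:*) linklocal=true ;;
            *)  case " $rest " in
                    *" autoconf "*) autoconf=true ;;
                    *)              static=true ;;
                esac ;;
        esac
    done <<EOF
$1
EOF
    if [ "$autoconf" = true ]; then
        echo global-autoconf      # IPv6 via router advertisement: what the thread wants
    elif [ "$static" = true ]; then
        echo global-static        # global address set by hand, not by an RA
    elif [ "$linklocal" = true ]; then
        echo link-local-only      # interface is up but no RA was accepted
    else
        echo none
    fi
}

# Constructed sample outputs (2001:db8::/32 is the documentation prefix;
# the IPv4 line mirrors the ifconfig line seen in the thread's log).
SAMPLE_RA='tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:11:22:33:44:55
    inet 125.125.29.109 netmask 0xffffff80 broadcast 125.125.29.127
    inet6 fe80::211:22ff:fe33:4455%tap0 prefixlen 64 scopeid 0xc
    inet6 2001:db8:29::211:22ff:fe33:4455 prefixlen 64 autoconf'

SAMPLE_NO_RA='tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:11:22:33:44:55
    inet 125.125.29.109 netmask 0xffffff80 broadcast 125.125.29.127
    inet6 fe80::211:22ff:fe33:4455%tap0 prefixlen 64 scopeid 0xc'

# On a real client, after connecting: tap_ipv6_state "$(ifconfig tap0)"
echo "with RA:    $(tap_ipv6_state "$SAMPLE_RA")"
echo "without RA: $(tap_ipv6_state "$SAMPLE_NO_RA")"
```

A "link-local-only" result after the connection is up is the state the poster saw before the script change: the interface exists and carries IPv4, but no router advertisement was processed because the tap device was never switched to AUTOMATIC-V6.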

Tunnelblick developer

Jan 31, 2017, 1:03:54 PM
to tunnelblick-discuss, jkbu...@gmail.com, meren...@gmail.com
Hmmm. I'm not sure why the changes didn't log before, but I'm glad they appear to work now.

However, I am concerned that means that IPv4 and IPv6 are both being set up via DHCP, and not by OpenVPN (for IPv4) and router advertisements (for IPv6).

There should be more output in the log (after the " End of output from client.up.tunnelblick.sh" message) that tells what is going on when the DHCP info comes in. (DHCP is processed asynchronously, after the script finishes, so the output from the processing comes after that log message).

As a modification of what I wrote earlier, I think the problem is that OpenVPN does not have a way to specify DHCP-like info should be taken from OpenVPN for IPv4 and by some other mechanism (DHCP or router advertisements) for IPv6.

Note: I could be wrong, but I think the OpenVPN logging level doesn't affect the up script's logging level, but in any case, it would not affect the extra logging message I inserted, which should have appeared no matter what.

meren...@gmail.com

Jan 31, 2017, 2:05:00 PM
to tunnelblick-discuss, jkbu...@gmail.com, meren...@gmail.com
I am attaching the full log:

2017-01-31 20:53:12 *Tunnelblick: openvpnstart starting OpenVPN

*Tunnelblick: OS X 10.12.2; Tunnelblick 3.7.1beta01 (build 4800); prior version 3.7.0beta01 (build 4780)
2017-01-31 20:53:12 *Tunnelblick: Attempting connection with casper using shadow copy; Set nameserver = 1281; monitoring connection
2017-01-31 20:53:12 *Tunnelblick: openvpnstart start casper.tblk 1338 1281 0 1 0 1589618 -ptADGNWradsgnw 2.4.0-libressl-2.5.0
2017-01-31 20:53:13 *Tunnelblick: openvpnstart log:
     Loading tap-signed.kext
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.0-libressl-2.5.0/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Suser1-SLibrary-SApplication Support-STunnelblick-SConfigurations-Scasper.tblk-SContents-SResources-Sconfig.ovpn.1281_0_1_0_1589618.1338.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources
          --verb
          5
          --config
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources/config.ovpn
          --verb
          5
          --cd
          /Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources
          --management
          127.0.0.1
          1338
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw
          --route-pre-down
          /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw

2017-01-31 20:53:13 us=53141 Current Parameter Settings:
2017-01-31 20:53:13 us=53294   config = '/Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources/config.ovpn'
2017-01-31 20:53:13 us=53301   mode = 0
2017-01-31 20:53:13 us=53306   show_ciphers = DISABLED
2017-01-31 20:53:13 us=53310   show_digests = DISABLED
2017-01-31 20:53:13 us=53314   show_engines = DISABLED
2017-01-31 20:53:13 us=53318   genkey = DISABLED
2017-01-31 20:53:13 us=53322   key_pass_file = '[UNDEF]'
2017-01-31 20:53:13 us=53325   show_tls_ciphers = DISABLED
2017-01-31 20:53:13 us=53329   connect_retry_max = 0
2017-01-31 20:53:13 us=53333 Connection profiles [0]:
2017-01-31 20:53:13 us=53339   proto = udp
2017-01-31 20:53:13 us=53344   local = '[UNDEF]'
2017-01-31 20:53:13 us=53348   local_port = '1194'
2017-01-31 20:53:13 us=53352   remote = '125.125.29.2'
2017-01-31 20:53:13 us=53356   remote_port = '1194'
2017-01-31 20:53:13 us=53360   remote_float = DISABLED
2017-01-31 20:53:13 us=53364   bind_defined = DISABLED
2017-01-31 20:53:13 us=53368   bind_local = ENABLED
2017-01-31 20:53:13 us=53372   bind_ipv6_only = DISABLED
2017-01-31 20:53:13 us=53376   connect_retry_seconds = 5
2017-01-31 20:53:13 us=53380   connect_timeout = 120
2017-01-31 20:53:13 us=53384   xormethod = 0
2017-01-31 20:53:13 us=53388   xormask = ''
2017-01-31 20:53:13 us=53392   xormasklen = 0
2017-01-31 20:53:13 us=53396   socks_proxy_server = '[UNDEF]'
2017-01-31 20:53:13 us=53400   socks_proxy_port = '[UNDEF]'
2017-01-31 20:53:13 us=53404   tun_mtu = 1500
2017-01-31 20:53:13 us=53408   tun_mtu_defined = ENABLED
2017-01-31 20:53:13 us=53412   link_mtu = 1500
2017-01-31 20:53:13 us=53416   link_mtu_defined = DISABLED
2017-01-31 20:53:13 us=53420   tun_mtu_extra = 32
2017-01-31 20:53:13 us=53424   tun_mtu_extra_defined = ENABLED
2017-01-31 20:53:13 us=53428   mtu_discover_type = -1
2017-01-31 20:53:13 us=53432   fragment = 0
2017-01-31 20:53:13 us=53436   mssfix = 1450
2017-01-31 20:53:13 us=53440   explicit_exit_notification = 0
2017-01-31 20:53:13 us=53444 Connection profiles END
2017-01-31 20:53:13 us=53447   remote_random = DISABLED
2017-01-31 20:53:13 us=53451   ipchange = '[UNDEF]'
2017-01-31 20:53:13 us=53455   dev = 'tap'
2017-01-31 20:53:13 us=53459   dev_type = '[UNDEF]'
2017-01-31 20:53:13 us=53463   dev_node = '[UNDEF]'
2017-01-31 20:53:13 us=53467   lladdr = '[UNDEF]'
2017-01-31 20:53:13 us=53471   topology = 1
2017-01-31 20:53:13 us=53475   ifconfig_local = '[UNDEF]'
2017-01-31 20:53:13 us=53481   ifconfig_remote_netmask = '[UNDEF]'
2017-01-31 20:53:13 us=53486   ifconfig_noexec = DISABLED
2017-01-31 20:53:13 us=53489   ifconfig_nowarn = DISABLED
2017-01-31 20:53:13 us=53494   ifconfig_ipv6_local = '[UNDEF]'
2017-01-31 20:53:13 us=53497   ifconfig_ipv6_netbits = 0
2017-01-31 20:53:13 us=53501   ifconfig_ipv6_remote = '[UNDEF]'
2017-01-31 20:53:13 us=53505   shaper = 0
2017-01-31 20:53:13 us=53509   mtu_test = 0
2017-01-31 20:53:13 us=53513   mlock = DISABLED
2017-01-31 20:53:13 us=53517   keepalive_ping = 0
2017-01-31 20:53:13 us=53521   keepalive_timeout = 0
2017-01-31 20:53:13 us=53525   inactivity_timeout = 0
2017-01-31 20:53:13 us=53529   ping_send_timeout = 0
2017-01-31 20:53:13 us=53533   ping_rec_timeout = 0
2017-01-31 20:53:13 us=53537   ping_rec_timeout_action = 0
2017-01-31 20:53:13 us=53541   ping_timer_remote = DISABLED
2017-01-31 20:53:13 us=53544   remap_sigusr1 = 0
2017-01-31 20:53:13 us=53548   persist_tun = DISABLED
2017-01-31 20:53:13 us=53552   persist_local_ip = DISABLED
2017-01-31 20:53:13 us=53556   persist_remote_ip = DISABLED
2017-01-31 20:53:13 us=53560   persist_key = DISABLED
2017-01-31 20:53:13 us=53564   passtos = DISABLED
2017-01-31 20:53:13 us=53568   resolve_retry_seconds = 1000000000
2017-01-31 20:53:13 us=53577   resolve_in_advance = DISABLED
2017-01-31 20:53:13 us=53582   username = '[UNDEF]'
2017-01-31 20:53:13 us=53586   groupname = '[UNDEF]'
2017-01-31 20:53:13 us=53590   chroot_dir = '[UNDEF]'
2017-01-31 20:53:13 us=53594   cd_dir = '/Library/Application Support/Tunnelblick/Users/user1/casper.tblk/Contents/Resources'
2017-01-31 20:53:13 us=53598   writepid = '[UNDEF]'
2017-01-31 20:53:13 us=53602   up_script = '/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw'
2017-01-31 20:53:13 us=53606   down_script = '/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw'
2017-01-31 20:53:13 us=53610   down_pre = DISABLED
2017-01-31 20:53:13 us=53614   up_restart = DISABLED
2017-01-31 20:53:13 us=53618   up_delay = DISABLED
2017-01-31 20:53:13 us=53622   daemon = ENABLED
2017-01-31 20:53:13 us=53628   inetd = 0
2017-01-31 20:53:13 us=53632   log = ENABLED
2017-01-31 20:53:13 us=53636   suppress_timestamps = DISABLED
2017-01-31 20:53:13 us=53640   machine_readable_output = DISABLED
2017-01-31 20:53:13 us=53644   nice = 0
2017-01-31 20:53:13 us=53648   verbosity = 5
2017-01-31 20:53:13 us=53652   mute = 0
2017-01-31 20:53:13 us=53656   status_file = '[UNDEF]'
2017-01-31 20:53:13 us=53660   status_file_version = 1
2017-01-31 20:53:13 us=53664   status_file_update_freq = 60
2017-01-31 20:53:13 us=53668   occ = ENABLED
2017-01-31 20:53:13 us=53671   rcvbuf = 0
2017-01-31 20:53:13 us=53675   sndbuf = 0
2017-01-31 20:53:13 us=53679   sockflags = 0
2017-01-31 20:53:13 us=53683   fast_io = DISABLED
2017-01-31 20:53:13 us=53687   comp.alg = 2
2017-01-31 20:53:13 us=53691   comp.flags = 1
2017-01-31 20:53:13 us=53695   route_script = '[UNDEF]'
2017-01-31 20:53:13 us=53699   route_default_gateway = '[UNDEF]'
2017-01-31 20:53:13 us=53703   route_default_metric = 0
2017-01-31 20:53:13 us=53707   route_noexec = DISABLED
2017-01-31 20:53:13 us=53711   route_delay = 0
2017-01-31 20:53:13 us=53716   route_delay_window = 30
2017-01-31 20:53:13 us=53720   route_delay_defined = DISABLED
2017-01-31 20:53:13 us=53724   route_nopull = DISABLED
2017-01-31 20:53:13 us=53728   route_gateway_via_dhcp = DISABLED
2017-01-31 20:53:13 us=53732   allow_pull_fqdn = DISABLED
2017-01-31 20:53:13 us=53736   management_addr = '127.0.0.1'
2017-01-31 20:53:13 us=53740   management_port = '1338'
2017-01-31 20:53:13 us=53745   management_user_pass = '[UNDEF]'
2017-01-31 20:53:13 us=53749   management_log_history_cache = 250
2017-01-31 20:53:13 us=53753   management_echo_buffer_size = 100
2017-01-31 20:53:13 us=53758   management_write_peer_info_file = '[UNDEF]'
2017-01-31 20:53:13 us=53762   management_client_user = '[UNDEF]'
2017-01-31 20:53:13 us=53766   management_client_group = '[UNDEF]'
2017-01-31 20:53:13 us=53771   management_flags = 6
2017-01-31 20:53:13 us=53775   shared_secret_file = '[UNDEF]'
2017-01-31 20:53:13 us=53779   key_direction = 0
2017-01-31 20:53:13 us=53783   ciphername = 'BF-CBC'
2017-01-31 20:53:13 us=53787   ncp_enabled = ENABLED
2017-01-31 20:53:13 us=53791   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2017-01-31 20:53:13 us=53796   authname = 'SHA1'
2017-01-31 20:53:13 us=53800   prng_hash = 'SHA1'
2017-01-31 20:53:13 us=53804   prng_nonce_secret_len = 16
2017-01-31 20:53:13 us=53808   keysize = 0
2017-01-31 20:53:13 us=53812   engine = DISABLED
2017-01-31 20:53:13 us=53816   replay = ENABLED
2017-01-31 20:53:13 us=53820   mute_replay_warnings = ENABLED
2017-01-31 20:53:13 us=53824   replay_window = 64
2017-01-31 20:53:13 us=53828   replay_time = 15
2017-01-31 20:53:13 us=53832   packet_id_file = '[UNDEF]'
2017-01-31 20:53:13 us=53836   use_iv = ENABLED
2017-01-31 20:53:13 us=53841   test_crypto = DISABLED
2017-01-31 20:53:13 us=53849   tls_server = DISABLED
2017-01-31 20:53:13 us=53854   tls_client = ENABLED
2017-01-31 20:53:13 us=53858   key_method = 2
2017-01-31 20:53:13 us=53862   ca_file = 'ca.crt'
2017-01-31 20:53:13 us=53866   ca_path = '[UNDEF]'
2017-01-31 20:53:13 us=53872   dh_file = '[UNDEF]'
2017-01-31 20:53:13 us=53876   cert_file = '[UNDEF]'
2017-01-31 20:53:13 us=53880   extra_certs_file = '[UNDEF]'
2017-01-31 20:53:13 us=53884   priv_key_file = '[UNDEF]'
2017-01-31 20:53:13 us=53888   pkcs12_file = '[UNDEF]'
2017-01-31 20:53:13 us=53892   cipher_list = '[UNDEF]'
2017-01-31 20:53:13 us=53896   tls_verify = '[UNDEF]'
2017-01-31 20:53:13 us=53900   tls_export_cert = '[UNDEF]'
2017-01-31 20:53:13 us=53904   verify_x509_type = 2
2017-01-31 20:53:13 us=53908   verify_x509_name = 'xxx'
2017-01-31 20:53:13 us=53912   crl_file = '[UNDEF]'
2017-01-31 20:53:13 us=53916   ns_cert_type = 0
2017-01-31 20:53:13 us=53920   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53925   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53929   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53932   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53936   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53940   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53944   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53948   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53952   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53956   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53960   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53964   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53967   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53971   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53975   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53979   remote_cert_ku[i] = 0
2017-01-31 20:53:13 us=53983   remote_cert_eku = '[UNDEF]'
2017-01-31 20:53:13 us=53987   ssl_flags = 0
2017-01-31 20:53:13 us=53991   tls_timeout = 2
2017-01-31 20:53:13 us=53995   renegotiate_bytes = -1
2017-01-31 20:53:13 us=53999   renegotiate_packets = 0
2017-01-31 20:53:13 us=54003   renegotiate_seconds = 3600
2017-01-31 20:53:13 us=54007   handshake_window = 60
2017-01-31 20:53:13 us=54011   transition_window = 3600
2017-01-31 20:53:13 us=54015   single_session = DISABLED
2017-01-31 20:53:13 us=54019   push_peer_info = DISABLED
2017-01-31 20:53:13 us=54023   tls_exit = DISABLED
2017-01-31 20:53:13 us=54027   tls_auth_file = '[UNDEF]'
2017-01-31 20:53:13 us=54031   tls_crypt_file = '[UNDEF]'
2017-01-31 20:53:13 us=54035   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54039   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54044   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54048   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54052   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54056   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54060   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54064   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54068   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54072   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54076   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54080   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54084   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54088   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54093   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54097   pkcs11_protected_authentication = DISABLED
2017-01-31 20:53:13 us=54101   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54105   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54114   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54118   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54122   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54126   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54130   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54134   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54138   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54142   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54146   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54150   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54155   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54159   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54163   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54167   pkcs11_private_mode = 00000000
2017-01-31 20:53:13 us=54171   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54174   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54178   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54182   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54186   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54190   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54194   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54198   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54202   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54206   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54210   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54214   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54218   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54222   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54226   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54230   pkcs11_cert_private = DISABLED
2017-01-31 20:53:13 us=54234   pkcs11_pin_cache_period = -1
2017-01-31 20:53:13 us=54239   pkcs11_id = '[UNDEF]'
2017-01-31 20:53:13 us=54243   pkcs11_id_management = DISABLED
2017-01-31 20:53:13 us=54259   server_network = 0.0.0.0
2017-01-31 20:53:13 us=54264   server_netmask = 0.0.0.0
2017-01-31 20:53:13 us=54278   server_network_ipv6 = ::
2017-01-31 20:53:13 us=54282   server_netbits_ipv6 = 0
2017-01-31 20:53:13 us=54287   server_bridge_ip = 0.0.0.0
2017-01-31 20:53:13 us=54291   server_bridge_netmask = 0.0.0.0
2017-01-31 20:53:13 us=54296   server_bridge_pool_start = 0.0.0.0
2017-01-31 20:53:13 us=54301   server_bridge_pool_end = 0.0.0.0
2017-01-31 20:53:13 us=54305   ifconfig_pool_defined = DISABLED
2017-01-31 20:53:13 us=54309   ifconfig_pool_start = 0.0.0.0
2017-01-31 20:53:13 us=54314   ifconfig_pool_end = 0.0.0.0
2017-01-31 20:53:13 us=54319   ifconfig_pool_netmask = 0.0.0.0
2017-01-31 20:53:13 us=54323   ifconfig_pool_persist_filename = '[UNDEF]'
2017-01-31 20:53:13 us=54327   ifconfig_pool_persist_refresh_freq = 600
2017-01-31 20:53:13 us=54331   ifconfig_ipv6_pool_defined = DISABLED
2017-01-31 20:53:13 us=54336   ifconfig_ipv6_pool_base = ::
2017-01-31 20:53:13 us=54340   ifconfig_ipv6_pool_netbits = 0
2017-01-31 20:53:13 us=54344   n_bcast_buf = 256
2017-01-31 20:53:13 us=54348   tcp_queue_limit = 64
2017-01-31 20:53:13 us=54352   real_hash_size = 256
2017-01-31 20:53:13 us=54356   virtual_hash_size = 256
2017-01-31 20:53:13 us=54360   client_connect_script = '[UNDEF]'
2017-01-31 20:53:13 us=54364   learn_address_script = '[UNDEF]'
2017-01-31 20:53:13 us=54369   client_disconnect_script = '[UNDEF]'
2017-01-31 20:53:13 us=54373   client_config_dir = '[UNDEF]'
2017-01-31 20:53:13 us=54377   ccd_exclusive = DISABLED
2017-01-31 20:53:13 us=54381   tmp_dir = '/var/folders/rn/mc4_2pn532s2n_77fbjlk31h0000gn/T/'
2017-01-31 20:53:13 us=54387   push_ifconfig_defined = DISABLED
2017-01-31 20:53:13 us=54397   push_ifconfig_local = 0.0.0.0
2017-01-31 20:53:13 us=54402   push_ifconfig_remote_netmask = 0.0.0.0
2017-01-31 20:53:13 us=54406   push_ifconfig_ipv6_defined = DISABLED
2017-01-31 20:53:13 us=54411   push_ifconfig_ipv6_local = ::/0
2017-01-31 20:53:13 us=54415   push_ifconfig_ipv6_remote = ::
2017-01-31 20:53:13 us=54419   enable_c2c = DISABLED
2017-01-31 20:53:13 us=54423   duplicate_cn = DISABLED
2017-01-31 20:53:13 us=54427   cf_max = 0
2017-01-31 20:53:13 us=54431   cf_per = 0
2017-01-31 20:53:13 us=54435   max_clients = 1024
2017-01-31 20:53:13 us=54439   max_routes_per_client = 256
2017-01-31 20:53:13 us=54444   auth_user_pass_verify_script = '[UNDEF]'
2017-01-31 20:53:13 us=54448   auth_user_pass_verify_script_via_file = DISABLED
2017-01-31 20:53:13 us=54452   auth_token_generate = DISABLED
2017-01-31 20:53:13 us=54456   auth_token_lifetime = 0
2017-01-31 20:53:13 us=54460   port_share_host = '[UNDEF]'
2017-01-31 20:53:13 us=54464   port_share_port = '[UNDEF]'
2017-01-31 20:53:13 us=54468   client = DISABLED
2017-01-31 20:53:13 us=54472   pull = ENABLED
2017-01-31 20:53:13 us=54476   auth_user_pass_file = 'stdin'
2017-01-31 20:53:13 us=54481 OpenVPN 2.4.0 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 30 2017
2017-01-31 20:53:13 us=54490 library versions: LibreSSL 2.5.0, LZO 2.09
2017-01-31 20:53:13 us=55682 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2017-01-31 20:53:13 us=55793 Need hold release from management interface, waiting...
2017-01-31 20:53:13 us=950609 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2017-01-31 20:53:14 *Tunnelblick: Established communication with OpenVPN
2017-01-31 20:53:14 *Tunnelblick: Obtained VPN username and password from the Keychain
2017-01-31 20:53:14 us=45436 MANAGEMENT: CMD 'pid'
2017-01-31 20:53:14 us=45684 MANAGEMENT: CMD 'state on'
2017-01-31 20:53:14 us=45877 MANAGEMENT: CMD 'state'
2017-01-31 20:53:14 us=46031 MANAGEMENT: CMD 'bytecount 1'
2017-01-31 20:53:14 us=46122 MANAGEMENT: CMD 'hold release'
2017-01-31 20:53:14 us=74017 MANAGEMENT: CMD 'username "Auth" "user1"'
2017-01-31 20:53:14 us=74234 MANAGEMENT: CMD 'password [...]'
2017-01-31 20:53:14 us=75452 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-01-31 20:53:14 us=85634 LZO compression initializing
2017-01-31 20:53:14 us=86007 Control Channel MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2017-01-31 20:53:14 us=89637 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
2017-01-31 20:53:14 us=90090 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2017-01-31 20:53:14 us=90201 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2017-01-31 20:53:14 us=90310 TCP/UDP: Preserving recently used remote address: [AF_INET]125.125.29.2:1194
2017-01-31 20:53:14 us=90578 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-01-31 20:53:14 us=90841 UDP link local (bound): [AF_INET][undef]:1194
2017-01-31 20:53:14 us=90966 UDP link remote: [AF_INET]125.125.29.2:1194
2017-01-31 20:53:14 us=91359 MANAGEMENT: >STATE:1485888794,WAIT,,,,,,
                                        WRTue Jan 31 20:53:14 2017 us=134700 MANAGEMENT: >STATE:1485888794,AUTH,,,,,,
2017-01-31 20:53:14 us=134794 TLS: Initial packet from [AF_INET]125.125.29.2:1194, sid=42930463 93d4729d
                                        WTue Jan 31 20:53:14 2017 us=134960 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                                        WRWRTue Jan 31 20:53:14 2017 us=160796 VERIFY OK: depth=1, xxx
2017-01-31 20:53:14 us=161124 VERIFY X509NAME OK: xxx
2017-01-31 20:53:14 us=161189 VERIFY OK: depth=0, xxx
                                        WRWRWRWTue Jan 31 20:53:14 2017 us=389792 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-01-31 20:53:14 us=390683 [xxx] Peer Connection Initiated with [AF_INET]125.125.29.2:1194
2017-01-31 20:53:15 us=710493 MANAGEMENT: >STATE:1485888795,GET_CONFIG,,,,,,
2017-01-31 20:53:15 us=710805 SENT CONTROL [xxx]: 'PUSH_REQUEST' (status=1)
                                        RTue Jan 31 20:53:16 2017 us=93728 PUSH: Received control message: 'PUSH_REPLY,route remote_host 255.255.255.255 net_gateway,route 125.125.28.0 255.255.254.0 125.125.29.1,route-gateway 125.125.29.1,ping 5,ping-restart 15,ifconfig 125.125.29.109 255.255.255.128,peer-id 0,cipher AES-256-GCM'
2017-01-31 20:53:16 us=94148 OPTIONS IMPORT: timers and/or timeouts modified
2017-01-31 20:53:16 us=94662 OPTIONS IMPORT: --ifconfig/up options modified
2017-01-31 20:53:16 us=94735 OPTIONS IMPORT: route options modified
2017-01-31 20:53:16 us=94782 OPTIONS IMPORT: route-related options modified
2017-01-31 20:53:16 us=94828 OPTIONS IMPORT: peer-id set
2017-01-31 20:53:16 us=94875 OPTIONS IMPORT: adjusting link_mtu to 1657
2017-01-31 20:53:16 us=94921 OPTIONS IMPORT: data channel crypto options modified
2017-01-31 20:53:16 us=94984 Data Channel MTU parms [ L:1585 D:1450 EF:53 EB:411 ET:32 EL:3 ]
2017-01-31 20:53:16 us=95110 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-01-31 20:53:16 us=95167 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-01-31 20:53:16 us=95665 TUN/TAP device /dev/tap0 opened
2017-01-31 20:53:16 us=96330 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-01-31 20:53:16 us=96419 MANAGEMENT: >STATE:1485888796,ASSIGN_IP,,125.125.29.109,,,,
2017-01-31 20:53:16 us=96530 /sbin/ifconfig tap0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-01-31 20:53:16 us=103670 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-01-31 20:53:16 us=104271 /sbin/ifconfig tap0 125.125.29.109 netmask 255.255.255.128 mtu 1500 up
2017-01-31 20:53:16 us=110938 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1585 125.125.29.109 255.255.255.128 init

                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        route_vpn_gateway = '125.125.29.1'; forcing bRouteGatewayIsDhcp 'true'
                                        Did 'ipconfig set "tap0" DHCP'
                                        Did 'ipconfig set "tap0" AUTOMATIC-V6'

                                        Configuring tap DNS via DHCP asynchronously
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2017-01-31 20:53:18 *Tunnelblick: No 'connected.sh' script to execute
2017-01-31 20:53:18 us=250591 MANAGEMENT: >STATE:1485888798,ADD_ROUTES,,,,,,
2017-01-31 20:53:18 us=250733 /sbin/route add -net 125.125.29.2 192.168.2.1 255.255.255.255
                                        add net 125.125.29.2: gateway 192.168.2.1
2017-01-31 20:53:18 us=255478 /sbin/route add -net 125.125.28.0 125.125.29.1 255.255.254.0

                                        add net 125.125.28.0: gateway 125.125.29.1
2017-01-31 20:53:18 us=259970 Initialization Sequence Completed
2017-01-31 20:53:18 us=260155 MANAGEMENT: >STATE:1485888798,CONNECTED,SUCCESS,125.125.29.109,125.125.29.2,1194,,
                                        RwrWrWSleeping for 0 seconds to wait for DHCP to finish setup.
                                        rWrWSleeping for 1 seconds to wait for DHCP to finish setup.
                                        rWrWRetrieved from DHCP/BOOTP packet: name server(s) [ 177.177.211.34 125.125.29.11 177.177.210.210 ], domain name [ xxx..admin.xxx ], search domain(s) [  ] and SMB server(s) [  ]
                                        rWRwNot aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'xxx..admin.xxx' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        RwrWrWRwrWRwrWrWRwrWrWRwrWrWRwrWrWRwrWrWSaved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '192.168.2.192 192.168.2.1' to '177.177.211.34 125.125.29.11 177.177.210.210'
                                        Changed DNS SearchDomains setting from '' to 'xxx..admin.xxx'
                                        Changed DNS DomainName setting from 'lan' to 'xxx..admin.xxx'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '177.177.211.34 125.125.29.11 177.177.210.210' will be used for DNS queries when the VPN is active
                                        RwrWrWrWrWrWNOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.

                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        RwrWrWRwrWrWRwrWrWrWrWNotified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
2017-01-31 20:53:23 *Tunnelblick: This computer's apparent public IP address (22.22.76.218) was unchanged after the connection was made
2017-01-31 20:53:28 *Tunnelblick process-network-changes: A system configuration change was ignored



Tunnelblick developer
Jan 31, 2017, 2:43:48 PM
to tunnelblick-discuss, jkbu...@gmail.com, meren...@gmail.com
So this is what happens when the DHCP info comes in (stripped of extraneous text):

Retrieved from DHCP/BOOTP packet: name server(s) [ 177.177.211.34 125.125.29.11 177.177.210.210 ], domain name [ xxx..admin.xxx ], search domain(s) [  ] and SMB server(s) [  ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to 'xxx..admin.xxx' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '192.168.2.192 192.168.2.1' to '177.177.211.34 125.125.29.11 177.177.210.210'
Changed DNS SearchDomains setting from '' to 'xxx..admin.xxx'
Changed DNS DomainName setting from 'lan' to 'xxx..admin.xxx'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers '177.177.211.34 125.125.29.11 177.177.210.210' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes

The DHCP info doesn't include any IPv6 info, only IPv4 info. So Tunnelblick is not doing anything to set up IPv6, and it is setting up DNS, domain, and search domains from the DHCP info. I don't know if that's what you want. (The OpenVPN configuration isn't "pushing" any such info, so maybe it is what you want.)

How is Tunnelblick supposed to know that it should use DHCP for the tap interface? That is, what OpenVPN option tells Tunnelblick that it should use DHCP for the tap interface? That's an OpenVPN question.

Konstantinos Merentitis
Feb 8, 2017, 6:54:47 AM
to Tunnelblick developer, tunnelblick-discuss
On 31 Jan 2017, at 21:43, Tunnelblick developer <jkbu...@gmail.com> wrote:

> So this is what happens when the DHCP info comes in (stripped of extraneous text):
>
> Retrieved from DHCP/BOOTP packet: name server(s) [ 177.177.211.34 125.125.29.11 177.177.210.210 ], domain name [ xxx..admin.xxx ], search domain(s) [  ] and SMB server(s) [  ]
> Not aggregating ServerAddresses because running on OS X 10.6 or higher
> Setting search domains to 'xxx..admin.xxx' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
> Saved the DNS and SMB configurations so they can be restored
> Changed DNS ServerAddresses setting from '192.168.2.192 192.168.2.1' to '177.177.211.34 125.125.29.11 177.177.210.210'
> Changed DNS SearchDomains setting from '' to 'xxx..admin.xxx'
> Changed DNS DomainName setting from 'lan' to 'xxx..admin.xxx'
> Did not change SMB NetBIOSName setting of ''
> Did not change SMB Workgroup setting of ''
> Did not change SMB WINSAddresses setting of ''
> DNS servers '177.177.211.34 125.125.29.11 177.177.210.210' will be used for DNS queries when the VPN is active
> NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
> Flushed the DNS cache via dscacheutil
> /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
> Notified mDNSResponder that the DNS cache was flushed
> Setting up to monitor system configuration with process-network-changes

> The DHCP info doesn't include any IPv6 info, only IPv4 info. So Tunnelblick is not doing anything to set up IPv6, and it is setting up DNS, domain, and search domains from the DHCP info.
IPv4 address, subnet mask and gateway are set through OpenVPN config though, and before the client.up script:

2017-01-31 20:53:16 us=103670 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-01-31 20:53:16 us=104271 /sbin/ifconfig tap0 125.125.29.109 netmask 255.255.255.128 mtu 1500 up
2017-01-31 20:53:16 us=110938 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -6 -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1585 125.125.29.109 255.255.255.128 init 
Is this the expected behavior after the script's bRouteGatewayIsDhcp="true" change?

> I don't know if that's what you want. (The OpenVPN configuration isn't "pushing" any such info, so maybe it is what you want.)
Well, it is not exactly what I want. I wouldn't like my DHCP server to be involved and would rather let OpenVPN/Tunnelblick handle the IP configuration.

> How is Tunnelblick supposed to know that it should use DHCP for the tap interface? That is, what OpenVPN option tells Tunnelblick that it should use DHCP for the tap interface? That's an OpenVPN question.
This is done by using --server-bridge without any parameters (disabling the ifconfig-pool); that's what I tried in the first place, but again, as I said, I wouldn't want this as I would like OpenVPN to handle the IP configuration for IPv4.

Is there a way to set up the following separately by forcing only "AUTOMATIC-V6" but not "DHCP" (which applies to v4, I suppose)?

route_vpn_gateway = '125.125.29.1'; forcing bRouteGatewayIsDhcp 'true'
Did 'ipconfig set "tap0" DHCP'
Did 'ipconfig set "tap0" AUTOMATIC-V6'

Thank you
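The split asked for above (keep the IPv4 address OpenVPN already assigned with ifconfig, add only AUTOMATIC-V6 for IPv6), written as an added OpenVPN --up hook for macOS. This is example code, not Tunnelblick's client.up.tunnelblick.sh and not anything posted in the thread; it assumes it runs in place of Tunnelblick's script, receives the standard --up arguments seen in the log (dev tun_mtu link_mtu ifconfig_local ifconfig_netmask context), and keys the decision on whether OpenVPN passed an ifconfig_local address, which is a choice made here rather than Tunnelblick's route_vpn_gateway test.

```shell
#!/bin/sh
# Added example (not Tunnelblick's client.up script): an OpenVPN --up hook for a
# bridged TAP interface on macOS that keeps the IPv4 address OpenVPN pushed via
# ifconfig and only enables IPv6 autoconfiguration (SLAAC from the bridged LAN's
# router advertisements), instead of Tunnelblick's "DHCP + AUTOMATIC-V6" pair.
set -eu

# Decide which `ipconfig set` modes the interface needs.
# $1: ifconfig_local as OpenVPN passes it to --up (empty if OpenVPN assigned no IPv4).
# Prints one mode per line.
choose_ipconfig_modes() {
    ifconfig_local="${1:-}"
    if [ -n "$ifconfig_local" ]; then
        # OpenVPN already ran `ifconfig tapN <addr> netmask <mask> up`. Starting a
        # DHCP client as well would let the LAN's DHCP server replace that address
        # and the DNS settings, so request only IPv6 autoconfiguration.
        printf '%s\n' AUTOMATIC-V6
    else
        # Nothing assigned by OpenVPN (e.g. server-bridge without an address pool):
        # take both address families from the bridged LAN.
        printf '%s\n' DHCP AUTOMATIC-V6
    fi
}

# Apply the modes. The real `ipconfig set` (the command the thread's log shows) runs
# only on macOS, as root, and when the interface exists; anywhere else the command is
# echoed so the hook can be dry-run and tested off the VPN host.
apply_ipconfig_modes() {
    dev="$1"; shift
    for mode in "$@"; do
        if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ] \
           && ifconfig "$dev" >/dev/null 2>&1; then
            ipconfig set "$dev" "$mode"
        else
            printf 'would run: ipconfig set %s %s\n' "$dev" "$mode"
        fi
    done
}

# OpenVPN invokes --up with: dev tun_mtu link_mtu ifconfig_local ifconfig_netmask context
# (compare "tap0 1500 1585 125.125.29.109 255.255.255.128 init" in the log above).
up_hook() {
    dev="$1"
    ifconfig_local="${4:-}"
    context="${6:-init}"
    # Operator note: AUTOMATIC-V6 makes this host accept router advertisements that
    # arrive over the VPN bridge, so the remote LAN decides its IPv6 prefix, default
    # route and (via RDNSS) resolvers. Use it only on a bridge you control.
    modes=$(choose_ipconfig_modes "$ifconfig_local")
    # shellcheck disable=SC2086  # splitting $modes on newlines is intended
    apply_ipconfig_modes "$dev" $modes
    printf '%s: %s configured with: %s\n' "$context" "$dev" \
        "$(printf '%s' "$modes" | tr '\n' ' ')"
}

# Run as a hook only when OpenVPN supplies arguments; sourcing it defines the functions.
if [ $# -gt 0 ]; then
    up_hook "$@"
fi
```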

