Tunnelblick - Waiting for server response

atla goutham

Jun 22, 2015, 10:01:07 AM
to tunnelbli...@googlegroups.com
Dear all,

I am unable to connect to server. It says "Waiting for server response". Here is my log file. I reinstalled Tunnelblick and also removed the user and group lines as suggested in some other post, but no use.
log.txt

jkbull...gmail.com

Jun 22, 2015, 10:15:13 AM
to tunnelbli...@googlegroups.com, goutha...@gmail.com
Were you ever able to connect to this server or is this a new setup?

atla goutham

Jun 22, 2015, 10:18:23 AM
to tunnelbli...@googlegroups.com, goutha...@gmail.com
Yes. I used to connect. But I changed network recently. I am using university network now. Does this have any restrictions?

jkbull...gmail.com

Jun 22, 2015, 10:29:55 AM
to tunnelbli...@googlegroups.com, goutha...@gmail.com
Your university – or any network provider – could be blocking access to VPNs. You will have to ask your university about that.

If you control the VPN server and can change its configuration, you could try
  • Using a different port (not 1194) as the OpenVPN port (what port to use depends on what else the server is doing); or

  • The "scramble obfuscate" option to avoid the blocking, see Tunnelblick openvpn_xorpatch.

atla goutham

Jun 22, 2015, 11:50:25 AM
to tunnelbli...@googlegroups.com, goutha...@gmail.com
YES. It seems to be the problem with university network. How do I apply the patch?

jkbull...gmail.com

Jun 22, 2015, 12:26:38 PM
to tunnelbli...@googlegroups.com, goutha...@gmail.com
You don't "apply the patch" to Tunnelblick, you just need to use Tunnelblick 3.6beta06 or later; the patched version of OpenVPN will be used automatically.

You do need to apply the patch to your VPN server (which may not be possible or practical). To do that you must be able to patch and build OpenVPN and install the patched version on your VPN server. You'll have to search the web for instructions on how to do that. See https://forums.openvpn.net/topic12605.html for the original discussion (but don't use the supplied patch, use a patch from Tunnelblick openvpn_xorpatch instead (it includes important changes to the patch)). That page has versions of the patch for OpenVPN 2.3.6 and 2.3.7.


Then you just put the "scramble obfuscate XXXXXX" (where XXXX is the key) in both the server and the client configuration files.

atla goutham

Jun 23, 2015, 4:39:40 AM
to tunnelbli...@googlegroups.com
I have installed the 3.6beta06 but the problem seems to persist. Here is the log:

*Tunnelblick: OS X 10.10.3; Tunnelblick 3.6beta06 (build 4346); prior version 3.5.2 (build 4270.4346); Admin user

Configuration client

"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/client.tblk:

client
dev tun
proto udp
remote vpn.ncbs.res.in 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ashwinim.crt
key ashwinim.key
ns-cert-type server
tls-auth auth.key 1
comp-lzo
verb 3


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) <Linked Against>
  143    3 0xffffff7f82d08000 0x58000    0x58000    org.virtualbox.kext.VBoxDrv (4.3.26) <7 5 4 3 1>
  144    0 0xffffff7f82d60000 0x8000     0x8000     org.virtualbox.kext.VBoxUSB (4.3.26) <143 100 39 7 5 4 3 1>
  145    0 0xffffff7f82d68000 0x5000     0x5000     org.virtualbox.kext.VBoxNetFlt (4.3.26) <143 7 5 4 3 1>
  146    0 0xffffff7f82d6d000 0x6000     0x6000     org.virtualbox.kext.VBoxNetAdp (4.3.26) <143 5 4 1>

================================================================================

There are no unusual files in client.tblk

================================================================================

Configuration preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
-lastConnectionSucceeded = 0

================================================================================

Wildcard preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1

================================================================================

Program preferences:

launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.6beta06 (build 4346)",
    "3.5.2 (build 4270.4346)",
    "3.5.0 (build 4265)",
    "3.4.2 (build 4055.4161)"
)
lastLaunchTime = 456741430.766704
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = client
keyboardShortcutIndex = 1
namedCredentialsThatAllConfigurationsUse = Common
updateCheckAutomatically = 0
updateSendProfileInfo = 0
NSWindow Frame ConnectingWindow = 445 455 389 187 0 0 1280 777 
detailsWindowFrameVersion = 4346
detailsWindowFrame = {{182, 245}, {912, 467}}
detailsWindowLeftFrame = {{0, 0}, {164, 350}}
leftNavSelectedDisplayName = client
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 0
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 0
SULastCheckTime = 2015-04-16 16:24:55 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = Lucida Grande

================================================================================

Tunnelblick Log:

2015-06-23 10:37:19 *Tunnelblick: OS X 10.10.3; Tunnelblick 3.6beta06 (build 4346); prior version 3.5.2 (build 4270.4346)
2015-06-23 10:37:20 *Tunnelblick: Attempting connection with client; Set nameserver = 1; monitoring connection
2015-06-23 10:37:20 *Tunnelblick: openvpnstart start client.tblk 1337 1 0 3 0 16688 -ptADGNWradsgnw 2.3.6
2015-06-23 10:37:20 *Tunnelblick: openvpnstart starting OpenVPN
2015-06-23 10:37:21 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.6/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sclient.tblk-SContents-SResources-Sconfig.ovpn.1_0_3_0_16688.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/client.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Shared/client.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Shared/client.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw

2015-06-23 10:37:21 *Tunnelblick: Established communication with OpenVPN
2015-06-23 10:37:21 OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jun 12 2015
2015-06-23 10:37:21 library versions: OpenSSL 1.0.2c 12 Jun 2015, LZO 2.09
2015-06-23 10:37:21 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2015-06-23 10:37:21 Need hold release from management interface, waiting...
2015-06-23 10:37:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2015-06-23 10:37:21 MANAGEMENT: CMD 'pid'
2015-06-23 10:37:21 MANAGEMENT: CMD 'state on'
2015-06-23 10:37:21 MANAGEMENT: CMD 'state'
2015-06-23 10:37:21 MANAGEMENT: CMD 'bytecount 1'
2015-06-23 10:37:21 MANAGEMENT: CMD 'hold release'
2015-06-23 10:37:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2015-06-23 10:37:21 Control Channel Authentication: using 'auth.key' as a OpenVPN static key file
2015-06-23 10:37:21 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2015-06-23 10:37:21 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2015-06-23 10:37:21 Socket Buffers: R=[196724->65536] S=[9216->65536]
2015-06-23 10:37:21 MANAGEMENT: >STATE:1435048641,RESOLVE,,,
2015-06-23 10:37:21 UDPv4 link local: [undef]
2015-06-23 10:37:21 UDPv4 link remote: [AF_INET]158.144.176.252:1194
2015-06-23 10:37:21 MANAGEMENT: >STATE:1435048641,WAIT,,,
2015-06-23 10:38:11 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2015-06-23 10:38:11 *Tunnelblick: Disconnecting using 'kill'
2015-06-23 10:38:11 event_wait : Interrupted system call (code=4)
2015-06-23 10:38:11 SIGTERM[hard,] received, process exiting
2015-06-23 10:38:11 MANAGEMENT: >STATE:1435048691,EXITING,SIGTERM,,
2015-06-23 10:38:13 *Tunnelblick: No 'post-disconnect.sh' script to execute
2015-06-23 10:38:13 *Tunnelblick: Expected disconnection occurred.

================================================================================

"Sanitized" full configuration file

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.ncbs.res.in 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert ashwinim.crt
key ashwinim.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth auth.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20




================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128 
inet 127.0.0.1 netmask 0xff000000 
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
ether ac:87:a3:09:d5:94 
nd6 options=1<PERFORMNUD>
media: autoselect (none)
status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether d8:bb:2c:b7:70:12 
inet6 fe80::dabb:2cff:feb7:7012%en1 prefixlen 64 scopeid 0x5 
inet 192.168.177.227 netmask 0xfffff800 broadcast 192.168.183.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr 28:0b:5c:ff:fe:2b:07:da 
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::2a0b:5cff:fe2b:7da%fw0 prefixlen 64 scopeid 0x6 
nd6 options=1<PERFORMNUD>
media: autoselect <full-duplex>
status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether d2:00:12:b0:7d:a0 
media: autoselect <full-duplex>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 0a:bb:2c:b7:70:12 
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1452
ether 12:1c:57:a6:eb:1e 
inet6 fe80::101c:57ff:fea6:eb1e%awdl0 prefixlen 64 scopeid 0x9 
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
bridge0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether ae:87:a3:90:c9:00 
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en2 flags=3<LEARNING,DISCOVER>
       ifmaxaddr 0 port 7 priority 0 path cost 0
media: <unknown type>
status: inactive
bridge100: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=3<RXCSUM,TXCSUM>
ether ae:87:a3:90:c9:64 
inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
inet6 fe80::ac87:a3ff:fe90:c964%bridge100 prefixlen 64 scopeid 0xb 
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en0 flags=3<LEARNING,DISCOVER>
       ifmaxaddr 0 port 4 priority 0 path cost 0
nd6 options=1<PERFORMNUD>
media: <unknown type>
status: inactive

================================================================================

Console Log:

2015-06-23 10:30:50 kernel[0] hfs: mounted Tunnelblick on device disk3s1
2015-06-23 10:30:50 mds[58] (Volume.Normal:2464) volume:0x7fd2bc086000 ********** Bootstrapped Creating a default store:1 SpotLoc:(null) SpotVerLoc:(null) occlude:0 /Volumes/Tunnelblick
2015-06-23 10:31:06 Tunnelblick[12210] Tunnelblick cannot run when it is on /Volumes because the volume has the MNT_NOSUID statfs flag set.
2015-06-23 10:31:15 Tunnelblick[7025] SIGTERM (signal 15) received
2015-06-23 10:31:15 Tunnelblick[7025] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2015-06-23 10:31:16 Tunnelblick[7025] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...
2015-06-23 10:31:16 Tunnelblick[7025] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...
2015-06-23 10:31:17 Tunnelblick[7025] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...
2015-06-23 10:31:17 tunnelblickd[12222] Status = 0 from tunnelblick-helper command 'deleteLogs'
2015-06-23 10:31:17 Tunnelblick[7025] Finished shutting down Tunnelblick; allowing termination
2015-06-23 10:31:17 Tunnelblick[12210] Beginning installation or repair
2015-06-23 10:31:18 authexec[12224] executing /Volumes/Tunnelblick/Tunnelblick.app/Contents/Resources/installer
2015-06-23 10:31:31 Tunnelblick[12210] Installation or repair succeeded; Log:
                                       Tunnelblick installer started 2015-06-23 10:31:18. 1 arguments: 0x0017
                                       Moved /Applications/Tunnelblick.app to the Trash
                                       Copied /Volumes/Tunnelblick/Tunnelblick.app to /Applications/Tunnelblick.app
                                       Changed ownership of /Applications/Tunnelblick.app and its contents from 501:20 to 0:0
                                       Used launchctl to load tunnelblickd
                                       Tunnelblick installer finished without error
2015-06-23 10:31:32 Tunnelblick[12210] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2015-06-23 10:31:33 Tunnelblick[12210] Finished shutting down Tunnelblick; allowing termination
2015-06-23 10:31:36 WindowServer[261] disable_update_timeout: UI updates were forcibly disabled by application "Tunnelblick" for over 1.00 seconds. Server has re-enabled them.
2015-06-23 10:31:36 WindowServer[261] common_reenable_update: UI updates were finally reenabled by application "Tunnelblick" after 1.15 seconds (server forcibly re-enabled them after 1.00 seconds)
2015-06-23 10:31:36 Tunnelblick[12231] Set program update feedURL to https://www.tunnelblick.net/appcast-b.rss
2015-06-23 10:36:14 Tunnelblick[12231] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2015-06-23 10:36:15 Tunnelblick[12231] Finished shutting down Tunnelblick; allowing termination
2015-06-23 10:37:09 Tunnelblick[12277] Set program update feedURL to https://www.tunnelblick.net/appcast-b.rss
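
Added example (not part of the original thread, and not Tunnelblick's or OpenVPN's own code): a small Python reader for the `>STATE:` lines in the "Tunnelblick Log" section of the post above. It reports whether the client ever left `WAIT`, the state behind "Waiting for server response", and how long it sat there. The function names are illustrative.

```python
import re

# Lines copied from the "Tunnelblick Log" section of the post above.
LOG = """\
2015-06-23 10:37:21 MANAGEMENT: >STATE:1435048641,RESOLVE,,,
2015-06-23 10:37:21 UDPv4 link local: [undef]
2015-06-23 10:37:21 UDPv4 link remote: [AF_INET]158.144.176.252:1194
2015-06-23 10:37:21 MANAGEMENT: >STATE:1435048641,WAIT,,,
2015-06-23 10:38:11 SIGTERM[hard,] received, process exiting
2015-06-23 10:38:11 MANAGEMENT: >STATE:1435048691,EXITING,SIGTERM,,
"""

# Management-interface state notification: >STATE:<unix time>,<state>,...
STATE_RE = re.compile(r">STATE:(\d+),([A-Z_]+),")
REMOTE_RE = re.compile(r"link remote: \[AF_INET\]([\d.]+:\d+)")

# States OpenVPN reports only once the server has answered the first packet.
AFTER_REPLY = {"AUTH", "GET_CONFIG", "ASSIGN_IP", "ADD_ROUTES", "CONNECTED"}


def state_transitions(log_text):
    """Return [(unix_time, state), ...] in the order they were logged."""
    return [(int(m.group(1)), m.group(2)) for m in STATE_RE.finditer(log_text)]


def diagnose(log_text):
    """Return (verdict, seconds spent in WAIT, remote endpoint or None)."""
    states = state_transitions(log_text)
    names = [name for _, name in states]
    match = REMOTE_RE.search(log_text)
    remote = match.group(1) if match else None
    if any(name in AFTER_REPLY for name in names):
        return ("server replied", 0, remote)
    if "WAIT" not in names:
        return ("did not reach WAIT", 0, remote)
    wait_start = next(t for t, name in states if name == "WAIT")
    # The last logged state (here EXITING) marks when the wait ended.
    return ("no reply from server", states[-1][0] - wait_start, remote)


if __name__ == "__main__":
    print(diagnose(LOG))
```

A "no reply from server" verdict only says that nothing the client accepted came back from the remote endpoint; it cannot distinguish a network that drops the traffic from a server that is down or configured differently.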

jkbull...gmail.com

Jun 23, 2015, 6:46:56 AM
to tunnelbli...@googlegroups.com, goutha...@gmail.com
You didn't add the "scramble obfuscate XXXXX" option to the client configuration.

Did you add it to the server, and have the server running a patched version of OpenVPN?

Please read what I wrote again. I have highlighted two critical instructions:

You don't "apply the patch" to Tunnelblick, you just need to use Tunnelblick 3.6beta06 or later; the patched version of OpenVPN will be used automatically.

You do need to apply the patch to your VPN server (which may not be possible or practical). To do that you must be able to patch and build OpenVPN and install the patched version on your VPN server. You'll have to search the web for instructions on how to do that. See https://forums.openvpn.net/topic12605.html for the original discussion (but don't use the supplied patch, use a patch from Tunnelblick openvpn_xorpatch instead (it includes important changes to the patch)). That page has versions of the patch for OpenVPN 2.3.6 and 2.3.7.


Then you just put the "scramble obfuscate XXXXXX" (where XXXX is the key) in both the server and the client configuration files.
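
Added example (not part of the original thread or of Tunnelblick): a Python check that the settings both peers must agree on, including the `scramble` line discussed above, are the same in the client and server configurations. The client text is the condensed configuration posted in this thread; the server text and the key `EXAMPLE-KEY` are constructed, and the function names are illustrative.

```python
# Client directives: from the condensed configuration posted in this thread.
CLIENT = """\
client
dev tun
proto udp
remote vpn.ncbs.res.in 1194
nobind
ca ca.crt
cert ashwinim.crt
key ashwinim.key
ns-cert-type server
tls-auth auth.key 1
comp-lzo
verb 3
"""

# Server directives: constructed for this example, including the key.
SERVER = """\
port 1194
proto udp
dev tun
tls-auth auth.key 0
comp-lzo
scramble obfuscate EXAMPLE-KEY
"""


def parse(text):
    """Map directive name -> argument list, skipping '#' and ';' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            opts[name] = args
    return opts


def link_view(opts, is_client):
    """Reduce a configuration to the settings both peers must share."""
    if is_client:
        remote = opts.get("remote", [])
        port = remote[1] if len(remote) > 1 else "1194"
    else:
        port = opts.get("port", ["1194"])[0]
    return {
        "port": port,
        # tcp-client / tcp-server are the same transport
        "proto": opts.get("proto", ["udp"])[0].split("-")[0],
        "dev": opts.get("dev", [""])[0],
        "comp-lzo": "comp-lzo" in opts,
        "cipher": tuple(opts.get("cipher", [])),
        "scramble": tuple(opts.get("scramble", [])),
    }


def mismatches(client_text, server_text):
    """Return the sorted names of shared settings that differ."""
    c = link_view(parse(client_text), True)
    s = link_view(parse(server_text), False)
    return sorted(name for name in c if c[name] != s[name])


if __name__ == "__main__":
    print(mismatches(CLIENT, SERVER))
```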