Connection Repeatedly Fails
434 views
Skip to first unread message
Swings
Jun 7, 2011, 9:35:06 AM6/7/11
to tunnelblick-discuss
I recently purchased Secure Tunnel's VPN for use in China, and it
worked fine for about 24 hours. After a few days of traveling and
switching hotels, I tried to use it again. I can launch Tunnelblick,
but it won't connect to anything, and it says 0 connections active.
Any idea what's wrong? I can post the log if its needed. thanks in
advance!
worked fine for about 24 hours. After a few days of traveling and
switching hotels, I tried to use it again. I can launch Tunnelblick,
but it won't connect to anything, and it says 0 connections active.
Any idea what's wrong? I can post the log if its needed. thanks in
advance!
jkbull...gmail.com
Jun 7, 2011, 9:45:52 AM6/7/11
to tunnelbli...@googlegroups.com
You should probably contact Secure Tunnel's support for this (you're paying them). Tunnelblick is just the free software that they recommend their customers use.
That said, I'll be happy to look at the log if you post it. (Please quit Tunnelblick and relaunch it before you try to connect, then post the entire log. (From the Details... window: Command-A selects all of the log, Command-C copies it to the Clipboard).
The problem probably has to do with the "Great Firewall of China" blocking their server and not anything to do with Tunnelblick itself, but post the log and we'll see.
Swings
Jun 7, 2011, 11:26:35 AM6/7/11
to tunnelblick-discuss
Their discussion forum is down at the moment, so I thought I'd try
here first.
It's most likely just a problem with them, but I'd like to make sure
just in case.
2011-06-07 11:24:43 *Tunnelblick: OS X 10.6.7; Tunnelblick 3.1.7
(build 2190.2413); OpenVPN 2.1.4
2011-06-07 11:24:47 *Tunnelblick: Attempting connection with Secure-
Tunnel Private Network from Deploy; Set nameserver = 1; monitoring
connection
2011-06-07 11:24:47 *Tunnelblick: /Applications/Tunnelblick.app/
Contents/Resources/openvpnstart start Secure-Tunnel\ Private\
Network.conf 1339 1 0 2 0 50
2011-06-07 11:24:47 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2]
[PKCS11] built on Mar 1 2011
2011-06-07 11:24:47 MANAGEMENT: TCP Socket listening on 127.0.0.1:1339
2011-06-07 11:24:47 Need hold release from management interface,
waiting...
2011-06-07 11:24:47 MANAGEMENT: Client connected from 127.0.0.1:1339
2011-06-07 11:24:47 MANAGEMENT: CMD 'pid'
2011-06-07 11:24:47 MANAGEMENT: CMD 'state on'
2011-06-07 11:24:47 MANAGEMENT: CMD 'state'
2011-06-07 11:24:47 MANAGEMENT: CMD 'hold release'
2011-06-07 11:24:47 MANAGEMENT: CMD 'username "Auth" "Dswings"'
2011-06-07 11:24:47 MANAGEMENT: CMD 'password [...]'
2011-06-07 11:24:47 WARNING: No server certificate verification method
has been enabled. See http://openvpn.net/howto.html#mitm for more
info.
2011-06-07 11:24:47 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2011-06-07 11:24:47 LZO compression initialized
2011-06-07 11:24:47 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:
0 ET:0 EL:0 ]
2011-06-07 11:24:47 Socket Buffers: R=[42080->65536] S=[9216->65536]
2011-06-07 11:24:47 MANAGEMENT: >STATE:1307460287,RESOLVE,,,
2011-06-07 11:24:47 RESOLVE: NOTE: stpn.secure-tunnel.com resolves to
2 addresses
2011-06-07 11:24:47 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:
135 ET:32 EL:0 AF:3/1 ]
2011-06-07 11:24:47 Local Options hash (VER=V4): 'd79ca330'
2011-06-07 11:24:47 Expected Remote Options hash (VER=V4): 'f7df56b8'
2011-06-07 11:24:47 UDPv4 link local: [undef]
2011-06-07 11:24:47 UDPv4 link remote: 38.119.107.88:443
2011-06-07 11:24:47 MANAGEMENT: >STATE:1307460287,WAIT,,,
2011-06-07 11:24:47 *Tunnelblick: openvpnstart: /Applications/
Tunnelblick.app/Contents/Resources/openvpn --cd /Applications/
Tunnelblick.app/Contents/Resources/Deploy --daemon --management
127.0.0.1 1339 --config /Applications/Tunnelblick.app/Contents/
Resources/Deploy/Secure-Tunnel Private Network.conf --log /Library/
Application Support/Tunnelblick/Logs/-SApplications-STunnelblick.app-
SContents-SResources-SDeploy-SSecure--Tunnel Private Network.conf.
1_0_2_0_50.1339.openvpn.log --management-query-passwords --management-
hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/
Resources/client.up.tunnelblick.sh -m -w -d -a --down /Applications/
Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d
-a --up-restart
2011-06-07 11:24:47 *Tunnelblick: Obtained VPN username and password
from the Keychain
2011-06-07 11:24:48 MANAGEMENT: >STATE:1307460288,AUTH,,,
2011-06-07 11:24:48 TLS: Initial packet from 38.119.107.88:443,
sid=31b04b94 dc896992
2011-06-07 11:24:48 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
2011-06-07 11:24:52 VERIFY OK: depth=1, /C=US/ST=ND/L=Fargo/
O=www.secure-tunnel.com/CN=stpn.secure-tunnel.com/
emailAddress=co...@secure-tunnel.com
2011-06-07 11:24:52 VERIFY OK: depth=0, /C=US/ST=ND/L=Fargo/
O=www.secure-tunnel.com/CN=stpn.secure-tunnel.com/
emailAddress=co...@secure-tunnel.com
2011-06-07 11:25:05 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 128 bit key
2011-06-07 11:25:05 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
2011-06-07 11:25:05 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 128 bit key
2011-06-07 11:25:05 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
2011-06-07 11:25:05 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-
AES256-SHA, 1024 bit RSA
2011-06-07 11:25:05 [stpn.secure-tunnel.com] Peer Connection Initiated
with 38.119.107.88:443
2011-06-07 11:25:06 MANAGEMENT: >STATE:1307460306,GET_CONFIG,,,
2011-06-07 11:25:07 SENT CONTROL [stpn.secure-tunnel.com]:
'PUSH_REQUEST' (status=1)
2011-06-07 11:25:07 AUTH: Received AUTH_FAILED control message
2011-06-07 11:25:07 TCP/UDP: Closing socket
2011-06-07 11:25:07 SIGTERM[soft,auth-failure] received, process
exiting
2011-06-07 11:25:07 MANAGEMENT: >STATE:1307460307,EXITING,auth-
failure,,
2011-06-07 11:25:08 *Tunnelblick: Flushed the DNS cache
here first.
It's most likely just a problem with them, but I'd like to make sure
just in case.
2011-06-07 11:24:43 *Tunnelblick: OS X 10.6.7; Tunnelblick 3.1.7
(build 2190.2413); OpenVPN 2.1.4
2011-06-07 11:24:47 *Tunnelblick: Attempting connection with Secure-
Tunnel Private Network from Deploy; Set nameserver = 1; monitoring
connection
2011-06-07 11:24:47 *Tunnelblick: /Applications/Tunnelblick.app/
Contents/Resources/openvpnstart start Secure-Tunnel\ Private\
Network.conf 1339 1 0 2 0 50
2011-06-07 11:24:47 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2]
[PKCS11] built on Mar 1 2011
2011-06-07 11:24:47 MANAGEMENT: TCP Socket listening on 127.0.0.1:1339
2011-06-07 11:24:47 Need hold release from management interface,
waiting...
2011-06-07 11:24:47 MANAGEMENT: Client connected from 127.0.0.1:1339
2011-06-07 11:24:47 MANAGEMENT: CMD 'pid'
2011-06-07 11:24:47 MANAGEMENT: CMD 'state on'
2011-06-07 11:24:47 MANAGEMENT: CMD 'state'
2011-06-07 11:24:47 MANAGEMENT: CMD 'hold release'
2011-06-07 11:24:47 MANAGEMENT: CMD 'username "Auth" "Dswings"'
2011-06-07 11:24:47 MANAGEMENT: CMD 'password [...]'
2011-06-07 11:24:47 WARNING: No server certificate verification method
has been enabled. See http://openvpn.net/howto.html#mitm for more
info.
2011-06-07 11:24:47 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2011-06-07 11:24:47 LZO compression initialized
2011-06-07 11:24:47 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:
0 ET:0 EL:0 ]
2011-06-07 11:24:47 Socket Buffers: R=[42080->65536] S=[9216->65536]
2011-06-07 11:24:47 MANAGEMENT: >STATE:1307460287,RESOLVE,,,
2011-06-07 11:24:47 RESOLVE: NOTE: stpn.secure-tunnel.com resolves to
2 addresses
2011-06-07 11:24:47 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:
135 ET:32 EL:0 AF:3/1 ]
2011-06-07 11:24:47 Local Options hash (VER=V4): 'd79ca330'
2011-06-07 11:24:47 Expected Remote Options hash (VER=V4): 'f7df56b8'
2011-06-07 11:24:47 UDPv4 link local: [undef]
2011-06-07 11:24:47 UDPv4 link remote: 38.119.107.88:443
2011-06-07 11:24:47 MANAGEMENT: >STATE:1307460287,WAIT,,,
2011-06-07 11:24:47 *Tunnelblick: openvpnstart: /Applications/
Tunnelblick.app/Contents/Resources/openvpn --cd /Applications/
Tunnelblick.app/Contents/Resources/Deploy --daemon --management
127.0.0.1 1339 --config /Applications/Tunnelblick.app/Contents/
Resources/Deploy/Secure-Tunnel Private Network.conf --log /Library/
Application Support/Tunnelblick/Logs/-SApplications-STunnelblick.app-
SContents-SResources-SDeploy-SSecure--Tunnel Private Network.conf.
1_0_2_0_50.1339.openvpn.log --management-query-passwords --management-
hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/
Resources/client.up.tunnelblick.sh -m -w -d -a --down /Applications/
Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d
-a --up-restart
2011-06-07 11:24:47 *Tunnelblick: Obtained VPN username and password
from the Keychain
2011-06-07 11:24:48 MANAGEMENT: >STATE:1307460288,AUTH,,,
2011-06-07 11:24:48 TLS: Initial packet from 38.119.107.88:443,
sid=31b04b94 dc896992
2011-06-07 11:24:48 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
2011-06-07 11:24:52 VERIFY OK: depth=1, /C=US/ST=ND/L=Fargo/
O=www.secure-tunnel.com/CN=stpn.secure-tunnel.com/
emailAddress=co...@secure-tunnel.com
2011-06-07 11:24:52 VERIFY OK: depth=0, /C=US/ST=ND/L=Fargo/
O=www.secure-tunnel.com/CN=stpn.secure-tunnel.com/
emailAddress=co...@secure-tunnel.com
2011-06-07 11:25:05 Data Channel Encrypt: Cipher 'BF-CBC' initialized
with 128 bit key
2011-06-07 11:25:05 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
2011-06-07 11:25:05 Data Channel Decrypt: Cipher 'BF-CBC' initialized
with 128 bit key
2011-06-07 11:25:05 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
2011-06-07 11:25:05 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-
AES256-SHA, 1024 bit RSA
2011-06-07 11:25:05 [stpn.secure-tunnel.com] Peer Connection Initiated
with 38.119.107.88:443
2011-06-07 11:25:06 MANAGEMENT: >STATE:1307460306,GET_CONFIG,,,
2011-06-07 11:25:07 SENT CONTROL [stpn.secure-tunnel.com]:
'PUSH_REQUEST' (status=1)
2011-06-07 11:25:07 AUTH: Received AUTH_FAILED control message
2011-06-07 11:25:07 TCP/UDP: Closing socket
2011-06-07 11:25:07 SIGTERM[soft,auth-failure] received, process
exiting
2011-06-07 11:25:07 MANAGEMENT: >STATE:1307460307,EXITING,auth-
failure,,
2011-06-07 11:25:08 *Tunnelblick: Flushed the DNS cache
jkbull...gmail.com
Jun 7, 2011, 11:40:11 AM6/7/11
to tunnelbli...@googlegroups.com
Actually, it looks like something else -- the credentials (username/password) that Tunnelblick used (which you had saved in the Keychain) was refused by Secure Tunnel. I suppose the Great Firewall could be meddling, but I suspect it is just a bad username/password.
You'll have to manually remove the username/password entry in the Keychain -- see the fourth post in https://groups.google.com/d/topic/tunnelblick-discuss/lUvlI2YRH8s/discussion. After that, you will be asked for it when you try to make a connection.
Tunnelblick 3.2beta14 will notice the authorization failure, notify you, and give you the option of trying with different credentials, so you might want to try it. You can always go back to the 3.1.7 stable version you're using now after you fix the problem. To try 3.2beta14 temporarily, download the disk image, but instead of double-clicking the Tunnelblick icon, just drag it to the Desktop. When you double-click that, it will run (after asking for admin credentials), it will run without being installed in /Applications. You can then drag it to the Trash when you are done, and then use the version 3.1.7 that's still in /Applications.
Swings
Jun 8, 2011, 9:25:13 AM6/8/11
to tunnelblick-discuss
Unfortunately, they blocked the link you posted. Any chance you can
explain or copy it on here? And so I just download Tunnelblick
3.2beta4, and use it to fix the bug, then delete it?
Thanks a lot for your hard work!
On Jun 7, 11:40 am, "jkbull...gmail.com" <jkbull...@gmail.com> wrote:
> Actually, it looks like something else -- the credentials
> (username/password) that Tunnelblick used (which you had saved in the
> Keychain) was refused by Secure Tunnel. I suppose the Great Firewall could
> be meddling, but I suspect it is just a bad username/password.
>
> You'll have to manually remove the username/password entry in the Keychain
> -- see the fourth post inhttps://groups.google.com/d/topic/tunnelblick-discuss/lUvlI2YRH8s/dis....
explain or copy it on here? And so I just download Tunnelblick
3.2beta4, and use it to fix the bug, then delete it?
Thanks a lot for your hard work!
On Jun 7, 11:40 am, "jkbull...gmail.com" <jkbull...@gmail.com> wrote:
> Actually, it looks like something else -- the credentials
> (username/password) that Tunnelblick used (which you had saved in the
> Keychain) was refused by Secure Tunnel. I suppose the Great Firewall could
> be meddling, but I suspect it is just a bad username/password.
>
> You'll have to manually remove the username/password entry in the Keychain
jkbull...gmail.com
Jun 8, 2011, 9:33:51 AM6/8/11
to tunnelbli...@googlegroups.com
Yes, you can download 3.2beta14 (not 3.2beta4, which I assume was a typo), run it, try to connect, and it will detect the problem. Click the "Try again with different credentials" button and it will erase the bad username/password stored in the Keychain.
To be clear: 3.2beta14 doesn't fix the bug in earlier versions of the program - if you have a bad username/password in the Keychain old versions of the program will not complain. But 3.2beta14 will erase the bad username/password from the Keychain once (each time you use it).
An alternative, perhaps easier, is described in the fourth post in https://groups.google.com/d/topic/tunnelblick-discuss/lUvlI2YRH8s/discussion, which is copied here:
This means that the username or password you entered is not correct.There is a bug in Tunnelblick that sometimes does not handle this correctly and shows an incorrect error message. That is what is happening to you.You saved the username and password to the Keychain, so it doesn't ask you for them.You must delete the incorrect Keychain entries and try to connect again.To delete the incorrect Keychain entries:
- Launch /Application/Utilities/Keychain Access.
- Look for entries with names beginning with "Tunnelblick", and delete all of them.
- Try to connect again.
When you try to connect again, you will be asked for the username and password again. Type them very carefully and do not save them to the Keychain until you are sure they are correct and you have connected to the VPN service at least once.
Swings
Jun 8, 2011, 9:41:23 AM6/8/11
to tunnelblick-discuss
Alright it worked! Thank you so much for your help. I'll post here if
I find any further issues.
On Jun 8, 9:33 am, "jkbull...gmail.com" <jkbull...@gmail.com> wrote:
> Yes, you can download 3.2beta14 (not 3.2beta4, which I assume was a typo),
> run it, try to connect, and it will detect the problem. Click the "Try again
> with different credentials" button and it will erase the bad
> username/password stored in the Keychain.
>
> To be clear: 3.2beta14 doesn't fix the bug in earlier versions of the
> program - if you have a bad username/password in the Keychain old versions
> of the program will not complain. But 3.2beta14 will erase the bad
> username/password from the Keychain once (each time you use it).
>
> An alternative, perhaps easier, is described in the fourth post inhttps://groups.google.com/d/topic/tunnelblick-discuss/lUvlI2YRH8s/dis...,
> 2. Look for entries with names beginning with "Tunnelblick", and
> delete all of them.
> 3. Try to connect again.
I find any further issues.
On Jun 8, 9:33 am, "jkbull...gmail.com" <jkbull...@gmail.com> wrote:
> Yes, you can download 3.2beta14 (not 3.2beta4, which I assume was a typo),
> run it, try to connect, and it will detect the problem. Click the "Try again
> with different credentials" button and it will erase the bad
> username/password stored in the Keychain.
>
> To be clear: 3.2beta14 doesn't fix the bug in earlier versions of the
> program - if you have a bad username/password in the Keychain old versions
> of the program will not complain. But 3.2beta14 will erase the bad
> username/password from the Keychain once (each time you use it).
>
> which is copied here:
>
> This means that the username or password you entered is not correct.
>
> There is a bug in Tunnelblick that sometimes does not handle this correctly
> and shows an incorrect error message. That is what is happening to you.
>
> You saved the username and password to the Keychain, so it doesn't ask you
> for them.
>
> You must delete the incorrect Keychain entries and try to connect again.
>
> To delete the incorrect Keychain entries:
>
> 1. Launch /Application/Utilities/Keychain Access.
>
> This means that the username or password you entered is not correct.
>
> There is a bug in Tunnelblick that sometimes does not handle this correctly
> and shows an incorrect error message. That is what is happening to you.
>
> You saved the username and password to the Keychain, so it doesn't ask you
> for them.
>
> You must delete the incorrect Keychain entries and try to connect again.
>
> To delete the incorrect Keychain entries:
>
> 2. Look for entries with names beginning with "Tunnelblick", and
> delete all of them.
> 3. Try to connect again.
Reply all
Reply to author
Forward
0 new messages