TB mitm Error, DNS problem, auth-nocache

feier

Jun 19, 2018, 1:25:27 PM
to tunnelblick-discuss

Hi, got some problems using Tunnelblick.

Log shows me some "mitm" problem, DNS problem and something with auth-nocache.

Dunno how to fix that...

And the connection often disconnects...

Any help please?

Thanks, cheers

Log:
*Tunnelblick: OS X 10.13.5; Tunnelblick 3.7.6 (build 5060); prior version 3.7.5a (build 5011)
2018-06-19 19:17:57 *Tunnelblick: Attempting connection with vpngate_vpn286957072.opengw.net_tcp_1253 using shadow copy; Set nameserver = 769; monitoring connection
2018-06-19 19:17:57 *Tunnelblick: openvpnstart start vpngate_vpn286957072.opengw.net_tcp_1253.tblk 52104 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2o
2018-06-19 19:17:58 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
    
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2o/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Schech-SLibrary-SApplication Support-STunnelblick-SConfigurations-Svpngate_vpn286957072.opengw.net_tcp_1253.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.52104.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/chech/vpngate_vpn286957072.opengw.net_tcp_1253.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5060 3.7.6 (build 5060)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/chech/vpngate_vpn286957072.opengw.net_tcp_1253.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/chech/vpngate_vpn286957072.opengw.net_tcp_1253.tblk/Contents/Resources
          --management
          127.0.0.1
          52104
          /Library/Application Support/Tunnelblick/nkbdnfccagienbimdnmgojgpdeeinkemmadbmmfj.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2018-06-19 19:17:57 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun  9 2018
2018-06-19 19:17:57 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2018-06-19 19:17:57 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:52104
2018-06-19 19:17:57 Need hold release from management interface, waiting...
2018-06-19 19:17:57 *Tunnelblick: openvpnstart starting OpenVPN
2018-06-19 19:17:58 *Tunnelblick: Established communication with OpenVPN
2018-06-19 19:17:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52104
2018-06-19 19:17:58 MANAGEMENT: CMD 'pid'
2018-06-19 19:17:58 MANAGEMENT: CMD 'state on'
2018-06-19 19:17:58 MANAGEMENT: CMD 'state'
2018-06-19 19:17:58 MANAGEMENT: CMD 'bytecount 1'
2018-06-19 19:17:58 MANAGEMENT: CMD 'hold release'
2018-06-19 19:17:58 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2018-06-19 19:17:58 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-06-19 19:17:58 MANAGEMENT: >STATE:1529428678,RESOLVE,,,,,,
2018-06-19 19:17:58 TCP/UDP: Preserving recently used remote address: [AF_INET]113.148.130.195:1253
2018-06-19 19:17:58 Socket Buffers: R=[131072->131072] S=[131072->131072]
2018-06-19 19:17:58 Attempting to establish TCP connection with [AF_INET]113.148.130.195:1253 [nonblock]
2018-06-19 19:17:58 MANAGEMENT: >STATE:1529428678,TCP_CONNECT,,,,,,
2018-06-19 19:17:59 TCP connection established with [AF_INET]113.148.130.195:1253
2018-06-19 19:17:59 TCP_CLIENT link local: (not bound)
2018-06-19 19:17:59 TCP_CLIENT link remote: [AF_INET]113.148.130.195:1253
2018-06-19 19:17:59 MANAGEMENT: >STATE:1529428679,WAIT,,,,,,
2018-06-19 19:17:59 MANAGEMENT: >STATE:1529428679,AUTH,,,,,,
2018-06-19 19:17:59 TLS: Initial packet from [AF_INET]113.148.130.195:1253, sid=766d4530 e223ef39
2018-06-19 19:18:00 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
2018-06-19 19:18:00 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
2018-06-19 19:18:00 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.opengw.net
2018-06-19 19:18:02 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-06-19 19:18:02 [*.opengw.net] Peer Connection Initiated with [AF_INET]113.148.130.195:1253
2018-06-19 19:18:03 MANAGEMENT: >STATE:1529428683,GET_CONFIG,,,,,,
2018-06-19 19:18:03 SENT CONTROL [*.opengw.net]: 'PUSH_REQUEST' (status=1)
2018-06-19 19:18:05 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.45 10.211.1.46,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.46,redirect-gateway def1'
2018-06-19 19:18:05 OPTIONS IMPORT: timers and/or timeouts modified
2018-06-19 19:18:05 OPTIONS IMPORT: --ifconfig/up options modified
2018-06-19 19:18:05 OPTIONS IMPORT: route options modified
2018-06-19 19:18:05 OPTIONS IMPORT: route-related options modified
2018-06-19 19:18:05 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-06-19 19:18:05 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-06-19 19:18:05 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-06-19 19:18:05 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-06-19 19:18:05 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-06-19 19:18:05 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2018-06-19 19:18:05 Opened utun device utun1
2018-06-19 19:18:05 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-06-19 19:18:05 MANAGEMENT: >STATE:1529428685,ASSIGN_IP,,10.211.1.45,,,,
2018-06-19 19:18:05 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-06-19 19:18:05 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-06-19 19:18:05 /sbin/ifconfig utun1 10.211.1.45 10.211.1.46 mtu 1500 netmask 255.255.255.255 up
2018-06-19 19:18:05 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1559 10.211.1.45 10.211.1.46 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Disabled IPv6 for 'VPN (L2TP)'
                                        Retrieved from OpenVPN: name server(s) [ 10.211.254.254 8.8.8.8 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '192.168.178.10' to '10.211.254.254 8.8.8.8'
                                        Changed DNS SearchDomains setting from '' to 'openvpn'
                                        Changed DNS DomainName setting from 'router to 'openvpn'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '10.211.254.254 8.8.8.8' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers include one or more free public DNS servers known to Tunnelblick and one or more DNS servers not known to Tunnelblick. If used, the DNS servers not known to Tunnelblick may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2018-06-19 19:18:09 *Tunnelblick: No 'connected.sh' script to execute
2018-06-19 19:18:09 /sbin/route add -net 113.148.130.195 192.168.178.1 255.255.255.255
                                        add net 113.148.130.195: gateway 192.168.178.10
2018-06-19 19:18:09 /sbin/route add -net 0.0.0.0 10.211.1.46 128.0.0.0
                                        add net 0.0.0.0: gateway 10.211.1.46
2018-06-19 19:18:09 /sbin/route add -net 128.0.0.0 10.211.1.46 128.0.0.0
                                        add net 128.0.0.0: gateway 10.211.1.46
2018-06-19 19:18:09 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-06-19 19:18:09 Initialization Sequence Completed
2018-06-19 19:18:09 MANAGEMENT: >STATE:1529428689,CONNECTED,SUCCESS,10.211.1.45,113.148.130.195,1253,192.168.178.23,50359
2018-06-19 19:18:14 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-06-19 19:18:19 *Tunnelblick: This computer's apparent public IP address changed from 12.34.56.78 before connection to 113.148.130.195 after connection

Tunnelblick developer

Jun 19, 2018, 3:35:34 PM
to tunnelblick-discuss
You need to contact your VPN service provider, apparently VPNGate. That is the organization which gave you your configuration files, and perhaps a username and password, and to which you are probably paying a fee for VPN service. For more information, please see Getting VPN Service.

Tunnelblick is just the free software that many VPN service providers recommend or supply to their customers. We do not provide VPN service, just software.

Here are some comments about specific warnings in the log you posted:

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this.

Your computer may cache VPN passwords in its memory. If your computer is compromised, then they might be accessed. This is something that is under the control of VPNGate.


NOTE: The DNS servers include one or more free public DNS servers known to Tunnelblick and one or more DNS servers not known to Tunnelblick. If used, the DNS servers not known to Tunnelblick may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.

This is something that is under the control of VPNGate.

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

This is something that is under the control of VPNGate.


NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

This is normal. Tunnelblick performs certain operations using "user-defined scripts". Because of the way that Tunnelblick secures the scripts, they are controlled by your computer administrator, not by a normal user.