troubleshooting server DD-WRT v24-sp2 (06/08/12) big - build 19342 and client Tunnelblick 3.3beta32 (build 3183) - OpenVPN 2.3-alpha1

[László Sándor]

Hi,

I'm way past the RTFM/STFW phase, but I cannot get my mac connect to the OpenVPN server. I followed instructions for the webGUI server setup and the Tunnelblick-specific client setup, but something must be wrong (e.g. the script?): http://www.dd-wrt.com/wiki/index.php/OpenVPN

I paste in a few things, and would really grateful any guidance, hint etc.

Thanks so much, in advance!

Here is screenshot of server settings:

Here is the list of files I had in my .tblk folder:

ca.key

client1.crt

ca.crt

02.pem

client1.key

client.conf

server.key

vpn-up.sh

03.pem

01.pem

dh1024.pem

server.crt

Here is what is in my client.conf:

##############################################

# Sample client-side OpenVPN 2.0 config file #

# for connecting to multi-client server.     #

#                                            #

# This configuration can be used by multiple #

# clients, however each client should have   #

# its own cert and key files.                #

#                                            #

# On Windows, you might want to rename this  #

# file so it has a .ovpn extension           #

##############################################

# Specify that we are a client and that we

# will be pulling certain config file directives

# from the server.

client

# Use the same setting as you are using on

# the server.

# On most systems, the VPN will not function

# unless you partially or fully disable

# the firewall for the TUN/TAP interface.

dev tap 

# Windows needs the TAP-Win32 adapter name

# from the Network Connections panel

# if you have more than one.  On XP SP2,

# you may need to disable the firewall

# for the TAP adapter.

#dev-node MyTap

 

# Are we connecting to a TCP or

# UDP server?  Use the same setting as

# on the server.

proto tcp

# The hostname/IP and port of the server.

# You can have multiple remote entries

# to load balance between the servers.

remote SERVER-NOT-SHOWN 1194 

# Choose a random host from the remote

# list for load-balancing.  Otherwise

# try hosts in the order specified.

#remote-random 

# Keep trying indefinitely to resolve the

# host name of the OpenVPN server.  Very useful

# on machines which are not permanently connected

# to the internet such as laptops.

resolv-retry infinite

# Most clients don't need to bind to

# a specific local port number.

nobind

# Downgrade privileges after initialization (non-Windows only)

user nobody

group nobody

# Try to preserve some state across restarts.

persist-key

persist-tun

# If you are connecting through an

# HTTP proxy to reach the actual OpenVPN

# server, put the proxy server/IP and

# port number here.  See the man page

# if your proxy server requires

# authentication.

#http-proxy-retry # retry on connection failures

#http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot

# of duplicate packets.  Set this flag

# to silence duplicate packet warnings.

mute-replay-warnings

# SSL/TLS parms.

# See the server config file for more

# description.  It's best to use

# a separate .crt/.key file pair

# for each client.  A single ca

# file can be used for all clients.

ca ca.crt

cert client1.crt

key client1.key

up "./vpn-up.sh"

# Verify server certificate by checking

# that the certicate has the nsCertType

# field set to "server".  This is an

# important precaution to protect against

# a potential attack discussed here:

# http://openvpn.net/howto.html#mitm

# To use this feature, you will need to generate

# your server certificates with the nsCertType

# field set to "server".  The build-key-server

# script in the easy-rsa folder will do this.

ns-cert-type server

# If a tls-auth key is used on the server

# then every client must also have the key.

#tls-auth ta.key 1

# Select a cryptographic cipher.

# If the cipher option is used on the server

# then you must also specify it here.

#cipher x

# Enable compression on the VPN link.

# Don't enable this unless it is also

# enabled in the server config file.

comp-lzo

# Set log file verbosity.

verb 3

# Silence repeating messages

;mute 20

----------- END OF CLIENT.CONF

Here are the contents of vpn-up.sh:

#!/usr/bin/python

import os, sys

try:

    tun_dev, tun_mtu, link_mtu = sys.argv[1:4]

except:

    sys.exit(0)

if tun_dev[0:3] == 'tap'

    os.system('/usr/sbin/ipconfig set "%s" DHCP' % os.environ['dev'])

----------- END OF SCRIPT

Here is some of console logs of the failed connection attempt:

1/28/13 5:25:16.814 PM acwebsecagent[142]: Connection : Auth key is not provided or is invalid, applying connection failure policy. CMode : 2 TMode : 1

1/28/13 5:25:16.814 PM acwebsecagent[142]: OnConnectionFailure : Fail Open - Reason = Unable to verify the license key

1/28/13 5:25:16.921 PM Tunnelblick[80815]: DEBUG: currentIPInfo(Name): IP address info was fetched in 110 milliseconds

1/28/13 5:25:16.921 PM Tunnelblick[80815]: DEBUG: currentIPInfo(Name): [140.247.210.147, 60177, 205.233.73.66]

1/28/13 5:25:17.721 PM acwebsecagent[142]: Connection : Auth key is not provided or is invalid, applying connection failure policy. CMode : 2 TMode : 1

1/28/13 5:25:17.721 PM acwebsecagent[142]: OnConnectionFailure : Fail Open - Reason = Unable to verify the license key

1/28/13 5:25:21.294 PM acwebsecagent[142]: Connection : Auth key is not provided or is invalid, applying connection failure policy. CMode : 2 TMode : 1

1/28/13 5:25:21.294 PM acwebsecagent[142]: OnConnectionFailure : Fail Open - Reason = Unable to verify the license key

1/28/13 5:25:22.000 PM kernel[0]: tap kernel extension version 20111101 <mattias...@gmx.de>

1/28/13 5:25:24.824 PM acwebsecagent[142]: Connection : Auth key is not provided or is invalid, applying connection failure policy. CMode : 2 TMode : 1

1/28/13 5:25:24.824 PM acwebsecagent[142]: OnConnectionFailure : Fail Open - Reason = Unable to verify the license key

1/28/13 5:25:26.318 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: Entered

1/28/13 5:25:26.318 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 45591552

1/28/13 5:25:26.319 PM Tunnelblick[80815]: DEBUG: killAllConnectionsIncludingDaemons: has checked for active daemons

1/28/13 5:25:26.319 PM Tunnelblick[80815]: DEBUG: includeDaemons = 0; noUnknownOpenVPNsRunning = 1; noActiveDaemons = 1 

1/28/13 5:25:26.320 PM Tunnelblick[80815]: DEBUG: killAllConnectionsIncludingDaemons: will use killAll

1/28/13 5:25:26.320 PM Tunnelblick[80815]: DEBUG: killAllConnectionsIncludingDaemons: requested killAll

1/28/13 5:25:26.397 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: Entered

1/28/13 5:25:26.398 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 45591552

1/28/13 5:25:26.399 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: Entered

1/28/13 5:25:26.400 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 45591552

1/28/13 5:25:26.400 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: Entered

1/28/13 5:25:26.401 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 45591552

1/28/13 5:25:26.401 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: Entered

1/28/13 5:25:26.401 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 45591552

1/28/13 5:25:26.460 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: Entered

1/28/13 5:25:26.461 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 45591552

1/28/13 5:25:26.872 PM Tunnelblick[80815]: DEBUG: killAllConnectionsIncludingDaemons: killAll finished

1/28/13 5:25:26.874 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: Entered

1/28/13 5:25:26.874 PM Tunnelblick[80815]: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 45591552

[Jonathan K. Bullard]

What is "acwebsecagent"? Is it some kind of security software? Perhaps it is interfering with the connections.

If you are having a problem with Tunnelblick, please include the following with your question.

• the entire contents of the Tunnelblick log

Be sure to X out any sensitive information such as server IP addresses.

To get the Tunnelblick log on the Clipboard so you can paste it into an email:

1. Click the Tunnelblick icon
   
2. Click "VPN Details…"
   
3. Select the "Configurations" panel if it is not already selected
   
4. Select the configuration whose file you want to look at in the list on the left
   
5. Select the "Log" tab if it is not already selected
   
6. Click "Copy Log to Clipboard"

--
You received this message because you are subscribed to the Google Groups "tunnelblick-discuss" group.
To post to this group, send email to tunnelbli...@googlegroups.com.
To unsubscribe from this group, send email to tunnelblick-dis...@googlegroups.com.
Visit this group at http://groups.google.com/group/tunnelblick-discuss?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[László Sándor]

Thanks, Jonathan.

The error message said console log, so I did open up Console. But only from Tunnelblick, below is my log.

Please note that this attempt tried TCP when the server was already set up to accept that (though perhaps needs a hard reboot on the router to implement, which I cannot do now).

Also note I went back to OpenVPN 2.2.1 following your troubleshooting notes for Mountain Lion.

Thanks again.

2013-01-28 18:15:36 *Tunnelblick: OS X 10.8.2; Tunnelblick 3.3beta32 (build 3183)

2013-01-28 18:15:36 *Tunnelblick: Attempting connection with seim; Set nameserver = 3; monitoring connection

2013-01-28 18:15:36 *Tunnelblick: openvpnstart start seim.tblk 1337 3 0 3 0 370 -atADGNWradsgnw 2.2.1

2013-01-28 18:15:37 *Tunnelblick: openvpnstart log:

     Loading tap.kext

     

     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

     

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn

          --cd

          /Library/Application Support/Tunnelblick/Shared/seim.tblk/Contents/Resources

          --daemon

          --management

          127.0.0.1

          1337

          --config

          /Library/Application Support/Tunnelblick/Shared/seim.tblk/Contents/Resources/config.ovpn

          --log

          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sseim.tblk-SContents-SResources-Sconfig.ovpn.3_0_3_0_370.1337.openvpn.log

          --management-query-passwords

          --management-hold

          --script-security

          2

          --up

          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw

          --plugin

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so

          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw

          --up-restart

2013-01-28 18:15:36 *Tunnelblick: openvpnstart starting OpenVPN:

                    *                    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Library/Application Support/Tunnelblick/Shared/seim.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Library/Application Support/Tunnelblick/Shared/seim.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sseim.tblk-SContents-SResources-Sconfig.ovpn.3_0_3_0_370.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw --plugin /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw --up-restart

2013-01-28 18:15:37 *Tunnelblick: Established communication with OpenVPN

2013-01-28 18:15:37 Multiple --up scripts defined.  The previously configured script is overridden.

2013-01-28 18:15:37 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Oct 20 2012

2013-01-28 18:15:37 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337

2013-01-28 18:15:37 Need hold release from management interface, waiting...

2013-01-28 18:15:37 MANAGEMENT: Client connected from 127.0.0.1:1337

2013-01-28 18:15:37 MANAGEMENT: CMD 'pid'

2013-01-28 18:15:37 MANAGEMENT: CMD 'state on'

2013-01-28 18:15:37 MANAGEMENT: CMD 'state'

2013-01-28 18:15:37 MANAGEMENT: CMD 'bytecount 1'

2013-01-28 18:15:37 MANAGEMENT: CMD 'hold release'

2013-01-28 18:15:37 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2013-01-28 18:15:37 PLUGIN_INIT: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so '[/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so] [/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh] [-m] [-w] [-d] [-a] [-f] [-atADGNWradsgnw]' intercepted=PLUGIN_UP|PLUGIN_DOWN 

2013-01-28 18:15:37 LZO compression initialized

2013-01-28 18:15:37 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]

2013-01-28 18:15:37 Socket Buffers: R=[131072->65536] S=[131072->65536]

2013-01-28 18:15:37 MANAGEMENT: >STATE:1359414937,RESOLVE,,,

2013-01-28 18:15:38 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]

2013-01-28 18:15:38 Local Options hash (VER=V4): '31fdf004'

2013-01-28 18:15:38 Expected Remote Options hash (VER=V4): '3e6d1056'

2013-01-28 18:15:38 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay

2013-01-28 18:15:38 Attempting to establish TCP connection with 83.251.117.191:1194 [nonblock]

2013-01-28 18:15:38 MANAGEMENT: >STATE:1359414938,TCP_CONNECT,,,

2013-01-28 18:15:39 TCP: connect to SERVER:1194 failed, will try again in 5 seconds: Connection refused

2013-01-28 18:15:44 MANAGEMENT: >STATE:1359414944,RESOLVE,,,

2013-01-28 18:15:44 MANAGEMENT: >STATE:1359414944,TCP_CONNECT,,,

2013-01-28 18:15:45 TCP: connect to SERVER:1194 failed, will try again in 5 seconds: Connection refused

2013-01-28 18:15:50 MANAGEMENT: >STATE:1359414950,RESOLVE,,,

2013-01-28 18:15:50 MANAGEMENT: >STATE:1359414950,TCP_CONNECT,,,

2013-01-28 18:15:51 TCP: connect to SERVER:1194 failed, will try again in 5 seconds: Connection refused

2013-01-28 18:15:56 MANAGEMENT: >STATE:1359414956,RESOLVE,,,

2013-01-28 18:15:56 MANAGEMENT: >STATE:1359414956,TCP_CONNECT,,,

2013-01-28 18:15:57 TCP: connect to SERVER:1194 failed, will try again in 5 seconds: Connection refused

2013-01-28 18:16:01 *Tunnelblick: Disconnecting; Disconnect button pressed

2013-01-28 18:16:01 *Tunnelblick: Disconnecting using 'killall'

2013-01-28 18:16:01 PLUGIN_CLOSE: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so

2013-01-28 18:16:01 SIGTERM[hard,init_instance] received, process exiting

2013-01-28 18:16:01 MANAGEMENT: >STATE:1359414961,EXITING,init_instance,,

[Jonathan K. Bullard]

Here's the problem:

2013-01-28 18:15:38 MANAGEMENT: >STATE:1359414938,TCP_CONNECT,,,
2013-01-28 18:15:39 TCP: connect to SERVER:1194 failed, will try again in 5 seconds: Connection refused

The server (i.e., the DD-WRT) is not responding to the client (i.e., your Mac running Tunnelblick). This can be caused my any number of things, but in your case it is probably a problem in the DD-WRT/OpenVPN setup.

Also:

• A couple of the files in the .tblk should not be there: the server.key and server.crt files.
• The vpn-up.sh script in the .tblk will be a problem because you have told Tunnelblick to use its standard scripts. To replace the 'up' script with "vpn-up.sh", you should rename "vpn-up.sh" to be "up.tunnelblick.sh" (see Up/Down Shell Scripts).
• The "user nobody" and "group nobody" lines in the client configuration file can cause problems. I recommend that you get your VPN working without them, then add them back in and see if any other problems develop. (It is usually not possible to reconnect after transmission errors, for example, of they are used.)

To unsubscribe from this group and stop receiving emails from it, send an email to tunnelblick-dis...@googlegroups.com.

To post to this group, send email to tunnelbli...@googlegroups.com.

[László Sándor]

Great, thank you, Jonathan. I am looking forward to trying things again after I can hard reboot my router.

Of course, I'm also grateful if you can guess what can go wrong with DD-WRT, but I understand that it's a very different issue.

That said, I got a brief comment in DD-WRT forums that recent builds do not have a working OpenVPN implementation (while my hardware cannot run older builds…). I could not verify that comment though, but perhaps others here can? 

[László Sándor]

Jonathan, and others, I am still not getting the TCP handshake. Is there an obvious next step, things to check? (Apart from general anxiety, kicking tires, contemplating DD-WRT upgrade…)

I did post in DD-WRT forums too but got no help yet. http://www.dd-wrt.com/phpBB2/viewtopic.php?p=737063#737063

2013-01-29 11:15:07 *Tunnelblick: openvpnstart starting OpenVPN:

                    *                    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Library/Application Support/Tunnelblick/Shared/seim.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Library/Application Support/Tunnelblick/Shared/seim.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sseim.tblk-SContents-SResources-Sconfig.ovpn.1_0_3_0_370.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up "/Library/Application Support/Tunnelblick/Shared/seim.tblk/Contents/Resources/up.tunnelblick.sh" -m -w -d -a -f -atADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw --up-restart

2013-01-29 11:15:08 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Oct 20 2012

2013-01-29 11:15:08 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337

2013-01-29 11:15:08 Need hold release from management interface, waiting...

2013-01-29 11:15:08 MANAGEMENT: Client connected from 127.0.0.1:1337

2013-01-29 11:15:08 MANAGEMENT: CMD 'pid'

2013-01-29 11:15:08 MANAGEMENT: CMD 'state on'

2013-01-29 11:15:08 MANAGEMENT: CMD 'state'

2013-01-29 11:15:08 MANAGEMENT: CMD 'bytecount 1'

2013-01-29 11:15:08 MANAGEMENT: CMD 'hold release'

2013-01-29 11:15:08 *Tunnelblick: Established communication with OpenVPN

2013-01-29 11:15:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2013-01-29 11:15:08 LZO compression initialized

2013-01-29 11:15:08 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]

2013-01-29 11:15:08 Socket Buffers: R=[131072->65536] S=[131072->65536]

2013-01-29 11:15:08 MANAGEMENT: >STATE:1359476108,RESOLVE,,,

2013-01-29 11:15:08 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]

2013-01-29 11:15:08 Local Options hash (VER=V4): '31fdf004'

2013-01-29 11:15:08 Expected Remote Options hash (VER=V4): '3e6d1056'

2013-01-29 11:15:08 Attempting to establish TCP connection with 83.251.117.191:1194 [nonblock]

2013-01-29 11:15:08 MANAGEMENT: >STATE:1359476108,TCP_CONNECT,,,

2013-01-29 11:15:09 TCP: connect to SERVERIP:1194 failed, will try again in 5 seconds: Connection refused

2013-01-29 11:15:14 MANAGEMENT: >STATE:1359476114,RESOLVE,,,

2013-01-29 11:15:14 MANAGEMENT: >STATE:1359476114,TCP_CONNECT,,,

2013-01-29 11:15:15 TCP: connect to SERVERIP:1194 failed, will try again in 5 seconds: Connection refused

2013-01-29 11:15:20 MANAGEMENT: >STATE:1359476120,RESOLVE,,,

2013-01-29 11:15:20 MANAGEMENT: >STATE:1359476120,TCP_CONNECT,,,

2013-01-29 11:15:21 TCP: connect to 83.251.117.191:1194 failed, will try again in 5 seconds: Connection refused

2013-01-29 11:15:26 MANAGEMENT: >STATE:1359476126,RESOLVE,,,

2013-01-29 11:15:26 MANAGEMENT: >STATE:1359476126,TCP_CONNECT,,,

2013-01-29 11:15:27 TCP: connect to SERVERIP:1194 failed, will try again in 5 seconds: Connection refused

2013-01-29 11:15:30 *Tunnelblick: Disconnecting; Disconnect button pressed

2013-01-29 11:15:30 *Tunnelblick: Disconnecting using 'killall'

2013-01-29 11:15:30 SIGTERM[hard,init_instance] received, process exiting

2013-01-29 11:15:30 MANAGEMENT: >STATE:1359476130,EXITING,init_instance,,

[László Sándor]

And another quick update, sorry for sending this separately:

I did check my router's logs, and it shows the TCP connection as accepted! What else can I check to see where the handshake broke down?

myIP

TCP

1194

Accepted

[László Sándor]

We can close this thread. Other people had issues with OpenVPN in this DD-WRT build anyway — and I could get PPTP working on a newer build,  DD-WRT v24-sp2 (01/24/13) mini.

The network is surprisingly slow, but maybe this is what I can expect from a home router on a residential ISP a continent away.

Thanks for bearing with me, and good luck with Tunnelblick!