Connection problem with Tunnelblick


sebastie...@gmail.com

Nov 17, 2017, 6:48:14 AM11/17/17
to tunnelblick-discuss
Hello,

I find myself facing a blockage with Tunnelblick.
I set up an OpenVPN connection that works very well with OpenVPN clients on Windows.
On the other hand, I have a problem with Tunnelblick on Mac with the generated OpenVPN configuration file.
Let me explain: once connected, I can communicate with the other machine connected to the virtual IP range, which is 192.168.20.x.
On the other hand, I cannot communicate with the servers of my remote site, which are in the IP range 192.168.1.X, which is annoying because that was the whole purpose of the thing.

I realize that the box to which I am connected with my Mac is on the same IP range as my remote site. So I changed the IP range of my box and suddenly it works.

Yet with an OpenVPN client under Windows I do not encounter this problem, even if the range of the local box is the same IP range as my remote site.

I cannot afford to ask my users to change the IP range of their box (too complicated for them), and I cannot change the IP range of my remote site because it is already interconnected with other sites over MPLS and that would entail too many changes.


I do not see why the client under Windows knows how to handle this and Tunnelblick does not.

I do not really know if it can help with this reflection, but here is the Tunnelblick log captured during the connection:

Tunnelblick Log:

*Tunnelblick: OS X 10.11.3; Tunnelblick 3.7.4 (build 4900)
2017-11-17 12:05:58 *Tunnelblick: Attempting connection with pfSense-UDP4-1194-User1-config; Set nameserver = 769; monitoring connection
2017-11-17 12:05:58 *Tunnelblick: openvpnstart start pfSense-UDP4-1194-User1-config.tblk 1338 769 0 3 0 1132336 -ptADGNWradsgnw 2.3.18-openssl-1.0.2m
2017-11-17 12:05:58 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.18-openssl-1.0.2m/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SpfSense--UDP4--1194--User1--config.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1132336.1338.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Shared/pfSense-UDP4-1194-User1-config.tblk/Contents/Resources
--setenv
IV_GUI_VER
"net.tunnelblick.tunnelblick 4900 3.7.4 (build 4900)"
--verb
3
--config
/Library/Application Support/Tunnelblick/Shared/pfSense-UDP4-1194-User1-config.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Shared/pfSense-UDP4-1194-User1-config.tblk/Contents/Resources
--management
127.0.0.1
1338
--management-query-passwords
--management-hold
--redirect-gateway
def1
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -o -r -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -o -r -w -ptADGNWradsgnw

2017-11-17 12:05:58 *Tunnelblick: Established communication with OpenVPN
2017-11-17 12:05:58 Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Shared/pfSense-UDP4-1194-User1-config.tblk/Contents/Resources/config.ovpn:10: block-outside-dns (2.3.18)
2017-11-17 12:05:58 OpenVPN 2.3.18 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Nov 2 2017
2017-11-17 12:05:58 library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
2017-11-17 12:05:58 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2017-11-17 12:05:58 Need hold release from management interface, waiting...
2017-11-17 12:05:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2017-11-17 12:05:58 MANAGEMENT: CMD 'pid'
2017-11-17 12:05:58 MANAGEMENT: CMD 'state on'
2017-11-17 12:05:58 MANAGEMENT: CMD 'state'
2017-11-17 12:05:58 MANAGEMENT: CMD 'bytecount 1'
2017-11-17 12:05:58 MANAGEMENT: CMD 'hold release'
2017-11-17 12:05:58 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-11-17 12:05:58 Control Channel Authentication: tls-auth using INLINE static key file
2017-11-17 12:05:58 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-11-17 12:05:58 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-11-17 12:05:58 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-11-17 12:05:58 UDPv4 link local (bound): [undef]
2017-11-17 12:05:58 UDPv4 link remote: [AF_INET]%IPSITE_DISTANT%:1194
2017-11-17 12:05:58 MANAGEMENT: >STATE:1510916758,WAIT,,,
2017-11-17 12:05:58 MANAGEMENT: >STATE:1510916758,AUTH,,,
2017-11-17 12:05:58 TLS: Initial packet from [AF_INET]%IPSITE_DISTANT%:1194, sid=9cb0af28 0fec11b7
2017-11-17 12:05:58 VERIFY OK: depth=1, C=FR, ST=%DEPT%, L=%VILLE%, O=%SOCIETE% du %VILLE%, emailAddress=%ADRESS%@%SOCIETE%-%VILLE%.fr, CN=OpenVPN CA
2017-11-17 12:05:58 Validating certificate key usage
2017-11-17 12:05:58 ++ Certificate has key usage 00a0, expects 00a0
2017-11-17 12:05:58 VERIFY KU OK
2017-11-17 12:05:58 Validating certificate extended key usage
2017-11-17 12:05:58 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-11-17 12:05:58 VERIFY EKU OK
2017-11-17 12:05:58 VERIFY X509NAME OK: C=FR, ST=%DEPT%, L=%VILLE%, O=%SOCIETE% du %VILLE%, emailAddress=%ADRESS%@%SOCIETE%-%VILLE%.fr, CN=certif-serveur-%SOCIETE%-%VILLE%
2017-11-17 12:05:58 VERIFY OK: depth=0, C=FR, ST=%DEPT%, L=%VILLE%, O=%SOCIETE% du %VILLE%, emailAddress=%ADRESS%@%SOCIETE%-%VILLE%.fr, CN=certif-serveur-%SOCIETE%-%VILLE%
2017-11-17 12:05:58 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-11-17 12:05:58 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-11-17 12:05:58 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-11-17 12:05:58 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-11-17 12:05:58 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-11-17 12:05:58 [certif-serveur-%SOCIETE%-%VILLE%] Peer Connection Initiated with [AF_INET]%IPSITE_DISTANT%:1194
2017-11-17 12:05:58 *Tunnelblick: openvpnstart starting OpenVPN
2017-11-17 12:05:59 MANAGEMENT: >STATE:1510916759,GET_CONFIG,,,
2017-11-17 12:06:00 SENT CONTROL [certif-serveur-%SOCIETE%-%VILLE%]: 'PUSH_REQUEST' (status=1)
2017-11-17 12:06:00 PUSH: Received control message: 'PUSH_REPLY,route %RESEAU DISTANT% 255.255.255.0,dhcp-option DOMAIN %SOCIETE%-%VILLE%.fr,dhcp-option DNS %DNS1%,dhcp-option DNS %DNS2%,register-dns,redirect-gateway def1,route %RESEAU DISTANT% 255.255.255.0,route-gateway %GATEWAY RESEAU VIRTUEL%,topology subnet,ping 10,ping-restart 60,ifconfig %IP CLIENT MAC VIRTUEL% 255.255.255.0,peer-id 1'
2017-11-17 12:06:00 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: register-dns (2.3.18)
2017-11-17 12:06:00 OPTIONS IMPORT: timers and/or timeouts modified
2017-11-17 12:06:00 OPTIONS IMPORT: --ifconfig/up options modified
2017-11-17 12:06:00 OPTIONS IMPORT: route options modified
2017-11-17 12:06:00 OPTIONS IMPORT: route-related options modified
2017-11-17 12:06:00 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-11-17 12:06:00 OPTIONS IMPORT: peer-id set
2017-11-17 12:06:00 OPTIONS IMPORT: adjusting link_mtu to 1560
2017-11-17 12:06:00 Opened utun device utun0
2017-11-17 12:06:00 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-11-17 12:06:00 MANAGEMENT: >STATE:1510916760,ASSIGN_IP,,%IP CLIENT MAC VIRTUEL%,
2017-11-17 12:06:00 /sbin/ifconfig utun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-11-17 12:06:00 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-11-17 12:06:00 /sbin/ifconfig utun0 %IP CLIENT MAC VIRTUEL% %IP CLIENT MAC VIRTUEL% netmask 255.255.255.0 mtu 1500 up
2017-11-17 12:06:00 /sbin/route add -net %RESEAU VIRTUEL% %IP CLIENT MAC VIRTUEL% 255.255.255.0
add net %RESEAU VIRTUEL%: gateway %IP CLIENT MAC VIRTUEL%
2017-11-17 12:06:00 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -o -r -w -ptADGNWradsgnw utun0 1500 1560 %IP CLIENT MAC VIRTUEL% 255.255.255.0 init
**********************************************
Start of output from client.up.tunnelblick.sh
Retrieved from OpenVPN: name server(s) [ %DNS1% %DNS2% ], domain name [ %SOCIETE%-%VILLE%.fr ], search domain(s) [ ], and SMB server(s) [ ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to '%SOCIETE%-%VILLE%.fr' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '%IP BOX LOCAL%' to '%DNS1% %DNS2%'
Changed DNS SearchDomains setting from '' to '%SOCIETE%-%VILLE%.fr'
Changed DNS DomainName setting from 'home' to '%SOCIETE%-%VILLE%.fr'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers '%DNS1% %DNS2%' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2017-11-17 12:06:04 *Tunnelblick: No 'connected.sh' script to execute
2017-11-17 12:06:04 /sbin/route add -net %IPSITE_DISTANT% %IP BOX LOCAL% 255.255.255.255
add net %IPSITE_DISTANT%: gateway %IP BOX LOCAL%
2017-11-17 12:06:04 /sbin/route add -net 0.0.0.0 %GATEWAY RESEAU VIRTUEL% 128.0.0.0
add net 0.0.0.0: gateway %GATEWAY RESEAU VIRTUEL%
2017-11-17 12:06:04 /sbin/route add -net 128.0.0.0 %GATEWAY RESEAU VIRTUEL% 128.0.0.0
add net 128.0.0.0: gateway %GATEWAY RESEAU VIRTUEL%
2017-11-17 12:06:04 MANAGEMENT: >STATE:1510916764,ADD_ROUTES,,,
2017-11-17 12:06:04 /sbin/route add -net %RESEAU DISTANT% %GATEWAY RESEAU VIRTUEL% 255.255.255.0
route: writing to routing socket: File exists
add net %RESEAU DISTANT%: gateway %GATEWAY RESEAU VIRTUEL%: File exists
2017-11-17 12:06:04 /sbin/route add -net %RESEAU DISTANT% %GATEWAY RESEAU VIRTUEL% 255.255.255.0
route: writing to routing socket: File exists
add net %RESEAU DISTANT%: gateway %GATEWAY RESEAU VIRTUEL%: File exists
2017-11-17 12:06:04 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-11-17 12:06:04 Initialization Sequence Completed
2017-11-17 12:06:04 MANAGEMENT: >STATE:1510916764,CONNECTED,SUCCESS,%IP CLIENT MAC VIRTUEL%,%IPSITE_DISTANT%
2017-11-17 12:06:09 *Tunnelblick process-network-changes: A system configuration change was ignored
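The "File exists" lines in the log above are the visible symptom of the overlap the poster describes: the pushed route for the remote site has the same prefix as the route the Mac already holds for its own LAN, so the add is rejected and, by longest-prefix match, 192.168.1.x traffic stays on the local network instead of entering the tunnel. The following added example (not from the post or from Tunnelblick) simulates that route-table behaviour so an administrator can check a client's LAN range against a profile's pushed routes before rolling it out; the gateway and client addresses are constructed stand-ins for the redacted placeholders.

```python
import ipaddress

# Constructed sample values standing in for the redacted placeholders in the
# log: virtual range 192.168.20.x and remote site 192.168.1.x come from the
# post; the gateway and client addresses below are made up.
VPN_GW = "192.168.20.1"        # stands in for %GATEWAY RESEAU VIRTUEL%
CLIENT_IP = "192.168.20.5"     # stands in for %IP CLIENT MAC VIRTUEL%
PUSHED_ROUTES = [
    ("192.168.20.0/24", CLIENT_IP),   # virtual range, added at ifconfig time
    ("0.0.0.0/1", VPN_GW),            # redirect-gateway def1, first half
    ("128.0.0.0/1", VPN_GW),          # redirect-gateway def1, second half
    ("192.168.1.0/24", VPN_GW),       # pushed 'route %RESEAU DISTANT%'
]

def build_table(local_lan, pushed=PUSHED_ROUTES):
    """Simulate 'route add' for each pushed route on top of the connected
    LAN route. Adding a prefix that already exists fails exactly like the
    'File exists' lines in the log, so the LAN entry is kept."""
    table = [(ipaddress.ip_network(local_lan), "link", "connected")]
    rejected = []
    for net, gw in pushed:
        n = ipaddress.ip_network(net)
        if any(n == existing for existing, _, _ in table):
            rejected.append(net)
            continue
        table.append((n, gw, "vpn"))
    return table, rejected

def lookup(table, dst):
    """Longest-prefix match, as the kernel does: (prefix, gateway, origin)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r[0]]
    net, gw, origin = max(candidates, key=lambda r: r[0].prefixlen)
    return str(net), gw, origin

def conflicting_routes(local_lan, pushed=PUSHED_ROUTES):
    """Pushed site routes (the def1 halves excluded) that overlap the LAN a
    client sits on; run this against each user's LAN before deployment."""
    lan = ipaddress.ip_network(local_lan)
    return [net for net, _ in pushed
            if ipaddress.ip_network(net).prefixlen > 1
            and lan.overlaps(ipaddress.ip_network(net))]

if __name__ == "__main__":
    # Overlapping LAN (the poster's case) versus a non-overlapping one.
    for lan in ("192.168.1.0/24", "192.168.2.0/24"):
        table, rejected = build_table(lan)
        print(lan, "rejected:", rejected,
              "192.168.1.10 via:", lookup(table, "192.168.1.10"))
```

With the LAN on 192.168.1.0/24 the remote-site route is rejected and 192.168.1.10 resolves to the connected LAN; with the LAN moved to 192.168.2.0/24, as the poster did, the same destination resolves to the VPN gateway.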