Tunnelblick cannot connect to website


jimlo...@gmail.com

Apr 11, 2018, 11:37:50 AM
to tunnelblick-discuss
I have installed Tunnelblick and added the configuration file given to me by our organization.
Tunnelblick connects using the .ovpn configuration file just fine.

I'm on Mac High Sierra, 10.13.4 (same as others in my organization)

However when I go to the website I get a browser message "This site can’t be reached  xxx.xxxx.org refused to connect."

I've read countless suggestions and tried these.


changed Set DNS/WINS: from "Set nameserver" to "Set nameserver (3.0b10)"
installed the beta version, tried both nameserver settings
changed DNS resolvers in Network Preferences to use openDNS or google servers

when I connect I see the Search Domains in Network Settings DNS change from "home" to "openvpn" 

Do you have any other ideas that could help me tunnel to this website?

Thanks,
jim

Tunnelblick developer

Apr 12, 2018, 8:47:03 AM
to tunnelblick-discuss
Are the others in your organization who have macOS 10.13.4 using the VPN successfully?

When you say "go to the website", do you mean "go to a specific website"? If so, is the specific website an "internal" website for the organization? If so, are you fully specifying the URL for the site (e.g., https://www.example.org)?

Is "Route all IPv4 traffic through the VPN" checked? (Try it both checked and unchecked.)

Please post the diagnostic info you obtain from following the instructions at Read Before You Post.

je...@segeln.de

May 8, 2018, 5:53:35 AM
to tunnelblick-discuss
I've got a similar problem:

VPN connects successfully.
After VPN is connected, all DNS queries work fine using "nslookup", "dig" or "host".
However other programs like "ping", "safari", "ssh", etc. may not resolve any hostname any more, except those already cached before Tunnelblick started.

The name server associated with the VPN is 172.31.255.222.
It is set correctly (at 9:12:18 in the details below).
At this point of time DNS resolution is not working any more (as explained above)

The following behavior shown in the log below is not visible all the time. It may be triggered by some external event in the "Allianz" network I'm connected to at the moment. I've not seen it when the WLAN was connected to other networks:
Approximately 2 minutes after VPN establishment, Tunnelblick tries to revert the DNS setting to the pre-VPN values.
Though in the log this is shown as a success, /etc/resolv.conf still shows VPN values, and at this point in time DNS resolution suddenly starts to be functional (including all VPN hosts).


It seems that Tunnelblick 3.7.5a is not able to update the macOS resolver on High Sierra 10.13.4 correctly.
However, when trying to revert the DNS settings, this suddenly succeeds.
The problem appeared first when the latest macOS update (10.13.4) was applied (2 days ago).




*Tunnelblick: OS X 10.13.4; Tunnelblick 3.7.5a (build 5011); prior version 3.6.9 (build 4685); Admin user
git commit 8aa639b020f231f1cea64abfe272e6deedfa916b


Configuration clnt-muc-hamisch-mb

"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk:

client
dev tun
proto udp
remote 194.49.60.7 9001
tls-remote "/C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=loc...@strawberry.com"
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth MD5
comp-lzo
verb 3
reneg-sec 0
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  159    0 0xffffff7f858c6000 0x1d000    0x1d000    com.McAfee.SFKext (1) 9A3A93A5-7270-3484-B55D-54C81770C43D <5 4 1>
  161    0 0xffffff7f82f42000 0xf000     0xf000     com.McAfee.AVKext (1) 99F9C282-090A-3DEE-8149-ED15B224F634 <4 1>

================================================================================

There are no unusual files in clnt-muc-hamisch-mb.tblk

================================================================================

Configuration preferences:

-skipWarningThatMayNotConnectInFutureBecauseOfOpenVPNOptions = 1
-skipWarningThatNotUsingSpecifiedOpenVPN = 1
useDNS = 1
-useRouteUpInsteadOfUp = 1
-keychainHasUsernameAndPassword = 1
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
-allowChangesToManuallySetNetworkSettings = 1
-lastConnectionSucceeded = 1
-prependDomainNameToSearchDomains = 1
-doNotShowOnTunnelblickMenu = 1

================================================================================

Wildcard preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1

================================================================================

Program preferences:

placeIconInStandardPositionInStatusBar = 1
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.7.5a (build 5011)",
    "3.6.9 (build 4685)"
)
statusDisplayNumber = 0
lastLaunchTime = 547456151.69498
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = clnt-muc-hamisch-mb
keyboardShortcutIndex = 1
updateCheckAutomatically = 0
NSWindow Frame ConnectingWindow = 525 527 389 187 0 0 1440 877 
NSWindow Frame SUUpdateAlert = 410 373 620 392 0 0 1440 877 
detailsWindowFrameVersion = 5011
detailsWindowFrame = {{260, 316}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = settings
leftNavSelectedDisplayName = clnt-muc-hamisch-mb
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 0
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SULastCheckTime = 2018-05-08 04:08:14 +0000
SULastProfileSubmissionDate = 2018-05-08 04:08:14 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
haveDealtWithSparkle1dot5b6 = 1
updateSendProfileInfo = 1

================================================================================

Tunnelblick Log:

*Tunnelblick: OS X 10.13.4; Tunnelblick 3.7.5a (build 5011); prior version 3.6.9 (build 4685)
2018-05-08 09:12:11 *Tunnelblick: Attempting connection with clnt-muc-hamisch-mb; Set nameserver = 769; monitoring connection
2018-05-08 09:12:11 *Tunnelblick: openvpnstart start clnt-muc-hamisch-mb.tblk 1337 769 0 3 0 1163696 -ptADGNWradsgnw 2.3.18-openssl-1.0.2o
2018-05-08 09:12:11 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.18-openssl-1.0.2o/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sclnt--muc--hamisch--mb.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1163696.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5011 3.7.5a (build 5011)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          /Library/Application Support/Tunnelblick/cnnheipnmbjmencmbccipfaifjhlkidooplabofo.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --route-up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -o -p -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -o -p -w -ptADGNWradsgnw

2018-05-08 09:12:11 *Tunnelblick: Established communication with OpenVPN
2018-05-08 09:12:11 *Tunnelblick: Obtained VPN username and password from the Keychain
2018-05-08 09:12:11 DEPRECATED OPTION: --tls-remote, please update your configuration
2018-05-08 09:12:11 OpenVPN 2.3.18 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 27 2018
2018-05-08 09:12:11 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2018-05-08 09:12:11 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2018-05-08 09:12:11 Need hold release from management interface, waiting...
2018-05-08 09:12:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2018-05-08 09:12:11 MANAGEMENT: CMD 'pid'
2018-05-08 09:12:11 MANAGEMENT: CMD 'state on'
2018-05-08 09:12:11 MANAGEMENT: CMD 'state'
2018-05-08 09:12:11 MANAGEMENT: CMD 'bytecount 1'
2018-05-08 09:12:11 MANAGEMENT: CMD 'hold release'
2018-05-08 09:12:11 MANAGEMENT: CMD 'username "Auth" "jens"'
2018-05-08 09:12:11 MANAGEMENT: CMD 'password [...]'
2018-05-08 09:12:11 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-05-08 09:12:11 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-05-08 09:12:11 UDPv4 link local: [undef]
2018-05-08 09:12:11 UDPv4 link remote: [AF_INET]194.49.60.7:9001
2018-05-08 09:12:11 MANAGEMENT: >STATE:1525763531,WAIT,,,
2018-05-08 09:12:11 MANAGEMENT: >STATE:1525763531,AUTH,,,
2018-05-08 09:12:11 TLS: Initial packet from [AF_INET]194.49.60.7:9001, sid=5087b008 2ad12e98
2018-05-08 09:12:11 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-05-08 09:12:11 VERIFY OK: depth=1, /C=DE/ST=BY/L=Munich/O=Strawberry/OU=CA/CN=sb-mucgw-00/name=Strawberry_CA_Munich/emailAddress=loc...@strawberry.com
2018-05-08 09:12:11 VERIFY X509NAME OK: /C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=loc...@strawberry.com
2018-05-08 09:12:11 VERIFY OK: depth=0, /C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=loc...@strawberry.com
2018-05-08 09:12:11 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-05-08 09:12:11 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2018-05-08 09:12:11 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-05-08 09:12:11 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2018-05-08 09:12:11 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2018-05-08 09:12:11 [sb-mucgw-00] Peer Connection Initiated with [AF_INET]194.49.60.7:9001
2018-05-08 09:12:11 *Tunnelblick: openvpnstart starting OpenVPN
2018-05-08 09:12:13 MANAGEMENT: >STATE:1525763533,GET_CONFIG,,,
2018-05-08 09:12:14 SENT CONTROL [sb-mucgw-00]: 'PUSH_REQUEST' (status=1)
2018-05-08 09:12:14 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,route 172.17.0.0 255.255.0.0,route 172.18.0.0 255.255.0.0,route 172.31.2.0 255.255.255.0,route 172.31.128.0 255.255.248.0,route 172.31.255.0 255.255.255.0,dhcp-option DNS 172.31.255.222,dhcp-option DOMAIN strawberry.com,route 172.30.254.1,topology net30,ping 10,ping-restart 120,ifconfig 172.30.254.26 172.30.254.25'
2018-05-08 09:12:14 OPTIONS IMPORT: timers and/or timeouts modified
2018-05-08 09:12:14 OPTIONS IMPORT: --ifconfig/up options modified
2018-05-08 09:12:14 OPTIONS IMPORT: route options modified
2018-05-08 09:12:14 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-05-08 09:12:14 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2018-05-08 09:12:14 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2018-05-08 09:12:14 Opened utun device utun2
2018-05-08 09:12:14 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2018-05-08 09:12:14 MANAGEMENT: >STATE:1525763534,ASSIGN_IP,,172.30.254.26,
2018-05-08 09:12:14 /sbin/ifconfig utun2 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-05-08 09:12:14 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-05-08 09:12:14 /sbin/ifconfig utun2 172.30.254.26 172.30.254.25 mtu 1500 netmask 255.255.255.255 up
2018-05-08 09:12:14 MANAGEMENT: >STATE:1525763534,ADD_ROUTES,,,
2018-05-08 09:12:14 /sbin/route add -net 172.16.0.0 172.30.254.25 255.255.0.0
                                        add net 172.16.0.0: gateway 172.30.254.25
2018-05-08 09:12:14 /sbin/route add -net 172.17.0.0 172.30.254.25 255.255.0.0
                                        add net 172.17.0.0: gateway 172.30.254.25
2018-05-08 09:12:14 /sbin/route add -net 172.18.0.0 172.30.254.25 255.255.0.0
                                        add net 172.18.0.0: gateway 172.30.254.25
2018-05-08 09:12:14 /sbin/route add -net 172.31.2.0 172.30.254.25 255.255.255.0
                                        add net 172.31.2.0: gateway 172.30.254.25
2018-05-08 09:12:14 /sbin/route add -net 172.31.128.0 172.30.254.25 255.255.248.0
                                        add net 172.31.128.0: gateway 172.30.254.25
2018-05-08 09:12:14 /sbin/route add -net 172.31.255.0 172.30.254.25 255.255.255.0
                                        add net 172.31.255.0: gateway 172.30.254.25
2018-05-08 09:12:14 /sbin/route add -net 172.30.254.1 172.30.254.25 255.255.255.255
                                        add net 172.30.254.1: gateway 172.30.254.25
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Disabled IPv6 for 'Wi-Fi'
                                        Retrieved from OpenVPN: name server(s) [ 172.31.255.222 ], domain name [ strawberry.com ], search domain(s) [  ], and SMB server(s) [  ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Prepending 'strawberry.com' to search domains '' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '172.18.8.33 172.18.8.34' to '172.31.255.222'
                                        Changed DNS SearchDomains setting from '' to 'strawberry.com'
                                        Changed DNS DomainName setting from 'public-wlan.allianz.com' to 'strawberry.com'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of '127.0.0.1'
                                        DNS servers '172.31.255.222' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2018-05-08 09:12:18 *Tunnelblick: No 'connected.sh' script to execute
2018-05-08 09:12:18 Initialization Sequence Completed
2018-05-08 09:12:18 MANAGEMENT: >STATE:1525763538,CONNECTED,SUCCESS,172.30.254.26,194.49.60.7
2018-05-08 09:13:51 *Tunnelblick process-network-changes: ServerAddresses changed from
                    *                    <array> {
                    *                    0 : 172.31.255.222
                    *                    }
                    *                     to (pre-VPN)
                    *                    <array> {
                    *                    0 : 172.18.8.33
                    *                    1 : 172.18.8.34
                    *                    }
2018-05-08 09:13:51 *Tunnelblick process-network-changes: SearchDomains changed from
                    *                    <array> {
                    *                    0 : strawberry.com
                    *                    }
                    *                     to (pre-VPN)
                    *                    
2018-05-08 09:13:51 *Tunnelblick process-network-changes: DomainName changed from
                    *                    strawberry.com
                    *                     to (pre-VPN)
                    *                    public-wlan.allianz.com
2018-05-08 09:13:51 *Tunnelblick process-network-changes: Restoring ServerAddresses, DomainName, SearchDomains to post-VPN values
2018-05-08 09:14:02 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-05-08 09:16:22 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-05-08 09:23:13 *Tunnelblick process-network-changes: A system configuration change was ignored

================================================================================

"Sanitized" full configuration file

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 194.49.60.7 9001

;remote ast.strawberry.com 443
;remote my-server-2 1194

# Distinguished Name of server
# Retrieve by: openssl x509 -subject -noout -in server.crt
tls-remote "/C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=loc...@strawberry.com"

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;cert [inline]
;ca [inline]
;key [inline]
;ca ast.strawberry.com.ca.crt
;cert ast.strawberry.com.user.crt
;key ast.strawberry.com.user.key

# Force username and password

auth-user-pass

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
cipher AES-128-CBC
auth MD5

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Let the server decide when to renegotiate keys
reneg-sec 0

<ca>
 [Security-related line(s) omitted]
</ca>
<cert>
 [Security-related line(s) omitted]
</cert>
<key>
 [Security-related line(s) omitted]
</key>



================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000 
inet6 ::1 prefixlen 128 
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
XHC20: flags=0<> mtu 0
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 6a:00:02:0b:0e:00 
media: autoselect <full-duplex>
status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 6a:00:02:0b:0e:01 
media: autoselect <full-duplex>
status: inactive
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether f4:5c:89:cd:79:39 
inet 172.27.18.24 netmask 0xffffe000 broadcast 172.27.31.255
inet6 fe80::c33:e297:b0ac:71b6%en0 prefixlen 64 secured scopeid 0x7 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 06:5c:89:cd:79:39 
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether 9a:aa:5c:35:d1:19 
inet6 fe80::98aa:5cff:fe35:d119%awdl0 prefixlen 64 scopeid 0x9 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 6a:00:02:0b:0e:00 
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
       ifmaxaddr 0 port 5 priority 0 path cost 0
member: en2 flags=3<LEARNING,DISCOVER>
       ifmaxaddr 0 port 6 priority 0 path cost 0
media: <unknown type>
status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::fb8f:de50:b43f:a99a%utun0 prefixlen 64 scopeid 0xb 
nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 172.30.254.26 --> 172.30.254.25 netmask 0xffffffff 

================================================================================

Console Log:

2018-05-08 05:59:48 Tunnelblick[1681] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-08 05:59:48 Tunnelblick[1681] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-08 06:08:15 Tunnelblick[1681] Sparkle: ===== Tunnelblick =====
2018-05-08 06:08:15 Tunnelblick[1681] Sparkle: Verified appcast signature
2018-05-08 06:08:46 Tunnelblick[1681] Sparkle: Extracting using '/usr/bin/ditto' '-x' '-k' '-' < '/Users/jens/Library/Caches/net.tunnelblick.tunnelblick/org.sparkle-project.Sparkle/Tunnelblick 5011/Tunnelblick_3.7.5a_build_5011.zip' '/Users/jens/Library/Caches/net.tunnelblick.tunnelblick/org.sparkle-project.Sparkle/Tunnelblick 5011'
2018-05-08 06:08:53 Tunnelblick[1681] updater:willInstallUpdate: Starting cleanup.
2018-05-08 06:08:54 Tunnelblick[1681] pthread_mutex_lock( &unloadKextsMutex ) failed; status = 16, errno = 2
2018-05-08 06:08:54 Tunnelblick[1681] updater:willInstallUpdate: Cleanup finished.
2018-05-08 06:08:54 Tunnelblick[1681] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2018-05-08 06:08:54 Tunnelblick[1681] pthread_mutex_trylock( &cleanupMutex ) failed; status = 16, errno = 22
2018-05-08 06:08:54 Tunnelblick[1681] pthread_mutex_trylock( &cleanupMutex ) failed is normal and expected when Tunnelblick is updated
2018-05-08 06:08:54 Tunnelblick[1681] Finished shutting down Tunnelblick; allowing termination
2018-05-08 06:09:03 Tunnelblick[11191] Tunnelblick: OS X 10.13.4; Tunnelblick 3.7.5a (build 5011)
2018-05-08 06:09:03 Tunnelblick[11191] Propagating '-resetPrimaryInterfaceAfterDisconnect' preferences that are TRUE to '-resetPrimaryInterfaceAfterUnexpectedDisconnect'
2018-05-08 06:09:03 Tunnelblick[11191] No .mip
2018-05-08 06:09:03 Tunnelblick[11191] Need to replace and/or reload 'tunnelblickd':
                                           daemonHashesMatch  = NO
                                           plistHashesMatch   = YES
                                           activePlistMatches = YES
2018-05-08 06:09:15 Tunnelblick[11191] Tunnelblick needs to:
                                         • change the owner and permissions of the program for security
2018-05-08 06:09:15 Tunnelblick[11191] Beginning installation or repair
2018-05-08 06:09:16 Tunnelblick[11191] Installation or repair succeeded; Log:
                                       Tunnelblick installer started 2018-05-08 06:09:15. 1 arguments: 0x0105
                                       Changed permissions from 744 to 755 on /var/log/Tunnelblick
                                       Created .mip
                                       Replaced /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
                                       Used launchctl to load tunnelblickd
                                       Tunnelblick installer finished without error
2018-05-08 06:09:33 Tunnelblick[11191] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-08 06:09:34 Tunnelblick[11191] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-08 06:09:34 Tunnelblick[11191] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-08 06:13:08 Tunnelblick[11191] Set 'expect disconnect' flag
2018-05-08 06:13:10 Tunnelblick[11191] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-08 06:13:11 Tunnelblick[11191] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-08 06:13:11 Tunnelblick[11191] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-08 08:05:44 Tunnelblick[11191] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-08 08:05:44 Tunnelblick[11191] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-08 08:05:44 Tunnelblick[11191] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-08 08:51:11 Tunnelblick[11191] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-08 08:51:12 Tunnelblick[11191] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-08 08:51:12 Tunnelblick[11191] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-08 08:53:33 Tunnelblick[11191] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2018-05-08 08:53:33 Tunnelblick[11191] pthread_mutex_lock( &unloadKextsMutex ) failed; status = 16, errno = 2
2018-05-08 08:53:34 Tunnelblick[11191] Finished shutting down Tunnelblick; allowing termination
2018-05-08 08:53:46 Tunnelblick[13408] Tunnelblick: OS X 10.13.4; Tunnelblick 3.7.5a (build 5011)
2018-05-08 08:53:55 Tunnelblick[13408] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-08 08:53:55 Tunnelblick[13408] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-08 08:53:55 Tunnelblick[13408] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-08 08:54:43 Tunnelblick[13408] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2018-05-08 08:54:43 Tunnelblick[13408] pthread_mutex_lock( &unloadKextsMutex ) failed; status = 16, errno = 2
2018-05-08 08:54:44 Tunnelblick[13408] Finished shutting down Tunnelblick; allowing termination
2018-05-08 09:09:10 Tunnelblick[13887] Tunnelblick: OS X 10.13.4; Tunnelblick 3.7.5a (build 5011)
2018-05-08 09:12:11 Tunnelblick[13887] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-08 09:12:11 Tunnelblick[13887] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-08 09:12:11 Tunnelblick[13887] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'

Tunnelblick developer

May 8, 2018, 7:12:38 AM
to tunnelblick-discuss
Yes, it looks like Tunnelblick isn't successful in updating the DNS resolvers when the VPN is first established.

However at 2018-05-08 09:13:51, it isn't that "Tunnelblick tries to revert the DNS setting to the pre-VPN values". It is the other way around -- the network settings have been reverted to pre-VPN settings by something else (probably a DHCP renewal), and Tunnelblick is trying to restore them to the POST-VPN values. And that seems to succeed.

The different behavior by different programs (nslookup, ping, etc.) is expected because they do not use the same DNS resolution mechanism that the rest of macOS uses.

You can use the following command in Terminal to enable extra logging of the "up" script:

defaults write net.tunnelblick.tunnelblick DB-UP -bool yes

That might point to what is going on.

To stop the extra logging, use
defaults delete net.tunnelblick.tunnelblick DB-UP

je...@segeln.de

May 8, 2018, 2:43:21 PM
to tunnelblick-discuss
Hi,


I ran Wireshark later today when the issue showed up once again.
It turns out that the DNS configuration itself seems not to be the issue, but packets get routed in the wrong direction ...



172.31.255.222/24 is the DNS server on the VPN. It is set by Tunnelblick.
172.27.18.24/22 is the WLAN IP of the Macbook.

The routing table at this point of time was

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.27.15.254      UGSc          132        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              3    32066     lo0
169.254            link#7             UCS             0        0     en0
172.16             172.30.254.25      UGSc            0        0   utun1
172.17             172.30.254.25      UGSc            0        0   utun1
172.18             172.30.254.25      UGSc            0        0   utun1
172.27/19          link#7             UCS             1        0     en0
172.27.15.254/32   link#7             UCS             1        0     en0
172.27.15.254      0:1c:7f:a1:1:99    UHLWIir        13      126     en0    562
172.27.18.24/32    link#7             UCS             2        0     en0
172.27.31.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        9     en0
172.30.254.1/32    172.30.254.25      UGSc            0        0   utun1
172.30.254.25      172.30.254.26      UH              8        0   utun1
172.31.2/24        172.30.254.25      UGSc            0        0   utun1
172.31.128/21      172.30.254.25      UGSc            0        0   utun1
172.31.255/24      172.30.254.25      UGSc            1        0   utun1
224.0.0/4          link#7             UmCS            1        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
255.255.255.255/32 link#7             UCS             1        0     en0
255.255.255.255    ff:ff:ff:ff:ff:ff  UHLWbI          0        9     en0


Wireshark was listening on the WLAN interface only (not utun1).
So I'd expect not to see any traffic destined to 172.31.255.222 in the capture, but only the OpenVPN packets.
Those also may be seen:



194.49.60.7 is the public IP of the remote tunnel endpoint and I'm running OpenVPN on port udp/9001.

Next hop for packets destined to the DNS server 172.31.255.222 should be 172.30.254.25 on utun1
However packets to this DNS server sometimes are forwarded on the WLAN interface towards the firewall (checkpoint according to the MAC address resolution).

I'm phrasing it "sometimes", because "nslookup" succeeds in sending the UDP DNS queries via the tunnel, but the macOS DNS resolver invoked by "ping" does not.


I saw this issue for the first time, when I installed the latest High Sierra update to macOS.
I'm not aware of any "route caching" mechanism ... but maybe something like that was introduced? Or is it just a bug?

However your explanation also points to some "route caching" mechanism ... because if an OS process reverted the DNS settings to pre-VPN values, then this OS process should be aware of cached routes and flush them. 

May that point into the direction of the root cause ... ?


Kind regards
Jens
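To see what the routing table posted above should select for a given destination, here is an added Python example (not code from the thread or from Tunnelblick) that expands the abbreviated BSD `netstat -rn` destination column and performs a longest-prefix lookup; the table is re-typed from the post as a constant, and the resolver list passed in at the end is an assumption. It reports the interface the kernel is expected to use, which is what the Wireshark observation above is being compared against.

```python
# Added example (not from the thread or from Tunnelblick): longest-prefix lookup
# over a macOS `netstat -rn` table, to see which interface a DNS server *should* use.
import ipaddress

# IPv4 routing table re-typed from the post above (constructed sample input).
ROUTING_TABLE = """\
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.27.15.254      UGSc          132        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              3    32066     lo0
169.254            link#7             UCS             0        0     en0
172.16             172.30.254.25      UGSc            0        0   utun1
172.17             172.30.254.25      UGSc            0        0   utun1
172.18             172.30.254.25      UGSc            0        0   utun1
172.27/19          link#7             UCS             1        0     en0
172.27.15.254/32   link#7             UCS             1        0     en0
172.27.15.254      0:1c:7f:a1:1:99    UHLWIir        13      126     en0    562
172.27.18.24/32    link#7             UCS             2        0     en0
172.27.31.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        9     en0
172.30.254.1/32    172.30.254.25      UGSc            0        0   utun1
172.30.254.25      172.30.254.26      UH              8        0   utun1
172.31.2/24        172.30.254.25      UGSc            0        0   utun1
172.31.128/21      172.30.254.25      UGSc            0        0   utun1
172.31.255/24      172.30.254.25      UGSc            1        0   utun1
224.0.0/4          link#7             UmCS            1        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
255.255.255.255/32 link#7             UCS             1        0     en0
255.255.255.255    ff:ff:ff:ff:ff:ff  UHLWbI          0        9     en0
"""


def parse_destination(dest):
    """Expand BSD's abbreviated destination column into an IPv4 network.

    'default'       -> 0.0.0.0/0
    '172.16'        -> 172.16.0.0/16    (missing octets imply the prefix length)
    '172.27/19'     -> 172.27.0.0/19    (explicit prefix, missing octets padded)
    '172.27.15.254' -> 172.27.15.254/32 (four octets, no slash: host route)
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_routing_table(text):
    """Return [(network, gateway, interface)] from the IPv4 part of `netstat -rn`."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] in ("Internet:", "Destination"):
            continue
        try:
            net = parse_destination(fields[0])
        except ValueError:  # IPv6 rows or anything else that is not an IPv4 route
            continue
        routes.append((net, fields[1], fields[5]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match; returns (gateway, interface), or None if nothing matches."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def dns_route_report(table_text, resolvers, tunnel_iface):
    """Map each resolver to (interface, routed_via_tunnel).  A resolver the table
    sends out of a non-tunnel interface means plain-text DNS leaves on the LAN."""
    routes = parse_routing_table(table_text)
    report = {}
    for resolver in resolvers:
        hit = lookup(routes, resolver)
        iface = hit[1] if hit else None
        report[resolver] = (iface, iface == tunnel_iface)
    return report


if __name__ == "__main__":
    # Resolver list is an assumption: the VPN-pushed server plus the two pre-VPN (DHCP) servers.
    resolvers = ["172.31.255.222", "172.18.8.33", "172.18.8.34"]
    for resolver, (iface, ok) in dns_route_report(ROUTING_TABLE, resolvers, "utun1").items():
        print(f"{resolver:16} -> {iface}  {'via tunnel' if ok else 'NOT via tunnel'}")
```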

je...@segeln.de

May 8, 2018, 2:46:40 PM
to tunnelblick-discuss
Just updated the screenshot in my previous post

je...@segeln.de

May 9, 2018, 2:26:28 AM
to tunnelblick-discuss
From an IP protocol perspective, the only option for a UDP client to "cache" a route would be IP loose source routing.
Is mDNSresponder (as part of the Bonjour suite) doing that, because it discovered the DNS server on interface en0 before the tunnel parameters became configured? If yes, how does somebody tell mDNSresponder to forget about things learned earlier?

je...@segeln.de

May 9, 2018, 4:46:06 AM
to tunnelblick-discuss
I've traced another session:


-skipWarningThatCannotConnectBecauseOfOpenVPNOptionConflicts = 1
useDNS = 1
-useRouteUpInsteadOfUp = 1
-keychainHasUsernameAndPassword = 1
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
-allowChangesToManuallySetNetworkSettings = 1
-lastConnectionSucceeded = 1
-prependDomainNameToSearchDomains = 1
-doNotShowOnTunnelblickMenu = 1

================================================================================

Wildcard preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1

================================================================================

Program preferences:

placeIconInStandardPositionInStatusBar = 1
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.7.5a (build 5011)",
    "3.6.9 (build 4685)"
)
statusDisplayNumber = 0
lastLaunchTime = 547460776.1576819
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = clnt-muc-hamisch-mb
keyboardShortcutIndex = 1
updateCheckAutomatically = 0
NSWindow Frame ConnectingWindow = 525 527 389 187 0 0 1440 877 
NSWindow Frame SUUpdateAlert = 410 373 620 392 0 0 1440 877 
detailsWindowFrameVersion = 5011
detailsWindowFrame = {{203, 379}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = log
leftNavSelectedDisplayName = clnt-muc-hamisch-mb
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 0
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SULastCheckTime = 2018-05-08 04:08:14 +0000
SULastProfileSubmissionDate = 2018-05-08 04:08:14 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
haveDealtWithSparkle1dot5b6 = 1
updateSendProfileInfo = 1

================================================================================

Tunnelblick Log:

2018-05-09 10:28:26 *Tunnelblick: openvpnstart starting OpenVPN
*Tunnelblick: OS X 10.13.4; Tunnelblick 3.7.5a (build 5011); prior version 3.6.9 (build 4685)
2018-05-09 10:28:26 *Tunnelblick: Attempting connection with clnt-muc-hamisch-mb; Set nameserver = 769; monitoring connection
2018-05-09 10:28:26 *Tunnelblick: openvpnstart start clnt-muc-hamisch-mb.tblk 1338 769 0 3 0 1163696 -ptADGNWradsgnw 2.3.18-openssl-1.0.2o
2018-05-09 10:28:27 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.18-openssl-1.0.2o/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sclnt--muc--hamisch--mb.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1163696.1338.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5011 3.7.5a (build 5011)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources
          --management
          127.0.0.1
          1338
          /Library/Application Support/Tunnelblick/cnnheipnmbjmencmbccipfaifjhlkidooplabofo.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --route-up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -o -p -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -o -p -w -ptADGNWradsgnw

2018-05-09 10:28:27 *Tunnelblick: Established communication with OpenVPN
2018-05-09 10:28:27 DEPRECATED OPTION: --tls-remote, please update your configuration
2018-05-09 10:28:27 OpenVPN 2.3.18 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 27 2018
2018-05-09 10:28:27 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2018-05-09 10:28:27 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2018-05-09 10:28:27 Need hold release from management interface, waiting...
2018-05-09 10:28:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2018-05-09 10:28:27 MANAGEMENT: CMD 'pid'
2018-05-09 10:28:27 *Tunnelblick: Obtained VPN username and password from the Keychain
2018-05-09 10:28:27 MANAGEMENT: CMD 'state on'
2018-05-09 10:28:27 MANAGEMENT: CMD 'state'
2018-05-09 10:28:27 MANAGEMENT: CMD 'bytecount 1'
2018-05-09 10:28:27 MANAGEMENT: CMD 'hold release'
2018-05-09 10:28:27 MANAGEMENT: CMD 'username "Auth" "jens"'
2018-05-09 10:28:27 MANAGEMENT: CMD 'password [...]'
2018-05-09 10:28:27 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-05-09 10:28:27 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-05-09 10:28:27 UDPv4 link local: [undef]
2018-05-09 10:28:27 UDPv4 link remote: [AF_INET]194.49.60.7:9001
2018-05-09 10:28:27 MANAGEMENT: >STATE:1525854507,WAIT,,,
2018-05-09 10:28:27 MANAGEMENT: >STATE:1525854507,AUTH,,,
2018-05-09 10:28:27 TLS: Initial packet from [AF_INET]194.49.60.7:9001, sid=8b7ad86c 33e05d40
2018-05-09 10:28:27 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-05-09 10:28:27 VERIFY OK: depth=1, /C=DE/ST=BY/L=Munich/O=Strawberry/OU=CA/CN=sb-mucgw-00/name=Strawberry_CA_Munich/emailAddress=loc...@strawberry.com
2018-05-09 10:28:27 VERIFY X509NAME OK: /C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=loc...@strawberry.com
2018-05-09 10:28:27 VERIFY OK: depth=0, /C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=loc...@strawberry.com
2018-05-09 10:28:27 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-05-09 10:28:27 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2018-05-09 10:28:27 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-05-09 10:28:27 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2018-05-09 10:28:27 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2018-05-09 10:28:27 [sb-mucgw-00] Peer Connection Initiated with [AF_INET]194.49.60.7:9001
2018-05-09 10:28:29 MANAGEMENT: >STATE:1525854509,GET_CONFIG,,,
2018-05-09 10:28:30 SENT CONTROL [sb-mucgw-00]: 'PUSH_REQUEST' (status=1)
2018-05-09 10:28:30 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,route 172.17.0.0 255.255.0.0,route 172.18.0.0 255.255.0.0,route 172.31.2.0 255.255.255.0,route 172.31.128.0 255.255.248.0,route 172.31.255.0 255.255.255.0,dhcp-option DNS 172.31.255.222,dhcp-option DOMAIN strawberry.com,route 172.30.254.1,topology net30,ping 10,ping-restart 120,ifconfig 172.30.254.26 172.30.254.25'
2018-05-09 10:28:30 OPTIONS IMPORT: timers and/or timeouts modified
2018-05-09 10:28:30 OPTIONS IMPORT: --ifconfig/up options modified
2018-05-09 10:28:30 OPTIONS IMPORT: route options modified
2018-05-09 10:28:30 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-05-09 10:28:30 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2018-05-09 10:28:30 Opened utun device utun1
2018-05-09 10:28:30 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2018-05-09 10:28:30 MANAGEMENT: >STATE:1525854510,ASSIGN_IP,,172.30.254.26,
2018-05-09 10:28:30 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-05-09 10:28:30 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-05-09 10:28:30 /sbin/ifconfig utun1 172.30.254.26 172.30.254.25 mtu 1500 netmask 255.255.255.255 up
2018-05-09 10:28:30 MANAGEMENT: >STATE:1525854510,ADD_ROUTES,,,
2018-05-09 10:28:30 /sbin/route add -net 172.16.0.0 172.30.254.25 255.255.0.0
                                        add net 172.16.0.0: gateway 172.30.254.25
2018-05-09 10:28:30 /sbin/route add -net 172.17.0.0 172.30.254.25 255.255.0.0
                                        add net 172.17.0.0: gateway 172.30.254.25
2018-05-09 10:28:30 /sbin/route add -net 172.18.0.0 172.30.254.25 255.255.0.0
                                        add net 172.18.0.0: gateway 172.30.254.25
2018-05-09 10:28:30 /sbin/route add -net 172.31.2.0 172.30.254.25 255.255.255.0
                                        add net 172.31.2.0: gateway 172.30.254.25
2018-05-09 10:28:30 /sbin/route add -net 172.31.128.0 172.30.254.25 255.255.248.0
                                        add net 172.31.128.0: gateway 172.30.254.25
2018-05-09 10:28:30 /sbin/route add -net 172.31.255.0 172.30.254.25 255.255.255.0
                                        add net 172.31.255.0: gateway 172.30.254.25
2018-05-09 10:28:30 /sbin/route add -net 172.30.254.1 172.30.254.25 255.255.255.255
                                        add net 172.30.254.1: gateway 172.30.254.25
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Disabled IPv6 for 'Wi-Fi'
                                        Retrieved from OpenVPN: name server(s) [ 172.31.255.222 ], domain name [ strawberry.com ], search domain(s) [  ], and SMB server(s) [  ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Prepending 'strawberry.com' to search domains '' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '172.18.8.33 172.18.8.34' to '172.31.255.222'
                                        Changed DNS SearchDomains setting from '' to 'strawberry.com'
                                        Changed DNS DomainName setting from 'public-wlan.allianz.com' to 'strawberry.com'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of '127.0.0.1'
                                        DNS servers '172.31.255.222' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2018-05-09 10:28:34 *Tunnelblick: No 'connected.sh' script to execute
2018-05-09 10:28:34 Initialization Sequence Completed
2018-05-09 10:28:34 MANAGEMENT: >STATE:1525854514,CONNECTED,SUCCESS,172.30.254.26,194.49.60.7
2018-05-09 10:30:52 *Tunnelblick process-network-changes: ServerAddresses changed from
                    *                    <array> {
                    *                    0 : 172.31.255.222
                    *                    }
                    *                     to (pre-VPN)
                    *                    <array> {
                    *                    0 : 172.18.8.33
                    *                    1 : 172.18.8.34
                    *                    }
2018-05-09 10:30:52 *Tunnelblick process-network-changes: SearchDomains changed from
                    *                    <array> {
                    *                    0 : strawberry.com
                    *                    }
                    *                     to (pre-VPN)
                    *                    
2018-05-09 10:30:52 *Tunnelblick process-network-changes: DomainName changed from
                    *                    strawberry.com
                    *                     to (pre-VPN)
                    *                    public-wlan.allianz.com
2018-05-09 10:30:52 *Tunnelblick process-network-changes: Restoring ServerAddresses, DomainName, SearchDomains to post-VPN values
2018-05-09 10:31:03 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-05-09 10:33:23 *Tunnelblick process-network-changes: A system configuration change was ignored
inet 172.27.30.71 netmask 0xffffe000 broadcast 172.27.31.255
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::5ce4:79c9:7702:9f48%utun2 prefixlen 64 scopeid 0xd 
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 172.30.254.26 --> 172.30.254.25 netmask 0xffffffff 

================================================================================

Console Log:

2018-05-09 08:20:56 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 08:20:56 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 08:20:56 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 09:07:57 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 09:07:57 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 09:07:57 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 09:19:52 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 09:19:53 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 09:19:53 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 10:28:26 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 10:28:27 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 10:28:27 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'




When Tunnelblick came up, it configured networks, routes and DNS accordingly.
However DNS queries were sent on interface en0, though the DNS server was reachable on utun1 only.


Then, at 10:30:51.597 a DHCP update came in. This DHCP update reverted the DNS settings to the pre-VPN values.
From now on DNS queries were sent to the pre-VPN DNS server once again ...
... until 10:30:52.379 when Tunnelblick successfully overwrote the DNS settings using the VPN values


From this point in time, DNS queries were sent via the tunnel interface.
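The revert-then-restore sequence the developer describes above (DHCP renewal puts the pre-VPN resolvers back, Tunnelblick's process-network-changes puts the VPN values back) is visible in the "changed from ... to (pre-VPN)" lines of the log. This added Python example, which is not Tunnelblick's own code, parses those multi-line entries from a log excerpt constructed from the session above and flags any revert that was not followed by a matching "Restoring" line; the 5-second window is an assumption.

```python
# Added example (not Tunnelblick's code): parse 'process-network-changes' log entries
# and flag DNS reverts to pre-VPN values that were not restored shortly afterwards.
import re
from datetime import datetime

# Log excerpt constructed from the session posted above.
SAMPLE_LOG = """\
2018-05-09 10:28:34 Initialization Sequence Completed
2018-05-09 10:30:52 *Tunnelblick process-network-changes: ServerAddresses changed from
                    *                    <array> {
                    *                    0 : 172.31.255.222
                    *                    }
                    *                     to (pre-VPN)
                    *                    <array> {
                    *                    0 : 172.18.8.33
                    *                    1 : 172.18.8.34
                    *                    }
2018-05-09 10:30:52 *Tunnelblick process-network-changes: SearchDomains changed from
                    *                    <array> {
                    *                    0 : strawberry.com
                    *                    }
                    *                     to (pre-VPN)
                    *
2018-05-09 10:30:52 *Tunnelblick process-network-changes: DomainName changed from
                    *                    strawberry.com
                    *                     to (pre-VPN)
                    *                    public-wlan.allianz.com
2018-05-09 10:30:52 *Tunnelblick process-network-changes: Restoring ServerAddresses, DomainName, SearchDomains to post-VPN values
2018-05-09 10:31:03 *Tunnelblick process-network-changes: A system configuration change was ignored
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
PREFIX = r" \*Tunnelblick process-network-changes: "
CHANGE_RE = re.compile("^" + TS + PREFIX + r"(\w+) changed from$")
RESTORE_RE = re.compile("^" + TS + PREFIX + r"Restoring (.+) to post-VPN values$")
CONT_RE = re.compile(r"^\s+\*\s*(.*)$")  # continuation lines: whitespace, '*', payload


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _values(raw):
    """Flatten a printed value: the items of an '<array> { n : x }' block, or a
    single scalar line.  Blank lines and the braces carry no data."""
    out = []
    for item in raw:
        item = item.strip()
        if not item or item.startswith("<array>") or item == "}":
            continue
        m = re.match(r"^\d+ : (.*)$", item)
        out.append(m.group(1) if m else item)
    return out


def parse_network_changes(text):
    """Return a chronological list of 'revert' and 'restore' events."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        r = RESTORE_RE.match(lines[i])
        if r:
            events.append({"kind": "restore", "time": _ts(r.group(1)),
                           "keys": [k.strip() for k in r.group(2).split(",")]})
            i += 1
            continue
        m = CHANGE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        before, after = [], []
        target = before
        while i < len(lines):
            c = CONT_RE.match(lines[i])
            if not c:
                break
            body = c.group(1).strip()
            if body == "to (pre-VPN)":
                target = after  # everything after this marker is the pre-VPN value
            else:
                target.append(body)
            i += 1
        events.append({"kind": "revert", "time": _ts(m.group(1)), "key": m.group(2),
                       "from": _values(before), "to": _values(after)})
    return events


def unrestored_reverts(events, max_gap_seconds=5):
    """Reverts with no matching 'Restoring ...' line within max_gap_seconds.
    Each one is a window in which queries went to the pre-VPN resolver."""
    pending = []
    for e in events:
        if e["kind"] == "revert":
            pending.append(e)
            continue
        pending = [p for p in pending
                   if not (p["key"] in e["keys"]
                           and 0 <= (e["time"] - p["time"]).total_seconds() <= max_gap_seconds)]
    return [(p["key"], p["time"].strftime("%H:%M:%S")) for p in pending]


if __name__ == "__main__":
    events = parse_network_changes(SAMPLE_LOG)
    for e in events:
        print(e)
    print("unrestored reverts:", unrestored_reverts(events))
```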

Tunnelblick developer

May 9, 2018, 7:48:27 AM
to tunnelblick-discuss
Try putting a check in "Route all IPv4 traffic through the VPN".

je...@segeln.de

May 9, 2018, 8:26:03 AM
to tunnelblick-discuss
Hi,


I tried that ...
The result is surprising:

1. After the VPN came up, I saw only packets addressed to the local network and to the VPN remote tunnel gateway in Wireshark.
    Additionally I saw a lot of retransmissions coming in from other remote servers, that were still trying to reach me via the WLAN.
    That's fine ...

2. I don't see any traffic destined to the DNS server on the VPN any more.
    However I see a lot of traffic on the VPN now.
    That's also fine and expected ....

3. But:
    Name resolution still does not work

4. And:
    At the point of time the DHCP event comes in, things change as they did w/o the "route all IPv4 traffic" option enabled:
    - name service started to be functional
    - VPN traffic increased dramatically



One thing I've expected was HTTP traffic and others not working fine, because on the VPN side firewalls are closed.
As DNS traffic was encapsulated into the VPN I would have expected name resolution to be functional, but it was not.

br, Jens



-routeAllTrafficThroughVpn = 1
2018-05-09 14:06:16 *Tunnelblick: openvpnstart starting OpenVPN
*Tunnelblick: OS X 10.13.4; Tunnelblick 3.7.5a (build 5011); prior version 3.6.9 (build 4685)
2018-05-09 14:06:16 *Tunnelblick: Attempting connection with clnt-muc-hamisch-mb; Set nameserver = 769; monitoring connection
2018-05-09 14:06:16 *Tunnelblick: openvpnstart start clnt-muc-hamisch-mb.tblk 1338 769 0 3 0 1164208 -ptADGNWradsgnw 2.3.18-openssl-1.0.2o
2018-05-09 14:06:17 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.18-openssl-1.0.2o/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sclnt--muc--hamisch--mb.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1164208.1338.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5011 3.7.5a (build 5011)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Shared/clnt-muc-hamisch-mb.tblk/Contents/Resources
          --management
          127.0.0.1
          1338
          /Library/Application Support/Tunnelblick/cnnheipnmbjmencmbccipfaifjhlkidooplabofo.mip
          --management-query-passwords
          --management-hold
          --redirect-gateway
          def1
          --script-security
          2
          --route-up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -o -p -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -o -p -w -ptADGNWradsgnw

2018-05-09 14:06:16 DEPRECATED OPTION: --tls-remote, please update your configuration
2018-05-09 14:06:16 OpenVPN 2.3.18 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 27 2018
2018-05-09 14:06:16 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2018-05-09 14:06:16 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2018-05-09 14:06:16 Need hold release from management interface, waiting...
2018-05-09 14:06:17 *Tunnelblick: Established communication with OpenVPN
2018-05-09 14:06:17 *Tunnelblick: Obtained VPN username and password from the Keychain
2018-05-09 14:06:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2018-05-09 14:06:17 MANAGEMENT: CMD 'pid'
2018-05-09 14:06:17 MANAGEMENT: CMD 'state on'
2018-05-09 14:06:17 MANAGEMENT: CMD 'state'
2018-05-09 14:06:17 MANAGEMENT: CMD 'bytecount 1'
2018-05-09 14:06:17 MANAGEMENT: CMD 'hold release'
2018-05-09 14:06:17 MANAGEMENT: CMD 'username "Auth" "jens"'
2018-05-09 14:06:17 MANAGEMENT: CMD 'password [...]'
2018-05-09 14:06:17 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-05-09 14:06:17 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-05-09 14:06:17 UDPv4 link local: [undef]
2018-05-09 14:06:17 UDPv4 link remote: [AF_INET]194.49.60.7:9001
2018-05-09 14:06:17 MANAGEMENT: >STATE:1525867577,WAIT,,,
2018-05-09 14:06:17 MANAGEMENT: >STATE:1525867577,AUTH,,,
2018-05-09 14:06:17 TLS: Initial packet from [AF_INET]194.49.60.7:9001, sid=5eb6c190 7453e441
2018-05-09 14:06:17 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-05-09 14:06:17 VERIFY OK: depth=1, /C=DE/ST=BY/L=Munich/O=Strawberry/OU=CA/CN=sb-mucgw-00/name=Strawberry_CA_Munich/emailAddress=loc...@strawberry.com
2018-05-09 14:06:17 VERIFY X509NAME OK: /C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=loc...@strawberry.com
2018-05-09 14:06:17 VERIFY OK: depth=0, /C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=loc...@strawberry.com
2018-05-09 14:06:17 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-05-09 14:06:17 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2018-05-09 14:06:17 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-05-09 14:06:17 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2018-05-09 14:06:17 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2018-05-09 14:06:17 [sb-mucgw-00] Peer Connection Initiated with [AF_INET]194.49.60.7:9001
2018-05-09 14:06:18 MANAGEMENT: >STATE:1525867578,GET_CONFIG,,,
2018-05-09 14:06:20 SENT CONTROL [sb-mucgw-00]: 'PUSH_REQUEST' (status=1)
2018-05-09 14:06:20 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,route 172.17.0.0 255.255.0.0,route 172.18.0.0 255.255.0.0,route 172.31.2.0 255.255.255.0,route 172.31.128.0 255.255.248.0,route 172.31.255.0 255.255.255.0,dhcp-option DNS 172.31.255.222,dhcp-option DOMAIN strawberry.com,route 172.30.254.1,topology net30,ping 10,ping-restart 120,ifconfig 172.30.254.26 172.30.254.25'
2018-05-09 14:06:20 OPTIONS IMPORT: timers and/or timeouts modified
2018-05-09 14:06:20 OPTIONS IMPORT: --ifconfig/up options modified
2018-05-09 14:06:20 OPTIONS IMPORT: route options modified
2018-05-09 14:06:20 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-05-09 14:06:20 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2018-05-09 14:06:20 Opened utun device utun1
2018-05-09 14:06:20 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2018-05-09 14:06:20 MANAGEMENT: >STATE:1525867580,ASSIGN_IP,,172.30.254.26,
2018-05-09 14:06:20 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-05-09 14:06:20 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-05-09 14:06:20 /sbin/ifconfig utun1 172.30.254.26 172.30.254.25 mtu 1500 netmask 255.255.255.255 up
2018-05-09 14:06:20 /sbin/route add -net 194.49.60.7 172.27.15.254 255.255.255.255
                                        add net 194.49.60.7: gateway 172.27.15.254
2018-05-09 14:06:20 /sbin/route add -net 0.0.0.0 172.30.254.25 128.0.0.0
                                        add net 0.0.0.0: gateway 172.30.254.25
2018-05-09 14:06:20 /sbin/route add -net 128.0.0.0 172.30.254.25 128.0.0.0
                                        add net 128.0.0.0: gateway 172.30.254.25
2018-05-09 14:06:20 MANAGEMENT: >STATE:1525867580,ADD_ROUTES,,,
2018-05-09 14:06:20 /sbin/route add -net 172.16.0.0 172.30.254.25 255.255.0.0
                                        add net 172.16.0.0: gateway 172.30.254.25
2018-05-09 14:06:20 /sbin/route add -net 172.17.0.0 172.30.254.25 255.255.0.0
                                        add net 172.17.0.0: gateway 172.30.254.25
2018-05-09 14:06:20 /sbin/route add -net 172.18.0.0 172.30.254.25 255.255.0.0
                                        add net 172.18.0.0: gateway 172.30.254.25
2018-05-09 14:06:20 /sbin/route add -net 172.31.2.0 172.30.254.25 255.255.255.0
                                        add net 172.31.2.0: gateway 172.30.254.25
2018-05-09 14:06:20 /sbin/route add -net 172.31.128.0 172.30.254.25 255.255.248.0
                                        add net 172.31.128.0: gateway 172.30.254.25
2018-05-09 14:06:20 /sbin/route add -net 172.31.255.0 172.30.254.25 255.255.255.0
                                        add net 172.31.255.0: gateway 172.30.254.25
2018-05-09 14:06:20 /sbin/route add -net 172.30.254.1 172.30.254.25 255.255.255.255
                                        add net 172.30.254.1: gateway 172.30.254.25
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Disabled IPv6 for 'Wi-Fi'
                                        Retrieved from OpenVPN: name server(s) [ 172.31.255.222 ], domain name [ strawberry.com ], search domain(s) [  ], and SMB server(s) [  ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Prepending 'strawberry.com' to search domains '' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '172.18.8.33 172.18.8.34' to '172.31.255.222'
                                        Changed DNS SearchDomains setting from '' to 'strawberry.com'
                                        Changed DNS DomainName setting from 'public-wlan.allianz.com' to 'strawberry.com'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of '127.0.0.1'
                                        DNS servers '172.31.255.222' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2018-05-09 14:06:24 *Tunnelblick: No 'connected.sh' script to execute
2018-05-09 14:06:24 Initialization Sequence Completed
2018-05-09 14:06:24 MANAGEMENT: >STATE:1525867584,CONNECTED,SUCCESS,172.30.254.26,194.49.60.7
2018-05-09 14:10:45 *Tunnelblick process-network-changes: ServerAddresses changed from
                    *                    <array> {
                    *                    0 : 172.31.255.222
                    *                    }
                    *                     to (pre-VPN)
                    *                    <array> {
                    *                    0 : 172.18.8.33
                    *                    1 : 172.18.8.34
                    *                    }
2018-05-09 14:10:45 *Tunnelblick process-network-changes: SearchDomains changed from
                    *                    <array> {
                    *                    0 : strawberry.com
                    *                    }
                    *                     to (pre-VPN)
                    *                    
2018-05-09 14:10:45 *Tunnelblick process-network-changes: DomainName changed from
                    *                    strawberry.com
                    *                     to (pre-VPN)
                    *                    public-wlan.allianz.com
2018-05-09 14:10:45 *Tunnelblick process-network-changes: Restoring ServerAddresses, DomainName, SearchDomains to post-VPN values
2018-05-09 11:26:37 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 11:26:38 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 11:26:38 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 12:34:41 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 12:34:42 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 12:34:42 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 12:56:24 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 12:56:24 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 12:56:25 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 13:50:18 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 13:50:18 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 13:50:18 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 13:59:56 Tunnelblick[15407] Set 'expect disconnect' flag
2018-05-09 14:00:22 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 14:00:23 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 14:00:23 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 14:05:14 Tunnelblick[15407] Set 'expect disconnect' flag
2018-05-09 14:05:28 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 14:05:28 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 14:05:28 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'
2018-05-09 14:05:46 Tunnelblick[15407] Set 'expect disconnect' flag
2018-05-09 14:06:16 Tunnelblick[15407] Configuration clnt-muc-hamisch-mb will use OpenVPN 2.3.18 - OpenSSL v1.0.2o instead of 2.4.4 - OpenSSL v1.0.2o
2018-05-09 14:06:17 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'username'
2018-05-09 14:06:17 Tunnelblick[15407] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-clnt-muc-hamisch-mb' account = 'password'

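As an added example (not Tunnelblick's own code), here is a small Python parser for the process-network-changes blocks shown in the log above; it reports how long after "Initialization Sequence Completed" the DNS ServerAddresses were reverted to their pre-VPN values, which is the race this thread is about. The sample log lines are constructed from the excerpt in this post.

```python
"""Detect the DNS-revert race in a Tunnelblick log.

Added example, not Tunnelblick's own code. It parses the
"process-network-changes: ServerAddresses changed from ... to (pre-VPN)"
blocks Tunnelblick writes when something resets DNS after the VPN is up,
and reports how long after "Initialization Sequence Completed" each revert
happened and whether Tunnelblick restored the VPN values afterwards.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
ENTRY = re.compile(r"^\d+ : (\S+)$")  # array element, e.g. "0 : 172.31.255.222"
CHANGED = "*Tunnelblick process-network-changes: ServerAddresses changed from"
RESTORED = "*Tunnelblick process-network-changes: Restoring ServerAddresses"
CONNECTED = "Initialization Sequence Completed"


@dataclass
class DnsRevert:
    when: datetime
    vpn_servers: List[str]       # what the VPN (client.up script) had set
    pre_vpn_servers: List[str]   # what macOS put back
    seconds_after_connect: Optional[float]
    restored_by_tunnelblick: bool = False


def _continuation(line: str) -> Optional[str]:
    """Payload of a multi-line log continuation ('*' prefixed), else None."""
    s = line.strip()
    if not s.startswith("*"):
        return None
    return s[1:].strip()


def find_dns_reverts(log_text: str) -> List[DnsRevert]:
    reverts: List[DnsRevert] = []
    connected_at: Optional[datetime] = None
    current: Optional[DnsRevert] = None
    side: Optional[str] = None  # "from" / "to" while inside a changed block
    for raw in log_text.splitlines():
        m = STAMP.match(raw)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            msg = m.group(2)
            side = None  # any timestamped line ends a continuation block
            if msg == CONNECTED:
                connected_at = when
            elif msg.startswith(CHANGED):
                delta = (when - connected_at).total_seconds() if connected_at else None
                current = DnsRevert(when, [], [], delta)
                reverts.append(current)
                side = "from"
            elif msg.startswith(RESTORED) and current is not None:
                current.restored_by_tunnelblick = True
            continue
        payload = _continuation(raw)
        if side is None or payload is None or current is None:
            continue
        if payload.startswith("to (pre-VPN)"):
            side = "to"
            continue
        e = ENTRY.match(payload)
        if e:
            target = current.vpn_servers if side == "from" else current.pre_vpn_servers
            target.append(e.group(1))
    return reverts


def vpn_dns_lost(r: DnsRevert) -> bool:
    """True when none of the VPN-assigned resolvers survived the revert."""
    return bool(r.vpn_servers) and not any(s in r.pre_vpn_servers for s in r.vpn_servers)


# Constructed sample, modelled on the log excerpt in this post.
SAMPLE_LOG = """\
2018-05-09 14:06:24 Initialization Sequence Completed
2018-05-09 14:06:24 MANAGEMENT: >STATE:1525867584,CONNECTED,SUCCESS,172.30.254.26,194.49.60.7
2018-05-09 14:10:45 *Tunnelblick process-network-changes: ServerAddresses changed from
                    *                    <array> {
                    *                    0 : 172.31.255.222
                    *                    }
                    *                     to (pre-VPN)
                    *                    <array> {
                    *                    0 : 172.18.8.33
                    *                    1 : 172.18.8.34
                    *                    }
2018-05-09 14:10:45 *Tunnelblick process-network-changes: SearchDomains changed from
                    *                    <array> {
                    *                    0 : strawberry.com
                    *                    }
                    *                     to (pre-VPN)
                    *
2018-05-09 14:10:45 *Tunnelblick process-network-changes: Restoring ServerAddresses, DomainName, SearchDomains to post-VPN values
"""

if __name__ == "__main__":
    for r in find_dns_reverts(SAMPLE_LOG):
        print(f"{r.when}: DNS reverted {r.vpn_servers} -> {r.pre_vpn_servers} "
              f"{r.seconds_after_connect:.0f}s after connect; "
              f"VPN DNS lost={vpn_dns_lost(r)}; restored={r.restored_by_tunnelblick}")
```

Run it against a full Tunnelblick log to see whether the revert keeps recurring while connected, which is the pattern the "Set DNS after routes are set" option is meant to address.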
je...@segeln.de

unread,
May 9, 2018, 3:31:31 PM5/9/18
to tunnelblick-discuss
The following workaround will force the race condition to stop:

sudo ifconfig en0 down; sudo ifconfig en0 up

tls-remote "/C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=locad...@strawberry.com"
2018-05-09 14:06:17 VERIFY OK: depth=1, /C=DE/ST=BY/L=Munich/O=Strawberry/OU=CA/CN=sb-mucgw-00/name=Strawberry_CA_Munich/emailAddress=locadm@strawberry.com
2018-05-09 14:06:17 VERIFY X509NAME OK: /C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=locad...@strawberry.com
2018-05-09 14:06:17 VERIFY OK: depth=0, /C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=locad...@strawberry.com
tls-remote "/C=DE/ST=BY/L=Munich/O=Strawberry/OU=IT/CN=sb-mucgw-00/name=Strawberry_VPN_access_point_munich/emailAddress=locad...@strawberry.com"

Tunnelblick developer

unread,
May 10, 2018, 7:50:53 PM5/10/18
to tunnelblick-discuss
You might try checking "Set DNS after routes are set" for the configuration on Tunnelblick's Advanced settings window (and not up/down the interface).

je...@segeln.de

unread,
May 11, 2018, 4:23:36 AM5/11/18
to tunnelblick-discuss
I've already enabled this setting.

Jens Hamisch

unread,
Jun 15, 2018, 10:16:10 AM6/15/18
to tunnelblick-discuss
Hi, 

any news on this topic?
I've upgraded to Tunnelblick 3.7.6 (build 5060) but the problem is still persistent.

Kind regards
Jens

goo...@alshetgaatom.com

unread,
Jun 27, 2018, 2:00:01 PM6/27/18
to tunnelblick-discuss
Hi,

I got the feeling I am having the same issue. A couple of times a year a new update of Tunnelblick breaks something with the DNS. Then I either have to wait two or more releases for it to be fixed or downgrade to an earlier version that worked for me. Current version 3.7.6a (build 5080) is not working. The same for version 3.7.6 (build 5060). To my feeling, version 3.6.5 (build 5010) was working fine. But I do not see an available download for this version.

Regards,

Frank

Tunnelblick developer

unread,
Jun 27, 2018, 2:16:49 PM6/27/18
to tunnelblick-discuss
Frank - Thanks for your report.
  1. Please post the diagnostic info you get by following the instructions at Read Before You Post.

  2. As is noted on the Deprecated Downloads page, "All other deprecated versions of Tunnelblick contain serious security vulnerabilities. Binary releases of such versions are not publicly available. Anyone requiring such a release may build it from source using the instructions included in the source code or may contact the developers for a copy."

    We don't generally supply such binaries unless the user can demonstrate that newer versions of Tunnelblick cannot be made to work.

goo...@alshetgaatom.com

unread,
Jun 27, 2018, 2:48:56 PM6/27/18
to tunnelblick-discuss
Hi,

Thank you for your reply. Below is the Log.

Frank



*Tunnelblick: OS X 10.11.6; Tunnelblick 3.7.6a (build 5080); prior version 3.7.6 (build 5060); Admin user
git commit 6fdd1f713d2f62963325336c09e74808321191cb


Configuration [name]

"Sanitized" condensed configuration file for /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk:

dev tun
tls-client
remote [ipv4] 1194
redirect-gateway def1
pull
proto udp
script-security 2
reneg-sec 0
cipher BF-CBC
auth SHA1
auth-user-pass
<ca>
[Security-related line(s) omitted]
</ca>


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  136    0 0xffffff7f810fa000 0x3000     0x3000     com.paceap.kext.pacesupport.snowleopard (5.9.1) 25206F6A-6BC3-E93C-C31E-371502C8CE8E <7 5 4 3 1>
  139    3 0xffffff7f82ec6000 0x63000    0x63000    org.virtualbox.kext.VBoxDrv (5.2.6) C32CCC8B-7E44-3974-BEC0-9C1FA570690D <7 5 4 3 1>
  146    0 0xffffff7f82f30000 0x8000     0x8000     org.virtualbox.kext.VBoxUSB (5.2.6) A60E8437-734A-3C07-8488-5885145AEE0C <145 139 39 7 5 4 3 1>
  147    0 0xffffff7f82f38000 0x5000     0x5000     org.virtualbox.kext.VBoxNetFlt (5.2.6) 552BD757-0D66-3F90-9A20-C6C7881F4A2F <139 7 5 4 3 1>
  148    0 0xffffff7f82f3d000 0x6000     0x6000     org.virtualbox.kext.VBoxNetAdp (5.2.6) 8B8163C1-1125-36B8-AC6A-1AA38506938D <139 5 4 1>

================================================================================

There are no unusual files in [name].tblk

================================================================================

Configuration preferences:

-keychainHasUsernameAndPassword = 1
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1

================================================================================

Program preferences:

launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.7.6a (build 5080)",
    "3.7.6 (build 5060)",
    "3.7.5a (build 5011)",
    "3.7.5 (build 5010)",
    "3.7.4b (build 4921)",
    "3.7.4a (build 4920)",
    "3.7.4 (build 4900)",
    "3.7.3 (build 4880)",
    "3.7.2 (build 4850)",
    "3.6.5 (build 4566)"
)
statusDisplayNumber = 0
lastLaunchTime = 551812556.86779
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = [name]
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
NSWindow Frame SettingsSheetWindow = 981 503 829 524 0 0 1680 1027 
NSWindow Frame ConnectingWindow = 645 639 389 187 0 0 1680 1027 
NSWindow Frame SUStatusFrame = 640 683 400 129 0 0 1680 1027 
NSWindow Frame SUUpdateAlert = 530 486 620 392 0 0 1680 1027 
NSWindow Frame ListingWindow = 635 250 500 627 0 0 1440 877 
detailsWindowFrameVersion = 5011
detailsWindowFrame = {{516, 409}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = settings
leftNavSelectedDisplayName = [name]
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SUAutomaticallyUpdate = 0
SULastCheckTime = 2018-06-27 18:17:59 +0000
SULastProfileSubmissionDate = 2018-06-27 03:48:47 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = .AppleSystemUIFont
userAgreementVersionAgreedTo = 1
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
haveDealtWithSparkle1dot5b6 = 1
tunnelblickdHash = 004cdba8e08abd144bc48409040bc80e29c12ee9741ed7d73754f51d2547f7ea
tunnelblickdPlistHash = ce400d395d1801b003398461b5420021f4d591822783a04b79b2f43956d28620
updateAutomatically = 0
updateSendProfileInfo = 1

================================================================================

Tunnelblick Log:

*Tunnelblick: OS X 10.11.6; Tunnelblick 3.7.6a (build 5080); prior version 3.7.6 (build 5060)
2018-06-27 20:23:33 *Tunnelblick: Attempting connection with [name] using shadow copy; Set nameserver = 769; monitoring connection
2018-06-27 20:23:33 *Tunnelblick: openvpnstart start [name].tblk 55298 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2o
2018-06-27 20:23:33 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2o/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-S[name]-SLibrary-SApplication Support-STunnelblick-SConfigurations-S[name].tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.55298.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5080 3.7.6a (build 5080)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents/Resources
          --management
          127.0.0.1
          55298
          /Library/Application Support/Tunnelblick/cnamnoldinkohojemepbnfhleeiolidbdahjnccf.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2018-06-27 20:23:33 *Tunnelblick: openvpnstart starting OpenVPN
2018-06-27 20:23:33 *Tunnelblick: Established communication with OpenVPN
2018-06-27 20:23:33 *Tunnelblick: Obtained VPN username and password from the Keychain
2018-06-27 20:23:33 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 25 2018
2018-06-27 20:23:33 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2018-06-27 20:23:33 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:55298
2018-06-27 20:23:33 Need hold release from management interface, waiting...
2018-06-27 20:23:33 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:55298
2018-06-27 20:23:33 MANAGEMENT: CMD 'pid'
2018-06-27 20:23:33 MANAGEMENT: CMD 'state on'
2018-06-27 20:23:33 MANAGEMENT: CMD 'state'
2018-06-27 20:23:33 MANAGEMENT: CMD 'bytecount 1'
2018-06-27 20:23:33 MANAGEMENT: CMD 'hold release'
2018-06-27 20:23:33 MANAGEMENT: CMD 'username "Auth" "[name]he"'
2018-06-27 20:23:33 MANAGEMENT: CMD 'password [...]'
2018-06-27 20:23:33 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2018-06-27 20:23:33 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-06-27 20:23:33 TCP/UDP: Preserving recently used remote address: [AF_INET][ipv4]:1194
2018-06-27 20:23:33 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-06-27 20:23:33 UDP link local (bound): [AF_INET][undef]:1194
2018-06-27 20:23:33 UDP link remote: [AF_INET][ipv4]:1194
2018-06-27 20:23:33 MANAGEMENT: >STATE:1530123813,WAIT,,,,,,
2018-06-27 20:23:33 MANAGEMENT: >STATE:1530123813,AUTH,,,,,,
2018-06-27 20:23:33 TLS: Initial packet from [AF_INET][ipv4]:1194, sid=24784592 7c51540e
2018-06-27 20:23:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-06-27 20:23:34 VERIFY OK: depth=2, O=Digital Signature Trust Co., CN=DST Root CA X3
2018-06-27 20:23:34 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2018-06-27 20:23:34 VERIFY OK: depth=0, CN=[url]
2018-06-27 20:23:34 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2018-06-27 20:23:34 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2018-06-27 20:23:34 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-06-27 20:23:34 [[url]] Peer Connection Initiated with [AF_INET][ipv4]:1194
2018-06-27 20:23:35 MANAGEMENT: >STATE:1530123815,GET_CONFIG,,,,,,
2018-06-27 20:23:35 SENT CONTROL [[url]]: 'PUSH_REQUEST' (status=1)
2018-06-27 20:23:35 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 10.27.0.0 255.255.255.0,route 10.27.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.27.0.6 10.27.0.5'
2018-06-27 20:23:35 OPTIONS IMPORT: timers and/or timeouts modified
2018-06-27 20:23:35 OPTIONS IMPORT: --ifconfig/up options modified
2018-06-27 20:23:35 OPTIONS IMPORT: route options modified
2018-06-27 20:23:35 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2018-06-27 20:23:35 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-06-27 20:23:35 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-06-27 20:23:35 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2018-06-27 20:23:35 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-06-27 20:23:35 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-06-27 20:23:35 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
2018-06-27 20:23:35 Opened utun device utun0
2018-06-27 20:23:35 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-06-27 20:23:35 MANAGEMENT: >STATE:1530123815,ASSIGN_IP,,10.27.0.6,,,,
2018-06-27 20:23:35 /sbin/ifconfig utun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-06-27 20:23:35 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-06-27 20:23:35 /sbin/ifconfig utun0 10.27.0.6 10.27.0.5 mtu 1500 netmask 255.255.255.255 up
2018-06-27 20:23:35 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun0 1500 1541 10.27.0.6 10.27.0.5 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        NOTE: No network configuration changes need to be made.
                                        WARNING: Will NOT monitor for other network configuration changes.
                                        WARNING: Will NOT disable IPv6 settings.
                                        DNS servers '194.168.4.100 194.168.8.100' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2018-06-27 20:23:38 /sbin/route add -net [ipv4] 192.168.0.1 255.255.255.255
                                        add net [ipv4]: gateway 192.168.0.1
2018-06-27 20:23:38 /sbin/route add -net 0.0.0.0 10.27.0.5 128.0.0.0
                                        add net 0.0.0.0: gateway 10.27.0.5
2018-06-27 20:23:38 /sbin/route add -net 128.0.0.0 10.27.0.5 128.0.0.0
                                        add net 128.0.0.0: gateway 10.27.0.5
2018-06-27 20:23:38 MANAGEMENT: >STATE:1530123818,ADD_ROUTES,,,,,,
2018-06-27 20:23:38 /sbin/route add -net 192.168.2.0 10.27.0.5 255.255.255.0
                                        add net 192.168.2.0: gateway 10.27.0.5
2018-06-27 20:23:38 /sbin/route add -net 10.27.0.0 10.27.0.5 255.255.255.0
                                        add net 10.27.0.0: gateway 10.27.0.5
2018-06-27 20:23:38 /sbin/route add -net 10.27.0.1 10.27.0.5 255.255.255.255
                                        add net 10.27.0.1: gateway 10.27.0.5
2018-06-27 20:23:38 Initialization Sequence Completed
2018-06-27 20:23:38 MANAGEMENT: >STATE:1530123818,CONNECTED,SUCCESS,10.27.0.6,[ipv4],1194,,
2018-06-27 20:23:38 *Tunnelblick: No 'connected.sh' script to execute
2018-06-27 20:25:16 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2018-06-27 20:25:17 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2018-06-27 20:25:17 *Tunnelblick: Disconnecting using 'kill'
2018-06-27 20:25:17 event_wait : Interrupted system call (code=4)
2018-06-27 20:25:17 /sbin/route delete -net 192.168.2.0 10.27.0.5 255.255.255.0
                                        delete net 192.168.2.0: gateway 10.27.0.5
2018-06-27 20:25:17 /sbin/route delete -net 10.27.0.0 10.27.0.5 255.255.255.0
                                        delete net 10.27.0.0: gateway 10.27.0.5
2018-06-27 20:25:17 /sbin/route delete -net 10.27.0.1 10.27.0.5 255.255.255.255
                                        delete net 10.27.0.1: gateway 10.27.0.5
2018-06-27 20:25:17 /sbin/route delete -net [ipv4] 192.168.0.1 255.255.255.255
                                        delete net [ipv4]: gateway 192.168.0.1
2018-06-27 20:25:17 /sbin/route delete -net 0.0.0.0 10.27.0.5 128.0.0.0
                                        delete net 0.0.0.0: gateway 10.27.0.5
2018-06-27 20:25:17 /sbin/route delete -net 128.0.0.0 10.27.0.5 128.0.0.0
                                        delete net 128.0.0.0: gateway 10.27.0.5
2018-06-27 20:25:17 Closing TUN/TAP interface
2018-06-27 20:25:17 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun0 1500 1541 10.27.0.6 10.27.0.5 init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        WARNING: Not restoring DNS settings because no saved Tunnelblick DNS information was found.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2018-06-27 20:25:18 SIGTERM[hard,] received, process exiting
2018-06-27 20:25:18 MANAGEMENT: >STATE:1530123918,EXITING,SIGTERM,,,,,
2018-06-27 20:25:18 *Tunnelblick: No 'post-disconnect.sh' script to execute
2018-06-27 20:25:19 *Tunnelblick: Expected disconnection occurred.

================================================================================

"Sanitized" full configuration file

dev tun
tls-client

remote [ipv4] 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2


reneg-sec 0

cipher BF-CBC

auth SHA1

auth-user-pass
<ca>
 [Security-related line(s) omitted]
</ca>



================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128 
inet 127.0.0.1 netmask 0xff000000 
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether [mac] 
inet6 fe80::aebc:32ff:fe8c:5233%en0 prefixlen 64 scopeid 0x4 
inet 192.168.0.16 netmask 0xffffff00 broadcast 192.168.0.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether [mac] 
media: autoselect <full-duplex>
status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether [mac] 
media: autoselect <full-duplex>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether [mac] 
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether [mac] 
inet6 fe80::e89c:e7ff:fe47:808a%awdl0 prefixlen 64 scopeid 0x8 
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether [mac] 
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
        ifmaxaddr 0 port 5 priority 0 path cost 0
member: en2 flags=3<LEARNING,DISCOVER>
        ifmaxaddr 0 port 6 priority 0 path cost 0
nd6 options=1<PERFORMNUD>
media: <unknown type>
status: inactive

================================================================================

Console Log:

2018-06-27 19:15:02 Tunnelblick[636] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'username'
2018-06-27 19:15:02 Tunnelblick[636] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'password'
2018-06-27 19:15:37 Tunnelblick[636] Set 'expect disconnect' flag
2018-06-27 19:15:42 Tunnelblick[636] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2018-06-27 19:15:43 Tunnelblick[636] Finished shutting down Tunnelblick; allowing termination
2018-06-27 19:15:55 Tunnelblick[1571] Tunnelblick: OS X 10.11.6; Tunnelblick 3.7.6a (build 5080)
2018-06-27 19:15:57 Tunnelblick[1571] Sparkle: ===== Tunnelblick.app =====
2018-06-27 19:15:57 Tunnelblick[1571] Sparkle: Verified appcast signature
2018-06-27 19:16:02 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'username'
2018-06-27 19:16:02 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'password'
2018-06-27 19:16:56 Tunnelblick[1571] Set 'expect disconnect' flag
2018-06-27 19:18:58 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'username'
2018-06-27 19:18:58 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'password'
2018-06-27 19:21:09 Tunnelblick[1571] Set 'expect disconnect' flag
2018-06-27 19:32:14 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'username'
2018-06-27 19:32:14 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'password'
2018-06-27 19:33:06 Tunnelblick[1571] Set 'expect disconnect' flag
2018-06-27 19:59:05 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'username'
2018-06-27 19:59:05 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'password'
2018-06-27 19:59:42 Tunnelblick[1571] Set 'expect disconnect' flag
2018-06-27 20:17:54 Tunnelblick[1571] *** WARNING: Method userSpaceScaleFactor in class NSView is deprecated on 10.7 and later. It should not be used in new applications. Use convertRectToBacking: instead. 
2018-06-27 20:17:58 Tunnelblick[1571] Sparkle: Verified appcast signature
2018-06-27 20:18:44 Tunnelblick[1571] Tunnelblick needs to perform an action that requires a computer administrator's authorization.
2018-06-27 20:18:44 Tunnelblick[1571] Beginning installation or repair
2018-06-27 20:18:44 authexec[2292] executing /Applications/Tunnelblick.app/Contents/Resources/installer
2018-06-27 20:18:44 Tunnelblick[1571] Installation or repair succeeded; Log:
                                       Tunnelblick installer started 2018-06-27 20:18:44. 3 arguments: 0x1001
                                            /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk
                                            /Library/Application Support/Tunnelblick/Shared/[name].tblk
                                       Copied /Library/Application Support/Tunnelblick/Shared/[name].tblk
                                           to /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk.temp
                                       Deleted /Library/Application Support/Tunnelblick/Shared/[name].tblk
                                       Renamed /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk.temp
                                            to /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk
                                       Changed ownership of /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk and its contents from 0:0 to 501:80
                                       Changed permissions from 755 to 750 on /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk
                                       Changed permissions from 755 to 750 on /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk/Contents
                                       Changed permissions from 755 to 750 on /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk/Contents/Resources
                                       Changed permissions from 700 to 740 on /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk/Contents/Resources/config.ovpn
                                       Copied /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk
                                           to /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk.temp
                                       Renamed /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk.temp
                                            to /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk
                                       Changed ownership of /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk and its contents from 501:80 to 0:0
                                       Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk
                                       Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents
                                       Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents/Resources
                                       Changed permissions from 740 to 700 on /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents/Resources/config.ovpn
                                       Created secure (shadow) copy of [name].tblk
                                       Tunnelblick installer finished without error
2018-06-27 20:19:06 tunnelblickd[2293] Status = 252 from tunnelblick-helper command 'compareShadowCopy [name]'
2018-06-27 20:19:06 Tunnelblick[1571] tunnelblickd status from compareShadowCopy: 252
2018-06-27 20:19:16 tunnelblickd[2293] Status = 252 from tunnelblick-helper command 'compareShadowCopy [name]'
2018-06-27 20:19:16 Tunnelblick[1571] tunnelblickd status from compareShadowCopy: 252
2018-06-27 20:19:20 Tunnelblick[1571] Tunnelblick needs to perform an action that requires a computer administrator's authorization.
2018-06-27 20:19:20 Tunnelblick[1571] Beginning installation or repair
2018-06-27 20:19:21 authexec[2307] executing /Applications/Tunnelblick.app/Contents/Resources/installer
2018-06-27 20:19:21 Tunnelblick[1571] Installation or repair succeeded; Log:
                                       Tunnelblick installer started 2018-06-27 20:19:21. 3 arguments: 0x0001
                                            /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk
                                            /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk
                                       Copied /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk
                                           to /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk.temp
                                       Renamed /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk.temp
                                            to /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk
                                       Changed ownership of /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk and its contents from 501:80 to 0:0
                                       Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk
                                       Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents
                                       Changed permissions from 750 to 755 on /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents/Resources
                                       Changed permissions from 740 to 700 on /Library/Application Support/Tunnelblick/Users/[name]/[name].tblk/Contents/Resources/config.ovpn
                                       Tunnelblick installer finished without error
2018-06-27 20:19:21 Tunnelblick[1571] Created or updated secure (shadow) copy of configuration file /Users/[name]/Library/Application Support/Tunnelblick/Configurations/[name].tblk
2018-06-27 20:19:22 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'username'
2018-06-27 20:19:22 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'password'
2018-06-27 20:19:49 Tunnelblick[1571] Set 'expect disconnect' flag
2018-06-27 20:19:50 tunnelblickd[2293] Status = 248 from tunnelblick-helper command 'kill 2314'
2018-06-27 20:19:50 Tunnelblick[1571] tunnelblickd status from kill: 248
                                       tunnelblickd stderr:
                                       'killOneOpenvpn(2314): Process does not exist
                                       '
2018-06-27 20:23:33 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'username'
2018-06-27 20:23:33 Tunnelblick[1571] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-[name]' account = 'password'
2018-06-27 20:25:17 Tunnelblick[1571] Set 'expect disconnect' flag

Tunnelblick developer

Jun 27, 2018, 3:18:49 PM6/27/18
to tunnelblick-discuss
Thanks. You didn't enable "Check if the apparent public IP address changed after connecting", which might have provided more info, so the following is not guaranteed, but:

Your DNS setup uses cache1.service.virginmedia.net and cache2.service.virginmedia.net as nameservers.

As is shown in the log:
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.

These look like your ISP's nameservers. Most ISPs don't respond to DNS requests from outside of their own network, and when you are connected to the VPN, the requests come from the VPN server, which is (probably) outside of your ISP's network. So your DNS isn't working when you connect to the VPN.

One solution is to include a line like:

dhcp-option DNS 8.8.8.8  8.8.4.4

in your OpenVPN configuration file (or have it "pushed" from your OpenVPN server).

Note: "8.8.8.8" and "8.8.4.4" are Google's Public DNS servers; there are lots of others. You can find a list of public nameservers known to Tunnelblick at https://github.com/Tunnelblick/Tunnelblick/blob/master/tunnelblick/FreePublicDnsServersList.txt.

goo...@alshetgaatom.com

Jun 27, 2018, 4:14:22 PM6/27/18
to tunnelblick-discuss
Hi,

I had to skip this step because in "Advanced" I could not find "Check if the apparent public IP address changed after connecting".
...
6. Click the "Advanced" button on the right; a new window will appear.
7. Make sure that "Check if the apparent public IP address changed after connecting" is checked.
...
It is not in the tab, "Connecting & Disconnecting", "While Connected", "VPN Credentials" or "Sound". I presume the checkbox is removed?

Frank

Tunnelblick developer

Jun 27, 2018, 4:32:13 PM6/27/18
to tunnelblick-discuss
Ah, sorry, that checkbox got moved to the settings tab on the main VPN Details window.

Thanks for pointing this out. I've fixed the webpage.

Jens Hamisch

Jun 28, 2018, 5:20:59 AM6/28/18
to tunnelblick-discuss
Hi,


I'm pretty sure that my public IP is *not* changing after I connect to the VPN via Tunnelblick.
I also do not agree with your statement that DNS cannot work as long as there's no public internet DNS server in the DNS servers list.
There may be VPNs out there for which that is correct, but generally speaking the statement is wrong.

In my case - and most likely in the majority of cases - the one and only DNS server that should be connected to after the VPN is up is the internal one. The internal DNS server is also capable of resolving public addresses. It turns out - as I already demonstrated using tcpdump earlier in this case - that:

1. The DNS server IP address is updated correctly after the VPN comes up,
2. Routing is also set up correctly after VPN establishment.
2a. I was playing around with the Tunnelblick "DNS after/before routing" option ... it doesn't change anything
3. UDP packets destined for the intranet DNS server are still routed via the internet (default route), though a more specific route is available in the routing table at this point in time.

Point 3 is *only* true for UDP queries issued by the OS resolver! Any UDP query originated by "nslookup" or "dig", directly addressing the intranet DNS server, is routed correctly at the same time as OS resolver queries go down the wrong path!
Hence the OS resolver somehow caches the gateway to be used to connect to the DNS server, and Tunnelblick for some reason is not able to signal the routing change to the OS resolver. The only IP option I'm aware of that could do this would be the "loose IP source routing" option ... maybe it is used by the OS resolver?

This issue was already present in a very old version of Tunnelblick (3.5.8 as far as I remember). I never upgraded to a newer one before the issue arose.
It first started when the OS was upgraded to 10.13.x (High Sierra). That was when the behavior described above was first seen.
Upgrades to the current stable versions of Tunnelblick (including 3.7.6 build 5060) never fixed anything about that.


The situation is more and more becoming a nightmare, because macOS disconnects from the WLAN each time the screen saver kicks in ...
After a few minutes of inactivity, the WLAN connection is dropped and needs to be re-established. Tunnelblick then re-establishes the VPN connection, and the issue appears again.

The race condition is resolved at the moment when
- the VPN is up *AND*
- WLAN DHCP tries to override the network settings put in place by Tunnelblick.
After that happens, Tunnelblick restores its network settings; however, most likely the OS resolver has already been signaled about the routing change as a consequence of the DHCP update.

The only possibility I'm aware of to trigger that is:
    sudo ifconfig en0 down; sudo ifconfig en0 up

at the time VPN is up.

IMHO what's missing here is for Tunnelblick to signal the OS resolver about a (possible) routing change at the moment it sets up a new DNS server.


Kind regards
Jens
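As an added illustration (not Tunnelblick's own code) of the two diagnoses in this thread: the developer's point that a nameserver which is neither a known public resolver nor on the VPN network is probably the ISP's and will not answer queries arriving via the VPN, and Jens's point 3 that resolver packets can leave on the wrong interface even though a more specific route exists. The routing table, the VPN subnet 10.8.0.0/24, the interface names and the ISP resolver address 203.0.113.2 are constructed assumptions.

```python
import ipaddress

# Constructed subset of the public resolvers Tunnelblick knows
# (FreePublicDnsServersList.txt in the Tunnelblick repo); the real list is longer.
KNOWN_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}

# Constructed routing table as (destination, egress interface), in the spirit of
# `netstat -rn` on macOS after a utun interface came up. Assumed values:
# 10.8.0.0/24 is the VPN network pushed by the server, en0 is Wi-Fi.
SAMPLE_ROUTES = [
    ("default", "en0"),          # ISP gateway
    ("10.8.0.0/24", "utun1"),    # VPN network via the tunnel
    ("192.168.0.0/24", "en0"),   # home LAN
]

def route_for(ip, routes):
    """Longest-prefix match: the interface the route table says should carry ip."""
    addr = ipaddress.ip_address(ip)
    best_iface, best_len = None, -1
    for dest, iface in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface

def classify_nameserver(ip, routes, vpn_iface="utun1"):
    """'public' (known free resolver), 'vpn' (reached through the tunnel), or
    'isp-or-unknown' (reached via the default route; typically the ISP's
    resolver, which usually refuses queries arriving from the VPN server)."""
    if ip in KNOWN_PUBLIC_DNS:
        return "public"
    if route_for(ip, routes) == vpn_iface:
        return "vpn"
    return "isp-or-unknown"

def check_nameservers(nameservers, routes, vpn_iface="utun1"):
    """Mirror the log NOTE: report each server's class and whether at least one
    server is public or on the VPN network."""
    verdict = {ns: classify_nameserver(ns, routes, vpn_iface) for ns in nameservers}
    return verdict, any(c != "isp-or-unknown" for c in verdict.values())

def misrouted(observed, routes):
    """Compare packets seen in a capture as (dst_ip, interface they left on)
    with the route table; Jens's point 3 shows up as an entry here."""
    return [(ip, seen, route_for(ip, routes))
            for ip, seen in observed if route_for(ip, routes) != seen]
```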

Tunnelblick developer

Jun 28, 2018, 6:55:37 AM6/28/18
to tunnelblick-discuss
Jens -

I was replying to Frank's post, not yours, and to his log, not yours.

I did not say DNS cannot be working as long as there's no public internet DNS server. Please read what I wrote more carefully.

goo...@alshetgaatom.com

Jun 28, 2018, 7:27:35 AM6/28/18
to tunnelblick-discuss
Thank you both for replying.

I am currently also focussing on the latest version of the OpenVPN Server I am connecting to. Don't want to rule out that the issue might also be in the server and not in the client.

With respect to DNS: I tell Tunnelblick to route all traffic (gateway) through the VPN tunnel. Then I expect the lookups to be routed through the tunnel to the DNS server on the target (private) network. I will have to figure out how I can make this happen. It could also be some setting in the server or a combination of settings in server and client.

Regards,

Frank


P.S. I found out that the checkbox "Check if the apparent public IP address changed after connecting" is not to be found within "Advanced window" but is situated in the "Settings tab".

Jens Hamisch

Jun 28, 2018, 8:46:53 AM6/28/18
to tunnelblick-discuss
Hi,


Yes ...
In my setup I'm not routing anything through the tunnel, but receive extra VPN routes from the VPN server.
I also played around in the past with the "route all traffic via VPN" option, but it did not solve the issue.

Something is forcing UDP packets from the OS resolver to the "old" gateway ... regardless of the target IP address and contradicting routes.
When I said my only explanation for that would be "loose source routing", I was speaking from assumptions based on abstract TCP/IP knowledge only.
I cannot tell for sure if that is the case ... it may also be something else deep inside macOS that was introduced with 10.13 ...

What did I do to figure this out?
I just installed Wireshark on my MacBook and captured the traffic on interface en0 while enabling the VPN.


Kind regards
Jens