Yet another DNS problem


Magnus Bark

Sep 29, 2016, 1:31:47 PM
to tunnelblick-discuss
Very short version: Everything seems to work fine, except for the DNS.

I am running Tunnelblick 3.6.7c (build 4606) on a Macbook Pro late 2013 running MacOS Sierra 10.12. The tunnelblick logs are partly in Swedish since that is the system language, and I haven't found any way to change the language in tunnelblick.

The server I connect to has a quite new Ubuntu 16.04.1 installation running openvpn 2.3.10. The setup was made by me according to this guide.

I can connect to the openvpn server, I can download the configuration and I can see traffic running to and from the server. I can also access other computers using my web browser or ssh using the server IP number, but not using the DNS name.

All five DNS settings in tunnelblick have been tested, all with the same negative result.

Please tell if there is any other information that might be useful for tracking down this issue. Thanks in advance!

And now for the diagnostic information:



*Tunnelblick: OS X 10.12.0; Tunnelblick 3.6.7c (build 4606); prior version 3.6.6 (build 4582); Admin user
git commit 0e1e8adb3913d6f5f4d2be68f69da627cc9cba47


Configuration krill

"Sanitized" condensed configuration file for /Users/bark/Library/Application Support/Tunnelblick/Configurations/krill.tblk:

client
dev tun
proto udp
remote 130.236.252.57 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
<tls-auth>
[Security-related line(s) omitted]
</tls-auth>


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
141    0 0xffffff7f83087000 0x3000     0x3000     com.avast.PacketForwarder (2.1) DF6C7E21-ED1D-328A-8285-4B2BB47556BA <4 1>
143    0 0xffffff7f8308f000 0x8000     0x8000     com.avast.AvastFileShield (3.0.0) 3AFBF1BE-DB0F-3F1E-B813-68B6F2F79283 <5 4 1>

================================================================================

There are no unusual files in krill.tblk

================================================================================

Configuration preferences:

useDNS = 1
-routeAllTrafficThroughVpn = 1
-useDownRootPlugin = 1
-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

skipWarningThatIPAddressDidNotChangeAfterConnection = 1
placeIconInStandardPositionInStatusBar = 1
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.6.7c (build 4606)",
    "3.6.6 (build 4582)",
    "3.6.5 (build 4566)",
    "3.6.4a (build 4561)",
    "3.6.3 (build 4560)",
    "3.6.1 (build 4543.4551)",
    "3.5.7 (build 4270.4517)",
    "3.5.6 (build 4270.4505)",
    "3.5.5 (build 4270.4461)"
)
lastLaunchTime = 496861855.317576
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = krill
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame ConnectingWindow = 445 443 389 187 0 0 1280 777
detailsWindowFrameVersion = 4606
detailsWindowFrame = {{180, 232}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = settings
leftNavSelectedDisplayName = krill
AdvancedWindowTabIdentifier = whileConnected
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUFeedURL = https://www.tunnelblick.net/appcast-s.rss
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SULastCheckTime = 2016-09-29 17:10:56 +0000
SULastProfileSubmissionDate = 2016-09-25 09:48:20 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = .AppleSystemUIFont
tunnelblickdHash = 004cdba8e08abd144bc48409040bc80e29c12ee9741ed7d73754f51d2547f7ea
tunnelblickdPlistHash = ce400d395d1801b003398461b5420021f4d591822783a04b79b2f43956d28620

================================================================================

Tunnelblick Log:


================================================================================

"Sanitized" full configuration file

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 130.236.252.57 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
auth SHA256
key-direction 1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
<tls-auth>
[Security-related line(s) omitted]
</tls-auth>



================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
    options=60<TSO4,TSO6>
    ether 32:00:15:3d:09:e0
    media: autoselect <full-duplex>
    status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
    options=60<TSO4,TSO6>
    ether 32:00:15:3d:09:e1
    media: autoselect <full-duplex>
    status: inactive
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 54:26:96:cf:99:71
    inet 192.168.10.211 netmask 0xffffff00 broadcast 192.168.10.255
    inet6 fe80::18db:24b8:9219:ebb7%en0 prefixlen 64 secured scopeid 0x6
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 06:26:96:cf:99:71
    media: autoselect
    status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
    ether 5e:05:e8:4d:a4:37
    inet6 fe80::5c05:e8ff:fe4d:a437%awdl0 prefixlen 64 scopeid 0x8
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
bridge0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether 32:00:15:3d:09:e0
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x2
    member: en1 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 4 priority 0 path cost 0
    member: en2 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 5 priority 0 path cost 0
    media: <unknown type>
    status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
    inet6 fe80::4c9a:aef8:27f:cbcb%utun0 prefixlen 64 scopeid 0xa
    nd6 options=201<PERFORMNUD,DAD>

================================================================================

Console Log:

2016-09-29 18:43:36 Tunnelblick[846] currentIPInfo(Name): IP address info could not be fetched within 34.7 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1001 "Begäran nådde en maxtidsgräns." UserInfo={NSUnderlyingError=0x608000645c40 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "Begäran nådde en maxtidsgräns." UserInfo={NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4, NSLocalizedDescription=Begäran nådde en maxtidsgräns.}}, NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-2102, NSLocalizedDescription=Begäran nådde en maxtidsgräns.}'; the response was '(null)'
2016-09-29 19:07:31 Tunnelblick[846] Sparkle Error: An error occurred while extracting the archive. Please try again later.
2016-09-29 19:10:42 Tunnelblick[8102] Tunnelblick: OS X 10.12.0; Tunnelblick 3.6.7c (build 4606)
2016-09-29 19:10:43 Tunnelblick[8102] Tunnelblick cannot run when it is on /Volumes because the volume has the MNT_NOSUID statfs flag set.
2016-09-29 19:10:51 Tunnelblick[846] SIGTERM (signal 15) received
2016-09-29 19:10:51 Tunnelblick[846] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2016-09-29 19:10:51 Tunnelblick[846] Finished shutting down Tunnelblick; allowing termination
2016-09-29 19:10:52 Tunnelblick[8102] Tunnelblick behöver:
                                        Installeras i /Applications som Tunnelblick
                                        Ändra ägarrättigheter och tillstånd för programmet för att säkra det
                                        Säkra konfigurationer
2016-09-29 19:10:52 Tunnelblick[8102] Beginning installation or repair
2016-09-29 19:10:53 Tunnelblick[8102] Installation or repair succeeded; Log:
                                        Tunnelblick installer started 2016-09-29 19:10:52. 1 arguments: 0x0017
                                        Moved /Applications/Tunnelblick.app to the Trash
                                        Copied /Volumes/Tunnelblick/Tunnelblick.app to /Applications/Tunnelblick.app
                                        Removed all 'com.apple.quarantine' extended attributes
                                        Changed ownership of /Applications/Tunnelblick.app and its contents from 501:80 to 0:0
                                        Need to replace and/or reload 'tunnelblickd'
                                        Replaced /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
                                        Used launchctl to load tunnelblickd
                                        Tunnelblick installer finished without error
2016-09-29 19:10:53 Tunnelblick[8102] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes
2016-09-29 19:10:53 Tunnelblick[8124] Tunnelblick: OS X 10.12.0; Tunnelblick 3.6.7c (build 4606)
2016-09-29 19:10:53 Tunnelblick[8102] Finished shutting down Tunnelblick; allowing termination
2016-09-29 19:10:54 Tunnelblick[8124] Set program update feedURL to https://www.tunnelblick.net/appcast-s.rss
2016-09-29 19:10:54 com.avast.fileshield[321] Detected unmount of /Volumes/Tunnelblick
2016-09-29 19:10:56 Tunnelblick[8124] Sparkle: ===== Tunnelblick.app =====
2016-09-29 19:10:56 Tunnelblick[8124] Sparkle: Verified appcast signature
2016-09-29 19:11:55 Tunnelblick[8124] currentIPInfo(Name): IP address info could not be fetched within 35.4 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1001 "Begäran nådde en maxtidsgräns." UserInfo={NSUnderlyingError=0x608000253830 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "Begäran nådde en maxtidsgräns." UserInfo={NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4, NSLocalizedDescription=Begäran nådde en maxtidsgräns.}}, NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-2102, NSLocalizedDescription=Begäran nådde en maxtidsgräns.}'; the response was '(null)'
2016-09-29 19:12:31 Tunnelblick[8124] currentIPInfo(Address): IP address info could not be fetched within 36.0 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1001 "Begäran nådde en maxtidsgräns." UserInfo={NSUnderlyingError=0x600000250ef0 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "Begäran nådde en maxtidsgräns." UserInfo={NSErrorFailingURLStringKey=http://205.233.73.116/ipinfo, NSErrorFailingURLKey=http://205.233.73.116/ipinfo, _kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4, NSLocalizedDescription=Begäran nådde en maxtidsgräns.}}, NSErrorFailingURLStringKey=http://205.233.73.116/ipinfo, NSErrorFailingURLKey=http://205.233.73.116/ipinfo, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-2102, NSLocalizedDescription=Begäran nådde en maxtidsgräns.}'; the response was '(null)'


 




Tunnelblick developer

Sep 29, 2016, 1:48:47 PM
to tunnelblick-discuss
Thank you for providing the diagnostic info. Unfortunately, on Sierra that info does not include the Tunnelblick log (it appears to be empty, apparently because of a bug in Tunnelblick).

Can you post that info separately? (It doesn't matter if some of it is in Swedish; most of it won't be.)
Click on the "Log" tab of the "VPN Details" window, connect, and disconnect, and then click anywhere in the log and do Command-A to "Select All", then Command-C to copy it to the Clipboard. You can then paste it into a reply.

Note: Several of the options in your OpenVPN configuration are problematic:
  • user nobody and group nogroup are likely to cause problems because (even if the openvpn-down-root plugin is used), OpenVPN will not be able to restore routing to its pre-connected state because at that point OpenVPN is no longer running as root.

  • persist-tun is likely to cause problems if/when OpenVPN tries to reconnect the VPN. That can happen when network problems occur and in certain other situations.
I suggest that you comment out those three options by prefixing them with a semicolon (";").


On Thursday, September 29, 2016 at 1:31:47 PM UTC-4, Magnus Bark wrote:
Very short version: Everything seems to work fine, except for the DNS.

I am running Tunnelblick 3.6.7c (build 4606) on a Macbook Pro late 2013 running MacOS Sierra 10.12. The tunnelblick logs are partly in Swedish since that is the system language, and I haven't found any way to change the language in tunnelblick.

The server I connect to has a quite new Ubuntu 16.04.1 installation running openvpn 2.3.10. The setup was made by me according to this guide.

I can connect to the openvpn server, I can download the configuration and I can see traffic running to and from the server. I can also access other computers using my web browser or ssh using the server IP number, but not using the DNS name.

All five DNS settings in tunnelblick have been tested, all with the same negative result.

Please tell if there is any other information that might be useful for tracking down this issue. Thanks in advance!

And now for the diagnostic information:
<snip>

Magnus Bark

Sep 29, 2016, 1:58:53 PM
to tunnelblick-discuss
Thanks for your quick reply. Here is the log:

I will check the options later on.


*Tunnelblick: OS X 10.12.0; Tunnelblick 3.6.7c (build 4606); prior version 3.6.6 (build 4582)
2016-09-29 19:11:07 *Tunnelblick: Attempting connection with krill using shadow copy; Set nameserver = 771; monitoring connection
2016-09-29 19:11:07 *Tunnelblick: openvpnstart start krill.tblk 1337 771 0 1 0 1065776 -ptADGNWradsgnw 2.3.12
2016-09-29 19:11:07 OpenVPN 2.3.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 26 2016
2016-09-29 19:11:07 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
2016-09-29 19:11:07 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2016-09-29 19:11:07 Need hold release from management interface, waiting...
2016-09-29 19:11:07 *Tunnelblick: openvpnstart starting OpenVPN
2016-09-29 19:11:08 *Tunnelblick: openvpnstart log:
     Warning: Tunnelblick is using 'openvpn-down-root.so', so the route-pre-down script will not be used. You can override this by providing a custom route-pre-down script (which may be a copy of Tunnelblick's standard route-pre-down script) in a Tunnelblick VPN Configuration. However, that script will not be executed as root unless the 'user' and 'group' options are removed from the OpenVPN configuration file. If the 'user' and 'group' options are removed, then you don't need to use a custom route-pre-down script.
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Sbark-SLibrary-SApplication Support-STunnelblick-SConfigurations-Skrill.tblk-SContents-SResources-Sconfig.ovpn.771_0_1_0_1065776.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/bark/krill.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/bark/krill.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/bark/krill.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --redirect-gateway
          def1
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --plugin
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn-down-root.so
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2016-09-29 19:11:08 *Tunnelblick: Established communication with OpenVPN
2016-09-29 19:11:08 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2016-09-29 19:11:08 MANAGEMENT: CMD 'pid'
2016-09-29 19:11:08 MANAGEMENT: CMD 'state on'
2016-09-29 19:11:08 MANAGEMENT: CMD 'state'
2016-09-29 19:11:08 MANAGEMENT: CMD 'bytecount 1'
2016-09-29 19:11:08 MANAGEMENT: CMD 'hold release'
2016-09-29 19:11:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-09-29 19:11:08 PLUGIN_INIT: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn-down-root.so '[/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn-down-root.so] [/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh] [-9] [-d] [-f] [-m] [-w] [-ptADGNWradsgnw]' intercepted=PLUGIN_UP|PLUGIN_DOWN
2016-09-29 19:11:08 Control Channel Authentication: tls-auth using INLINE static key file
2016-09-29 19:11:08 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2016-09-29 19:11:08 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2016-09-29 19:11:08 Socket Buffers: R=[196724->196724] S=[9216->9216]
2016-09-29 19:11:08 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2016-09-29 19:11:08 UDPv4 link local: [undef]
2016-09-29 19:11:08 UDPv4 link remote: [AF_INET]130.236.252.57:1194
2016-09-29 19:11:08 MANAGEMENT: >STATE:1475169068,WAIT,,,
2016-09-29 19:11:08 MANAGEMENT: >STATE:1475169068,AUTH,,,
2016-09-29 19:11:08 TLS: Initial packet from [AF_INET]130.236.252.57:1194, sid=0059a2b3 f73e9e90
2016-09-29 19:11:08 VERIFY OK: depth=1, C=SE, ST=Ostg, L=Linköping, O=Ctrl-C ACS, OU=Brugd, CN=Ctrl-C ACS CA, name=server, emailAddress=bark@bofh.se
2016-09-29 19:11:08 Validating certificate key usage
2016-09-29 19:11:08 ++ Certificate has key usage  00a0, expects 00a0
2016-09-29 19:11:08 VERIFY KU OK
2016-09-29 19:11:08 Validating certificate extended key usage
2016-09-29 19:11:08 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-09-29 19:11:08 VERIFY EKU OK
2016-09-29 19:11:08 VERIFY OK: depth=0, C=SE, ST=Ostg, L=Linköping, O=Ctrl-C ACS, OU=Brugd, CN=server, name=server, emailAddress=bark@bofh.se
2016-09-29 19:11:08 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2016-09-29 19:11:08 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2016-09-29 19:11:08 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2016-09-29 19:11:08 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2016-09-29 19:11:08 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2016-09-29 19:11:08 [server] Peer Connection Initiated with [AF_INET]130.236.252.57:1194
2016-09-29 19:11:09 MANAGEMENT: >STATE:1475169069,GET_CONFIG,,,
2016-09-29 19:11:10 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2016-09-29 19:11:10 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
2016-09-29 19:11:10 OPTIONS IMPORT: timers and/or timeouts modified
2016-09-29 19:11:10 OPTIONS IMPORT: --ifconfig/up options modified
2016-09-29 19:11:10 OPTIONS IMPORT: route options modified
2016-09-29 19:11:10 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-09-29 19:11:10 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2016-09-29 19:11:10 Opened utun device utun1
2016-09-29 19:11:10 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-09-29 19:11:10 MANAGEMENT: >STATE:1475169070,ASSIGN_IP,,10.8.0.6,
2016-09-29 19:11:10 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2016-09-29 19:11:10 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2016-09-29 19:11:10 /sbin/ifconfig utun1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2016-09-29 19:11:10 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn-down-root.so/PLUGIN_UP status=0
2016-09-29 19:11:10 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1570 10.8.0.6 10.8.0.5 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Disabled IPv6 for 'Wi-Fi'
                                        Disabled IPv6 for 'iPhone'
                                        Retrieved from OpenVPN: name server(s) [ 208.67.222.222 208.67.220.220 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        WARNING: Ignoring ServerAddresses '208.67.222.222 208.67.220.220' because ServerAddresses was set manually
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Did not change DNS ServerAddresses setting of '8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220' (but re-set it)
                                        Changed DNS SearchDomains setting from '' to 'openvpn'
                                        Changed DNS DomainName setting from 'lan' to 'openvpn'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of 'workgroup'
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220' were set manually
                                        DNS servers '8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220' will be used for DNS queries when the VPN is active
                                        The DNS servers include only free public DNS servers known to Tunnelblick.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2016-09-29 19:11:14 *Tunnelblick: No 'connected.sh' script to execute
2016-09-29 19:11:14 /sbin/route add -net 130.236.252.57 192.168.10.1 255.255.255.255
                                        route: writing to routing socket: File exists
                                        add net 130.236.252.57: gateway 192.168.10.1: File exists
2016-09-29 19:11:14 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
                                        add net 0.0.0.0: gateway 10.8.0.5
2016-09-29 19:11:14 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
                                        add net 128.0.0.0: gateway 10.8.0.5
2016-09-29 19:11:14 MANAGEMENT: >STATE:1475169074,ADD_ROUTES,,,
2016-09-29 19:11:14 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        add net 10.8.0.1: gateway 10.8.0.5
2016-09-29 19:11:14 GID set to nogroup
2016-09-29 19:11:14 UID set to nobody
2016-09-29 19:11:14 Initialization Sequence Completed
2016-09-29 19:11:14 MANAGEMENT: >STATE:1475169074,CONNECTED,SUCCESS,10.8.0.6,130.236.252.57
2016-09-29 19:11:55 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2016-09-29 19:12:31 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's IP address after connecting.
2016-09-29 19:14:32 *Tunnelblick: Disconnecting; 'Disconnect' (toggle) menu command invoked
2016-09-29 19:14:33 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2016-09-29 19:14:33 *Tunnelblick: Disconnecting using 'kill'
2016-09-29 19:14:33 *Tunnelblick: No 'post-disconnect.sh' script to execute
2016-09-29 19:14:33 *Tunnelblick: Expected disconnection occurred.
2016-09-29 19:14:33 event_wait : Interrupted system call (code=4)
2016-09-29 19:14:33 /sbin/route delete -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        route: must be root to alter routing table
2016-09-29 19:14:33 ERROR: OS X route delete command failed: external program exited with error status: 77
2016-09-29 19:14:33 /sbin/route delete -net 130.236.252.57 192.168.10.1 255.255.255.255
                                        route: must be root to alter routing table
2016-09-29 19:14:33 ERROR: OS X route delete command failed: external program exited with error status: 77
2016-09-29 19:14:33 /sbin/route delete -net 0.0.0.0 10.8.0.5 128.0.0.0
                                        route: must be root to alter routing table
2016-09-29 19:14:33 ERROR: OS X route delete command failed: external program exited with error status: 77
2016-09-29 19:14:33 /sbin/route delete -net 128.0.0.0 10.8.0.5 128.0.0.0
                                        route: must be root to alter routing table
2016-09-29 19:14:33 ERROR: OS X route delete command failed: external program exited with error status: 77
2016-09-29 19:14:33 Closing TUN/TAP interface
2016-09-29 19:14:33 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn-down-root.so/PLUGIN_DOWN status=0
2016-09-29 19:14:33 PLUGIN_CLOSE: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn-down-root.so
2016-09-29 19:14:33 SIGTERM[hard,] received, process exiting
2016-09-29 19:14:33 MANAGEMENT: >STATE:1475169273,EXITING,SIGTERM,,

Tunnelblick developer

Sep 29, 2016, 2:11:04 PM
to tunnelblick-discuss
Ah. These entries:

2016-09-29 19:11:55 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2016-09-29 19:12:31 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's IP address after connecting.

Indicate that it is not a DNS problem. There appears to be no connectivity at all -- Tunnelblick was not able to access tunnelblick.net either by name or by IP address. That is usually a problem on the VPN server.


Note also the following entries:

WARNING: Ignoring ServerAddresses '208.67.222.222 208.67.220.220' because ServerAddresses was set manually
                   Did not change DNS ServerAddresses setting of '8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220' (but re-set it)

As a matter of policy, Tunnelblick does not modify DNS addresses if they were set manually.
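
The reading of the log given in the reply above, as an added example that is not part of the original thread and is not Tunnelblick code: a small triage script that separates "DNS broken" from "no connectivity through the tunnel" and reports the manual-DNS and privilege-drop side effects. The function names `triage` and `pushed_dns` are hypothetical, and the script assumes that a missing by-address failure line means the by-address fetch succeeded.

```python
import re

# Lines copied from the Tunnelblick log posted earlier in this thread
# (only the entries the triage needs; continuation indentation dropped).
SAMPLE_LOG = """\
2016-09-29 19:11:10 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
WARNING: Ignoring ServerAddresses '208.67.222.222 208.67.220.220' because ServerAddresses was set manually
2016-09-29 19:11:14 GID set to nogroup
2016-09-29 19:11:14 UID set to nobody
2016-09-29 19:11:14 MANAGEMENT: >STATE:1475169074,CONNECTED,SUCCESS,10.8.0.6,130.236.252.57
2016-09-29 19:11:55 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2016-09-29 19:12:31 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's IP address after connecting.
2016-09-29 19:14:33 /sbin/route delete -net 10.8.0.1 10.8.0.5 255.255.255.255
route: must be root to alter routing table
2016-09-29 19:14:33 ERROR: OS X route delete command failed: external program exited with error status: 77
"""

# In the posted log Tunnelblick writes one such line per failed post-connect
# check: first by host name, then by literal IP address.
FETCH_FAIL = re.compile(
    r"gave up trying to fetch IP address information "
    r"using the ipInfo host's (name|IP address)")


def pushed_dns(log):
    """Return the DNS servers the server pushed with 'dhcp-option DNS'."""
    m = re.search(r"PUSH_REPLY,([^'\n]*)", log)
    if not m:
        return []
    opts = [o.strip() for o in m.group(1).split(",")]
    return [o.split()[2] for o in opts if o.startswith("dhcp-option DNS ")]


def triage(log):
    """Classify a Tunnelblick log (hypothetical helper, not a Tunnelblick API)."""
    failed = set(FETCH_FAIL.findall(log))
    if ",CONNECTED,SUCCESS," not in log:
        verdict = "not-connected"
    elif "IP address" in failed:
        # Unreachable even by literal address: name resolution is not the cause.
        verdict = "no-connectivity"
    elif "name" in failed:
        # Assumption: no by-address failure line means that fetch succeeded,
        # so only name resolution is broken.
        verdict = "dns"
    else:
        verdict = "ok"
    uid = re.search(r"\bUID set to (\S+)", log)
    return {
        "verdict": verdict,
        # What the server asked the client to use ...
        "pushed_dns": pushed_dns(log),
        # ... and whether Tunnelblick ignored it because DNS was set manually.
        "manual_dns_override": "because ServerAddresses was set manually" in log,
        # 'user'/'group' in the config drop root, so route cleanup fails later.
        "dropped_to_uid": uid.group(1) if uid else None,
        "root_route_failures": log.count("route: must be root to alter routing table"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
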

Magnus Bark

Oct 4, 2016, 2:18:03 PM
to tunnelblick-discuss
Hello, all

After a closer inspection of the server configuration, I found out that I had forgotten to set up masquerading. When that is in place, the VPN tunnel works perfectly.
 
But why did the ssh and web-using-ip-number work? I only tried to connect with the same server as I run OpenVPN on. 

Once again, I thank you for your kind help!

I will now close the ticket.