TLS Error: Unroutable control packet received


Justin Case

Apr 26, 2014, 7:46:34 AM
to tunnelbli...@googlegroups.com
Dear all,

I am not sure if this is a certificate verification problem. I updated the server package on my Synology DSM. After that I couldn't log in to OpenVPN any more. I restored my certificates like after each server update. I am lost this time.

Thanks for your help!




*Tunnelblick: OS X 10.8.5; Tunnelblick 3.3.2 (build 3518.3792); prior version 3.3.0 (build 3518); Standard user

"Sanitized" configuration file for /Users/bodo/Library/Application Support/Tunnelblick/Configurations/flexlab.tblk:

dev tun
tls-client

remote flexlab.no-ip.org 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

proto udp
script-security 2

ca ca.crt

comp-lzo

reneg-sec 3600

auth-user-pass



================================================================================

Tunnelblick Log:

2014-04-26 13:37:59 *Tunnelblick: OS X 10.8.5; Tunnelblick 3.3.2 (build 3518.3792); prior version 3.3.0 (build 3518)
2014-04-26 13:38:00 *Tunnelblick: Attempting connection with flexlab using shadow copy; Set nameserver = 1; monitoring connection
2014-04-26 13:38:00 *Tunnelblick: openvpnstart start flexlab.tblk 1337 1 0 1 0 1329 -ptADGNWradsgnw 2.2.1
2014-04-26 13:38:00 *Tunnelblick: openvpnstart log:
     Loading tun.kext
    
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
    
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn
          --cd
          /Library/Application Support/Tunnelblick/Users/bodo/flexlab.tblk/Contents/Resources
          --daemon
          --management
          127.0.0.1
          1337
          --config
          /Library/Application Support/Tunnelblick/Users/bodo/flexlab.tblk/Contents/Resources/config.ovpn
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Sbodo-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sflexlab.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_1329.1337.openvpn.log
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -r -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -r -ptADGNWradsgnw
          --up-restart

2014-04-26 13:38:00 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Apr  8 2014
2014-04-26 13:38:00 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
2014-04-26 13:38:00 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2014-04-26 13:38:00 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2014-04-26 13:38:00 LZO compression initialized
2014-04-26 13:38:00 UDPv4 link local (bound): [undef]:1194
2014-04-26 13:38:00 UDPv4 link remote: 10.0.1.5:1194
2014-04-26 13:38:00 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2014-04-26 13:38:00 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=TW/ST=Taiwan/L=Taipei/O=Synology_Inc./OU=Certificate_Authority/CN=Synology_Inc._CA/emailAddress=pro...@synology.com
2014-04-26 13:38:00 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-04-26 13:38:00 TLS Error: TLS object -> incoming plaintext read error
2014-04-26 13:38:00 TLS Error: TLS handshake failed
2014-04-26 13:38:00 SIGUSR1[soft,tls-error] received, process restarting
2014-04-26 13:38:00 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
2014-04-26 13:38:00 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2014-04-26 13:38:00 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2014-04-26 13:38:00 LZO compression initialized
2014-04-26 13:38:00 UDPv4 link local (bound): [undef]:1194
2014-04-26 13:38:00 UDPv4 link remote: 10.0.1.5:1194
2014-04-26 13:38:00 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=TW/ST=Taiwan/L=Taipei/O=Synology_Inc./OU=Certificate_Authority/CN=Synology_Inc._CA/emailAddress=pro...@synology.com
2014-04-26 13:38:00 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-04-26 13:38:00 TLS Error: TLS object -> incoming plaintext read error
2014-04-26 13:38:00 TLS Error: TLS handshake failed
2014-04-26 13:38:00 SIGUSR1[soft,tls-error] received, process restarting
2014-04-26 13:38:00 *Tunnelblick: Established communication with OpenVPN
2014-04-26 13:38:00 *Tunnelblick: Obtained VPN username and password from the Keychain
2014-04-26 13:38:00 *Tunnelblick: No 'reconnecting.sh' script to execute
2014-04-26 13:38:00 *Tunnelblick: openvpnstart starting OpenVPN:
                    *                    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Library/Application Support/Tunnelblick/Users/bodo/flexlab.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Library/Application Support/Tunnelblick/Users/bodo/flexlab.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Sbodo-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sflexlab.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_1329.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -r -ptADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -r -ptADGNWradsgnw --up-restart
2014-04-26 13:38:01 *Tunnelblick: No 'reconnecting.sh' script to execute
2014-04-26 13:38:01 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
2014-04-26 13:38:01 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2014-04-26 13:38:01 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2014-04-26 13:38:01 LZO compression initialized
2014-04-26 13:38:01 UDPv4 link local (bound): [undef]:1194
2014-04-26 13:38:01 UDPv4 link remote: 10.0.1.5:1194
2014-04-26 13:38:01 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_ACK_V1)
2014-04-26 13:38:03 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:03 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:03 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_ACK_V1)
2014-04-26 13:38:04 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:04 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:05 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:05 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:05 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:05 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:06 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:06 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:07 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:07 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_CONTROL_V1)
2014-04-26 13:38:07 TLS Error: Unroutable control packet received from 10.0.1.5:1194 (si=3 op=P_ACK_V1)
2014-04-26 13:38:09 *Tunnelblick: Disconnecting; 'disconnect' button pressed
2014-04-26 13:38:09 *Tunnelblick: Disconnecting using 'killall'
2014-04-26 13:38:09 event_wait : Interrupted system call (code=4)
2014-04-26 13:38:09 SIGTERM[hard,] received, process exiting
2014-04-26 13:38:09 *Tunnelblick: No 'post-disconnect.sh' script to execute

================================================================================

Console Log:

2014-04-26 11:44:50 Tunnelblick[196] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 11:44:50 Tunnelblick[196] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'
2014-04-26 11:57:28 Tunnelblick[196] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 11:57:28 Tunnelblick[196] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'
2014-04-26 11:58:20 Tunnelblick[196] OK to go to sleep
2014-04-26 12:06:12 Tunnelblick[196] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 12:06:12 Tunnelblick[196] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'
2014-04-26 12:14:08 Tunnelblick[196] DEBUG: Updater: systemVersion 10.8.5 satisfies minimumSystemVersion 10.4.0
2014-04-26 12:14:08 Tunnelblick[196] DEBUG: Updater: systemVersion 10.8.5 satisfies minimumSystemVersion 10.4.0
2014-04-26 12:14:29 Tunnelblick[196] setShutdownVariables: invoked, but have already set them
2014-04-26 12:14:29 Tunnelblick[196] applicationShouldTerminate: termination because of restart; delayed until 'shutdownTunnelblick' finishes
2014-04-26 12:14:29 Tunnelblick[196] Finished shutting down Tunnelblick; allowing termination
2014-04-26 12:16:32 Tunnelblick[193] Set program update feedURL to https://www.tunnelblick.net/appcast-s.rss
2014-04-26 12:16:33 Tunnelblick[193] DEBUG: Updater: systemVersion 10.8.5 satisfies minimumSystemVersion 10.4.0
2014-04-26 12:16:33 Tunnelblick[193] DEBUG: Updater: systemVersion 10.8.5 satisfies minimumSystemVersion 10.4.0
2014-04-26 12:17:15 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 12:17:15 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'
2014-04-26 12:17:53 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 12:17:53 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'
2014-04-26 12:21:13 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 12:21:13 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'
2014-04-26 13:24:47 Tunnelblick[193] OK to go to sleep
2014-04-26 13:27:33 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 13:27:33 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'
2014-04-26 13:28:05 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 13:28:05 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'
2014-04-26 13:38:00 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'username'
2014-04-26 13:38:00 Tunnelblick[193] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-flexlab' account = 'password'

jkbull...gmail.com

Apr 26, 2014, 8:15:13 AM
to tunnelbli...@googlegroups.com
When you say "I restored my certificates like after each server update", do you mean you did that on your server? Or that you updated the certificates on your client (the computer running Tunnelblick)? Either way, you should double-check that you did that properly.

On the client, the best way to replace certificates is to modify your .tblk and then reinstall it. If you manually replace the certificates instead, you need to replace the certificates in
/Users/bodo/Library/Application Support/Tunnelblick/Configurations/flexlab.tblk/Contents/Resources/,
not in
/Library/Application Support/Tunnelblick/Users/bodo/flexlab.tblk/Contents/Resources/
-- if you change the wrong certificates, they will be overwritten the next time you 

Beyond that, I think you'll have to ask some OpenVPN experts about this:

I did notice the earlier error in the log that I'm puzzled by:

2014-04-26 13:38:00 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=TW/ST=Taiwan/L=Taipei/O=Synology_Inc./OU=Certificate_Authority/CN=Synology_Inc._CA/emailAddress=product@synology.com
2014-04-26 13:38:00 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-04-26 13:38:00 TLS Error: TLS object -> incoming plaintext read error
2014-04-26 13:38:00 TLS Error: TLS handshake failed

I interpret this as saying that the info coming from the server did not verify properly.

My understanding is that the "self signed certificate" complaint is misleading. It is not that there is a self-signed certificate in the chain, it is that the verify failed and there just happens to be a self-signed certificate in the chain (which is sometimes the cause of a verification error, but is probably not the cause in this case). It is not that the verification failed because a self-signed certificate is in the chain.

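Added example, not from the thread: what the depth=1 "self signed certificate in certificate chain" verify error looks like when reproduced with openssl(1) using two constructed CAs (ca-old.crt, the CA still in the client's ca.crt, and ca-new.crt, the CA the server's chain is rooted in after the update), plus the fingerprint comparison that tells the two apart. All file names and CNs are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces OpenVPN's depth=1
# "self signed certificate in certificate chain" verify error with openssl(1):
# the client trusts one CA (ca-old.crt) while the server now presents a chain
# rooted in a different, self-signed CA (ca-new.crt). All names are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# make_ca PREFIX CN : self-signed CA certificate plus key (constructed test CAs)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}
make_ca ca-old "Old_VPN_CA"   # what the client's ca.crt still contains
make_ca ca-new "New_VPN_CA"   # what the server started using after the update

# Server leaf certificate, issued by the new CA only.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=vpn.example.invalid" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca-new.crt -CAkey ca-new.key \
  -CAcreateserial -sha256 -days 2 -out server.crt >/dev/null 2>&1

# verify_chain TRUSTED_CA PRESENTED_CA LEAF
# Mirrors the client side of the handshake: TRUSTED_CA is the ca.crt from the
# config, PRESENTED_CA is the CA the server sends along with its leaf.
# Prints OK, SELF_SIGNED_IN_CHAIN (X509 error 19 at depth 1) or OTHER.
verify_chain() {
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || true
  case "$out" in
    *"error 19 at 1 depth lookup"*) echo SELF_SIGNED_IN_CHAIN ;;
    *": OK"*)                       echo OK ;;
    *)                              echo OTHER ;;
  esac
}

# ca_fingerprint FILE : SHA-256 fingerprint of a certificate
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_ca FILE1 FILE2 : succeeds when both files hold the same CA certificate.
# Comparing the client's ca.crt with the CA on the server is the quick check
# for the mismatch the log shows.
same_ca() {
  [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]
}

echo "client ca-old.crt, server chain from ca-new: $(verify_chain ca-old.crt ca-new.crt server.crt)"
echo "client ca-new.crt, server chain from ca-new: $(verify_chain ca-new.crt ca-new.crt server.crt)"
same_ca ca-old.crt ca-new.crt && echo "CA files match" || echo "CA files differ"
```

The error names the self-signed CA at depth 1 because that is where chain building stopped: the CA the server presented is not in the client's trust file, which is exactly the situation after re-issuing server certificates under a different CA.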

Justin Case

Apr 26, 2014, 8:20:32 AM
to tunnelbli...@googlegroups.com

Hmpf, so no help so far. I am really puzzled. So the Unroutable packets are just a symptom, not a problem?

On 26.04.2014, at 14:15, "jkbull...gmail.com" <jkbu...@gmail.com> wrote:

> When you say you "I restored my certificates like after each server update", do you mean you did that on your server? Or that you updated the certificates on your client (the computer running Tunnelblick)? Either way, you should double-check that you did that properly.

On the server, and I re-did it 3 times to make triple sure.

> On the client, the best way to replace certificates is to modify your .tblk and then reinstall it. If you manually replace the certificates instead, you need to replace the certificates in
> /Users/bodo/Library/Application Support/Tunnelblick/Configurations/flexlab.tblk/Contents/Resources/,
> not in
> /Library/Application Support/Tunnelblick/Users/bodo/flexlab.tblk/Contents/Resources/
> -- if you change the wrong certificates, they will be overwritten the next time you

I didn't change anything on the client. I just updated the server on my NAS and re-installed client- and server certificates.

> I did notice the earlier error in the log that I'm puzzled by:
>
> 2014-04-26 13:38:00 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=TW/ST=Taiwan/L=Taipei/O=Synology_Inc./OU=Certificate_Authority/CN=Synology_Inc._CA/emailAddress=pro...@synology.com
> 2014-04-26 13:38:00 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 2014-04-26 13:38:00 TLS Error: TLS object -> incoming plaintext read error
> 2014-04-26 13:38:00 TLS Error: TLS handshake failed
>
> I interpret this as saying that the info coming from the server did not verify properly.
>
> My understanding is that the "self signed certificate" complaint is misleading. It is not that there is a self-signed certificate in the chain, it is that the verify failed and there just happens to be a self-signed certificate in the chain (which is sometimes the cause of a verification error, but is probably not the cause in this case). It is not that the verification failed because a self-signed certificate is in the chain.

OK, that is the cert that comes with the NAS management software of Synology.


jkbull...gmail.com

Apr 26, 2014, 9:55:43 AM
to tunnelbli...@googlegroups.com
On Saturday, April 26, 2014 8:20:32 AM UTC-4, Justin Case wrote:

> Hmpf, so no help so far.

Sorry :-(

> I am really puzzled. So the Unroutable packets are just a symptom, not a problem?

I think so. Maybe there is a problem in OpenVPN when it retries after the certificate verification fails. But that's just a guess.

One other idea -- you could try OpenVPN 2.3.2 and/or 2.3.3 instead of 2.2.1. Or you could try them in Tunnelblick 3.4beta24.

> OK, that is the cert that comes with the NAS management software of Synology.

If Synology updated their server, maybe they updated the client certificates you need to use to communicate with the server?

Other than that, this sure sounds like a Synology problem: you changed the server and now can't communicate with it.


Justin Case

Apr 26, 2014, 9:59:37 AM
to tunnelbli...@googlegroups.com

On 26.04.2014, at 15:55, "jkbull...gmail.com" <jkbu...@gmail.com> wrote:

>
> If Synology updated their server, maybe they updated the client certificates you need to use to communicate with the server?
>
> Other than that, this sure sounds like a Synology problem: you changed the server and now can't communicate with it.
>

I generated the server and client certs manually. That worked for me for over a year.

My next try is reinstalling the server and using the stock certs as they come with the server.

