Can't connect to my OPENVPN Server using TunnelBlick on Mac


mat...@gmail.com

Jun 16, 2016, 7:24:34 AM
to tunnelblick-discuss
Hi There,

The connection between the OpenVPN client on a Windows 7 PC and my server runs smoothly.
When I try to use the exact same config file on macOS with Tunnelblick, I get a TLS handshake error.

Server-side config:
port 1195

proto udp
dev tun
ca "c:\\openvpn\\config\\ca.crt"
cert "c:\\openvpn\\config\\server-jlf.crt"
key "c:\\openvpn\\config\\server-jlf.key"  # This file should be kept secret
dh "c:\\openvpn\\config\\dh1024.pem"

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 10.0.2.11"
push "dhcp-option DNS 8.8.8.8"

tls-auth ta.key 0 # This file is secret

comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3

crl-verify "c:\\openvpn\\config\\crl.pem"


Server Log:
TLS Error: incoming packet authentication failed from [AF_INET]X.X.X.X:50307
Authenticate/Decrypt packet error: packet HMAC authentication failed


Client-side config:
client
dev tun
proto udp

remote X.X.X.X 1195

resolv-retry infinite
nobind
persist-key
persist-tun
push block-outside-dns 
tls-auth ta.key 1
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
XXXXX
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
XXXXX
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
XXXXX
-----END RSA PRIVATE KEY-----
</key>

Client error log:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

Can anyone help?

jkbull...gmail.com

Jun 16, 2016, 7:39:55 AM
to tunnelblick-discuss, mat...@gmail.com
The server doesn't like the client's ta.key. Perhaps the key is bad, or perhaps it is on a revocation list.

This is an OpenVPN problem, not a Tunnelblick problem. You should consult OpenVPN experts:

mat...@gmail.com

Jun 16, 2016, 8:45:31 AM
to tunnelblick-discuss, mat...@gmail.com
I disagree, as the exact same configuration file works on Windows 7.
So it seems that the settings must be different for Tunnelblick.

jkbull...gmail.com

Jun 16, 2016, 9:11:59 AM
to tunnelblick-discuss, mat...@gmail.com
As I wrote, it is a problem with the key. It isn't a problem with the configuration.

It may seem to you that the "settings" must be different for Tunnelblick, but they aren't, because the "settings" have nothing to do with Tunnelblick, and Tunnelblick has nothing to do with the "settings". The "settings" for the TLS handshake come from the OpenVPN configuration file and keys. They have nothing to do with Tunnelblick, and Tunnelblick has nothing to do with them.

Because you didn't post the info requested in Before You Post to the Tunnelblick Discussion Group, I can't tell if you are using a recent version of Tunnelblick. A very old version of Tunnelblick could contain an old version of OpenSSL, which might not support the particular TLS encryption specified by your configurations. That's the only way I can think of that Tunnelblick could be causing a problem.

I should not have written that this is "an OpenVPN problem". It isn't – it is a problem with the keys. But OpenVPN people are the ones who are experts in setting up OpenVPN servers/clients and dealing with keys, so I stand by my advice to contact OpenVPN experts.

omeed...@gmail.com

Nov 18, 2016, 3:34:38 PM
to tunnelblick-discuss, mat...@gmail.com
Sorry to bring up an old post, but my search terms brought me here, and I thought it might benefit other future users to bring this up; perhaps you guys can share your expertise on this:

I had the same issue as the OP (I don't have the log any longer), and was advised that "block-outside-dns" was a Windows-only function in the configuration file. Upon deleting it, I was getting a successful connection.

Can you confirm that "block-outside-dns" shouldn't be in a Mac configuration file?

Tunnelblick developer

Nov 18, 2016, 4:04:19 PM
to tunnelblick-discuss, mat...@gmail.com, omeed...@gmail.com
(The OP had a completely different problem, related to the encryption keys; in the future, please start a new thread with a meaningful title.)

The "--block-outside-dns" option is an OpenVPN option, so you should consult OpenVPN experts about this, but from my understanding the option is only effective on Windows.

My testing shows that the option should not be in an OpenVPN configuration file that is being used on macOS:

When the option is included in a client's configuration file, you get the same message:
Options error: Unrecognized option or missing or extra parameter(s) in .../config.ovpn:13: block-outside-dns (2.4_beta1)
OpenVPN refuses to connect.

However, when the option is "pushed" to a client by an OpenVPN server, OpenVPN logs a similar message:

2016-11-18 15:50:22 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4_beta1)

and OpenVPN actually does connect properly. In other words, although it says "Options error", it really is an "Options warning".
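An added example, not from anyone in this thread: a small Python lint for a client .ovpn that flags the two problems discussed above, the Windows-only block-outside-dns option (which stops OpenVPN on macOS) and a tls-auth direction that cannot match a server configured with direction 0 (the cause of "packet HMAC authentication failed"); server-only directives such as push in a client file are flagged as well. The sample config, the 192.0.2.10 address and the SERVER_ONLY list are constructed for the example.

```python
import re
from typing import List

# Options OpenVPN implements only on Windows; on macOS the client
# rejects them with "Options error: Unrecognized option" (see thread).
WINDOWS_ONLY = {"block-outside-dns"}
# Directives that belong in a server configuration, never in a client's.
SERVER_ONLY = {"push", "server", "ifconfig-pool-persist", "dh", "crl-verify"}

# Constructed client config, modelled on the one posted in this thread.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
remote 192.0.2.10 1195
nobind
push block-outside-dns
tls-auth ta.key 1
<ca>
-----BEGIN CERTIFICATE-----
XXXXX
-----END CERTIFICATE-----
</ca>
"""


def lint_client_config(text: str) -> List[str]:
    """Return one finding string per problem found in a client .ovpn."""
    findings = []
    inline_block = None  # name of the <ca>/<cert>/<key> block we are inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:  # boundary of an inline file block; skip its PEM body
            inline_block = None if tag.group(1) else tag.group(2)
            continue
        if inline_block:
            continue
        opt, *args = line.split()
        if opt in SERVER_ONLY:
            findings.append(f"line {lineno}: '{opt}' is a server-side directive")
        for bad in WINDOWS_ONLY & {opt, *args}:
            findings.append(f"line {lineno}: '{bad}' is Windows-only; OpenVPN on "
                            "macOS refuses to start when it is in the client config")
        # The server above uses 'tls-auth ta.key 0', so the client needs 1.
        if opt == "tls-auth" and len(args) == 2 and args[1] != "1":
            findings.append(f"line {lineno}: tls-auth direction {args[1]} cannot "
                            "match a server using direction 0 (HMAC failure)")
    return findings
```

Run it against the sample and it reports the push line twice (once as a server directive, once for the Windows-only option), which is exactly the line the later posts say to remove.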