No longer able to access other machines on the VPN network


bgwallace

Jun 19, 2017, 1:41:09 PM
to tunnelblick-discuss
Team,

Several months ago I set up Tunnelblick and OpenVPN server on Tomato.  Eventually, I was able to get everything working the way I wanted, but for some reason (and without any changes I can recall other than Tunnelblick upgrades) I'm no longer able to ping or access services on other machines on my VPN network, though I am still able to access Internet sites.  Any help towards troubleshooting this would be great and very much appreciated.

FYI, it's possible I configured things in a strange way to begin with but I've purposefully configured OpenVPN not to change the apparent public IP address of the connected client.  I would like to keep things configured this way if possible.

I've included the Tunnelblick client connect and disconnect logging below, but please let me know if you have any questions or need anything else to debug the problem.

Thanks again,
Brad

*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); prior version 3.7.1 (build 4811); Admin user
git commit e70dc14d7a954d6fe0040b3b8c9007feb98ee29d


Configuration server.duckdns.org

"Sanitized" condensed configuration file for /Users/user/Library/Application Support/Tunnelblick/Configurations/server.duckdns.org.tblk:

client
dev tap
proto udp
remote server.duckdns.org 1194
resolv-retry infinite
reneg-sec 0
remote-cert-tls server
nobind
persist-key
persist-tun
ca ca.crt
verify-x509-name CN=server.duckdns.org subject
auth SHA256
auth-user-pass
auth-nocache
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
tls-auth static.key 1
cipher AES-256-CBC
comp-lzo adaptive
verb 3


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  134    0 0xffffff7f81032000 0xf000     0xf000     com.displaylink.driver.DisplayLinkDriver (3.0.0 (79478)) 07280D3E-6FA6-3F12-93A0-EB2FDD8B27A8 <86 5 4 3>

================================================================================

There are no unusual files in server.duckdns.org.tblk

================================================================================

Configuration preferences:

useDNS = 1
-useRouteUpInsteadOfUp = 1
-keychainHasUsernameAndPassword = 1
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
-keepConnected = 1
-lastConnectionSucceeded = 1
-tunnelDownSoundName = Basso
-tunnelUpSoundName = Morse
-prependDomainNameToSearchDomains = 0

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.7.1a (build 4812)",
    "3.7.1 (build 4811)",
    "3.7.0 (build 4790)",
    "3.6.10 (build 4760)",
    "3.6.9 (build 4685)",
    "3.6.8 (build 4625)",
    "3.6.7c (build 4606)",
    "3.6.7a (build 4603)",
    "3.6.7 (build 4602)",
    "3.6.6 (build 4582)"
)
lastLaunchTime = 519535607.976811
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = server.duckdns.org
keyboardShortcutIndex = 1
updateAutomatically = 0
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame ConnectingWindow = 525 530 389 187 0 0 1440 877 
NSWindow Frame SUStatusFrame = 520 573 400 129 0 0 1440 877 
NSWindow Frame SUUpdateAlert = 410 376 620 392 0 0 1440 877 
NSWindow Frame ListingWindow = 367 303 500 422 0 0 1440 877 
detailsWindowFrameVersion = 4812
detailsWindowFrame = {{260, 319}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = log
leftNavSelectedDisplayName = server.duckdns.org
AdvancedWindowTabIdentifier = sounds
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SUAutomaticallyUpdate = 0
SULastCheckTime = 2017-06-19 03:26:48 +0000
SULastProfileSubmissionDate = 2017-06-16 12:08:22 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = .AppleSystemUIFont
tunnelblickdHash = 982f7a7b2b98739801aa88b72712259b30dea31dbe8f2662db447888ff2ff295
tunnelblickdPlistHash = ce400d395d1801b003398461b5420021f4d591822783a04b79b2f43956d28620

================================================================================

Tunnelblick Log:

*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); prior version 3.7.1 (build 4811)
2017-06-19 13:25:08 *Tunnelblick: Attempting connection with server.duckdns.org using shadow copy; Set nameserver = 769; monitoring connection
2017-06-19 13:25:08 *Tunnelblick: openvpnstart start server.duckdns.org.tblk 1339 769 0 1 0 1098098 -ptADGNWradsgnw 2.3.16-openssl-1.0.2k
2017-06-19 13:25:08 *Tunnelblick: openvpnstart log:
     Loading tap-signed.kext
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.16-openssl-1.0.2k/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Suser-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sserver.duckdns.org.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098098.1339.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources
          --management
          127.0.0.1
          1339
          --management-query-passwords
          --management-hold
          --script-security
          2
          --route-up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw
          --route-pre-down
          /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw

2017-06-19 13:25:08 *Tunnelblick: openvpnstart starting OpenVPN
2017-06-19 13:25:08 *Tunnelblick: Established communication with OpenVPN
2017-06-19 13:25:08 *Tunnelblick: Obtained VPN username and password from the Keychain
2017-06-19 13:25:08 OpenVPN 2.3.16 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on May 19 2017
2017-06-19 13:25:08 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
2017-06-19 13:25:08 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1339
2017-06-19 13:25:08 Need hold release from management interface, waiting...
2017-06-19 13:25:08 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1339
2017-06-19 13:25:08 MANAGEMENT: CMD 'pid'
2017-06-19 13:25:08 MANAGEMENT: CMD 'state on'
2017-06-19 13:25:08 MANAGEMENT: CMD 'state'
2017-06-19 13:25:08 MANAGEMENT: CMD 'bytecount 1'
2017-06-19 13:25:08 MANAGEMENT: CMD 'hold release'
2017-06-19 13:25:08 MANAGEMENT: CMD 'username "Auth" "user"'
2017-06-19 13:25:08 MANAGEMENT: CMD 'password [...]'
2017-06-19 13:25:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-19 13:25:08 Control Channel Authentication: using 'static.key' as a OpenVPN static key file
2017-06-19 13:25:08 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-19 13:25:08 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-19 13:25:08 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-06-19 13:25:08 MANAGEMENT: >STATE:1497893108,RESOLVE,,,
2017-06-19 13:25:08 UDPv4 link local: [undef]
2017-06-19 13:25:08 UDPv4 link remote: [AF_INET]104.188.5.196:1194
2017-06-19 13:25:08 MANAGEMENT: >STATE:1497893108,WAIT,,,
2017-06-19 13:25:08 MANAGEMENT: >STATE:1497893108,AUTH,,,
2017-06-19 13:25:08 TLS: Initial packet from [AF_INET]104.188.5.196:1194, sid=b18530ad 0beb463b
2017-06-19 13:25:09 VERIFY OK: depth=1, CN=server.duckdns.org
2017-06-19 13:25:09 Validating certificate key usage
2017-06-19 13:25:09 ++ Certificate has key usage  00a0, expects 00a0
2017-06-19 13:25:09 VERIFY KU OK
2017-06-19 13:25:09 Validating certificate extended key usage
2017-06-19 13:25:09 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-06-19 13:25:09 VERIFY EKU OK
2017-06-19 13:25:09 VERIFY X509NAME OK: CN=server.duckdns.org
2017-06-19 13:25:09 VERIFY OK: depth=0, CN=server.duckdns.org
2017-06-19 13:25:09 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-19 13:25:09 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-19 13:25:09 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-19 13:25:09 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-19 13:25:09 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
2017-06-19 13:25:09 [server.duckdns.org] Peer Connection Initiated with [AF_INET]104.188.5.196:1194
2017-06-19 13:25:10 MANAGEMENT: >STATE:1497893110,GET_CONFIG,,,
2017-06-19 13:25:11 SENT CONTROL [server.duckdns.org]: 'PUSH_REQUEST' (status=1)
2017-06-19 13:25:11 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN local,dhcp-option DNS 192.168.24.1,dhcp-option WINS 192.168.24.1,route-gateway dhcp,ping 15,ping-restart 60'
2017-06-19 13:25:11 OPTIONS IMPORT: timers and/or timeouts modified
2017-06-19 13:25:11 OPTIONS IMPORT: route-related options modified
2017-06-19 13:25:11 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-06-19 13:25:11 TUN/TAP device /dev/tap0 opened
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Did 'ipconfig set "tap0" DHCP'
                                        Configuring tap DNS via DHCP asynchronously
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2017-06-19 13:25:13 Initialization Sequence Completed
2017-06-19 13:25:13 MANAGEMENT: >STATE:1497893113,CONNECTED,SUCCESS,,104.188.5.196
                                        Sleeping for 3 seconds to wait for DHCP to finish setup.
                                        Sleeping for 4 seconds to wait for DHCP to finish setup.
                                        WARNING: No DNS information received from OpenVPN via DHCP, so no network/DNS configuration changes need to be made.
                                        WARNING: Will NOT monitor for other network configuration changes.
                                        DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
                                        The DNS servers include only free public DNS servers known to Tunnelblick.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
2017-06-19 13:25:13 *Tunnelblick: No 'connected.sh' script to execute
                                        Sleeping for 0 seconds to wait for DHCP to finish setup.
                                        Sleeping for 1 seconds to wait for DHCP to finish setup.
                                        Sleeping for 2 seconds to wait for DHCP to finish setup.
2017-06-19 13:25:18 *Tunnelblick: This computer's apparent public IP address (24.142.253.164) was unchanged after the connection was made
2017-06-19 13:26:10 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2017-06-19 13:26:10 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2017-06-19 13:26:10 *Tunnelblick: Disconnecting using 'kill'
2017-06-19 13:26:10 event_wait : Interrupted system call (code=4)
2017-06-19 13:26:10 /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1602   init
                                        **********************************************
                                        Start of output from client.route-pre-down.tunnelblick.sh
                                        WARNING: No saved Tunnelblick DNS configuration found; not doing anything.
                                        End of output from client.route-pre-down.tunnelblick.sh
                                        **********************************************
2017-06-19 13:26:11 Closing TUN/TAP interface
2017-06-19 13:26:11 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1602   init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        WARNING: Not restoring DNS settings because no saved Tunnelblick DNS information was found.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2017-06-19 13:26:12 SIGTERM[hard,] received, process exiting
2017-06-19 13:26:12 MANAGEMENT: >STATE:1497893172,EXITING,SIGTERM,,
2017-06-19 13:26:13 *Tunnelblick: No 'post-disconnect.sh' script to execute
2017-06-19 13:26:13 *Tunnelblick: Expected disconnection occurred.

================================================================================

"Sanitized" full configuration file

##############################################
# Client-side OpenVPN 2.37 config file       #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Official man page located at the link below.

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-2 1194
remote server.duckdns.org 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Disable client-initiated renegotiation of data channel key.
# Server will initiate the renegotiation.
reneg-sec 0

# Require that peer certificate was signed with an
# explicit key usage and extended key usage based on
# RFC3280 TLS rules.
# This is a useful security option for clients, to ensure
# that the host they connect to is a designated server.
# Used in place of tls-remote.
remote-cert-tls server

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
;cert client.crt
;key client.key

# Accept connections only if a host's X.509 name matches
# the specified name. The remote host must also pass all
# other tests of verification.
verify-x509-name CN=server.duckdns.org subject

# Use the much more secure 256-bit SHA256 encryption algorithm
# to secure data channel messages rather than the default and
# much less secure 160-bit SHA1 encryption algorithm.
auth SHA256

# Authenticate with server using username/password.
auth-user-pass

# Don't cache username and password in virtual memory.
auth-nocache

# Prevent TLS version downgrade attacks by forcing v1.2.
tls-version-min 1.2

# Prevent TLS cipher downgrade attacks by allowing only
# the strongest ciphers to be used.
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

# Use the server's static key to establish extra HMAC authentication
# with the server.
# "1" indicates this is the Outgoing end of the connection (client).
# "0" is specified by the server which indicates it is the Incoming end
# of the connection.
tls-auth static.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo
comp-lzo adaptive

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20



================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000 
inet6 ::1 prefixlen 128 
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether a4:5e:60:e6:37:2b 
inet6 fe80::1020:5503:d91a:722f%en0 prefixlen 64 secured scopeid 0x4 
inet 172.31.99.32 netmask 0xfffffe00 broadcast 172.31.99.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 6a:00:00:50:f4:40 
media: autoselect <full-duplex>
status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 6a:00:00:50:f4:41 
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 6a:00:00:50:f4:40 
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
       ifmaxaddr 0 port 5 priority 0 path cost 0
member: en2 flags=3<LEARNING,DISCOVER>
       ifmaxaddr 0 port 6 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 06:5e:60:e6:37:2b 
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether ee:ba:f2:cb:4b:0b 
inet6 fe80::ecba:f2ff:fecb:4b0b%awdl0 prefixlen 64 scopeid 0x9 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::7407:a3ff:6a47:737c%utun0 prefixlen 64 scopeid 0xa 
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::759c:9986:12da:3340%utun1 prefixlen 64 scopeid 0xb 
inet6 fdf2:53ba:c443:d597:759c:9986:12da:3340 prefixlen 64 
nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::3969:b831:50d0:fad4%utun2 prefixlen 64 scopeid 0xc 
nd6 options=201<PERFORMNUD,DAD>

================================================================================

Console Log:

2017-06-19 13:08:21 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'username'
2017-06-19 13:08:21 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'password'
2017-06-19 13:12:30 Tunnelblick[670] BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked
2017-06-19 13:13:15 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'username'
2017-06-19 13:13:15 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'password'
2017-06-19 13:17:55 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'username'
2017-06-19 13:17:55 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'password'
2017-06-19 13:18:14 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'username'
2017-06-19 13:18:14 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'password'
2017-06-19 13:19:59 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'username'
2017-06-19 13:19:59 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'password'
2017-06-19 13:23:54 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'username'
2017-06-19 13:23:54 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'password'
2017-06-19 13:25:08 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'username'
2017-06-19 13:25:08 Tunnelblick[670] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-server.duckdns.org' account = 'password'

Tunnelblick developer

Jun 19, 2017, 2:55:51 PM
to tunnelblick-discuss
The server is telling Tunnelblick to use specific DNS info, and is also saying use DHCP to get gateway info:

PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN local,dhcp-option DNS 192.168.24.1,dhcp-option WINS 192.168.24.1,route-gateway dhcp,ping 15,ping-restart 60'

but Tunnelblick is not getting any DNS info in response to its DHCP request:

Did 'ipconfig set "tap0" DHCP'
Configuring tap DNS via DHCP asynchronously
 ...
WARNING: No DNS information received from OpenVPN via DHCP, so no network/DNS configuration changes need to be made.
WARNING: Will NOT monitor for other network configuration changes.
DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active

Tunnelblick's up script does not correctly deal with this situation. It never has, so I don't understand why your VPN used to work. (The up script incorrectly assumes that you are getting both the gateway info and the DNS info from DHCP.)

But the first thing to find out is whether this is a routing problem or a DNS problem. Try accessing the other servers on the VPN via their IP address instead of by name.
  • If that works, the problem is that Tunnelblick isn't setting up DNS to use 192.168.24.1. Try using some of the other "Set DNS/WINS" settings in Tunnelblick. They use different up/down scripts that do different things.

  • If that doesn't work, then there's a routing problem, which would not surprise me because there are apparently no changes to routing being done by OpenVPN (Tunnelblick doesn't touch routing, only OpenVPN does that). I'm not enough of an expert to know if that's OK or not, or how to fix it if it is the problem.

bgwallace

Jun 19, 2017, 8:03:24 PM
to tunnelblick-discuss
Thanks for the help.  I'm unable to access other machines using the IP address.  What's interesting is that I don't seem to be getting an IP from the OpenVPN server.  Below is the ifconfig info for my wireless interface (en0) and the VPN (tap0) interface when connected to VPN and also when connected directly to the LAN.  Also, you can see when I'm connected to VPN I can't ping the gateway but when connected directly to the LAN I can.  Any ideas on what might be going on here?

Thanks again,
Brad

VPN Connected Logging
——————————-

Brads-MacBook-Pro:Desktop bgwallace$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether a4:5e:60:e6:37:2b 
inet6 fe80::1020:5503:d91a:722f%en0 prefixlen 64 secured scopeid 0x4 
inet 172.20.10.2 netmask 0xfffffff0 broadcast 172.20.10.15
inet6 2600:1004:b02f:b820:14e4:1155:1b3e:cd02 prefixlen 64 autoconf secured 
inet6 2600:1004:b02f:b820:31a5:e34f:a5c8:a20b prefixlen 64 autoconf temporary 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
Brads-MacBook-Pro:Desktop bgwallace$ ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether de:85:5b:d8:35:a6 
inet 169.254.85.236 netmask 0xffff0000 broadcast 169.254.255.255
media: autoselect
status: active
open (pid 3884)
Brads-MacBook-Pro:Desktop bgwallace$ ping -c 4 192.168.24.1
PING 192.168.24.1 (192.168.24.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

--- 192.168.24.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss


LAN Connected Logging
——————————

Brads-MacBook-Pro:Desktop bgwallace$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether a4:5e:60:e6:37:2b 
inet6 fe80::1020:5503:d91a:722f%en0 prefixlen 64 secured scopeid 0x4 
inet 192.168.24.14 netmask 0xffffff00 broadcast 192.168.24.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
Brads-MacBook-Pro:Desktop bgwallace$ ifconfig tap0
ifconfig: interface tap0 does not exist
Brads-MacBook-Pro:Desktop bgwallace$ ping -c 4 192.168.24.1
PING 192.168.24.1 (192.168.24.1): 56 data bytes
64 bytes from 192.168.24.1: icmp_seq=0 ttl=64 time=1.491 ms
64 bytes from 192.168.24.1: icmp_seq=1 ttl=64 time=2.168 ms
64 bytes from 192.168.24.1: icmp_seq=2 ttl=64 time=0.895 ms
64 bytes from 192.168.24.1: icmp_seq=3 ttl=64 time=1.762 ms

--- 192.168.24.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.895/1.579/2.168/0.463 ms
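One way to automate the check Brad does by hand above (is tap0 getting a DHCP lease over the bridge, or only a self-assigned address?), as an added example that is not part of this thread or of Tunnelblick. It assumes the expected LAN is 192.168.24.0/24, taken from the LAN-side ifconfig output; the sample PUSH_REPLY and ifconfig inputs are constructed from the values quoted in the thread.

```python
"""Classify why a bridged (dev tap) OpenVPN client cannot reach the LAN.

Added example; not part of this thread or of Tunnelblick's scripts. It parses
the PUSH_REPLY line from the OpenVPN log and the `ifconfig tap0` output and
reports whether the client really obtained a DHCP lease over the tap, which is
the check the thread performs by hand. Inputs are constructed from values quoted
in the thread; the expected LAN prefix is an assumption taken from the LAN-side
ifconfig output (192.168.24.14 netmask 0xffffff00).
"""
import ipaddress
import re

# Constructed from the thread: DNS/WINS arrive as pushed dhcp-options, but the
# gateway (and the client's own address) are expected to come from DHCP over
# the bridged tap interface.
PUSH_REPLY = ("PUSH_REPLY,dhcp-option DOMAIN local,dhcp-option DNS 192.168.24.1,"
              "dhcp-option WINS 192.168.24.1,route-gateway dhcp,ping 15,ping-restart 60")

# Constructed `ifconfig tap0` output while the VPN is up (values from the thread).
IFCONFIG_TAP0 = """tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether de:85:5b:d8:35:a6
\tinet 169.254.85.236 netmask 0xffff0000 broadcast 169.254.255.255
\tmedia: autoselect
\tstatus: active
"""

# macOS self-assigns an address from this block when no DHCP offer arrives.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_push_reply(line):
    """Split a PUSH_REPLY control message into the options that matter here."""
    body = line.split("PUSH_REPLY,", 1)[1] if "PUSH_REPLY," in line else line
    opts = {"dns": [], "wins": [], "domain": [], "route_gateway": None}
    for item in body.split(","):
        words = item.split()
        if not words:
            continue
        if words[0] == "dhcp-option" and len(words) >= 3:
            key = words[1].lower()
            if key in opts:
                opts[key].append(words[2])
        elif words[0] == "route-gateway" and len(words) >= 2:
            opts["route_gateway"] = words[1]
    return opts


def parse_inet(ifconfig_text):
    """Return the first IPv4 'inet' entry as an IPv4Interface, or None."""
    m = re.search(r"^\s*inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})",
                  ifconfig_text, re.MULTILINE)
    if not m:
        return None
    mask = ipaddress.ip_address(int(m.group(2), 16))  # 0xffff0000 -> 255.255.0.0
    return ipaddress.ip_interface(f"{m.group(1)}/{mask}")


def diagnose(push_reply, ifconfig_tap, expected_lan):
    """Decide whether the tap got a usable lease, and what to check next."""
    opts = parse_push_reply(push_reply)
    inet = parse_inet(ifconfig_tap)
    lan = ipaddress.ip_network(expected_lan)
    result = {
        "gateway_via_dhcp": opts["route_gateway"] == "dhcp",
        "dns_pushed": list(opts["dns"]),
        "tap_address": str(inet.ip) if inet else None,
        "has_lease": False,
        "verdict": "",
    }
    if inet is None:
        result["verdict"] = "no IPv4 address on tap: DHCP over the bridge never completed"
    elif inet.ip in LINK_LOCAL:
        # The thread's case: a 169.254.x.x address means no DHCP lease arrived,
        # so the failure is upstream of DNS (bridge/DHCP), not the up script.
        result["verdict"] = ("tap self-assigned a 169.254.x.x address: no DHCP lease reached "
                             "the client, so LAN routing cannot work; check the server-side "
                             "bridge and DHCP server before looking at DNS")
    elif inet.ip not in lan:
        result["has_lease"] = True
        result["verdict"] = f"tap leased {inet.with_prefixlen}, outside {lan}: wrong bridge or scope"
    else:
        result["has_lease"] = True
        result["verdict"] = ("lease OK; if names still fail, the pushed DNS servers "
                             f"({', '.join(opts['dns'])}) were not applied by the up script")
    return result


if __name__ == "__main__":
    for key, value in diagnose(PUSH_REPLY, IFCONFIG_TAP0, "192.168.24.0/24").items():
        print(f"{key}: {value}")
```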

sundial....@gmail.com

Jun 21, 2017, 12:39:47 PM
to tunnelblick-discuss
It could also be that "client-to-client" is missing from the server configuration.  Without it, participants on the OpenVPN server do not see each other.

bgwallace

Jun 21, 2017, 1:12:16 PM
to tunnelblick-discuss
Thanks, Mike, for your help.  I can check that when I get home, but would a missing client-to-client option prevent the client from being able to ping the DHCP server?  I wouldn't think so, and I may be missing something here as I'm not the sharpest tool with OpenVPN, but based on the ifconfig logging I shared previously it looks to me like the main issue is that the client may not be getting an IP from DHCP server 192.168.24.1 when connected through the OpenVPN server.

Please let me know if you have any questions and thanks again!

Brad

bgwallace

Jun 22, 2017, 10:38:05 PM
to tunnelblick-discuss
Tunnelblick developer,

Just checking in to see if you or anyone else at Tunnelblick can provide additional assistance with this issue.

Thanks,
Brad

Tunnelblick developer

Jun 23, 2017, 8:43:40 AM
to tunnelblick-discuss
Attached is a replacement "up" script that may work. It is the same as the standard "up" script, except:
  • It processes DNS changes requested by OpenVPN before doing DHCP (instead of ignoring them); and

  • It increases the time allowed for DHCP requests before timing out.
(I'm not sure the timeout increase is necessary but it will only cause a delay if there is no DHCP response, which shouldn't happen for you. It may not be a good idea in general, though.)

To use the script, copy the file into your .tblk. You can copy it directly into

/Users/user/Library/Application Support/Tunnelblick/Configurations/server.duckdns.org.tblk/Contents/Resources

(In Finder, Control-click on "server.duckdns.org.tblk" and select "Show Package Contents" to get to the "Contents" folder.)

The script inside the .tblk will be used instead of the normal script.

You'll be asked for a computer admin username/password the first time you connect after adding the script.


To undo this, just move the script from server.duckdns.org.tblk/Contents/Resources to the Trash.
up.tunnelblick.sh

bgwallace

Jun 25, 2017, 11:01:11 PM
to tunnelblick-discuss
Tunnelblick developer,

Thank you for taking the time to look into this issue.  Unfortunately, the custom up script doesn't resolve the issue and I'm also unable to access Internet sites with it as well.  I'm including the updated connect/disconnect logs and also the ifconfig/ping logs in case that's helpful.  Thanks again and please let me know if there's anything else you need.

Regards,
Brad

2017-06-25 22:47:19 *Tunnelblick: openvpnstart starting OpenVPN
*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1b (build 4813); prior version 3.7.1a (build 4812)
2017-06-25 22:47:19 *Tunnelblick: Attempting connection with server.duckdns.org using shadow copy; Set nameserver = 769; monitoring connection
2017-06-25 22:47:19 *Tunnelblick: openvpnstart start server.duckdns.org.tblk 1338 769 0 1 0 1098098 -ptADGNWradsgnw 2.3.17-openssl-1.0.2k
2017-06-25 22:47:20 *Tunnelblick: openvpnstart log:
     Loading tap-signed.kext
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.17-openssl-1.0.2k/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Suser-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sserver.duckdns.org.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098098.1338.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources
          --management
          127.0.0.1
          1338
          --management-query-passwords
          --management-hold
          --script-security
          2
          --route-up
          "/Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources/up.tunnelblick.sh" -9 -a -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw
          --route-pre-down
          /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw

2017-06-25 22:47:19 OpenVPN 2.3.17 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jun 21 2017
2017-06-25 22:47:19 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
2017-06-25 22:47:19 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2017-06-25 22:47:19 Need hold release from management interface, waiting...
2017-06-25 22:47:20 *Tunnelblick: Established communication with OpenVPN
2017-06-25 22:47:20 *Tunnelblick: Obtained VPN username and password from the Keychain
2017-06-25 22:47:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2017-06-25 22:47:20 MANAGEMENT: CMD 'pid'
2017-06-25 22:47:20 MANAGEMENT: CMD 'state on'
2017-06-25 22:47:20 MANAGEMENT: CMD 'state'
2017-06-25 22:47:20 MANAGEMENT: CMD 'bytecount 1'
2017-06-25 22:47:20 MANAGEMENT: CMD 'hold release'
2017-06-25 22:47:20 MANAGEMENT: CMD 'username "Auth" "user"'
2017-06-25 22:47:20 MANAGEMENT: CMD 'password [...]'
2017-06-25 22:47:20 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-25 22:47:20 Control Channel Authentication: using 'static.key' as a OpenVPN static key file
2017-06-25 22:47:20 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-25 22:47:20 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-25 22:47:20 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-06-25 22:47:20 MANAGEMENT: >STATE:1498445240,RESOLVE,,,
2017-06-25 22:47:20 UDPv4 link local: [undef]
2017-06-25 22:47:20 UDPv4 link remote: [AF_INET]104.188.5.196:1194
2017-06-25 22:47:20 MANAGEMENT: >STATE:1498445240,WAIT,,,
2017-06-25 22:47:20 MANAGEMENT: >STATE:1498445240,AUTH,,,
2017-06-25 22:47:20 TLS: Initial packet from [AF_INET]104.188.5.196:1194, sid=518d4e35 1ac50f57
2017-06-25 22:47:21 VERIFY OK: depth=1, CN=server.duckdns.org
2017-06-25 22:47:21 Validating certificate key usage
2017-06-25 22:47:21 ++ Certificate has key usage  00a0, expects 00a0
2017-06-25 22:47:21 VERIFY KU OK
2017-06-25 22:47:21 Validating certificate extended key usage
2017-06-25 22:47:21 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-06-25 22:47:21 VERIFY EKU OK
2017-06-25 22:47:21 VERIFY X509NAME OK: CN=server.duckdns.org
2017-06-25 22:47:21 VERIFY OK: depth=0, CN=server.duckdns.org
2017-06-25 22:47:21 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-25 22:47:21 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-25 22:47:21 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-25 22:47:21 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-25 22:47:21 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
2017-06-25 22:47:21 [server.duckdns.org] Peer Connection Initiated with [AF_INET]104.188.5.196:1194
2017-06-25 22:47:22 MANAGEMENT: >STATE:1498445242,GET_CONFIG,,,
2017-06-25 22:47:23 SENT CONTROL [server.duckdns.org]: 'PUSH_REQUEST' (status=1)
2017-06-25 22:47:23 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN local,dhcp-option DNS 192.168.24.1,dhcp-option WINS 192.168.24.1,route-gateway dhcp,ping 15,ping-restart 60'
2017-06-25 22:47:23 OPTIONS IMPORT: timers and/or timeouts modified
2017-06-25 22:47:23 OPTIONS IMPORT: route-related options modified
2017-06-25 22:47:23 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-06-25 22:47:23 TUN/TAP device /dev/tap0 opened
                                        **********************************************
                                        Start of output from up.tunnelblick.sh
                                        Configuring tap DNS via OpenVPN **before** using DHCP
                                        Retrieved from OpenVPN: name server(s) [ 192.168.24.1 ], domain name [ local ], search domain(s) [  ], and SMB server(s) [ 192.168.24.1 ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Not aggregating WINSAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'local' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from 'fe80::103d:f2db:3723:dfac 172.20.10.1' to '192.168.24.1'
                                        Changed DNS SearchDomains setting from '' to 'local'
                                        Changed DNS DomainName setting from '' to 'local'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Changed SMB WINSAddresses setting from '' to '192.168.24.1'
                                        DNS servers '192.168.24.1' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        Did 'ipconfig set "tap0" DHCP'
                                        Configuring tap DNS via DHCP asynchronously
                                        End of output from up.tunnelblick.sh
                                        **********************************************
2017-06-25 22:47:26 Initialization Sequence Completed
2017-06-25 22:47:26 MANAGEMENT: >STATE:1498445246,CONNECTED,SUCCESS,,104.188.5.196
                                        Sleeping for 0 seconds to wait for DHCP to finish setup.
                                        Sleeping for 1 seconds to wait for DHCP to finish setup.
                                        Sleeping for 2 seconds to wait for DHCP to finish setup.
                                        Sleeping for 3 seconds to wait for DHCP to finish setup.
                                        Sleeping for 4 seconds to wait for DHCP to finish setup.
                                        Sleeping for 5 seconds to wait for DHCP to finish setup.
                                        Sleeping for 6 seconds to wait for DHCP to finish setup.
                                        WARNING: No DNS information received from OpenVPN via DHCP, so no network/DNS configuration changes need to be made.
                                        WARNING: Will NOT monitor for other network configuration changes.
                                        DNS servers '192.168.24.1' were set manually
                                        DNS servers '192.168.24.1' will be used for DNS queries when the VPN is active
                                        /Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources/up.tunnelblick.sh: line 1219: knownPublicDnsServers: readonly variable
2017-06-25 22:47:27 *Tunnelblick: No 'connected.sh' script to execute
2017-06-25 22:47:32 *Tunnelblick: This computer's apparent public IP address (174.194.14.200) was unchanged after the connection was made
2017-06-25 22:48:31 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2017-06-25 22:48:32 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2017-06-25 22:48:32 *Tunnelblick: Disconnecting using 'kill'
2017-06-25 22:48:32 event_wait : Interrupted system call (code=4)
2017-06-25 22:48:32 /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1602   init
                                        **********************************************
                                        Start of output from client.route-pre-down.tunnelblick.sh
                                        WARNING: Ignoring change of Network Primary Service from 0463D932-4C6E-4B71-9F3B-9C25FF8F71D0 to   RestoreIpv6Services : 
                                        0463D932-4C6E-4B71-9F3B-9C25FF8F71D0
                                        Cancelled monitoring of system configuration changes
                                        Released the DHCP lease via ipconfig set "tap0" NONE.
                                        End of output from client.route-pre-down.tunnelblick.sh
                                        **********************************************
2017-06-25 22:48:32 Closing TUN/TAP interface
2017-06-25 22:48:32 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1602   init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        Restored the DNS and SMB configurations
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2017-06-25 22:48:32 SIGTERM[hard,] received, process exiting
2017-06-25 22:48:32 MANAGEMENT: >STATE:1498445312,EXITING,SIGTERM,,
2017-06-25 22:48:33 *Tunnelblick: No 'post-disconnect.sh' script to execute
2017-06-25 22:48:33 *Tunnelblick: Expected disconnection occurred.


ifconfig/ping logs
-----------------------

Brads-MacBook-Pro:~ bgwallace$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether a4:5e:60:e6:37:2b 
inet6 fe80::1033:733e:f172:2315%en0 prefixlen 64 secured scopeid 0x4 
inet 172.20.10.2 netmask 0xfffffff0 broadcast 172.20.10.15
inet6 2600:1004:b05a:bab6:8f:b155:ca3:a142 prefixlen 64 autoconf secured 
inet6 2600:1004:b05a:bab6:a9ff:ff1f:f172:9a3e prefixlen 64 autoconf temporary 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active

Brads-MacBook-Pro:~ bgwallace$ ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether f2:3a:86:6e:7f:23 
inet 169.254.110.85 netmask 0xffff0000 broadcast 169.254.255.255
media: autoselect
status: active
open (pid 6673)

Brads-MacBook-Pro:~ bgwallace$ ping -c 4 192.168.24.1
PING 192.168.24.1 (192.168.24.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

--- 192.168.24.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
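
As an added diagnostic example (not code from this thread and not part of Tunnelblick), the following POSIX shell check classifies the IPv4 address on a tap interface the way a reader of the ifconfig output above would by eye. The 169.254.110.85 on tap0 is a self-assigned link-local address, which is what macOS falls back to when `ipconfig set tap0 DHCP` receives no offer; that is consistent with the "No DNS information received from OpenVPN via DHCP" warning in the connect log, and an address in that range gives the client no path into the 192.168.24.0/24 LAN, which matches the failed pings. The two sample ifconfig blocks are constructed so the script runs offline: the first is copied from the post, the second is an assumed healthy lease on 192.168.24.0/24 (the LAN subnet is an assumption based on the pushed DNS server 192.168.24.1). The function names `tap_addr_state` and `check_live` are mine.

```shell
#!/bin/sh
# Classify the IPv4 state of a tap interface from ifconfig output.
# Added example; not part of the thread or of Tunnelblick's scripts.

# Constructed sample 1: the tap0 block posted in the thread (DHCP got no reply).
SAMPLE_TAP0='tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether f2:3a:86:6e:7f:23
    inet 169.254.110.85 netmask 0xffff0000 broadcast 169.254.255.255
    media: autoselect
    status: active'

# Constructed sample 2: what a successful lease from the Tomato router would
# look like (assumption: the LAN behind the VPN is 192.168.24.0/24).
SAMPLE_TAP0_OK='tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether f2:3a:86:6e:7f:23
    inet 192.168.24.57 netmask 0xffffff00 broadcast 192.168.24.255
    media: autoselect
    status: active'

# tap_addr_state <ifconfig-output>
# Prints exactly one word:
#   none        no IPv4 address is configured on the interface
#   link-local  a self-assigned 169.254.0.0/16 address (no DHCP offer arrived)
#   leased      any other IPv4 address (DHCP lease or static assignment)
tap_addr_state() {
    # First "inet" line only; "inet6" lines do not match $1 == "inet".
    addr=$(printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }')
    case "$addr" in
        '')        echo none ;;
        169.254.*) echo link-local ;;
        *)         echo leased ;;
    esac
}

# check_live [iface]
# Runs the same classification against the live interface (default tap0).
# Not exercised by the offline run below; use it on the affected Mac.
check_live() {
    iface=${1:-tap0}
    out=$(ifconfig "$iface" 2>/dev/null) || { echo none; return; }
    tap_addr_state "$out"
}

# Offline demonstration on the constructed samples.
printf 'thread tap0 sample: %s\n' "$(tap_addr_state "$SAMPLE_TAP0")"
printf 'healthy sample:     %s\n' "$(tap_addr_state "$SAMPLE_TAP0_OK")"
```

A `link-local` result right after "Initialization Sequence Completed" is the signal that the DHCP request sent out over the tap bridge never got an answer; the DNS settings pushed by OpenVPN can still be applied (as the up script log shows), but without a LAN address on tap0 no traffic for 192.168.24.0/24 will go through the tunnel.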

bgwallace

Jun 29, 2017, 11:41:23 PM
to tunnelblick-discuss
Hey Tunnelblick developer,

Just checking in to see if you have any other thoughts or ideas in response to my previous email.  Thank you again.

Regards,
Brad

bgwallace

Jul 5, 2017, 12:03:12 AM
to tunnelblick-discuss
Hey Tunnelblick Team, can you please provide an update on if and when an enhancement can be delivered to fix this issue or if there are any other troubleshooting steps I should try?

Thanks,
Brad