Several months ago I set up Tunnelblick and OpenVPN server on Tomato. Eventually, I was able to get everything working the way I wanted, but for some reason (and without any changes I can recall other than Tunnelblick upgrades) I'm no longer able to ping or access services on other machines on my VPN network, though I am still able to access Internet sites. Any help towards troubleshooting this would be great and very much appreciated.
FYI, it's possible I configured things in a strange way to begin with but I've purposefully configured OpenVPN not to change the apparent public IP address of the connected client. I would like to keep things configured this way if possible.
I've included the Tunnelblick client connect and disconnect logging below, but please let me know if you have any questions or need anything else to debug the problem.
*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); prior version 3.7.1 (build 4811); Admin user
git commit e70dc14d7a954d6fe0040b3b8c9007feb98ee29d
"Sanitized" condensed configuration file for /Users/user/Library/Application Support/Tunnelblick/Configurations/server.duckdns.org.tblk:
client
dev tap
proto udp
resolv-retry infinite
reneg-sec 0
remote-cert-tls server
nobind
persist-key
persist-tun
ca ca.crt
auth SHA256
auth-user-pass
auth-nocache
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
tls-auth static.key 1
cipher AES-256-CBC
comp-lzo adaptive
verb 3
================================================================================
Non-Apple kexts that are loaded:
Index Refs Address Size Wired Name (Version) UUID <Linked Against>
134 0 0xffffff7f81032000 0xf000 0xf000 com.displaylink.driver.DisplayLinkDriver (3.0.0 (79478)) 07280D3E-6FA6-3F12-93A0-EB2FDD8B27A8 <86 5 4 3>
================================================================================
There are no unusual files in server.duckdns.org.tblk
================================================================================
Configuration preferences:
useDNS = 1
-useRouteUpInsteadOfUp = 1
-keychainHasUsernameAndPassword = 1
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
-keepConnected = 1
-lastConnectionSucceeded = 1
-tunnelDownSoundName = Basso
-tunnelUpSoundName = Morse
-prependDomainNameToSearchDomains = 0
================================================================================
Wildcard preferences:
================================================================================
Program preferences:
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
"3.7.1a (build 4812)",
"3.7.1 (build 4811)",
"3.7.0 (build 4790)",
"3.6.10 (build 4760)",
"3.6.9 (build 4685)",
"3.6.8 (build 4625)",
"3.6.7c (build 4606)",
"3.6.7a (build 4603)",
"3.6.7 (build 4602)",
"3.6.6 (build 4582)"
)
lastLaunchTime = 519535607.976811
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
keyboardShortcutIndex = 1
updateAutomatically = 0
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame ConnectingWindow = 525 530 389 187 0 0 1440 877
NSWindow Frame SUStatusFrame = 520 573 400 129 0 0 1440 877
NSWindow Frame SUUpdateAlert = 410 376 620 392 0 0 1440 877
NSWindow Frame ListingWindow = 367 303 500 422 0 0 1440 877
detailsWindowFrameVersion = 4812
detailsWindowFrame = {{260, 319}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = log
AdvancedWindowTabIdentifier = sounds
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SUAutomaticallyUpdate = 0
SULastCheckTime = 2017-06-19 03:26:48 +0000
SULastProfileSubmissionDate = 2017-06-16 12:08:22 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = .AppleSystemUIFont
tunnelblickdHash = 982f7a7b2b98739801aa88b72712259b30dea31dbe8f2662db447888ff2ff295
tunnelblickdPlistHash = ce400d395d1801b003398461b5420021f4d591822783a04b79b2f43956d28620
================================================================================
Tunnelblick Log:
*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); prior version 3.7.1 (build 4811)
2017-06-19 13:25:08 *Tunnelblick: Attempting connection with server.duckdns.org using shadow copy; Set nameserver = 769; monitoring connection
2017-06-19 13:25:08 *Tunnelblick: openvpnstart start server.duckdns.org.tblk 1339 769 0 1 0 1098098 -ptADGNWradsgnw 2.3.16-openssl-1.0.2k
2017-06-19 13:25:08 *Tunnelblick: openvpnstart log:
Loading tap-signed.kext
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.16-openssl-1.0.2k/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-Suser-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sserver.duckdns.org.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098098.1339.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources
--verb
3
--config
/Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Users/user/server.duckdns.org.tblk/Contents/Resources
--management
127.0.0.1
1339
--management-query-passwords
--management-hold
--script-security
2
--route-up
--down
--route-pre-down
2017-06-19 13:25:08 *Tunnelblick: openvpnstart starting OpenVPN
2017-06-19 13:25:08 *Tunnelblick: Established communication with OpenVPN
2017-06-19 13:25:08 *Tunnelblick: Obtained VPN username and password from the Keychain
2017-06-19 13:25:08 OpenVPN 2.3.16 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on May 19 2017
2017-06-19 13:25:08 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
2017-06-19 13:25:08 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1339
2017-06-19 13:25:08 Need hold release from management interface, waiting...
2017-06-19 13:25:08 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1339
2017-06-19 13:25:08 MANAGEMENT: CMD 'pid'
2017-06-19 13:25:08 MANAGEMENT: CMD 'state on'
2017-06-19 13:25:08 MANAGEMENT: CMD 'state'
2017-06-19 13:25:08 MANAGEMENT: CMD 'bytecount 1'
2017-06-19 13:25:08 MANAGEMENT: CMD 'hold release'
2017-06-19 13:25:08 MANAGEMENT: CMD 'username "Auth" "user"'
2017-06-19 13:25:08 MANAGEMENT: CMD 'password [...]'
2017-06-19 13:25:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-19 13:25:08 Control Channel Authentication: using 'static.key' as a OpenVPN static key file
2017-06-19 13:25:08 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-19 13:25:08 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-19 13:25:08 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-06-19 13:25:08 MANAGEMENT: >STATE:1497893108,RESOLVE,,,
2017-06-19 13:25:08 UDPv4 link local: [undef]
2017-06-19 13:25:08 MANAGEMENT: >STATE:1497893108,WAIT,,,
2017-06-19 13:25:08 MANAGEMENT: >STATE:1497893108,AUTH,,,
2017-06-19 13:25:08 TLS: Initial packet from [AF_INET]104.188.5.196:1194, sid=b18530ad 0beb463b
2017-06-19 13:25:09 Validating certificate key usage
2017-06-19 13:25:09 ++ Certificate has key usage 00a0, expects 00a0
2017-06-19 13:25:09 VERIFY KU OK
2017-06-19 13:25:09 Validating certificate extended key usage
2017-06-19 13:25:09 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-06-19 13:25:09 VERIFY EKU OK
2017-06-19 13:25:09 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-19 13:25:09 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-19 13:25:09 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-19 13:25:09 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2017-06-19 13:25:09 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
2017-06-19 13:25:10 MANAGEMENT: >STATE:1497893110,GET_CONFIG,,,
2017-06-19 13:25:11 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN local,dhcp-option DNS 192.168.24.1,dhcp-option WINS 192.168.24.1,route-gateway dhcp,ping 15,ping-restart 60'
2017-06-19 13:25:11 OPTIONS IMPORT: timers and/or timeouts modified
2017-06-19 13:25:11 OPTIONS IMPORT: route-related options modified
2017-06-19 13:25:11 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-06-19 13:25:11 TUN/TAP device /dev/tap0 opened
**********************************************
Did 'ipconfig set "tap0" DHCP'
Configuring tap DNS via DHCP asynchronously
**********************************************
2017-06-19 13:25:13 Initialization Sequence Completed
2017-06-19 13:25:13 MANAGEMENT: >STATE:1497893113,CONNECTED,SUCCESS,,104.188.5.196
Sleeping for 3 seconds to wait for DHCP to finish setup.
Sleeping for 4 seconds to wait for DHCP to finish setup.
WARNING: No DNS information received from OpenVPN via DHCP, so no network/DNS configuration changes need to be made.
WARNING: Will NOT monitor for other network configuration changes.
DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
The DNS servers include only free public DNS servers known to Tunnelblick.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
2017-06-19 13:25:13 *Tunnelblick: No 'connected.sh' script to execute
Sleeping for 0 seconds to wait for DHCP to finish setup.
Sleeping for 1 seconds to wait for DHCP to finish setup.
Sleeping for 2 seconds to wait for DHCP to finish setup.
2017-06-19 13:25:18 *Tunnelblick: This computer's apparent public IP address (24.142.253.164) was unchanged after the connection was made
2017-06-19 13:26:10 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2017-06-19 13:26:10 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2017-06-19 13:26:10 *Tunnelblick: Disconnecting using 'kill'
2017-06-19 13:26:10 event_wait : Interrupted system call (code=4)
**********************************************
WARNING: No saved Tunnelblick DNS configuration found; not doing anything.
**********************************************
2017-06-19 13:26:11 Closing TUN/TAP interface
2017-06-19 13:26:11 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1602 init
**********************************************
WARNING: Not restoring DNS settings because no saved Tunnelblick DNS information was found.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
**********************************************
2017-06-19 13:26:12 SIGTERM[hard,] received, process exiting
2017-06-19 13:26:12 MANAGEMENT: >STATE:1497893172,EXITING,SIGTERM,,
2017-06-19 13:26:13 *Tunnelblick: No 'post-disconnect.sh' script to execute
2017-06-19 13:26:13 *Tunnelblick: Expected disconnection occurred.
================================================================================
"Sanitized" full configuration file
##############################################
# Client-side OpenVPN 2.37 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Official man page located at the link below.
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Disable client-initiated renegotiation of data channel key.
# Server will initiate the renegotiation.
reneg-sec 0
# Require that peer certificate was signed with an
# explicit key usage and extended key usage based on
# RFC3280 TLS rules.
# This is a useful security option for clients, to ensure
# that the host they connect to is a designated server.
# Used in place of tls-remote.
remote-cert-tls server
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
;cert client.crt
;key client.key
# Accept connections only if a host's X.509 name matches
# the specified name. The remote host must also pass all
# other tests of verification.
# Use SHA256 as the HMAC for authenticating data channel
# packets rather than the default SHA1. (This is a message
# authentication hash, not an encryption algorithm; the
# data channel cipher is set separately with "cipher".)
auth SHA256
# Authenticate with server using username/password.
auth-user-pass
# Don't cache username and password in virtual memory.
auth-nocache
# Prevent TLS version downgrade attacks by forcing v1.2.
tls-version-min 1.2
# Prevent TLS cipher downgrade attacks by allowing only
# the strongest ciphers to be used.
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
# Use the server's static key to establish extra HMAC authentication
# with the server.
# "1" indicates this is the Outgoing end of the connection (client).
# "0" is specified by the server which indicates it is the Incoming end
# of the connection.
tls-auth static.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo
comp-lzo adaptive
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
================================================================================
ifconfig output:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether a4:5e:60:e6:37:2b
inet6 fe80::1020:5503:d91a:722f%en0 prefixlen 64 secured scopeid 0x4
inet 172.31.99.32 netmask 0xfffffe00 broadcast 172.31.99.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 6a:00:00:50:f4:40
media: autoselect <full-duplex>
status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 6a:00:00:50:f4:41
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 6a:00:00:50:f4:40
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 5 priority 0 path cost 0
member: en2 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 6 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 06:5e:60:e6:37:2b
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether ee:ba:f2:cb:4b:0b
inet6 fe80::ecba:f2ff:fecb:4b0b%awdl0 prefixlen 64 scopeid 0x9
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::7407:a3ff:6a47:737c%utun0 prefixlen 64 scopeid 0xa
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::759c:9986:12da:3340%utun1 prefixlen 64 scopeid 0xb
inet6 fdf2:53ba:c443:d597:759c:9986:12da:3340 prefixlen 64
nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::3969:b831:50d0:fad4%utun2 prefixlen 64 scopeid 0xc
nd6 options=201<PERFORMNUD,DAD>
================================================================================
Console Log:
2017-06-19 13:12:30 Tunnelblick[670] BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked
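An added diagnostic, not part of the original post and not Tunnelblick or OpenVPN code. It encodes the way a troubleshooter reads the log above: the server pushes `route-gateway dhcp` plus a LAN DNS server (192.168.24.1), the client runs `ipconfig set "tap0" DHCP`, and Tunnelblick's up script then reports "No DNS information received from OpenVPN via DHCP" and falls back to 8.8.8.8. In TAP mode that combination usually means tap0 never obtained a lease, so it has no address on the LAN and LAN hosts are unreachable even though the default route (and therefore the public IP, which the log confirms is unchanged) is untouched. The `ifconfig` output in the post shows no tap0 at all, but it was collected after the 13:26 disconnect, so it cannot settle the question. The script correlates the log with an `ifconfig tap0` snapshot taken while connected. It assumes the LAN is the /24 containing the pushed DNS server (the post never states the mask), and every sample string in it is constructed.

```python
"""Triage an OpenVPN TAP-mode client log for a missing DHCP lease on the tap interface.

Added example; not code from the original post or from Tunnelblick/OpenVPN.
ASSUMPTION: the LAN is the /24 around the pushed DNS server. All samples are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")
TAP_DHCP_RE = re.compile(r"""Did 'ipconfig set "(?P<ifname>\w+)" DHCP'""")
NO_DHCP_DNS_RE = re.compile(r"No DNS information received from OpenVPN via DHCP")
INET_RE = re.compile(r"^\s*inet (?P<addr>\d+\.\d+\.\d+\.\d+) netmask (?P<mask>0x[0-9a-fA-F]{8})", re.M)


@dataclass
class TapDiagnosis:
    ifname: Optional[str] = None
    pushed: dict = field(default_factory=dict)          # option name -> list of argument strings
    dhcp_gateway: bool = False                           # server pushed 'route-gateway dhcp'
    dhcp_dns: list = field(default_factory=list)         # servers from 'dhcp-option DNS'
    lan_subnet: Optional[ipaddress.IPv4Network] = None   # inferred LAN (assumption: /24)
    no_dhcp_dns_warning: bool = False                    # Tunnelblick up-script warning seen
    tap_lease: Optional[ipaddress.IPv4Interface] = None  # IPv4 address found on the tap device
    findings: list = field(default_factory=list)


def parse_push_reply(body: str) -> dict:
    """Turn 'PUSH_REPLY,dhcp-option DNS 1.2.3.4,route-gateway dhcp,...' into {name: [args, ...]}."""
    opts: dict = {}
    for item in body.split(",")[1:]:          # [0] is the literal 'PUSH_REPLY'
        name, _, args = item.strip().partition(" ")
        opts.setdefault(name, []).append(args)
    return opts


def diagnose(openvpn_log: str, ifconfig_tap: str = "", prefixlen: int = 24) -> TapDiagnosis:
    """Correlate the OpenVPN/Tunnelblick log with `ifconfig tapN` output taken while connected."""
    d = TapDiagnosis()
    m = PUSH_RE.search(openvpn_log)
    if m:
        d.pushed = parse_push_reply(m.group("body"))
    d.dhcp_gateway = "dhcp" in d.pushed.get("route-gateway", [])
    d.dhcp_dns = [a.split()[1] for a in d.pushed.get("dhcp-option", []) if a.startswith("DNS ")]
    if d.dhcp_dns:
        # ASSUMPTION: the tap interface is expected to land in the DNS server's /24.
        d.lan_subnet = ipaddress.ip_network(f"{d.dhcp_dns[0]}/{prefixlen}", strict=False)
    tm = TAP_DHCP_RE.search(openvpn_log)
    d.ifname = tm.group("ifname") if tm else None
    d.no_dhcp_dns_warning = bool(NO_DHCP_DNS_RE.search(openvpn_log))
    im = INET_RE.search(ifconfig_tap)
    if im:
        bits = bin(int(im.group("mask"), 16)).count("1")   # 0xffffff00 -> 24
        d.tap_lease = ipaddress.ip_interface(f"{im.group('addr')}/{bits}")

    if d.dhcp_gateway and d.no_dhcp_dns_warning:
        d.findings.append("route-gateway dhcp was pushed but DHCP delivered no DNS: "
                          "the lease most likely never completed")
    if d.tap_lease is None:
        d.findings.append(f"{d.ifname or 'tap'} has no IPv4 address: no lease reached the client; "
                          "check the server-side bridge and the LAN DHCP server")
    elif d.lan_subnet is not None and d.tap_lease.ip not in d.lan_subnet:
        d.findings.append(f"{d.ifname} holds {d.tap_lease}, outside the expected LAN {d.lan_subnet}")
    return d


# Constructed excerpt mirroring the lines in the post (not a verbatim copy of it).
LOG_FAIL = """\
2017-06-19 13:25:11 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN local,dhcp-option DNS 192.168.24.1,dhcp-option WINS 192.168.24.1,route-gateway dhcp,ping 15,ping-restart 60'
2017-06-19 13:25:11 TUN/TAP device /dev/tap0 opened
Did 'ipconfig set "tap0" DHCP'
2017-06-19 13:25:13 Initialization Sequence Completed
WARNING: No DNS information received from OpenVPN via DHCP, so no network/DNS configuration changes need to be made.
"""
LOG_OK = "\n".join(l for l in LOG_FAIL.splitlines() if "No DNS information" not in l) + "\n"

# Constructed `ifconfig tap0` snapshots: first without a lease, then with one.
TAP_NO_LEASE = """\
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 00:ff:12:34:56:78
\tmedia: autoselect
"""
TAP_LEASE = TAP_NO_LEASE + "\tinet 192.168.24.105 netmask 0xffffff00 broadcast 192.168.24.255\n"

if __name__ == "__main__":
    for label, log, ifc in (("as posted", LOG_FAIL, TAP_NO_LEASE), ("working", LOG_OK, TAP_LEASE)):
        print(label, "->", diagnose(log, ifc).findings or ["tap interface is configured; look past DHCP"])
```

To feed it real data, reconnect and, while the tunnel is up, capture `ifconfig tap0` and the Tunnelblick log; a quick manual cross-check is `netstat -rn -f inet` (is there a 192.168.24 route on tap0?) followed by `ping 192.168.24.1`. If tap0 has no address, the fault is on the server side of the bridge (the Tomato TAP interface must be bridged to the LAN and the LAN DHCP server must answer over it), not in the client configuration, which is why the `remote-cert-tls`/`tls-auth` handshake and the public IP check all still succeed.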