Connection reset


huss...@gmail.com

Oct 16, 2016, 9:57:36 AM
to tunnelblick-discuss
Hello,

I am facing lately an issue which prevents the OpenVPN connection. I believe the problem is caused by the proxy (BlueCoat):
  1. I am using TCP 443 as this is the only open outbound port.
  2. The BlueCoat proxy spoofs the TCP connection from the WS to the VPN server.
  3. After the three-way TCP handshake, the proxy sends a TCP reset as soon as Tunnelblick tries to establish the VPN connection.
  4. I think the proxy server sends a TCP reset if it sees any non-HTTP-GET request after the 3-way handshake.

Is it possible to make Tunnelblick send a dummy HTTP GET request to evade the proxy?


Here is the log from Tunnelblick:

Tunnelblick: OS X 10.12.0; Tunnelblick 3.6.8beta10 (build 4622); prior version 3.6.8beta04 (build 4619)
2016-10-16 16:45:05 *Tunnelblick: Attempting connection with TCP443-mobily -noproxy using shadow copy; Set nameserver = 769; monitoring connection
2016-10-16 16:45:05 *Tunnelblick: openvpnstart start TCP443-mobily\ -noproxy.tblk 1337 769 0 1 0 1065264 -ptADGNWradsgnw 2.3.12
2016-10-16 16:45:05 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
    
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Shusseinbahaidarah-SLibrary-SApplication Support-STunnelblick-SConfigurations-STCP443--mobily --noproxy.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/husseinbahaidarah/TCP443-mobily -noproxy.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/husseinbahaidarah/TCP443-mobily -noproxy.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/husseinbahaidarah/TCP443-mobily -noproxy.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2016-10-16 16:45:05 *Tunnelblick: Established communication with OpenVPN
2016-10-16 16:45:05 OpenVPN 2.3.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 29 2016
2016-10-16 16:45:05 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
2016-10-16 16:45:05 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2016-10-16 16:45:05 Need hold release from management interface, waiting...
2016-10-16 16:45:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2016-10-16 16:45:05 MANAGEMENT: CMD 'pid'
2016-10-16 16:45:05 MANAGEMENT: CMD 'state on'
2016-10-16 16:45:05 MANAGEMENT: CMD 'state'
2016-10-16 16:45:05 MANAGEMENT: CMD 'bytecount 1'
2016-10-16 16:45:05 MANAGEMENT: CMD 'hold release'
2016-10-16 16:45:05 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2016-10-16 16:45:05 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-10-16 16:45:05 Socket Buffers: R=[131072->131072] S=[131072->131072]
2016-10-16 16:45:05 MANAGEMENT: >STATE:1476625505,RESOLVE,,,
2016-10-16 16:45:05 *Tunnelblick: openvpnstart starting OpenVPN
2016-10-16 16:45:06 Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
2016-10-16 16:45:06 MANAGEMENT: >STATE:1476625506,TCP_CONNECT,,,
2016-10-16 16:45:07 TCP connection established with [AF_INET]x.x.x.x:443
2016-10-16 16:45:07 TCPv4_CLIENT link local: [undef]
2016-10-16 16:45:07 TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:443
2016-10-16 16:45:07 MANAGEMENT: >STATE:1476625507,WAIT,,,
2016-10-16 16:45:07 Connection reset, restarting [0]
2016-10-16 16:45:07 SIGUSR1[soft,connection-reset] received, process restarting
2016-10-16 16:45:07 MANAGEMENT: >STATE:1476625507,RECONNECTING,connection-reset,,
2016-10-16 16:45:07 MANAGEMENT: CMD 'hold release'
2016-10-16 16:45:07 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2016-10-16 16:45:07 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-10-16 16:45:07 Socket Buffers: R=[131072->131072] S=[131072->131072]
2016-10-16 16:45:07 MANAGEMENT: >STATE:1476625507,RESOLVE,,,
2016-10-16 16:45:07 Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
2016-10-16 16:45:07 MANAGEMENT: >STATE:1476625507,TCP_CONNECT,,,
2016-10-16 16:45:08 TCP connection established with [AF_INET]x.x.x.x:443
2016-10-16 16:45:08 TCPv4_CLIENT link local: [undef]
2016-10-16 16:45:08 TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:443
2016-10-16 16:45:08 MANAGEMENT: >STATE:1476625508,WAIT,,,
2016-10-16 16:45:08 Connection reset, restarting [0]
2016-10-16 16:45:08 SIGUSR1[soft,connection-reset] received, process restarting
2016-10-16 16:45:08 MANAGEMENT: >STATE:1476625508,RECONNECTING,connection-reset,,
2016-10-16 16:45:08 MANAGEMENT: CMD 'hold release'
2016-10-16 16:45:08 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2016-10-16 16:45:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-10-16 16:45:08 Socket Buffers: R=[131072->131072] S=[131072->131072]
2016-10-16 16:45:08 MANAGEMENT: >STATE:1476625508,RESOLVE,,,
2016-10-16 16:45:08 Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
2016-10-16 16:45:08 MANAGEMENT: >STATE:1476625508,TCP_CONNECT,,,
2016-10-16 16:45:09 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2016-10-16 16:45:09 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2016-10-16 16:45:09 *Tunnelblick: Disconnecting using 'kill'
2016-10-16 16:45:09 SIGTERM[hard,init_instance] received, process exiting
2016-10-16 16:45:09 MANAGEMENT: >STATE:1476625509,EXITING,init_instance,,
2016-10-16 16:45:10 *Tunnelblick: No 'post-disconnect.sh' script to execute
2016-10-16 16:45:10 *Tunnelblick: Expected disconnection occurred.

Tunnelblick developer

Oct 16, 2016, 10:19:11 AM
to tunnelblick-discuss, huss...@gmail.com
If I understand this correctly, this is something that would have to be changed in OpenVPN, not in Tunnelblick.

It is OpenVPN, not Tunnelblick, that establishes the TCP connection to the VPN server and then negotiates with the server to set up the VPN. Tunnelblick can't "insert" an http-get request between those two steps; that would have to be done in OpenVPN.

However, this may not be the correct way to solve the problem you are having. OpenVPN has support for HTTP and SOCKS proxies. See the "--http-proxy server" and "--socks-proxy" options and the other options related to them on the OpenVPN 2.3 man page. Note that Tunnelblick may not support passing username/password credentials for the proxy through the management interface; you may have to use an "authfile".
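As an added illustration of the developer's suggestion (not code from the thread, from Tunnelblick, or from the OpenVPN project), this is what a minimal OpenVPN 2.3 client configuration looks like when the session is sent through an explicit HTTP proxy with an authfile. The OpenVPN version matches the 2.3.12 shown in the log above; vpn.example.com, proxy.example.com, the proxy port, and every file name are placeholders.

```conf
# Added example of an OpenVPN 2.3 client config that reaches the VPN server
# through an explicit HTTP CONNECT proxy. All hosts, ports and file names
# below are placeholders, not values from the thread.
client
dev tun
proto tcp-client

# TCP/443 to the VPN server, the only outbound port open in the thread.
remote vpn.example.com 443

# Explicit HTTP proxy: server, port, credentials file, authentication method.
# proxy-auth.txt holds two lines, the username on the first and the password
# on the second; keep it readable only by its owner (chmod 600).
http-proxy proxy.example.com 8080 proxy-auth.txt basic

# On a proxy error, restart the connection (like SIGUSR1) instead of exiting.
http-proxy-retry

# SOCKS alternative, used instead of the two http-proxy lines above:
# socks-proxy proxy.example.com 1080 proxy-auth.txt

# The log in the first post warns that no server certificate verification is
# enabled. This directive makes OpenVPN reject a peer whose certificate was
# not issued for server use, which is the gap that warning refers to.
remote-cert-tls server

# Placeholder paths for the usual key material.
ca ca.crt
cert client.crt
key client.key
```

The same proxy settings can be passed on the command line as the "--http-proxy" and "--socks-proxy" options the developer mentions; putting them in the config file avoids relying on the management interface to supply proxy credentials. Whether the proxy actually lets a non-HTTP session through the CONNECT tunnel remains a matter of the proxy's policy, so check its logs (or ask its administrators) if the connection is still reset after the handshake.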

huss...@gmail.com

Oct 16, 2016, 11:56:29 AM
to tunnelblick-discuss, huss...@gmail.com
I have tried the proxy and it did not work. I guess I need to contact OpenVPN support.

Thanks for the help.

Tunnelblick developer

Oct 16, 2016, 12:03:24 PM
to tunnelblick-discuss, huss...@gmail.com
Try the following (from the Tunnelblick Support page):
There's also a book, OpenVPN Cookbook, which might have some examples.