Stuck reconnecting


Harald Vogt

Jul 15, 2023, 7:03:10 AM
to tunnelblick-discuss
Hi,

Tried to connect to home server (openwrt 2.x) but am getting the following over and over.

2023-07-15 06:07:06.869031 MANAGEMENT: >STATE:1689394026,TCP_CONNECT,,,,,,
2023-07-15 06:07:06.891096 TCP connection established with [AF_INET]84.107.223.202:443
2023-07-15 06:07:06.891224 TCP_CLIENT link local: (not bound)
2023-07-15 06:07:06.891297 TCP_CLIENT link remote: [AF_INET]84.107.223.202:443
2023-07-15 06:07:06.891392 MANAGEMENT: >STATE:1689394026,WAIT,,,,,,
2023-07-15 06:07:06.895367 MANAGEMENT: CMD 'hold release'
2023-07-15 06:07:06.917453 Connection reset, restarting [0]
2023-07-15 06:07:06.917685 SIGUSR1[soft,connection-reset] received, process restarting
2023-07-15 06:07:06.917742 MANAGEMENT: >STATE:1689394026,RECONNECTING,connection-


client.ovpn
client
dev tun
proto tcp
remote xxx.duckdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 5
remote-cert-tls server 
cipher 'AES-256-CBC'
comp-lzo no

Any ideas?

Best regards,
H

Harald Vogt

Jul 21, 2023, 4:32:06 AM
to tunnelblick-discuss
Hello,

I forgot to mention that I am connecting with the newest 3. Tunnelblick version:

2023-07-15 06:06:47.510542 *Tunnelblick: macOS 10.15.7 (19H2026); Tunnelblick 3.8.8b (build 5777); prior version 3.8.8a (build 5776)

Furthermore, my router is running dd-wrt (and not the other one, sorry) and shows the following logs.

Anybody any clues?

Regards, Harald

Server log:
20230721 08:20:44 N 64.62.197.143:31577 Non-OpenVPN client protocol detected
20230721 08:20:44 64.62.197.143:31577 SIGTERM[soft port-share-redirect] received client-instance exiting
20230721 08:20:46 I TCP connection established with [AF_INET]64.62.197.151:5637
20230721 08:20:46 N 64.62.197.151:5637 Non-OpenVPN client protocol detected
20230721 08:20:46 64.62.197.151:5637 SIGTERM[soft port-share-redirect] received client-instance exiting
20230721 08:20:47 I TCP connection established with [AF_INET]64.62.197.143:44991
20230721 08:20:47 N 64.62.197.143:44991 Non-OpenVPN client protocol detected
20230721 08:20:47 64.62.197.143:44991 SIGTERM[soft port-share-redirect] received client-instance exiting
20230721 08:22:14 I TCP connection established with [AF_INET]64.62.197.137:51309
20230721 08:22:14 N 64.62.197.137:51309 Non-OpenVPN client protocol detected
20230721 08:22:14 64.62.197.137:51309 SIGTERM[soft port-share-redirect] received client-instance exiting
20230721 08:23:16 I TCP connection established with [AF_INET]64.62.197.141:64847
20230721 08:23:16 N 64.62.197.141:64847 Non-OpenVPN client protocol detected

On Saturday, 15 July 2023 at 13:03:10 UTC+2, Harald Vogt wrote:

Tunnelblick developer

Jul 21, 2023, 7:37:36 AM
to tunnelblick-discuss
Please post your server configuration.

Harald Vogt

Jul 21, 2023, 4:01:44 PM
to tunnelblick-discuss
Hello,

Below is my server configuration.

OpenVPN Server/Daemon

OpenVPN Enable
Config as Server 
Server mode Router (TUN) 
Network 10.1.1.0
Netmask 255.255.255.0
Port 443
Tunnel Protocol TCP
Encryption Cipher AES-256 CBC
Hash Algorithm SHA256
Advanced Options Enable
TLS Cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
LZO Compression Adaptive
Redirect default Gateway Disable
Allow Client to Client Enable
Allow duplicate cn  Disable
Tunnel MTU setting 1500
Tunnel UDP Fragment (Default: Disable)
Tunnel UDP MSS-FiX Disable

CCD-Dir DEFAULT file
empty
Client connect script
empty
Static Key
empty
PKCS12 Key
empty

Public Server Cert
...
CA Cert
...
Private Server Key
....
DH PEM
...

Additional config
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0
dev tun0
keepalive 10 120
comp-lzo
tls-server
remote-cert-tls client
tls-version-min 1.2
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
port-share 192.168.1.53 8443

TLS Auth Key
...
Certificate Revoke List
empty

Regards, Harald

On Friday, 21 July 2023 at 13:37:36 UTC+2, Tunnelblick developer wrote:

Tunnelblick developer

Jul 21, 2023, 4:11:14 PM
to tunnelblick-discuss
I'm not an expert on dd-wrt, but the configuration file looks OK to me.

However, in the "Additional config" section, putting the dh, ca, cert and key files in /tmp seems like a mistake to me. As I understand it, /tmp may be cleared on reboot, and you'd lose those keys. These are all generated once and then reused until they expire. Or does dd-wrt generate new ones each time it is booted? (That would be odd because the dh key takes many seconds to generate, maybe even minutes on a slow machine.)

Maybe those files have been deleted because of a reboot and that's why the problem is happening? I would think the server log would show that.

Harald Vogt

Jul 22, 2023, 12:45:55 AM
to tunnelblick-discuss
Hi,

Getting the following log (a problem with tls config?):

Regards, Harald

20230722 06:40:21 I TCP connection established with [AF_INET]109.38.158.134:1396
20230722 06:40:21 109.38.158.134:1396 TLS: Initial packet from [AF_INET]109.38.158.134:1396 sid=2fed45a2 f62e8ddd
20230722 06:40:21 N 109.38.158.134:1396 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1396
20230722 06:40:21 N 109.38.158.134:1396 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:21 109.38.158.134:1396 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:21 I TCP connection established with [AF_INET]109.38.158.134:1397
20230722 06:40:21 109.38.158.134:1397 TLS: Initial packet from [AF_INET]109.38.158.134:1397 sid=e7c9166c b9ace5a7
20230722 06:40:21 N 109.38.158.134:1397 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1397
20230722 06:40:21 N 109.38.158.134:1397 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:21 109.38.158.134:1397 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:21 I TCP connection established with [AF_INET]109.38.158.134:1398
20230722 06:40:21 109.38.158.134:1398 TLS: Initial packet from [AF_INET]109.38.158.134:1398 sid=fb080c40 8844a53e
20230722 06:40:21 N 109.38.158.134:1398 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1398
20230722 06:40:21 N 109.38.158.134:1398 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:21 109.38.158.134:1398 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:21 I TCP connection established with [AF_INET]109.38.158.134:1399
20230722 06:40:21 109.38.158.134:1399 TLS: Initial packet from [AF_INET]109.38.158.134:1399 sid=69c1e28f 1a2a5d59
20230722 06:40:21 N 109.38.158.134:1399 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1399
20230722 06:40:21 N 109.38.158.134:1399 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:21 109.38.158.134:1399 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:22 I TCP connection established with [AF_INET]109.38.158.134:1400
20230722 06:40:22 109.38.158.134:1400 TLS: Initial packet from [AF_INET]109.38.158.134:1400 sid=0e028053 3fe4248c
20230722 06:40:22 N 109.38.158.134:1400 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1400
20230722 06:40:22 N 109.38.158.134:1400 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:22 109.38.158.134:1400 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:22 I TCP connection established with [AF_INET]109.38.158.134:1401
20230722 06:40:22 109.38.158.134:1401 TLS: Initial packet from [AF_INET]109.38.158.134:1401 sid=0080675d c5ebe03f
20230722 06:40:22 N 109.38.158.134:1401 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1401
20230722 06:40:22 N 109.38.158.134:1401 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:22 109.38.158.134:1401 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:22 I TCP connection established with [AF_INET]109.38.158.134:1402
20230722 06:40:22 109.38.158.134:1402 TLS: Initial packet from [AF_INET]109.38.158.134:1402 sid=e82c4223 fc2864ee
20230722 06:40:22 N 109.38.158.134:1402 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1402
20230722 06:40:22 N 109.38.158.134:1402 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:22 109.38.158.134:1402 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'state'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'state'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'state'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 NOTE: --mute triggered...
20230722 06:40:43 1 variation(s) on previous 3 message(s) suppressed by --mute
20230722 06:40:43 D MANAGEMENT: CMD 'status 2'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'status 2'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'log 500'

On Friday, 21 July 2023 at 22:11:14 UTC+2, Tunnelblick developer wrote:

Tunnelblick developer

Jul 22, 2023, 8:28:44 AM
to tunnelblick-discuss
Yes, that looks like a TLS problem, perhaps caused by a problem with the files in /tmp as I wrote earlier.

This is a problem with OpenVPN, not a problem with Tunnelblick. You should ask for help from dd-wrt experts or OpenVPN experts (see our Support page).

Harald Vogt

Jul 25, 2023, 2:23:01 AM
to tunnelblick-discuss
Hi,

First of all, thanks for helping and the guidance!
I looked into the tls config and please find the working versions below.

Regards, Harald

server.conf (dd-wrt)

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.53"

push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0

cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256


dev tun0
keepalive 10 120
comp-lzo

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
port-share 192.168.1.53 8443

client.conf (tunnelblick)

client
dev tun0
proto tcp
remote XXX.duckdns.org 443

remote-cert-tls server

cipher 'AES-256-CBC'
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

comp-lzo no

key-direction 1

resolv-retry infinite
nobind

persist-key
persist-tun
auth-nocache
tls-auth tlsauth.key 1



On Saturday, 22 July 2023 at 14:28:44 UTC+2, Tunnelblick developer wrote:
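The "cannot locate HMAC in incoming packet" errors in the earlier server log come from a server that enforces tls-auth while the original client.ovpn sent no tls-auth HMAC at all; the working configs add tls-auth with the complementary key direction. As an added example (not code from the thread or from Tunnelblick), the Python below parses both sides' configs and reports that kind of mismatch before a connection is attempted; the config texts are constructed from the configs posted above, and only tls-auth direction, cipher and auth are compared.

```python
# Added example (not code from the thread): compare a client .ovpn with the server
# config and report the mismatches behind "TLS Error: cannot locate HMAC in incoming packet".
# Constructed from the configs posted above, trimmed to the directives that matter here.
SERVER_CONF = """
server 10.1.1.0 255.255.255.0
cipher AES-256-CBC
auth SHA512
tls-auth /tmp/openvpn/ta.key 0
"""
CLIENT_BEFORE = """
client
cipher 'AES-256-CBC'
"""
CLIENT_AFTER = """
cipher 'AES-256-CBC'
auth SHA512
key-direction 1
tls-auth tlsauth.key 1
"""

def parse_ovpn(text):
    """Return {directive: [args]}; comments and quotes around arguments are stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = [a.strip("'\"") for a in args]
    return conf

def key_direction(conf):
    # Direction is the optional second tls-auth argument or a separate key-direction line.
    tls_auth = conf.get("tls-auth", [])
    if len(tls_auth) > 1:
        return tls_auth[1]
    return (conf.get("key-direction") or [None])[0]

def check_pair(server, client):
    """Return human-readable findings; an empty list means the two sides agree."""
    problems = []
    if "tls-auth" in server and "tls-auth" not in client:
        problems.append("server requires a tls-auth HMAC but the client sends none")
    elif "tls-auth" in server:
        dirs = {key_direction(server), key_direction(client)}
        if None not in dirs and dirs != {"0", "1"}:
            problems.append(f"tls-auth directions must be 0 and 1, got {sorted(dirs)}")
    for opt in ("cipher", "auth"):
        s, c = server.get(opt), client.get(opt)
        if s and c and s[0].upper() != c[0].upper():
            problems.append(f"{opt} mismatch: server {s[0]}, client {c[0]}")
    return problems
```

Running check_pair on the server config with the original client reports the missing tls-auth; with the working client it reports nothing.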