Tunnelblick passphrase required


Carla Marais

Feb 14, 2024, 1:23:40 AM
to tunnelblick-discuss
Tunnelblick updated on my MacBook and now requires a passphrase for the first time. I checked in my Keychain for a possible password saved before, but nothing. Already tried my usual passwords. Please advise.

Tunnelblick developer

Feb 14, 2024, 8:23:53 AM
to tunnelblick-discuss
Please post the diagnostic info obtained by following the instructions at Read Before You Post.

Carla Marais

Feb 15, 2024, 4:14:19 AM
to tunnelbli...@googlegroups.com



Tunnelblick developer

Feb 15, 2024, 9:10:47 AM
to tunnelblick-discuss
Please post the diagnostic info obtained by following the instructions at Read Before You Post.

Carlo Varnero

Feb 16, 2024, 8:30:15 AM
to tunnelblick-discuss
Same problem on mine. Rolled back to 4.0.0beta13 and everything works.

Tunnelblick developer

Feb 16, 2024, 8:36:54 AM
to tunnelblick-discuss
Carlo Varnero: Same problem? Same answer: Please post the diagnostic info obtained by following the instructions at Read Before You Post.

Carlo Varnero

Feb 19, 2024, 3:44:10 AM
to tunnelblick-discuss
I'm sorry, but I'm unable to attach a file:

*Tunnelblick: macOS 14.3.1 (23D60); Tunnelblick 4.0.0beta15 (build 5950); prior version 4.0.0beta15 (build 5950); Admin user
git commit 392fcb8abec4c14f322f159c1392a8ea4ff616e1
The Tunnelblick.app process is not being translated (x86_64)
System Integrity Protection is enabled
Model: MacBookPro15,2

================================================================================

Configuration XXXXX ROUTE

"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/XXXXX ROUTE.tblk:

dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote XXXXXXXXX 1194 udp
verify-x509-name "xxx.xxxxxx.xxx" name
auth-user-pass
pkcs12 fws-udp-1194-xxxxxx.p12
tls-auth fws-udp-1194-xxxxxx-tls.key 1
remote-cert-tls server
route-nopull
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.0
route XXX.XXX.XXX.XXx 255.255.255.255
route XXX.XXX.XXX.XXx 255.255.255.255

================================================================================

Files in XXXXX ROUTE.tblk:
      Contents/Resources/fws….p12
      Contents/Resources/fws….key
      Contents/Resources/config.ovpn

================================================================================

Configuration preferences:

-keychainHasPrivateKey = 1
-keychainHasUsernameAndPassword = 1
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
-loginWindowSecurityTokenCheckboxIsChecked = 0
-lastConnectionSucceeded = 0

================================================================================

Wildcard preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0

================================================================================

Program preferences:

allowNonAdminSafeConfigurationReplacement = 1 (forced)
doNotLaunchOnLogin = 1
launchAtNextLogin = 0
tunnelblickVersionHistory = (
    "4.0.0beta15 (build 5950)",
    "4.0.0beta13 (build 5930)",
    "4.0.0beta15 (build 5950)",
    "4.0.0beta13 (build 5930)",
    "4.0.0beta12 (build 5920)",
    "4.0.0beta11 (build 5910)",
    "4.0.0beta10 (build 5900)",
    "4.0.0beta09 (build 5890)",
    "4.0.0beta07 (build 5870)",
    "4.0.0beta06 (build 5860)"
)
statusDisplayNumber = 0
lastLaunchTime = 730023938.364038
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = XXXXX ROUTE
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
NSWindow Frame SettingsSheetWindow = 312 127 829 548 0 0 1440 875
NSWindow Frame ConnectingWindow = 2169 432 462 238 1440 -180 1920 1055
NSWindow Frame SUStatusFrame = 2200 456 400 135 1440 -234 1920 1055
NSWindow Frame SUUpdateAlert = 410 377 620 392 0 0 1440 875
NSWindow Frame ListingWindow = 58 188 686 533 0 0 1440 875
detailsWindowFrameVersion = 5930
detailsWindowFrame = {{260, 281}, {920, 522}}
detailsWindowLeftFrame = {{0, 0}, {167, 402}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = settings
leftNavOutlineViewExpandedDisplayNames = (
)
leftNavSelectedDisplayName = XXXXX ROUTE
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithAlwaysShowLoginWindow = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SULastCheckTime = 2024-02-19 08:25:38 +0000
SUHasLaunchedBefore = 1
SUSkippedVersion = 5950

================================================================================

Forced preferences:

{
    allowNonAdminSafeConfigurationReplacement = 1;
}

================================================================================

Deployed forced preferences:

(None)

================================================================================

Tunnelblick Kext Policy Data:



================================================================================

Tunnelblick Log:

2024-02-19 09:28:05.687532 *Tunnelblick: macOS 14.3.1 (23D60); Tunnelblick 4.0.0beta15 (build 5950); prior version 4.0.0beta15 (build 5950)
2024-02-19 09:28:05.992337 *Tunnelblick: Cannot recognize the XXXXX ROUTE-loadTap preference value of '(null)', so Tunnelblick will not load the tap kext
2024-02-19 09:28:06.007145 *Tunnelblick: Attempting connection with XXXXX ROUTE; Set nameserver = 0x00000301; monitoring connection
2024-02-19 09:28:06.008195 *Tunnelblick: openvpnstart start XXXXX\ ROUTE.tblk 52600 0x00000301 0 3 0 0x0210c130 -ptADGNWradsgnw 2.6.9-openssl-3.0.13 <password>
2024-02-19 09:28:06.029046 *Tunnelblick: openvpnstart starting OpenVPN
2024-02-19 09:28:06.529354 Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
2024-02-19 09:28:06.532277 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
2024-02-19 09:28:06.534398 OpenVPN 2.6.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
2024-02-19 09:28:06.534453 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2024-02-19 09:28:06.535875 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:52600
2024-02-19 09:28:06.535939 Need hold release from management interface, waiting...
2024-02-19 09:28:06.631563 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully.
     Command used to start OpenVPN (one argument per displayed line):
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.6.9-openssl-3.0.13/openvpn
          --daemon
          --log-append /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SXXXXX ROUTE.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_34652464.52600.openvpn.log
          --cd /Library/Application Support/Tunnelblick/Shared/XXXXX ROUTE.tblk/Contents/Resources
          --machine-readable-output
          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5950 4.0.0beta15 (build 5950)"
          --verb 3
          --config /Library/Application Support/Tunnelblick/Shared/XXXXX ROUTE.tblk/Contents/Resources/config.ovpn
          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Shared/XXXXX ROUTE.tblk/Contents/Resources
          --verb 3
          --cd /Library/Application Support/Tunnelblick/Shared/XXXXX ROUTE.tblk/Contents/Resources
          --management 127.0.0.1 52600 /Library/Application Support/Tunnelblick/Mips/XXXXX ROUTE.tblk.mip
          --setenv IV_SSO webauth
          --management-query-passwords
          --management-hold
          --script-security 2
          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2024-02-19 09:28:06.644015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50608
2024-02-19 09:28:06.688453 MANAGEMENT: CMD 'pid'
2024-02-19 09:28:06.688513 MANAGEMENT: CMD 'auth-retry interact'
2024-02-19 09:28:06.688545 MANAGEMENT: CMD 'state on'
2024-02-19 09:28:06.688589 MANAGEMENT: CMD 'state'
2024-02-19 09:28:06.688676 MANAGEMENT: CMD 'bytecount 1'
2024-02-19 09:28:06.689459 *Tunnelblick: Established communication with OpenVPN
2024-02-19 09:28:06.714994 *Tunnelblick: >INFO:OpenVPN Management Interface Version 5 -- type 'help' for more info
2024-02-19 09:28:06.716808 MANAGEMENT: CMD 'hold release'
2024-02-19 09:28:06.720860 *Tunnelblick: Obtained VPN username and password from the Keychain
2024-02-19 09:28:06.722278 MANAGEMENT: CMD 'username "Auth" "xxxxxxxx"'
2024-02-19 09:28:06.722326 MANAGEMENT: CMD 'password [...]'
2024-02-19 09:28:06.722498 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-19 09:28:47.824206 MANAGEMENT: CMD 'password [...]'
2024-02-19 09:28:47.824273 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-02-19 09:28:47.824989 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-02-19 09:28:47.825013 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2024-02-19 09:28:47.825022 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2024-02-19 09:28:47.825201 SIGUSR1[soft,private-key-password-failure] received, process restarting
2024-02-19 09:28:47.825213 MANAGEMENT: >STATE:1708331327,RECONNECTING,private-key-password-failure,,,,,
2024-02-19 09:29:25.656457 *Tunnelblick: Disconnecting; user cancelled authorization or there was an error obtaining authorization
2024-02-19 09:29:25.961909 *Tunnelblick: Disconnecting using 'kill'
2024-02-19 09:29:26.108708 MANAGEMENT: CMD 'hold release'
2024-02-19 09:29:26.129021 MANAGEMENT: Client disconnected
2024-02-19 09:29:26.129057 ERROR: could not read Auth username/password/ok/string from management interface
2024-02-19 09:29:26.129078 Exiting due to fatal error
2024-02-19 09:29:27.711799 *Tunnelblick: Expected disconnection occurred.

================================================================================

Installer log:

Tunnelblick installer started 2024-02-19 09:25:22.133398; getuid() = 501; geteuid() = 0; getgid() = 20; getegid() = 20
currentDirectoryPath = '/'; 1 arguments:
     0x0003
Determined username 'xxxxxxx' from getuid(): 501
renamex_np() tests succeeded for /Applications
renamex_np() tests succeeded for /Library/Application Support/Tunnelblick
renamex_np() tests succeeded for /Users/xxxxxxx/Library/Application Support/Tunnelblick/Configurations
Moved /Applications/Tunnelblick.app to the Trash
Copied /Volumes/Tunnelblick/Tunnelblick.app to /Applications/Tunnelblick.app
Removed any 'com.apple.quarantine' extended attributes
Changed ownership of /Applications/Tunnelblick.app and its contents from 501:80 to 0:0
Removed any 'com.apple.quarantine' extended attributes
Need to replace and/or reload 'tunnelblickd':
    daemonHashesMatch  = NO
    plistHashesMatch   = YES
    activePlistMatches = YES
Replaced /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
Used launchctl to load tunnelblickd
Tunnelblick installer succeeded

================================================================================

Down log:

09:25:05 *Tunnelblick:  **********************************************
09:25:05 *Tunnelblick:  Start of output from client.down.tunnelblick.sh
09:25:06 *Tunnelblick:  WARNING: Not restoring network settings because no saved Tunnelblick DNS information was found.
09:25:06 *Tunnelblick:  Flushed the DNS cache with dscacheutil -flushcache
09:25:06 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
09:25:06 *Tunnelblick:  Notified mDNSResponderHelper that the DNS cache was flushed
09:25:06 *Tunnelblick:  End of output from client.down.tunnelblick.sh
09:25:06 *Tunnelblick:  **********************************************

================================================================================

Previous down log:

17:14:42 *Tunnelblick:  **********************************************
17:14:42 *Tunnelblick:  Start of output from client.down.tunnelblick.sh
17:14:42 *Tunnelblick:  Cancelled monitoring system configuration changes
17:14:42 *Tunnelblick:  Restored State:DNS
17:14:42 *Tunnelblick:  Restored Setup:DNS
17:14:42 *Tunnelblick:  Restored State:SMB
17:14:42 *Tunnelblick:  Restored DNS and SMB settings
17:14:42 *Tunnelblick:  Re-enabled IPv6 (automatic) for "USB 10/100/1000 LAN"
17:14:42 *Tunnelblick:  Re-enabled IPv6 (automatic) for "Wi-Fi"
17:14:42 *Tunnelblick:  Re-enabled IPv6 (automatic) for "Thunderbolt Bridge"
17:14:42 *Tunnelblick:  Re-enabled IPv6 (automatic) for "NordVPN NordLynx"
17:14:42 *Tunnelblick:  Re-enabled IPv6 (automatic) for "xxxxx"
17:14:43 *Tunnelblick:  Re-enabled IPv6 (automatic) for "wg_xxxxxx"
17:14:43 *Tunnelblick:  Flushed the DNS cache with dscacheutil -flushcache
17:14:43 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
17:14:43 *Tunnelblick:  End of output from client.down.tunnelblick.sh
17:14:43 *Tunnelblick:  **********************************************

================================================================================

Network services:

An asterisk (*) denotes that a network service is disabled.
USB 10/100/1000 LAN
Wi-Fi
Thunderbolt Bridge
NordVPN NordLynx
xxxxx
wg_xxxxxxx

Wi-Fi Power (en0): On

================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether ac:de:48:00:11:22
    inet6 fe80::aede:48ff:fe00:1122%en6 prefixlen 64 scopeid 0x4
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect (100baseTX <full-duplex>)
    status: active
ap1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    ether 3a:f9:d3:94:df:88
    inet6 fe80::38f9:d3ff:fe94:df88%ap1 prefixlen 64 scopeid 0x5
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether 38:f9:d3:94:df:88
    inet6 fe80::c36:6e4f:9ba2:758a%en0 prefixlen 64 secured scopeid 0x6
    inet 192.168.2.3 netmask 0xffffff00 broadcast 192.168.2.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=460<TSO4,TSO6,CHANNEL_IO>
    ether 82:50:68:a1:64:01
    media: autoselect <full-duplex>
    status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=460<TSO4,TSO6,CHANNEL_IO>
    ether 82:50:68:a1:64:00
    media: autoselect <full-duplex>
    status: inactive
en4: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=460<TSO4,TSO6,CHANNEL_IO>
    ether 82:50:68:a1:64:04
    media: autoselect <full-duplex>
    status: inactive
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=460<TSO4,TSO6,CHANNEL_IO>
    ether 82:50:68:a1:64:05
    media: autoselect <full-duplex>
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether 82:50:68:a1:64:01
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x0
    member: en1 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 7 priority 0 path cost 0
    member: en2 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 8 priority 0 path cost 0
    member: en3 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 10 priority 0 path cost 0
    member: en4 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 9 priority 0 path cost 0
    nd6 options=201<PERFORMNUD,DAD>
    media: <unknown type>
    status: inactive
awdl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    ether ee:82:aa:99:74:f6
    inet6 fe80::ec82:aaff:fe99:74f6%awdl0 prefixlen 64 scopeid 0xc
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
llw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether ee:82:aa:99:74:f6
    inet6 fe80::ec82:aaff:fe99:74f6%llw0 prefixlen 64 scopeid 0xd
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet6 fe80::de13:e9e9:31d4:b598%utun0 prefixlen 64 scopeid 0xe
    nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::c710:4fa6:799d:559b%utun1 prefixlen 64 scopeid 0xf
    nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
    inet6 fe80::cbd0:e3d9:9087:1ab4%utun2 prefixlen 64 scopeid 0x10
    nd6 options=201<PERFORMNUD,DAD>
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1000
    inet6 fe80::ce81:b1c:bd2c:69e%utun3 prefixlen 64 scopeid 0x11
    nd6 options=201<PERFORMNUD,DAD>
utun5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::64ac:1f35:8c1c:c004%utun5 prefixlen 64 scopeid 0x13
    nd6 options=201<PERFORMNUD,DAD>

================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>

================================================================================

Quit Log:

2024-02-19 09:25:26.203012 applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes)
2024-02-19 09:25:26.231034 shutDownTunnelblick: started.
2024-02-19 09:25:26.231574 shutDownTunnelblick: Starting cleanup.
2024-02-19 09:25:26.231961 cleanup: Entering cleanup
2024-02-19 09:25:26.232303 cleanup aborted because Tunnelblick did not finish launching
2024-02-19 09:25:26.232713 shutDownTunnelblick: Cleanup finished.
2024-02-19 09:25:26.233266 Finished shutting down Tunnelblick; allowing termination

================================================================================

Traces Log:


================================================================================

Console Log:


Tunnelblick developer

Feb 19, 2024, 9:46:57 AM
to tunnelblick-discuss
Here's the log entry that describes an error:

     2024-02-19 09:28:47.824989 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

I think the problem is similar to the problem described in VPN doesn't connect and switches between "Authorizing" and "Waiting for server response".

Please read it and try the fix. I'd appreciate it if you post back what happens; I will add this (different) error message to that report.

Carlo Varnero

Feb 26, 2024, 8:06:22 AM
to tunnelblick-discuss
After updating the configuration file and certificate, beta15 is able to connect successfully.

Thank you
Carlo

Andrew Daugherity

Mar 11, 2024, 6:50:38 PM
to tunnelblick-discuss
It's worth noting that this error (OpenSSL unsupported RC2-40-CBC) and the repeated passphrase prompts can occur even when the server and all of the certs/keys use proper ciphers, but the PKCS#12 bundle containing the certs & keys uses legacy ciphers.  This behavior also occurs with GUI frontends on other platforms, including the Windows OpenVPN GUI and the GNOME Network Manager plugin.  And on all of these, you have no indication what the real problem is until you check the log...

Notably, the default .p12 output of all OpenSSL versions except OpenSSL 3 (OpenSSL <= 1.1, LibreSSL, etc.) uses legacy ciphers RC2-40/3DES/SHA1 which OpenSSL 3 refuses to load without the -legacy option.  It is possible to generate an OpenSSL 3-compliant .p12 bundle on OpenSSL 1.1 with the appropriate options; I submitted such a patch to EasyRSA.  (It's been merged but not yet included in any release.)

This was the case in my setup and after I created a new .p12 file with the same contents but using AES-256/SHA256 it now works with OpenVPN 2.6 + OpenSSL 3.

A workaround is to extract the certs & keys and use the appropriate separate config file options (ca, cert, key instead of p12).  But as you say, it's really up to the server administrator to supply clients with compatible credentials.

-Andrew
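
The log pattern discussed in this thread, as an added example that is not part of the original posts or Tunnelblick's own code: a small triage script that separates a PKCS#12 bundle rejected for legacy encryption from one where only the MAC/passphrase check failed. The first sample is taken from the diagnostic log above; the second sample, the function and class names, the verdict labels and the rule "no unsupported-algorithm error means the passphrase was refused" are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample 1: lines copied from the diagnostic log posted in this thread.
LEGACY_LOG = """\
2024-02-19 09:28:47.824989 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-02-19 09:28:47.825013 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2024-02-19 09:28:47.825022 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2024-02-19 09:28:47.825201 SIGUSR1[soft,private-key-password-failure] received, process restarting
"""

# Sample 2: constructed for this example (not from the thread): the same
# failure, but with no "unsupported" algorithm error in front of it.
WRONG_PASS_LOG = """\
2024-03-01 10:00:00.000001 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2024-03-01 10:00:00.000002 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2024-03-01 10:00:00.000003 SIGUSR1[soft,private-key-password-failure] received, process restarting
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (.*)$")
OSSL = re.compile(r"^OpenSSL: error:([0-9A-Fa-f]{8}):([^:]+)::([^:]*):(.*)$")
ALGO = re.compile(r"Algorithm \(([^ )]+)")
DECODE_FAILED = "Decoding PKCS12 failed"


@dataclass
class Finding:
    timestamp: str             # timestamp of the "Decoding PKCS12 failed" line
    verdict: str               # hypothetical label, see triage()
    algorithm: Optional[str]   # algorithm OpenSSL refused, if it named one
    error_codes: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per PKCS#12 decode failure in an OpenVPN log."""
    findings = []
    pending = []  # (code, reason, algorithm) of OpenSSL errors just seen
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # indented continuation lines carry no timestamp
        stamp, msg = m.groups()
        err = OSSL.match(msg)
        if err:
            code, _lib, reason, detail = err.groups()
            algo = ALGO.search(detail)
            pending.append((code, reason, algo.group(1) if algo else None))
        elif msg.startswith(DECODE_FAILED):
            unsupported = [p for p in pending if p[1] == "unsupported"]
            if unsupported:
                # OpenSSL could not even load the cipher: re-issue the bundle.
                verdict, algorithm = "legacy-pkcs12-encryption", unsupported[0][2]
            else:
                # Heuristic (assumption): only the MAC/passphrase check failed.
                verdict, algorithm = "passphrase-rejected", None
            findings.append(
                Finding(stamp, verdict, algorithm, [p[0] for p in pending]))
            pending = []
        else:
            pending = []  # unrelated line: do not attach stale errors
    return findings


if __name__ == "__main__":
    for f in triage(LEGACY_LOG + WRONG_PASS_LOG):
        print(f.timestamp, f.verdict, f.algorithm or "-", ",".join(f.error_codes))
```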

Tunnelblick developer

Mar 11, 2024, 7:11:12 PM
to tunnelblick-discuss
Thanks, Andrew! I have cross-posted a copy of your report to Issue #791, which is also about this problem.

Florian Gritsch

Apr 2, 2024, 7:12:24 AM
to tunnelblick-discuss
After updating today from Tunnelblick 3.8.8g (build 5779.3) to 4.0.1, a password is required after I try to connect to my VPN. The password was stored in my keys. Even when I delete my key and type the correct passphrase, it is not accepted. I had to install the 3.8.3 version again. The 5.0.0beta2 version also does not accept the password.
Do you need any logs?
Regards, Florian

Tunnelblick developer

Apr 2, 2024, 7:57:40 AM
to tunnelblick-discuss
See Tunnelblick 4.

If you still have a problem after taking the steps described there, please post the diagnostic info obtained by following the instructions at Read Before You Post.