Recently upgraded to 3.0, problems with script


Andrew M

May 3, 2010, 9:33:53 AM
to tunnelblick-discuss
I recently moved to Tunnelblick 3.0 from a previous version downloaded
two years ago (2.0.1 I suppose – but I've lost it now) which worked OK
all that time. I upgraded in hopes of solving a nagging problem with
the connexion dropping when not in use – but I now think it's a server
configuration issue and nothing to do with Tunnelblick.

However, the upgrade was a regression for me. I have an "up" script
and a "down" script which adjust the DNS server settings using
scutil. Under the previous Tunnelblick they worked fine. Under
3.0, the up script works but the down script never executes. Instead
I see this in the last two lines of the log:

2010-05-03 07:00:56 /Users/ajmalton/Library/openvpn/XXXXXX.down tun0
1500 1546 10.109.1.96 10.109.0.1 init
2010-05-03 07:00:56 script failed: could not execute external program

Both scripts are unchanged since before, when they worked. Both are
executable:

-rwxr-xr-x 1 root wheel 788 May 3 06:52 XXXXXX.down*
-rwxr-xr-x 1 root wheel 1299 May 3 06:52 XXXXXX.up*

Both are doing what needs privileges. My workaround is to sudo them
in a terminal window.

Can anyone lend an idea?


jkbull...gmail.com

May 3, 2010, 3:12:01 PM
to tunnelblick-discuss
If you post the first few lines of the log, the down script, and your
config file it would help. X out anything sensitive like IP addresses.
And what is the XXXXXX? Any odd characters?

Andrew Malton

May 3, 2010, 5:50:41 PM
to tunnelbli...@googlegroups.com
On May 3 2010, at 3:12 PM, jkbull...gmail.com wrote:

If you post the first few lines of the log, the down script, and your
config file it would help. X out anything sensitive like IP addresses.
And what is the XXXXXX? Any odd characters?

Log begins with connection, thus:

2010-05-03 16:49:13 *Tunnelblick: OS X 10.4.11; Tunnelblick 3.0 (build 1437); OpenVPN 2.1.1
2010-05-03 16:49:17 *Tunnelblick: Attempting connection with CONNECTION.conf; Set nameserver = 0; not monitoring connection
2010-05-03 16:49:17 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start CONNECTION.conf 1338 0 0 0 1
2010-05-03 16:49:17 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpn --management-query-passwords --cd /Users/USERNAME/Library/Application Support/Tunnelblick/Configurations --daemon --management-hold --management 127.0.0.1 1338 --config /Users/USERNAME/Library/Application Support/Tunnelblick/Configurations/CONNECTION.conf --script-security 2
2010-05-03 16:49:17 SUCCESS: pid=8943
2010-05-03 16:49:17 SUCCESS: real-time state notification set to ON
2010-05-03 16:49:17 SUCCESS: real-time log notification set to ON
2010-05-03 16:49:17   tls_timeout = 2
2010-05-03 16:49:17   renegotiate_bytes = 0
2010-05-03 16:49:17   renegotiate_packets = 0
2010-05-03 16:49:17   renegotiate_seconds = 3600
2010-05-03 16:49:17   handshake_window = 60
2010-05-03 16:49:17   transition_window = 3600
2010-05-03 16:49:17   single_session = DISABLED
2010-05-03 16:49:17   tls_exit = DISABLED
2010-05-03 16:49:17   tls_auth_file = '/Users/USERNAME/keys/KEYNAME.secret'
...
2010-05-03 16:49:23 /sbin/route add -net 10.109.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:23 /sbin/route add -net 10.201.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:23 /sbin/route add -net 10.110.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:23 /sbin/route add -net 10.113.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:23 /sbin/route add -net 192.168.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:23 GID set to nobody
2010-05-03 16:49:23 UID set to nobody
2010-05-03 16:49:23 Initialization Sequence Completed
2010-05-03 16:49:23 IP-NUMBER

(The adds above are of private numbers, of course.)
Log ends with disconnection, thus:

2010-05-03 16:49:41 event_wait : Interrupted system call (code=4)
2010-05-03 16:49:41 TCP/UDP: Closing socket
2010-05-03 16:49:41 /sbin/route delete -net 192.168.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:41 ERROR: OS X route delete command failed: external program exited with error status: 77
2010-05-03 16:49:41 /sbin/route delete -net 10.113.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:41 ERROR: OS X route delete command failed: external program exited with error status: 77
2010-05-03 16:49:41 /sbin/route delete -net 10.110.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:41 ERROR: OS X route delete command failed: external program exited with error status: 77
2010-05-03 16:49:41 /sbin/route delete -net 10.201.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:41 ERROR: OS X route delete command failed: external program exited with error status: 77
2010-05-03 16:49:41 /sbin/route delete -net 10.109.0.0 10.109.0.1 255.255.0.0
2010-05-03 16:49:41 ERROR: OS X route delete command failed: external program exited with error status: 77
2010-05-03 16:49:41 Closing TUN/TAP interface
2010-05-03 16:49:41 /Users/USERNAME/Library/openvpn/CONNECTION.down tun0 1500 1546 10.109.1.96 10.109.0.1 init
2010-05-03 16:49:42 script failed: could not execute external program

The down script /Users/USERNAME/Library/openvpn/CONNECTION.down:

#!/bin/sh -e
# Ignore SIGTSTP, SIGHUP and SIGINT so the DNS restore is not interrupted midway.
trap "" TSTP
trap "" HUP
trap "" INT
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"

# Look up the primary network service ID; the heredoc is fed to the
# subshell, so scutil reads its commands from stdin.
PSID=$( (scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //') << EOF
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)

# Nothing to restore if the up script did not save the original settings.
if [ ! -e /tmp/openvpn_dns_${PSID} ]; then
    exit 0
fi
if [ ! -e /tmp/openvpn_domain_${PSID} ]; then
    exit 0
fi

# Put the saved DNS servers and search domain back (needs root).
scutil << EOF
open
d.init
d.add ServerAddresses * `cat /tmp/openvpn_dns_${PSID}`
d.add DomainName `cat /tmp/openvpn_domain_${PSID}`
set State:/Network/Service/${PSID}/DNS
quit
EOF

rm /tmp/openvpn_dns_${PSID} /tmp/openvpn_domain_${PSID}
exit 0

My workaround is to sudo the above script, which does what I would have expected. It seems as though Tunnelblick is failing to run it as root – but it runs the up script OK, and that needs root privilege also.

The config file:

client
dev tun0
proto udp
remote IP-NUMBER 12109
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /opt/conf/home-vpn/current/etc/ssl/ca.servers.sensors.crt.pem
cert /opt/conf/home-vpn/current/etc/ssl/USER.crt.pem
key /opt/conf/home-vpn/current/etc/ssl/USER.key.pem
;ns-cert-type server
tls-client
tls-auth /Users/ajmalton/keys/cyclops.secret
comp-lzo
tun-mtu 1500
fragment 1300
mssfix 1300
pull
verb 5
;mute 20
up /Users/USERNAME/Library/openvpn/CONNECTION.up
down /Users/USERNAME/Library/openvpn/CONNECTION.down

I didn't write the above config; some kind of sysadmin did – I don't understand all of it.

Thanks for all help.


--
Andrew J. Malton
Waterloo, Ontario

jkbull...gmail.com

May 3, 2010, 6:44:20 PM
to tunnelblick-discuss
The problem is the following two lines in the config:

user nobody
group nobody

They cause OpenVPN to drop root and run as nobody:nobody after getting
the VPN set up and running the up script. But that means that when
OpenVPN runs the down script, it runs it as nobody instead of as root,
so you get the error.

Two solutions:
(1) remove the two lines from the config, or

(2) use "openvpn-down-root.so". See the section about it in "Using
Tunnelblick" at
http://code.google.com/p/tunnelblick/wiki/UsingTunnelblick#Using_openvpn-down-root.so
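
Added example, not code from the thread or from Tunnelblick: a small POSIX shell lint that detects the combination jkbull describes (a user/group privilege drop together with a plain "down" script and no openvpn-down-root.so plugin line) and shows the two fixes as config rewrites. The sample configs are constructed from the shape posted above, and the plugin path under Tunnelblick.app is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: a lint for the mismatch jkbull
# describes. "user"/"group" make OpenVPN drop root after the up script,
# so a "down" script that needs root fails unless openvpn-down-root.so
# runs it from a privileged helper. The plugin path is an assumption.
# Print the directive name (first word) of every non-comment line.
ovpn_directives() {
    sed -e '/^[[:space:]]*[;#]/d' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1 }'
}

# Return 1 when the config drops privileges and has a plain "down" script
# but no openvpn-down-root plugin line; return 0 otherwise.
lint_down_script_privs() {
    drops_priv=0; has_down=0; has_plugin=0
    for d in $(ovpn_directives "$1"); do
        case "$d" in
            user|group) drops_priv=1 ;;
            down)       has_down=1 ;;
        esac
    done
    if sed -e '/^[[:space:]]*[;#]/d' "$1" | grep -q 'plugin.*openvpn-down-root'; then
        has_plugin=1
    fi
    if [ "$drops_priv$has_down$has_plugin" = "110" ]; then
        echo "MISMATCH: $1 drops root (user/group) yet runs 'down' without openvpn-down-root.so"
        return 1
    fi
    echo "OK: $1"
}

SAMPLE_DIR=$(mktemp -d)   # constructed sample configs, shaped like the one posted
SAMPLE_BAD="$SAMPLE_DIR/bad.conf"; SAMPLE_NO_DROP="$SAMPLE_DIR/nodrop.conf"
SAMPLE_PLUGIN="$SAMPLE_DIR/plugin.conf"
cat > "$SAMPLE_BAD" <<'EOF'
client
user nobody
group nobody
;mute 20
up   /Users/USERNAME/Library/openvpn/CONNECTION.up
down /Users/USERNAME/Library/openvpn/CONNECTION.down
EOF
# Fix (1): drop the user/group lines, so OpenVPN stays root and "down" runs as root.
grep -v -e '^user ' -e '^group ' "$SAMPLE_BAD" > "$SAMPLE_NO_DROP"
# Fix (2): keep the privilege drop and hand the down script to the plugin.
sed -e 's|^down \(.*\)$|plugin /Applications/Tunnelblick.app/Contents/Resources/openvpn-down-root.so "\1"|' \
    "$SAMPLE_BAD" > "$SAMPLE_PLUGIN"
lint_down_script_privs "$SAMPLE_BAD" || echo "(exit status $?)"   # MISMATCH, status 1
lint_down_script_privs "$SAMPLE_NO_DROP"                          # OK
lint_down_script_privs "$SAMPLE_PLUGIN"                           # OK
```

Fix (1) keeps the down script working but leaves OpenVPN running as root for the whole session; fix (2) keeps the least-privilege drop and is the one the Tunnelblick wiki page linked above describes.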

Andrew Malton

May 4, 2010, 1:14:51 PM
to tunnelbli...@googlegroups.com
Well, that was easy. Thanks!

It seems to have solved (certainly has reduced) the dropping-connection problem also.


--
Andrew J. Malton
Waterloo, Ontario
