Tunnelblick won't disconnect


do...@pebcak.de

Sep 8, 2013, 4:25:57 AM
to tunnelbli...@googlegroups.com
Hi,

I have a problem with the latest Tunnelblick versions (tested on stable and beta). I am able to connect to any configured OpenVPN w/o any issues. I can use the VPN as expected, but when I try to disconnect (either by clicking "Disconnect all" or by clicking the disconnect button for the specific connection) Tunnelblick won't react at all. Sometimes it shows a popup window, telling me that openvpn didn't react and it will try to disconnect for the next 10 seconds. Sometimes it will disconnect then, but mostly it doesn't. The only way for me to close the connection is by killing the corresponding OpenVPN process via console. I've never had this problem before - it was introduced together with the Tunnelblick update that notified about the config file changes (not sure which version this was).

I am (currently) running OpenVPN 3.4beta 08 on Mac OS X 10.7.5.

Any help is highly appreciated, as killing the processes every time is really annoying.


Thanks
Winfried

jkbull...gmail.com

Sep 8, 2013, 5:06:22 AM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Thanks for your report. I'll try to help.

Please do the following, with either 3.3 or 3.4beta08 (it doesn't matter which one):
  1. Launch Tunnelblick if it isn't running already
  2. Click the Tunnelblick icon, then click "VPN Details…"
  3. Click the "Log" tab on the right side of the window
  4. Click to select the configuration that causes the problem in the list on the left side of the window
  5. Click the "Connect" button
  6. Wait until the configuration is connected
  7. Click the "Disconnect" button
  8. Wait three minutes for the disconnection to occur
  9. Click the "Copy Diagnostic Info to Clipboard" button
  10. Paste the diagnostic info into a reply
  11. Edit the info to remove the server URL or IP address and any other information that should be kept private
  12. Send the reply
Note: the three minute wait after requesting a disconnect is to make sure all the diagnostic info that is needed to fix this problem is available -- that OpenVPN has enough time to shut down the connection. It isn't normal to have to wait this long. Once the problem is identified and fixed, it should only take a few seconds at most.

do...@pebcak.de

Sep 8, 2013, 5:24:59 AM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Hi Jonathan,

thanks for the fast response. Here is the information you asked for:
(btw. the VPN didn't disconnect - even after 3 minutes - and the "copy to clipboard" button didn't work either):



2013-09-08 11:11:56 *Tunnelblick: OS X 10.7.5; Tunnelblick 3.4beta08 (build 3576); prior version 3.4beta04 (build 3555)
2013-09-08 11:11:56 *Tunnelblick: Attempting connection with XXXXXXXXXX VPN/XXXXXXXXXX VPN using shadow copy; Set nameserver = 9; not monitoring connection
2013-09-08 11:11:56 *Tunnelblick: openvpnstart start XXXXXXXXXX\ VPN/XXXXXXXXXX\ VPN.tblk 1337 9 0 1 1 305 -atADGNWradsgnw
2013-09-08 11:11:56 *Tunnelblick: openvpnstart log:
     Loading tun.kext

     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn
          --cd
          /Library/Application Support/Tunnelblick/Users/doomy/XXXXXXXXXX VPN/XXXXXXXXXX VPN.tblk/Contents/Resources
          --daemon
          --management
          127.0.0.1
          1337
          --config
          /Library/Application Support/Tunnelblick/Users/doomy/XXXXXXXXXX VPN/XXXXXXXXXX VPN.tblk/Contents/Resources/config.ovpn
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Sdoomy-SLibrary-SApplication Support-STunnelblick-SConfigurations-SXXXXXXXXXX VPN-SXXXXXXXXXX VPN.tblk-SContents-SResources-Sconfig.ovpn.9_0_1_1_305.1337.openvpn.log
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.2.up.tunnelblick.sh -w -d -f -atADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.2.down.tunnelblick.sh -w -d -f -atADGNWradsgnw
          --up-restart

2013-09-08 11:11:56 *Tunnelblick: Established communication with OpenVPN
2013-09-08 11:11:56 *Tunnelblick: openvpnstart starting OpenVPN:
                    *                    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Library/Application Support/Tunnelblick/Users/doomy/XXXXXXXXXX VPN/XXXXXXXXXX VPN.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Library/Application Support/Tunnelblick/Users/doomy/XXXXXXXXXX VPN/XXXXXXXXXX VPN.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Sdoomy-SLibrary-SApplication Support-STunnelblick-SConfigurations-SXXXXXXXXXX VPN-SXXXXXXXXXX VPN.tblk-SContents-SResources-Sconfig.ovpn.9_0_1_1_305.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.2.up.tunnelblick.sh -w -d -f -atADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.2.down.tunnelblick.sh -w -d -f -atADGNWradsgnw --up-restart
2013-09-08 11:11:56 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 20 2013
2013-09-08 11:11:56 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
2013-09-08 11:11:56 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2013-09-08 11:11:56 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2013-09-08 11:11:58 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2013-09-08 11:11:58 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2013-09-08 11:11:58 LZO compression initialized
2013-09-08 11:11:58 RESOLVE: NOTE: vpn.XXXXXXXXXX.com resolves to 17 addresses
2013-09-08 11:11:58 UDPv4 link local (bound): [undef]:1194
2013-09-08 11:11:58 UDPv4 link remote: XX.XX.XX.XX:1194
2013-09-08 11:11:59 [stingray.cleverbridge.com] Peer Connection Initiated with XX.XX.XX.XX:1194
2013-09-08 11:12:01 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:10: ip-win32 (2.2.1)
2013-09-08 11:12:01 TUN/TAP device /dev/tun0 opened
2013-09-08 11:12:01 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2013-09-08 11:12:01 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2013-09-08 11:12:01 /sbin/ifconfig tun0 10.0.29.33 10.0.29.34 mtu 1500 netmask 255.255.255.255 up
2013-09-08 11:12:01 /Applications/Tunnelblick.app/Contents/Resources/client.2.up.tunnelblick.sh -w -d -f -atADGNWradsgnw tun0 1500 1562 10.0.29.33 10.0.29.34 init
                                        add net 10.0.XX.0: gateway 10.0.29.34
2013-09-08 11:12:01 *Tunnelblick: No 'connected.sh' script to execute
                                        add net 10.XX.XX.0: gateway 10.0.29.34
                                        add net 10.XX.XX.0: gateway 10.0.29.34
                                        add net 10.XX.XX.0: gateway 10.0.29.34
                                        add net 10.XX.XX.0: gateway 10.0.29.34
                                        add net 10.XX.XX.0: gateway 10.0.29.34
                                        add net 10.XX.XX.0: gateway 10.0.29.34
                                        add net 10.XX.XX.0: gateway 10.0.29.34
                                        add net 10.XX.XX.0: gateway 10.0.29.34
                                        add net 10.XX.XX.0: gateway 10.0.29.34
2013-09-08 11:12:01 Initialization Sequence Completed
2013-09-08 11:12:13 *Tunnelblick: Disconnecting; 'disconnect' button pressed
2013-09-08 11:12:13 *Tunnelblick: Disconnecting using 'killall'


Thanks
Winfried

jkbull...gmail.com

Sep 8, 2013, 5:38:51 AM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Thanks for supplying the Tunnelblick log. So Tunnelblick "freezes" and won't respond to the "Copy…"  button -- even worse!

I notice you are not using the standard "Set DNS/WINS" setting of "Set nameserver". Using that setting may solve the problem, and it should supply additional diagnostic info, so please re-do the procedure listed earlier with that setting.

If that doesn't solve the problem, after killing Tunnelblick (and any copies of the process "openvpn") perform the procedure listed earlier but skip steps 5-8 (in other words, don't connect). That will supply the rest of the information. If you do it soon after a connect/disconnect, the Console log info should include the log from the connect/disconnect sequence that you did earlier.

Remember to X out the URL and/or IP address of the server and any other private info.

do...@pebcak.de

Sep 8, 2013, 6:54:44 AM
to tunnelbli...@googlegroups.com, do...@pebcak.de

Hi Jonathan,


so here is what happened.

I tried all possible nameserver settings. If I choose option 1, it will connect, not set the right nameserver, and it will not react on the "disconnect" action. If I choose option 2 and 3 (with "monitor network connection" checked), it will connect, won't set the right name server, but it will react on the disconnect action. The Tunnelblick icon gets black again… unfortunately the openvpn process is still running and so a re-connect won't work, as it thinks that it's already connected. If I choose option 4, it will connect, set the right nameserver but won't disconnect again. Option 5 does the same as 1.

I also tried to get the diagnostics logs copied to the clipboard using the suggested actions, but it won't copy anything into the clipboard, even if the Tunnelblick process was just started.

I just tried re-installing the whole thing, but this also didn't help.

Any other suggestions?



Winni

jkbull...gmail.com

Sep 8, 2013, 7:16:11 AM
to tunnelbli...@googlegroups.com, do...@pebcak.de
I'm sorry you are having so much trouble. There are several other things to try; please be patient -- I'd like to get to the bottom of this, too.

As a first step, please post your configuration file. You have a Shared configuration, which makes that a pain, so first make it "Private". (Select the configuration, then click on the little "gear" icon at the bottom of the list of configurations, then click "Make Configuration Private"). Then you can click the "gear" icon again and click "Edit OpenVPN Configuration File". The file will be opened in TextEdit; you can copy it and paste it into a reply and edit out any sensitive info.

jkbull...gmail.com

Sep 8, 2013, 7:36:36 AM
to tunnelbli...@googlegroups.com, do...@pebcak.de
I missed something in your last post:

On Sunday, September 8, 2013 6:54:44 AM UTC-4, do...@pebcak.de wrote:

> I also tried to get the diagnostics logs copied to the clipboard using the suggested actions,
> but it won't copy anything into the clipboard, even if the tunnelblick process was just started.

Do you mean you can launch Tunnelblick and -- without trying to connect -- the "Copy Diagnostic Info to Clipboard" doesn't work? If it does, that will include the configuration file and recent Console log entries.

do...@pebcak.de

Sep 8, 2013, 12:32:22 PM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Hi Jonathan,

> As a first step, please post your configuration file. You have a Shared configuration, which makes that a pain, so first 
> make it "Private". (Select the configuration, then click on the little "gear" icon at the bottom of the list of configurations, 
> then click "Make Configuration Private"). Then you can click the "gear" icon again and click "Edit OpenVPN Configuration
> File". The file will be opened in TextEdit; you can copy it and paste it into a reply and edit out any sensitive info.
My configuration is not shared. When I follow the steps you suggested, it offers me to make my configuration
shared - not to make it private.

> Do you mean you can launch Tunnelblick and -- without trying to connect -- the "Copy Diagnostic Info to Clipboard" 
> doesn't work? If it does, that will include the configuration file and recent Console log entries.
Yes, if I start a clean new Tunnelblick instance and I click on "Copy diagnostic info to clipboard" without trying to connect,
it will not copy anything.

Here is my configuration:

==================== 8< ===============================
## Client Configuration for XXXXXXXXXXX VPN Gateway
## 
## Clientname: XXXXXXXXXXX

## This is a client config
client

## Encryption device to use
dev tun

## Protocol and server
proto udp

## SSL settings
ca cacert.pem
cert XXXXXXXXXXX_cert.pem
key XXXXXXXXXXX_key.pem

## HMAC Firewall
## (0 on server / 1 on client)
tls-auth ta.key 1

## Cipher settings
;cipher BF-CBC
cipher AES-128-CBC

## Enable compression
comp-lzo

## MTU fix
fragment 1400
mssfix

## Everything else is retrieved by the server
pull
==================== >8 ===============================

Thanks for your patience and assistance :)
Winni

PS: Sorry if I provide some menu names or setting names wrong, I am using a German
version of Tunnelblick, so I try to translate them correspondingly.

jkbull...gmail.com

Sep 8, 2013, 1:03:36 PM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Thanks. The configuration looks OK. But something is very wrong, of course!

Your English is excellent, no problem there.

Sorry -- I read the log entry incorrectly and thought you had a Shared configuration. My mistake.

Please try to get Tunnelblick entries from the Console Log contents as follows:

Launch the Console application, located at /Applications/Utilities/Console.app. The Console application is built into all versions of OS X.

If you don't see a list of different logs to view on the left of the Console window, click "View", then "Show Log List".

If you don't see a toolbar at the top of the Console window, click "View", then "Show Toolbar".

All of Tunnelblick's messages appear in the Console log, which you can view by selecting "Console Messages" in the log list on the left of the Console window. OpenVPN may output messages which only appear when viewing "All Messages" in the log list.

There is a "Filter" text box in the upper right corner of the Console window. If you type "tunnelblick" (without the quote marks) into the text box, Console will only show messages from Tunnelblick, not from other programs.

 

do...@pebcak.de

Sep 16, 2013, 5:08:36 PM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Hi Jonathan,

thanks for your patience :-) Finally found the time to continue troubleshooting this issue. Here are the log entries from
the console log:

16.09.13 23:03:53,392 Tunnelblick: openvpnstart status from compareShadowCopy: 251
16.09.13 23:03:58,699 Tunnelblick: openvpnstart status from compareShadowCopy: 251
16.09.13 23:04:04,789 Tunnelblick: DEBUG: cancelAllIPCheckThreadsForConnection: Entered
16.09.13 23:04:04,789 Tunnelblick: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 59531264
16.09.13 23:04:04,790 Tunnelblick: DEBUG: killAllConnectionsIncludingDaemons: has checked for active daemons
16.09.13 23:04:04,790 Tunnelblick: DEBUG: includeDaemons = 0; noUnknownOpenVPNsRunning = 1; noActiveDaemons = 1; noDownRootsActive = 1 
16.09.13 23:04:04,790 Tunnelblick: DEBUG: killAllConnectionsIncludingDaemons: will use killAll
16.09.13 23:04:04,791 Tunnelblick: DEBUG: killAllConnectionsIncludingDaemons: requested killAll
16.09.13 23:04:04,810 Tunnelblick: openvpnstart stderr from killall:
/usr owner is 502, not 0
pathIsNotSecure: pathComponentIsNotSecure(/usr, 00)
/usr/bin/killall is not secured
16.09.13 23:04:04,810 Tunnelblick: openvpnstart status from killall: 210
16.09.13 23:04:04,810 Tunnelblick: DEBUG: killAllConnectionsIncludingDaemons: killAll finished
16.09.13 23:04:09,817 Tunnelblick: Error: Timeout (5 seconds) waiting for OpenVPN process 26179 to terminate
16.09.13 23:06:06,999 Tunnelblick: DEBUG: cancelAllIPCheckThreadsForConnection: Entered
16.09.13 23:06:06,999 Tunnelblick: DEBUG: cancelAllIPCheckThreadsForConnection: No active threads for connection 59531264
16.09.13 23:06:06,999 Tunnelblick: disconnect: while disconnecting


Thanks
Winni

jkbull...gmail.com

Sep 16, 2013, 5:19:38 PM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Ah. That explains it. The following is the problem:

16.09.13 23:04:04,810 Tunnelblick: openvpnstart stderr from killall:
/usr owner is 502, not 0
pathIsNotSecure: pathComponentIsNotSecure(/usr, 00)
/usr/bin/killall is not secured

The ownership of one of the system folders, "/usr", is faulty and insecure. It is owned by a user (#502) but it should be owned by root (#0).

Try fixing this as follows:
  1. Launch /Applications/Utilities/Disk Utility
  2. Select your boot drive in the list on the left
  3. Click the "Repair Disk Permissions" button and wait for it to complete.
That should fix the problem. If not, it can be fixed manually, but that is more difficult and there may be other ownership/permissions issues that need to be addressed. It is best to try "Repair Disk Permissions" first because it may fix everything.
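
The check that failed in the log above can be reproduced outside Tunnelblick. The following is an added example, not Tunnelblick's code and not written by anyone in this thread: it walks every component of an absolute path and reports the ones a privileged helper should not trust. The rule it applies (owner must be uid 0, no group or other write bit) is an assumption inferred from the "owner is 502, not 0" message, and the names `path_components`, `insecure_components` and `SAMPLE` are hypothetical.

```python
import os
import stat
import sys
from collections import namedtuple

# Stand-in for os.stat_result, used only by the constructed sample below.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def path_components(path):
    """'/usr/bin/killall' -> ['/', '/usr', '/usr/bin', '/usr/bin/killall']."""
    if not os.path.isabs(path):
        raise ValueError("absolute path required: %r" % path)
    out = [os.sep]
    for part in os.path.normpath(path).split(os.sep):
        if part:
            out.append(os.path.join(out[-1], part))
    return out


def insecure_components(path, stat_fn=os.lstat):
    """Return (component, reason) for every component that fails the check.

    Assumed rule: owned by root (uid 0) and not writable by group or other.
    """
    findings = []
    for comp in path_components(path):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            findings.append((comp, "cannot stat: %s" % exc.strerror))
            continue
        if st.st_uid != 0:
            findings.append((comp, "owner is %d, not 0" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((comp, "writable by group or other"))
    return findings


# Constructed sample: the ownership state reported in this thread.
SAMPLE = {
    "/": FakeStat(0, 0o040755),
    "/usr": FakeStat(502, 0o040755),
    "/usr/bin": FakeStat(0, 0o040755),
    "/usr/bin/killall": FakeStat(0, 0o100555),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # check the real filesystem
        results = insecure_components(sys.argv[1])
    else:                                      # no argument: use the sample
        results = insecure_components("/usr/bin/killall", SAMPLE.__getitem__)
    for comp, reason in results:
        print("%s: %s" % (comp, reason))
```

Every ancestor directory is checked, not just the binary, because whoever owns a parent directory can rename or replace what sits beneath it, including a tool that a root helper is about to execute.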

do...@pebcak.de

Sep 16, 2013, 5:25:40 PM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Damnit!

$ ls -ld /usr
drwxr-xr-x@ 17 macports  wheel  578  1 Okt  2012 /usr

Looks like macports messed up the whole /usr. I'll get it fixed and give it another
try. I'll give an update if this fixes the problem.

Thanks for your help so far.


Winni

do...@pebcak.de

Sep 16, 2013, 6:04:52 PM
to tunnelbli...@googlegroups.com, do...@pebcak.de
Looks like that did the trick! Thanks again for your assistance!

jkbull...gmail.com

Sep 16, 2013, 6:12:17 PM
to tunnelbli...@googlegroups.com, do...@pebcak.de
I am adding code to Tunnelblick to see this type of problem and complain in a more easily understandable way. It will be in the next release.