Problem allocating DD-WRT OpenVPN server's DNS and IP Address to Tunnelblick client


Mache Creeger

Oct 14, 2018, 2:31:04 AM
to tunnelblick-discuss
I am running macOS 10.13.6 and Tunnelblick 3.7.8beta01 (build 5160) - Set DNS/WINS: Set Nameserver 3.0b10 and OpenVPN version: Latest (2.5 git 57d6f10 - OpenSSL v1.1.1) . After I connect to my DD-WRT (DD-WRT v3.0-r36527 std (08/09/18)) router running an OpenVPN server, I can access the Internet and can access IP Addresses on the DD-WRT OpenVPN server LAN, but my Tunnelblick client still has the remote ISP's IP Address and DNS. I am not provided DD-WRT's DHCP allocated IP Address and DNS (listed in the configuration as 192.168.X.1). I need the 192.168.X.1 DNS to resolve DD-WRT LAN domains so I can use resources (like printers and servers) on that LAN. My current client configuration file is:

client
auth RSA-SHA256
auth-nocache

redirect-gateway def1
push "dhcp-option DNS 192.168.X.1"

# Use the same setting as you are using on
# the server.
dev tun0

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# ns-cert-type server
remote-cert-tls server

# Enable compression on the VPN link.
# comp-lzo
compress lzo

# Allow me to change my IP address
# and/or port number (if I get a new
# local IP address at Starbucks).
float

My OpenVPN server configuration on DD-WRT is:

proto udp
dev tun0
push "route 192.168.X.0 255.255.255.0"
push "dhcp-option DNS 192.168.X.1"
keepalive 10 120
daemon
verb 5

How can I get an IP Address and DNS allocated to my Tunnelblick client from the DD-WRT OpenVPN server and not from the remote ISP?



Tunnelblick developer

Oct 14, 2018, 6:10:44 AM
to tunnelblick-discuss
  1. Why are you using "Set DNS/WINS: Set nameserver 3.0b10" instead of the default, "Set nameserver"?

  2. Please post the diagnostic info obtained by following the instructions at Read Before You Post (https://tunnelblick.net/cBeforeYouPost.html).

Mache Creeger

Oct 14, 2018, 11:25:38 AM
to tunnelblick-discuss
*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.8beta01 (build 5160); prior version 3.7.7beta04 (build 5120); Admin user
git commit fc572c89d58d4ad4b515f37a14639c03b609bd35


Configuration Home

"Sanitized" condensed configuration file for /Users/xyz/Library/Application Support/Tunnelblick/Configurations/Home.tblk:

client
auth RSA-SHA256
auth-nocache
dev tun0
proto udp
remote XX.YY.ZZ 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bucky.crt
key bucky.key
tls-auth ta.key 1
remote-cert-tls server
compress lzo
float


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  156    3 0xffffff7f85cd6000 0x64000    0x64000    org.virtualbox.kext.VBoxDrv (5.2.18) 4B812769-A078-3E16-B9D1-DCAB645482E4 <7 5 4 3 1>
  162    0 0xffffff7f85d3a000 0x8000     0x8000     org.virtualbox.kext.VBoxUSB (5.2.18) 38AC00F1-4F4C-3101-B8E0-4F07161A728E <161 156 50 7 5 4 3 1>
  163    0 0xffffff7f85d42000 0x5000     0x5000     org.virtualbox.kext.VBoxNetFlt (5.2.18) 80DA38DE-39E0-3DE7-A207-73D55CF17079 <156 7 5 4 3 1>
  164    0 0xffffff7f85d47000 0x6000     0x6000     org.virtualbox.kext.VBoxNetAdp (5.2.18) CC938DAD-56D8-3616-B7B0-709D040CE41B <156 5 4 1>

================================================================================

Files in Home.tblk:
      Contents/Resources/ta.key
      Contents/Resources/buc….key
      Contents/Resources/ca.crt
      Contents/Resources/config.ovpn
      Contents/Resources/buc….crt

================================================================================

Configuration preferences:

autoConnect = 0
-onSystemStart = 0
useDNS = 1
-routeAllTrafficThroughVpn = 1
-runMtuTest = 0
-useRouteUpInsteadOfUp = 1
-openvpnVersion = -
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
-keepConnected = 1
-loggingLevel = 3
-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0

================================================================================

Program preferences:

launchAtNextLogin = 1
tunnelblickVersionHistory = (
    "3.7.8beta01 (build 5160)",
    "3.7.7beta04 (build 5120)",
    "3.7.7beta01 (build 5070)",
    "3.7.6beta04 (build 5050)",
    "3.7.6beta03 (build 5031)",
    "3.7.5a (build 5011)"
)
lastLaunchTime = 561222540.436749
showConnectedDurations = 1
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = Home
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
updateCheckBetas = 1
NSWindow Frame SettingsSheetWindow = 228 0 829 524 0 0 1280 777 
NSWindow Frame ConnectingWindow = 445 442 389 187 0 0 1280 777 
NSWindow Frame SUUpdateAlert = 330 288 620 392 0 0 1280 777 
NSWindow Frame ListingWindow = 374 138 500 422 0 0 1280 777 
detailsWindowFrameVersion = 5160
detailsWindowFrame = {{360, 73}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = settings
leftNavSelectedDisplayName = Home
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SULastCheckTime = 2018-10-14 15:09:00 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.8beta01 (build 5160); prior version 3.7.7beta04 (build 5120)
2018-10-14 08:15:01 *Tunnelblick: Attempting connection with Home using shadow copy; Set nameserver = 769; monitoring connection
2018-10-14 08:15:01 *Tunnelblick: openvpnstart start Home.tblk 58460 769 0 1 0 1098544 -ptADGNWradsgnw 2.5_git_57d6f10-openssl-1.1.1
2018-10-14 08:15:02 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.5_git_57d6f10-openssl-1.1.1/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Sxyz-SLibrary-SApplication Support-STunnelblick-SConfigurations-SHome.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098544.58460.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/xyz/Home.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5160 3.7.8beta01 (build 5160)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/xyz/Home.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/xyz/Home.tblk/Contents/Resources
          --management
          127.0.0.1
          58460
          /Library/Application Support/Tunnelblick/fappejolpgdhnojhdblhfggbkjfjedkjlcphkfkb.mip
          --management-query-passwords
          --management-hold
          --redirect-gateway
          def1
          --script-security
          2
          --route-up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2018-10-14 08:15:01 OpenVPN 2.5_git_57d6f10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 29 2018
2018-10-14 08:15:01 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.10
2018-10-14 08:15:01 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:58460
2018-10-14 08:15:01 Need hold release from management interface, waiting...
2018-10-14 08:15:02 *Tunnelblick: Established communication with OpenVPN
2018-10-14 08:15:02 >INFO:OpenVPN Management Interface Version 2 -- type 'help' for more info
2018-10-14 08:15:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:58460
2018-10-14 08:15:02 MANAGEMENT: CMD 'pid'
2018-10-14 08:15:02 MANAGEMENT: CMD 'auth-retry interact'
2018-10-14 08:15:02 MANAGEMENT: CMD 'state on'
2018-10-14 08:15:02 MANAGEMENT: CMD 'state'
2018-10-14 08:15:02 MANAGEMENT: CMD 'bytecount 1'
2018-10-14 08:15:02 MANAGEMENT: CMD 'hold release'
2018-10-14 08:15:02 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-10-14 08:15:02 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-10-14 08:15:02 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-10-14 08:15:02 MANAGEMENT: >STATE:1539530102,RESOLVE,,,,,,
2018-10-14 08:15:02 TCP/UDP: Preserving recently used remote address: [AF_INET]69.181.41.219:80
2018-10-14 08:15:02 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-10-14 08:15:02 UDP link local: (not bound)
2018-10-14 08:15:02 UDP link remote: [AF_INET]69.181.41.219:80
2018-10-14 08:15:02 MANAGEMENT: >STATE:1539530102,WAIT,,,,,,
2018-10-14 08:15:02 MANAGEMENT: >STATE:1539530102,AUTH,,,,,,
2018-10-14 08:15:02 TLS: Initial packet from [AF_INET]69.181.41.219:80, sid=bbe12a04 cc8f7c28
2018-10-14 08:15:02 VERIFY OK: depth=1, CN=DD-WRT CA
2018-10-14 08:15:02 VERIFY KU OK
2018-10-14 08:15:02 Validating certificate extended key usage
2018-10-14 08:15:02 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2018-10-14 08:15:02 VERIFY EKU OK
2018-10-14 08:15:02 VERIFY OK: depth=0, CN=server
2018-10-14 08:15:02 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1570'
2018-10-14 08:15:02 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
2018-10-14 08:15:02 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2018-10-14 08:15:02 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2018-10-14 08:15:02 [server] Peer Connection Initiated with [AF_INET]69.181.41.219:80
2018-10-14 08:15:03 MANAGEMENT: >STATE:1539530103,GET_CONFIG,,,,,,
2018-10-14 08:15:03 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-10-14 08:15:04 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 192.168.133.0 255.255.255.0,dhcp-option DNS 192.168.133.1,route-gateway 10.0.2.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.2.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2018-10-14 08:15:04 OPTIONS IMPORT: timers and/or timeouts modified
2018-10-14 08:15:04 OPTIONS IMPORT: --ifconfig/up options modified
2018-10-14 08:15:04 OPTIONS IMPORT: route options modified
2018-10-14 08:15:04 OPTIONS IMPORT: route-related options modified
2018-10-14 08:15:04 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-10-14 08:15:04 OPTIONS IMPORT: peer-id set
2018-10-14 08:15:04 OPTIONS IMPORT: adjusting link_mtu to 1625
2018-10-14 08:15:04 OPTIONS IMPORT: data channel crypto options modified
2018-10-14 08:15:04 Data Channel: using negotiated cipher 'AES-256-GCM'
2018-10-14 08:15:04 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-10-14 08:15:04 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-10-14 08:15:04 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2018-10-14 08:15:04 Opened utun device utun1
2018-10-14 08:15:04 MANAGEMENT: >STATE:1539530104,ASSIGN_IP,,10.0.2.2,,,,
2018-10-14 08:15:04 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-10-14 08:15:04 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-10-14 08:15:04 /sbin/ifconfig utun1 10.0.2.2 10.0.2.2 netmask 255.255.255.0 mtu 1500 up
2018-10-14 08:15:04 /sbin/route add -net 10.0.2.0 10.0.2.2 255.255.255.0
                                        add net 10.0.2.0: gateway 10.0.2.2
2018-10-14 08:15:04 /sbin/route add -net 69.181.41.219 192.168.43.83 255.255.255.255
                                        add net 69.181.41.219: gateway 192.168.43.83
2018-10-14 08:15:04 /sbin/route add -net 0.0.0.0 10.0.2.1 128.0.0.0
                                        add net 0.0.0.0: gateway 10.0.2.1
2018-10-14 08:15:04 /sbin/route add -net 128.0.0.0 10.0.2.1 128.0.0.0
                                        add net 128.0.0.0: gateway 10.0.2.1
2018-10-14 08:15:04 MANAGEMENT: >STATE:1539530104,ADD_ROUTES,,,,,,
2018-10-14 08:15:04 /sbin/route add -net 192.168.133.0 10.0.2.1 255.255.255.0
                                        add net 192.168.133.0: gateway 10.0.2.1
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Retrieved from OpenVPN: name server(s) [ 192.168.133.1 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '2600:1010:b016:c49b::5d 192.168.43.83' to '192.168.133.1'
                                        Changed DNS SearchDomains setting from '' to 'openvpn'
                                        Changed DNS DomainName setting from '' to 'openvpn'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '192.168.133.1' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2018-10-14 08:15:07 *Tunnelblick: No 'connected.sh' script to execute
2018-10-14 08:15:07 Initialization Sequence Completed
2018-10-14 08:15:07 MANAGEMENT: >STATE:1539530107,CONNECTED,SUCCESS,10.0.2.2,69.181.41.219,80,,

================================================================================

"Sanitized" full configuration file

client
auth RSA-SHA256
auth-nocache

# Use the same setting as you are using on
# the server.
dev tun0

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
remote XX.YY.ZZ 80

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
ca ca.crt
cert bucky.crt
key bucky.key
tls-auth ta.key 1

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# ns-cert-type server
remote-cert-tls server

# Enable compression on the VPN link.
# comp-lzo
compress lzo

# Allow me to change my IP address
# and/or port number (if I get a new
# local IP address at Starbucks).
float



================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000 
inet6 ::1 prefixlen 128 
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
XHC1: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
XHC0: flags=0<> mtu 0
en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether ac:de:48:00:11:22 
inet6 fe80::aede:48ff:fe00:1122%en5 prefixlen 64 scopeid 0x7 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 8c:85:90:b4:3a:23 
inet6 fe80::86e:782f:2796:ebb2%en0 prefixlen 64 secured scopeid 0x8 
inet6 2600:1010:b016:c49b:893:44a:dfe:9691 prefixlen 64 autoconf secured 
inet6 2600:1010:b016:c49b:94a9:3e67:129e:e00e prefixlen 64 autoconf temporary 
inet 192.168.43.117 netmask 0xffffff00 broadcast 192.168.43.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 0e:85:90:b4:3a:23 
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether 52:95:b2:08:78:91 
inet6 fe80::5095:b2ff:fe08:7891%awdl0 prefixlen 64 scopeid 0xa 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 76:00:54:d8:ae:05 
media: autoselect <full-duplex>
status: inactive
en4: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 76:00:54:d8:ae:04 
media: autoselect <full-duplex>
status: inactive
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 76:00:54:d8:ae:01 
media: autoselect <full-duplex>
status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 76:00:54:d8:ae:00 
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 76:00:54:d8:ae:01 
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
        ifmaxaddr 0 port 13 priority 0 path cost 0
member: en2 flags=3<LEARNING,DISCOVER>
        ifmaxaddr 0 port 14 priority 0 path cost 0
member: en3 flags=3<LEARNING,DISCOVER>
        ifmaxaddr 0 port 11 priority 0 path cost 0
member: en4 flags=3<LEARNING,DISCOVER>
        ifmaxaddr 0 port 12 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
vboxnet0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 0a:00:27:00:00:00 
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::3111:cf48:55b7:d286%utun0 prefixlen 64 scopeid 0x10 
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.2 --> 10.0.2.2 netmask 0xffffff00 

================================================================================

Console Log:

2018-10-14 08:08:59 Tunnelblick[73520] Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.8beta01 (build 5160)
2018-10-14 08:09:00 Tunnelblick[73520] Removed file: /Library/Application Support/Tunnelblick/expect-disconnect.txt
2018-10-14 08:09:00 Tunnelblick[73520] Sparkle: ===== Tunnelblick =====
2018-10-14 08:09:00 Tunnelblick[73520] Sparkle: Verified appcast signature

Mache Creeger

Oct 14, 2018, 12:15:06 PM
to tunnelblick-discuss
With this config, DNS resolution ceased to work at all, whereas using the earlier DNS/WINS: Set Nameserver 3.0b10 I had functioning (albeit from the ISP and not from the OpenVPN server LAN) DNS. I am able to access resources on the OpenVPN server LAN, but only if I use their LAN IP address explicitly (same as before).

Tunnelblick developer

Oct 14, 2018, 1:15:08 PM
to tunnelblick-discuss
If I understand you correctly, with "Set nameserver" (the second log), you don't get DNS. (You didn't let it be connected long enough to get Tunnelblick to diagnose that itself, but I'll take your word for it : )

Tunnelblick has set DNS to the address that OpenVPN specified, 192.168.133.1.

My conclusion is that that DNS server isn't working properly.

Mache Creeger

Oct 14, 2018, 1:31:21 PM
to tunnelblick-discuss
It certainly works as the DHCP allocated DNS for my home LAN. I am using it now. Moreover, when I am away from my home LAN, run Tunnelblick on the client Mac, and connect to the home LAN OpenVPN server, the Mac says that it is using the remote ISP's DNS and not the home LAN's 192.168.133.1 DNS server. The bug here is that the Tunnelblick log says it is using the home LAN 192.168.133.1 DNS, but "About this Mac" on the Apple Logo menu item says under System Report, Network that the DNS it is using is the remote ISP's DNS.

How can that be? 

Larry Rosenman

Oct 14, 2018, 1:36:33 PM
to tunnelbli...@googlegroups.com

I use our work server DNS (Consul/Unbound), and the options get pushed. The Apple Menu list still shows the DHCP provided address, but the actual resolver used is my Consul/Unbound servers. I know this because we use a private domain that is not resolvable publicly.

So, I'd ignore what the system report says, and trust what TunnelBlick says.

Also "scutil --dns" gives the right answer:

[lrosenman:~] $ scutil --dns
DNS configuration

resolver #1
  search domain[0] : w2
  search domain[1] : aws.w2
  search domain[2] : azure.w2
  search domain[3] : node.aws.w2
  search domain[4] : node.azure.w2
  search domain[5] : lerctr.org
  nameserver[0] : 172.31.0.102
  nameserver[1] : 172.31.1.242
  nameserver[2] : 172.31.6.37
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : w2
  search domain[1] : aws.w2
  search domain[2] : azure.w2
  search domain[3] : node.aws.w2
  search domain[4] : node.azure.w2
  search domain[5] : lerctr.org
  nameserver[0] : 172.31.0.102
  nameserver[1] : 172.31.1.242
  nameserver[2] : 172.31.6.37
  if_index : 6 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
[lrosenman:~] $


--

Larry Rosenman                     http://www.lerctr.org/~ler

Phone: +1 214-642-9640             E-Mail: larr...@gmail.com

US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106

--
You received this message because you are subscribed to the Google Groups "tunnelblick-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tunnelblick-dis...@googlegroups.com.
Visit this group at https://groups.google.com/group/tunnelblick-discuss.
For more options, visit https://groups.google.com/d/optout.

Mache Creeger

Oct 14, 2018, 1:45:18 PM
to tunnelblick-discuss



[attachment: Screen Shot 2018-10-14 at 10.37.24 AM.png]

$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : XX.COM
  nameserver[0] : 192.168.133.1
  if_index : 8 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : XX.COM
  nameserver[0] : 192.168.133.1
  if_index : 8 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

I still do not get DNS to resolve any domains, either internal to my LAN or external to the Internet, with this configuration. Somehow the DNS queries are not being either routed or responded to under OpenVPN, but they work fine when OpenVPN is not being used.


Larry Rosenman

Oct 14, 2018, 1:48:49 PM
to tunnelbli...@googlegroups.com

(coming in late)

What options do you have for DNS in the tunnelblick config, both basic and advanced, for that connection?

Mache Creeger

Oct 14, 2018, 1:53:40 PM
to tunnelblick-discuss
Running the OpenVPN config I get this

$ nslookup ibm.com
;; connection timed out; no servers could be reached

Without OpenVPN I get this

$ nslookup ibm.com
Server: 2600:1010:b016:c49b::64
Address: 2600:1010:b016:c49b::64#53

Non-authoritative answer:
Name: ibm.com
Address: 129.42.38.10

Mache Creeger

Oct 14, 2018, 2:03:05 PM
to tunnelblick-discuss
I tried it your way; no change. When I try to access the ibm.com web page I get a pop-up window that says: WARNING, After connecting to Home, DNS does not appear to be working.

This may mean that your VPN is not configured correctly.

When I run nslookup ibm.com it just hangs. 

Larry Rosenman

Oct 14, 2018, 2:04:59 PM
to tunnelbli...@googlegroups.com

Hrm. I’m at a loss here, as that config is literally what I’m running here, and I also have lots of users using the same config with my nameservers / vpn server.

Tunnelblick developer

Oct 14, 2018, 2:07:49 PM
to tunnelblick-discuss
Try "Set DNS (alternate 2)". It uses additional macOS commands to set the nameserver. It's experimental, but it would be interesting if it changes things. (I don't expect it to).

Otherwise, as I wrote earlier, it looks like the DNS the OpenVPN server is sending is wrong.

Try setting DNS manually to 8.8.8.8 (Google). Tunnelblick won't override the manual setting (unless told to do so in the Advanced settings).

Mache Creeger

Oct 14, 2018, 2:31:21 PM
to tunnelblick-discuss
Maybe it's some weird interaction with the OpenVPN server on DD-WRT.

Here is my config

Screen Shot 2018-10-14 at 11.29.51 AM.png



Screen Shot 2018-10-14 at 11.29.10 AM.png


Tunnelblick developer
Oct 14, 2018, 2:52:35 PM
to tunnelblick-discuss
If DD-WRT is acting as both the OpenVPN server and the DNS server, perhaps DD-WRT isn't forwarding the packets from OpenVPN to the DNS server.

Mache Creeger
Oct 14, 2018, 4:19:00 PM
to tunnelblick-discuss
OK, I have some iptables commands on DD-WRT. 

iptables -I FORWARD 1 --source 192.168.133.1/24 -j ACCEPT

iptables -I INPUT 1 -p udp --dport 80 -j ACCEPT
iptables -I INPUT 3 -i tun0 -j ACCEPT
iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 --source 10.0.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Is there routing information that would tell us? Can you suggest some CLI commands that I could run on the router?

Larry Rosenman
Oct 14, 2018, 4:20:51 PM
to tunnelbli...@googlegroups.com

I don’t see anything there for port 53 (both tcp and udp).
--
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 214-642-9640             E-Mail: larr...@gmail.com
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106

Tunnelblick developer
Oct 14, 2018, 4:36:13 PM
to tunnelblick-discuss
Getting OpenVPN -> DNS working must be a common DD-WRT issue -- if nobody helps here you might want to look for help with this from DD-WRT experts or forums.

Mache Creeger
Oct 14, 2018, 4:47:49 PM
to tunnelblick-discuss
I updated the firewall script with port 53, still no go. 

iptables -I INPUT -i `get_wanface` -p tcp --dport 22 -j ACCEPT   # --dport needs a protocol; note this opens SSH to the whole Internet
iptables -I OUTPUT -o `get_wanface` -p udp --dport 53 -j ACCEPT  # OUTPUT matches the outgoing interface (-o); -i is not valid here
iptables -I FORWARD --source 192.168.133.1/24 -j ACCEPT
iptables -I INPUT -p udp --dport 80 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 --source 10.0.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Also, the br0-to-tun0 rules should cover all ports, including 53.


Larry Rosenman
Oct 14, 2018, 4:51:32 PM
to tunnelbli...@googlegroups.com

I’m not an IPTables expert. As jkbullard (Tunnelblick developer) says, check with the DD-WRT folks/lists/etc.


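The firewall rules and the dnsmasq question in the posts above reduce to two checks on the router: does the INPUT chain let a UDP/53 packet arriving on the tunnel device through, and is dnsmasq listening on that device at all. The script below is an added example, not code from this thread or from DD-WRT, that answers both from the text of iptables-save and of the Additional DNSMasq Options box. The sample rule set is constructed after the rules posted above, which accept everything on tun0, and is evaluated for a tunnel on tun2, the device the final how-to in this thread uses; whether that was the actual cause here is not established in the thread. The interface names, the 10.0.2.0/24 VPN subnet and the 10.0.2.6 client address are assumptions.

```python
"""Router-side audit of the VPN-client to router-DNS path this thread is about.

Added example, not code from the thread or from DD-WRT.  From `iptables-save`
text and the "Additional DNSMasq Options" text it reports, for a UDP/53 packet
from the VPN subnet arriving on the tunnel interface, the filter INPUT verdict
(first match wins, policy as fallback; only -i/-s/-p/--dport/--state and
terminal targets are modelled, jumps to user chains are not followed, so DROP
means "no rule proves it allowed") and whether dnsmasq is bound to that
interface (with interface= lines present it listens only on those, plus lo).
All sample texts are constructed.
"""
import ipaddress
import re
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MATCH_OPTS = ("-i", "-s", "-p", "-j", "--dport", "--state", "--ctstate")


def parse_rule(tokens):
    """Reduce the arguments after '-A CHAIN' to a dict of modelled options."""
    rule, it = {}, iter(tokens)
    for tok in it:
        if tok in MATCH_OPTS:
            rule[tok] = next(it)
        elif tok == "-m":                # match module name; its options follow
            next(it)
    return rule


def parse_filter_chain(save_text, chain):
    """Return (policy, [rules]) for one chain of the filter table."""
    policy, rules, table = None, [], None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith(f"-A {chain} "):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules


def rule_matches(rule, pkt):
    """pkt = {'iface', 'src', 'proto', 'dport'}; options not modelled match."""
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if "-p" in rule and rule["-p"] not in ("all", pkt["proto"]):
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in \
            ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    state = rule.get("--state") or rule.get("--ctstate")
    if state and "NEW" not in state.split(","):
        return False                     # a fresh query is a NEW conntrack entry
    return True


def input_verdict(save_text, pkt):
    """Walk INPUT top to bottom; return (verdict, matching rule or None)."""
    policy, rules = parse_filter_chain(save_text, "INPUT")
    for rule in rules:
        if rule.get("-j") in TERMINAL and rule_matches(rule, pkt):
            return rule["-j"], rule
    return policy or "ACCEPT", None


def dnsmasq_listens_on(options_text, iface):
    """True if dnsmasq will answer on iface given its interface= lines."""
    ifaces = re.findall(r"^\s*interface\s*=\s*(\S+)", options_text, re.M)
    return not ifaces or iface in ifaces


def audit_dns_path(save_text, dnsmasq_text, tun_iface, client_ip):
    """Return the problems found; [] means the DNS path looks open."""
    pkt = {"iface": tun_iface, "src": client_ip, "proto": "udp", "dport": 53}
    verdict, _ = input_verdict(save_text, pkt)
    findings = []
    if verdict != "ACCEPT":
        findings.append(f"INPUT: {verdict} for udp/53 from {client_ip} on {tun_iface}")
    if not dnsmasq_listens_on(dnsmasq_text, tun_iface):
        findings.append(f"dnsmasq: interface= lines present but none for {tun_iface}")
    return findings


# Constructed after the rules posted above, which admit everything on tun0; the
# tunnel is evaluated as tun2 (assumed), the device the final how-to configures.
SAVE_BEFORE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
COMMIT
"""
# Least-privilege fix: DNS only, from the VPN subnet only, on the tunnel only.
SAVE_AFTER = SAVE_BEFORE.replace("-A INPUT -p udp", "-A INPUT -i tun2 -s 10.0.2.0/24 -p udp -m udp --dport 53 -j ACCEPT\n-A INPUT -p udp", 1)
DNSMASQ_BEFORE = "interface=br0\n"
DNSMASQ_AFTER = "interface=br0\ninterface=tun2\n"

if __name__ == "__main__":
    for label, s, d in (("before", SAVE_BEFORE, DNSMASQ_BEFORE), ("after", SAVE_AFTER, DNSMASQ_AFTER)):
        print(label, audit_dns_path(s, d, "tun2", "10.0.2.6") or "ok")
```

On the router the two inputs are the output of iptables-save and the contents of the DNSMasq options box. The evaluator deliberately stops at terminal targets and does not follow jumps to user chains, so DROP means no rule proved the packet allowed, not that it is certainly dropped. The rule added in SAVE_AFTER is narrower than the `-i tun0 -j ACCEPT` used above: it admits only DNS, only from the VPN subnet, which is all a LAN-name lookup needs; anything else from the tunnel, SSH on port 22 for instance, still falls through to the chain policy.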
Mache Creeger
Oct 17, 2018, 9:36:09 PM
to tunnelbli...@googlegroups.com
Updated October 24, 2018

Below are the steps I followed to get Tunnelblick 3.7.8beta01 (build 5160) on a MacBook Pro with macOS Mojave 10.14, and/or OpenVPN for Android on Android 9, connecting to an OpenVPN server running DD-WRT v3.0-r36527 std 8/9/18 firmware on a Netgear R7000 router.

1. Create Certificates and Keys


I would suggest that one generate 4096-bit keys rather than the default 2048-bit keys. This will require changes to the vars file prior to key generation. 

This will generate a ~/EasyRSA-X.Y.Z directory.

2. Create ta.key

SSH or Telnet to the DD-WRT router command line. 

Run the following commands

# openvpn --genkey --secret ta.key

# cat ta.key

Highlight the key contents and copy to TextEdit on the Mac. 

Save TextEdit ta.key file to the ~/EasyRSA-X.Y.Z/pki/private/ directory on the Mac

Delete the ta.key file on the router's DD-WRT command line:

# rm ta.key 

3. OpenVPN Server

On the Services, VPN area of the router's DD-WRT web configuration page add the following information. 

OpenVPN Server/Daemon

OpenVPN: Enable

Start Type: System

Config as: Server

Server mode: Router (TUN)

Network: (local private network that is different from your primary LAN - My primary LAN is 192.168.x.0 and I put in 10.x.y.0)

Netmask: 255.255.255.0

Port: (default is 1194, I put in 80, others like 443)

Tunnel Protocol: UDP

Encryption Cipher: AES-256 CBC

Hash Algorithm: SHA256

Advanced Options: Enable

TLS Cipher: None

LZO Compression: Yes

Redirect default Gateway: Enable

Allow Client to Client: Enable

Allow duplicate cn: Disable

Tunnel MTU setting: 1500

Tunnel UDP Fragment: Leave blank

Tunnel UDP MSS-Fix: Disable

CCD-Dir DEFAULT file: Leave empty

Client connect script: Leave empty

Static Key: Leave empty

PKCS12 Key: Leave empty

Public Server Cert: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/issued/server.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----

CA cert: Paste the contents of ~/EasyRSA-X.Y.Z/pki/ca.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----

Private Server Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/server.key file found on the Mac. Make sure it only includes lines between and including -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----

DH PEM: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/dh.pem file found on the Mac. Make sure it only includes lines between and including -----BEGIN DH PARAMETERS-----, -----END DH PARAMETERS-----

Additional Config:

push "route 192.168.x.0 255.255.255.0"
push "dhcp-option DNS 192.168.x.1"

TLS Auth Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/ta.key file found on the Mac. 

At the bottom of the web page, first click on Save, and when the page comes back, click on Apply Settings

Go to Services, Services web configuration page

Find the Additional DNSMasq Options window

Add the following statement. 

interface=tun2

Click on Save, and after the page comes back click on Apply Settings

Go to Administration, Commands web page

Add the following command to the Firewall. 

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

Once you added this statement click on Save Firewall. 

When the web page comes back, click on Administration, Management

At the bottom of the page click on the red Router Reboot button and reboot the router. Wait 3 minutes for the router to complete its reboot. 

4. Tunnelblick on the Mac

Install Tunnelblick on the Mac

Launch Tunnelblick on the Mac. 

Create a folder on your Desktop named <session_name>. I called mine Home.

Add the following statements to TextEdit. 

client
auth RSA-SHA256
cipher AES-256-CBC
auth-nocache

# Use the same setting as you are using on the server.
dev tun2

# Are we connecting to a TCP or UDP server?  Use the same setting as on the server.
proto udp
tun-mtu 1500

# The hostname/IP and port of the server.
remote <internet domain of OpenVPN server> <port that was defined on the DD-WRT OpenVPN web configuration page>

resolv-retry infinite

# Most clients don't need to bind to a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parameters
ca ca.crt
cert <client_name1>.crt
key <client_name1>.key
tls-auth ta.key 1

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# ns-cert-type server
remote-cert-tls server

# Enable compression on the VPN link.
# comp-lzo
compress lzo

# Allow me to change my IP address and/or port number (if I get a new local IP address at Starbucks).
float

Save the file with the name <session_name>.conf to the <session_name> desktop folder

Copy to the Desktop <session_name> folder:

~/EasyRSA-X.Y.Z/pki/private/ta.key
~/EasyRSA-X.Y.Z/pki/private/<client_name1>.key
~/EasyRSA-X.Y.Z/pki/issued/<client_name1>.crt
~/EasyRSA-X.Y.Z/pki/ca.crt

Once all the files are in the folder rename the <session_name> folder to <session_name>.tblk

The folder will then convert itself to a file. 

Click and drag that file to the Tunnelblick icon at the top of the screen. When you see a + show up, release the click. 

Add the session to ALL users of the Mac

Delete the <session_name>.tblk file from the Desktop.

Click on the Tunnelblick icon at the top of the screen on the Mac and click on VPN Details. 

Highlight the <session_name>.

In the VPN Details screen click on the gear icon at the bottom left of the window. 

Scroll down and click on Make Configuration Private. 

Type in the Mac password when requested. 

Log into a WiFi link that is not on your local LAN. For testing I use my smartphone hotspot. Click on Tunnelblick icon and click on Connect to start up VPN. 

5. OpenVPN on Android

Install OpenVPN for Android (OfA) from the Play Store

Copy the following files from your Mac laptop to a USB thumb drive. 

~/EasyRSA-X.Y.Z/pki/private/ta.key
~/EasyRSA-X.Y.Z/pki/private/<client_name2>.key
~/EasyRSA-X.Y.Z/pki/issued/<client_name2>.crt
~/EasyRSA-X.Y.Z/pki/ca.crt

Transfer those files to the internal storage of the Android mobile device. 

Open OfA

At the top portion of the screen tap on SETTINGS

Show log window: Checked

OpenVPN 3 Core: Checked

Connect on boot: Unchecked

Reconnect on network change: Checked

Pause VPN connection after screen off: Checked

At the top right portion of the screen tap the circle plus icon

Edit the profile by tapping the pencil icon to the right of its name

Go to the BASIC tab

Name the profile. I use Home

Check LZO Compression

For the CA Certificate select the path to the ca.crt file
For the Client Certificate select the path to the <client_name2>.crt file
For the Client Certificate Key select the path to the <client_name2>.key file

Go to the SERVER tab

Server Address: <internet domain of OpenVPN server>

Server Port: <port that was defined on the DD-WRT OpenVPN web configuration page>

Protocol: UDP

Proxy: None

Connect Timeout: 120

Custom Options: Unchecked

Go to the IP AND DNS tab

Pull Settings: Enabled

No local binding: Checked

Override DNS Settings by Server: Unchecked

Go to ROUTING Tab

Ignore pushed routes: Unchecked

Bypass VPN for local networks: Unchecked

IPv4

Use default Route: Checked

IPv6

Use default Route: Unchecked

Go to the AUTHENTICATION/ENCRYPTION tab

Expect TLS server certificate: Checked

Certificate Hostname Check: Checked

Remote certificate subject

RDN (common name)

-- Leave Blank --

X.509 Username Field

-- Leave Blank --

TLS Authentication/Encryption

Use TLS Authentication: Enabled

TLS Auth File: Select the path to the ta.key file

TLS Direction: 1

Encryption

Encryption Cypher: AES-256-CBC

Go to the ADVANCED tab

Client behavior

Persistent tun: Checked

Push Peer info: Unchecked

Random Host Prefix: Unchecked

Allow floating server: Checked

Payload options

Override MSS value of TCP payload: Unchecked

Tunnel MTU (tun-mtu): Using default (1500) MTU

Custom Options

persist-key
auth SHA256

Reconnection settings

Connection retries

Unlimited reconnection retries

Seconds between connections

2 s

Maximum time between connection attempts

300 s

To test, turn off WiFi on phone

Exit out of OfA edit mode to the main screen. Tap the profile name to connect to the OpenVPN server.
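
The client file from the how-to above is worth a mechanical check for the points this thread turned on. The first config in the thread carried push and the DNS option on the client side, where OpenVPN ignores them (DNS has to be pushed by the server, as the Additional Config box in step 3 now does), and both versions keep remote-cert-tls server and tls-auth, the two lines that stop another holder of a certificate from the same CA from posing as the server. The linter below is an added example, not code from this thread, from Tunnelblick or from OpenVPN. Its two sample configs are constructed from the directives quoted in this thread; vpn.example.net and the file names are placeholders. It also flags data-channel compression, which the how-to enables on both sides with compress lzo and LZO Compression: Yes; OpenVPN has advised turning compression off since the VORACLE disclosure in August 2018.

```python
"""Lint an OpenVPN client config for the points this thread turns on.

Added example; not code from the thread, Tunnelblick or OpenVPN.  It reads the
directive lines of a .conf/.ovpn text ('#'/';' comments stripped, inline
<ca>...</ca> blocks skipped) and flags: server-only directives a client ignores
('push' is how the thread began: DNS must be pushed by the server); a missing
'remote-cert-tls server' (without it any cert from the same CA, another
client's included, is accepted as the server); no tls-auth/tls-crypt; data
compression (comp-lzo, compress lzo/lz4), advised against by OpenVPN since the
2018 VORACLE disclosure; MD5/SHA1 HMAC (SHA1 is the default without 'auth'),
BF/DES ciphers and the removed 'ns-cert-type'.  Samples are constructed.
"""
import shlex

SERVER_ONLY = {"push", "server", "server-bridge", "dh", "client-to-client",
               "duplicate-cn", "client-config-dir", "ifconfig-pool-persist"}
WEAK_DIGESTS = {"md5", "sha1", "sha", "none"}
WEAK_CIPHERS = {"bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "none"}
COMPRESSING = {"lzo", "lz4", "lz4-v2"}


def parse_directives(text):
    """Yield (name, [args]) per effective line; an inline PEM block yields once."""
    inside = None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                                  # skip the PEM body
            if line == f"</{inside}>":
                inside = None
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("<") and line.endswith(">"):
            inside = line[1:-1]
            yield inside.lower(), ["<inline>"]
            continue
        name, *args = shlex.split(line)
        yield name.lower(), args


def lint_client_config(text):
    """Return a list of findings (strings); [] means nothing was flagged."""
    seen, findings = {}, []
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)
        if name in SERVER_ONLY:
            findings.append(f"{name}: server-side directive, silently ignored by a client")
    if not seen.keys() & {"client", "tls-client"}:
        findings.append("client: missing; this is not a client config")
    if "remote" not in seen:
        findings.append("remote: missing; no server to connect to")
    if seen.get("remote-cert-tls", [[]])[-1] != ["server"]:
        findings.append("remote-cert-tls server: missing; any cert from the same CA would be accepted as the server")
    if "ns-cert-type" in seen:
        findings.append("ns-cert-type: removed in OpenVPN 2.5; use remote-cert-tls")
    if not seen.keys() & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("tls-auth/tls-crypt: missing; control channel has no pre-shared HMAC")
    if seen.get("comp-lzo", [["no"]])[-1] != ["no"]:
        findings.append("comp-lzo: data compression enabled (VORACLE); remove it")
    for args in seen.get("compress", []):
        if args and args[0].lower() in COMPRESSING:
            findings.append(f"compress {args[0]}: data compression enabled (VORACLE); use bare 'compress' or drop it")
    auth = (seen.get("auth", [["SHA1"]])[-1] or ["SHA1"])[0].lower()
    if auth in WEAK_DIGESTS or auth.endswith(("sha1", "md5")):
        findings.append(f"auth {auth}: weak HMAC digest; use SHA256 or stronger")
    cipher = (seen.get("cipher", [[""]])[-1] or [""])[0].lower()
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: weak or no data-channel cipher")
    elif not cipher and not seen.keys() & {"data-ciphers", "ncp-ciphers"}:
        findings.append("cipher: not pinned; a pre-2.4 peer falls back to BF-CBC")
    return findings


# Constructed after the client file this thread opened with: 'push' on the
# client side, no cipher pinned, compression on.  Host name is a placeholder.
CLIENT_BEFORE = """\
client
auth RSA-SHA256
auth-nocache
redirect-gateway def1
push "dhcp-option DNS 192.168.X.1"
dev tun0
proto udp
remote vpn.example.net 80   # placeholder, not the poster's host
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
# ns-cert-type server
remote-cert-tls server
# comp-lzo
compress lzo
"""
# Constructed after the final how-to's client file, with compression dropped.
CLIENT_AFTER = CLIENT_BEFORE.replace("redirect-gateway def1\n", "cipher AES-256-CBC\n") \
    .replace('push "dhcp-option DNS 192.168.X.1"\n', "").replace("dev tun0", "dev tun2") \
    .replace("compress lzo\n", "")

if __name__ == "__main__":
    for label, cfg in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        print(label, lint_client_config(cfg) or "ok")
```

Run it to see the findings for both samples; for a real configuration, read the .conf inside the .tblk bundle and pass its text to lint_client_config. Turning compression off means changing both ends together (LZO Compression: No on the DD-WRT page, and no compress line in the client), since the two peers have to agree on it.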

Tunnelblick developer
Oct 17, 2018, 10:28:27 PM
to tunnelblick-discuss
Thanks, Mache, for posting such detailed instructions.

On Wednesday, October 17, 2018 at 9:36:09 PM UTC-4, Mache Creeger wrote:
Below are the steps I followed to get Tunnelblick 3.7.8beta01 (build 5160) on a MacBook Pro with macOS Mojave, 10.14 connecting to an OpenVPN server running DD-WRT v3.0-r36527 std 8/9/18 firmware on a Netgear R7000 router.  

1. Create Certificates and Keys


This will generate an EasyRSA-X.Y.Z directory. 

2. Create ta.key

SSH or Telnet to the DD-WRT router command line. 

Run the following commands

# openvpn --genkey --secret ta.key

# cat ta.key

Highlight the key and copy it to TextEdit on the Mac. 
proto udp
dev tun0
push "redirect-gateway def1"
push "route 192.168.x.0 255.255.255.0"   # the primary LAN of the router
push "dhcp-option DNS 192.168.x.1"       # the DNS server for the LAN; on my LAN it is the router
keepalive 10 120
daemon
verb 5

Note** - This configuration may have some redundant statements but I know it works. Optimize at your own risk. 

TLS Auth Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/ta.key file found on the Mac. 

At the bottom of the web page, first click on Save, and when the page comes back, click on  Apply Settings

Go to Services, Services web configuration page

Find the Additional DNSMasq Options window

Add the following statement. 

interface=tun0

Click on Save, and after the page comes back click on Apply Settings

Go to Administration, Commands web page

Add the following commands to the Firewall. 

iptables -I FORWARD --source 192.168.x.1/24 -j ACCEPT        # the LAN address of the router
iptables -I INPUT -p udp --dport <X> -j ACCEPT                # port <X> chosen on the Services, VPN configuration page
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 --source 10.x.y.0/24 -j ACCEPT          # the VPN network from the Services, VPN OpenVPN configuration
iptables -t nat -A POSTROUTING -s 10.x.y.0/24 -j MASQUERADE   # the same VPN network
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

Note it might be possible to successfully run by deleting all or some of the above Firewall statements except the last one. I know that it works as published and optimizations are left as an exercise to the reader. 

Once you added these statements click on Save Firewall. 

When the web page comes back, click on Administration, Management

At the bottom of the page click on the red Router Reboot button and reboot the router. Wait 3 minutes for the router to complete its reboot. 

4. Tunnelblick on the Mac

Install Tunnelblick on the Mac

Launch Tunnelblick on the Mac. 

Create a folder on your Desktop with the <session_name>. I called mine Home.

Add the following statements to TextEdit. 

client
auth RSA-SHA256
cipher AES-256-CBC
auth-nocache

# Use the same setting as you are using on
# the server.
dev tun0

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp
tun-mtu 1500

# The hostname/IP and port of the server.
remote <internet domain of OpenVPN server> <port that was defined on the DD-WRT OpenVPN web configuration page>

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
ca ca.crt
cert <client_name>.crt
key <client_name>.key
tls-auth ta.key 1

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# ns-cert-type server
remote-cert-tls server

# Enable compression on the VPN link.
# comp-lzo
compress lzo

# Allow me to change my IP address
# and/or port number (if I get a new
# local IP address at Starbucks).
float

Save the file with the name <session_name>.conf to the desktop folder

Add to that folder, the ca.crt, <client_name>.crt, <client_name>.key, and ta.key

Once all the files are in the folder rename the folder to <session_name>.tblk

The folder will then convert itself to a file. 

Click and drag that file to the Tunnelblick icon at the top of the screen. When you see a + show up, release the click. 

Add the session to ALL users of the Mac

Delete the <session_name>.tblk file from the Desktop.

Click on the Tunnelblick icon at the top of the screen on the Mac and click on VPN Details. 

Highlight the <session_name>.

In the VPN Details screen click on the gear icon at the bottom left of the page. 

Scroll down and click on Make Configuration Private. 

Type in the Mac password when requested. 

Log into a WiFi link that is not on your local LAN. For testing I use my smartphone hotspot. Click on Tunnelblick icon and click on Connect to start up VPN. 

Use the Internet over VPN. 


Mache Creeger
Oct 24, 2018, 10:41:42 AM
to tunnelblick-discuss
I updated / optimized my OpenVPN How To configuration guide for the DD-WRT OpenVPN server, the macOS Tunnelblick client, and the OpenVPN for Android client that was posted earlier in this thread.