Tunnelblick VPN / OpenVPN frequently cause internet to hang


Sean Hollen

Jul 15, 2024, 2:33:03 AM (8 days ago) Jul 15
to tunnelblick-discuss
Apologies if I've left out any important details:
- When the Internet hangs, webpages take forever to load.
- Tunnelblick icon still says connected
- The Wifi connection still says connected
- The only way to get pages to load again is to disconnect and re-connect to Tunnelblick. This is what leads me to believe the problem is with the VPN.
- When I disconnect VPN, the webpages immediately load again. When I reconnect to VPN, then pages continue to load correctly, and I experience no hanging for a while, until the next "hanging incident". There are several hanging incidents a day.
- This does not seem to be related to the browser
- This does not seem to be related to the Wifi network
- I've tried a couple different Tunnelblick versions
- I haven't gleaned any important information from the Tunnelblick logs

Tunnelblick developer

Jul 15, 2024, 8:16:00 AM (8 days ago) Jul 15
to tunnelblick-discuss
Some questions:
  • When you say " When the Internet hangs, webpages take forever to load", do they eventually load, or do they stop loading completely?
  • Are you located somewhere that might be censoring the Internet?
  • Does this happen a specific amount of time after the VPN is connected? (For example, 15 minutes after connecting the VPN.)
  • Who provided your VPN configuration?
Please post Tunnelblick's "Diagnostic Info" by following the instructions at Read Before You Post, but also note carefully the time that the problem starts happening (so we can look at what's happening in the log at that time).


Sean Hollen

Jul 15, 2024, 11:39:11 PM (7 days ago) Jul 15
to tunnelblick-discuss

* When you say " When the Internet hangs, webpages take forever to load", do they eventually load, or do they stop loading completely?
It takes forever to load. I can't rule out that if I waited for an hour it would load eventually, but as far as I know, they never load
* Are you located somewhere that might be censoring the Internet?
No. It's 100% of the Internet, not certain websites, and I also get it on my home Internet, so my office isn't intending it. I've also lived in countries that censor the internet, and this isn't like that.
* Does this happen a specific amount of time after the VPN is connected? (For example, 15 minutes after connecting the VPN.)
It's relatively consistent lengths of time, although I haven't timed it (I don't know if that would be useful). It gives me maybe 30 minutes. Although when this first started happening, it was maybe once every few days, and it has gotten gradually worse over time.
* Who provided your VPN configuration?
My work provided it
* Please post Tunnelblick's "Diagnostic Info"
I can DM you the logs.

Sean Hollen

Jul 15, 2024, 11:43:00 PM (7 days ago) Jul 15
to tunnelblick-discuss
In the process of obtaining the logs, I found the following error message:

```
* DNS server address 127.0.0.1 is being used for VPN '<my-configuration>' but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
```

I think the reason I didn't see this error message previously was because I possibly had "Do not warn about this DNS problem again" checked.

Tunnelblick developer

Jul 16, 2024, 7:37:27 AM (7 days ago) Jul 16
to tunnelblick-discuss
The timing would be very useful. For example, if the problem happens a certain amount of time after you connect the VPN, that could indicate a problem with the VPN's renegotiation, which may happen periodically. If the problem happens a certain amount of time after the computer boots or the network interface is connected, that could indicate a problem caused by a DHCP renewal. The former is more common, so that's what I asked for first.

We don't DM; you can email the Diagnostic Info to devel...@tunnelblick.net. Security-related items such as certificates and passwords are not included – you can manually redact public IP addresses.

Sean Hollen

Jul 16, 2024, 11:57:42 PM (6 days ago) Jul 16
to tunnelblick-discuss
Thanks, I just emailed the logs to devel...@tunnelblick.net. The log was taken right after I disconnected due to lack of connection.

Today, I also kept notes of how long the Internet was loading before it required vpn disconnection. The times were: 56m13s, 33m58s, 24m47s, 5m23s. That's all that I recorded. I did not reboot my computer once today.

Tunnelblick developer

Jul 17, 2024, 6:29:08 AM (6 days ago) Jul 17
to tunnelblick-discuss
I received the diagnostic info. There is a peculiar discrepancy in the logs:

```
11:51:35 *Tunnelblick:  Changed DNS ServerAddresses setting from '1.1.1.1 1.0.0.1' to '8.8.8.8'
...
11:51:35 *Tunnelblick:  DNS servers '8.8.8.8' will be used for DNS queries when the VPN is active
...
2024-07-15 11:51:36.622057 *Tunnelblick: Warning: DNS server address 127.0.0.1 is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
```

This discrepancy (which DNS server will be used: 8.8.8.8 or 127.0.0.1) does indeed indicate that multiple network interfaces are active. That's supported by the output of ifconfig.

My suggestion is to try putting a check in the "Disable secondary network interfaces" checkbox.

=======================

Also, you might want to bring these entries to the attention of your VPN administrators:

```
2024-07-15 11:51:29.197853 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
...
2024-07-15 11:51:30.055065 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
```

Sean Hollen

Jul 19, 2024, 1:06:05 AM (4 days ago) Jul 19
to tunnelblick-discuss
Hey,

I checked the "Disable secondary network interfaces" checkbox, and that seemed to work to some extent. Errors are less frequent now, when before they were every 30 minutes.

However, I now get a different error which I think is connected. On my Mac, there's an exclamation mark over the Wifi symbol. It says, "Wifi: Not Configured". This occurs maybe every 3 hours.

It seems like it needs to change to a secondary network interface, but can't? The only way I've found to get the internet working again is to disconnect, untoggle the "Disable secondary", and reconnect (I can re-toggle the disable secondary right afterwards). Sometimes it's particularly difficult, giving me the spinning wheel, and I need to force quit Tunnelblick.

Btw, I see mention of 127.0.0.1 in my /etc/hosts, which itself I don't think is a problem, but maybe this address has special significance? I don't know much about server addresses.

> Also, you might want to bring these entries to the attention of your VPN administrators:
> 2024-07-15 11:51:29.197853 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
> ...
> 2024-07-15 11:51:30.055065 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Do you think these errors are related to my main issue, or just unrelated irregularities?

Tunnelblick developer

Jul 19, 2024, 8:45:18 AM (3 days ago) Jul 19
to tunnelblick-discuss
I think what's happening now is (assuming your primary network interface is Wi-Fi):
  1. At some point your Wi-Fi becomes unavailable (you see the exclamation mark).
  2. Because (now) all other network interfaces are disabled (by Tunnelblick), your computer has no connection to the Internet.
  3. OpenVPN can't communicate with the VPN server, so it attempts to reconnect to the VPN server, but, because there is no Internet connection it can't, so it attempts to reconnect again and again.
  4. Because of a bug in Tunnelblick 4.0.1 (which is fixed in Tunnelblick 5.0.1beta01 and higher), OpenVPN tries to reconnect thousands or tens of thousands of times per second, which causes Tunnelblick to hang, and you see the "spinning wheel".
3. and 4. only happen if OpenVPN realizes that it can't communicate with the server, which happens some time after the loss of the Wi-Fi connection. If you disconnect the VPN before that happens, you won't get the "spinning wheel".

Two recommendations:
  • Update to Tunnelblick 6.0beta04 so Tunnelblick stops hanging. It's reasonably stable and will be the basis for our next stable release.
  • Turn Wi-Fi off, then back on again, when the Wi-Fi symbol in the menu/status bar shows an exclamation mark. See if the exclamation mark disappears.
These may not solve the main problem, but should make it easier to recover from the main problem so it can be investigated further.

An important question is: why does your Wi-Fi disconnect? Please describe what device provides Wi-Fi, and anything that might be causing the Wi-Fi to stop working: are you moving your computer to another location? Connecting so many other devices to Wi-Fi that it refuses to renew your computer's DHCP lease?

======

127.0.0.1 is a special address for your computer. Unless you've installed or enabled a DNS server/resolver on your computer, it should never be used for DNS. The only other thing I can think of is that, when you have no Internet connection at all, macOS falls back to using your own computer as the DNS server.

======

The other two issues I pointed out are not related to the main issue, but they are configuration choices that lessen the security of your VPN, so I recommend that you bring them to the attention of your company's IT department. (The second one is more important; the first one may not be a problem if their VPN server is set up so it does not use compression.)
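
The two OpenVPN warnings quoted in this thread can be checked for directly in a client configuration file before it is handed out. The following is an added example, not part of the thread and not Tunnelblick or OpenVPN code; the directive lists are this example's approximation of the conditions behind the warnings, and the sample configurations and `vpn.example.com` are constructed.

```python
import shlex

# Directives that let the client verify the server certificate (example's list).
VERIFY = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name",
          "tls-verify", "verify-hash", "peer-fingerprint", "ns-cert-type"}
# "compress" arguments that set framing only and do not compress data.
STUB_ALGS = {"stub", "stub-v2", "migrate"}

def parse_directives(text):
    """Yield (name, args), skipping comments and inline <ca>...</ca> blocks."""
    block = None
    for line in map(str.strip, text.splitlines()):
        if block:
            block = None if line == f"</{block}>" else block
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
        elif line and line[0] not in "#;":
            parts = shlex.split(line, comments=True)
            if parts:
                yield parts[0].lstrip("-"), parts[1:]

def audit(text):
    """Return findings for one client configuration, in a fixed order."""
    directives = list(parse_directives(text))
    names = {name for name, _ in directives}
    allow = [args[0] for name, args in directives
             if name == "allow-compression" and args]
    findings = []
    if allow[-1:] != ["no"]:  # "allow-compression no" refuses compression
        for name, args in directives:
            if name == "comp-lzo" and args[:1] != ["no"]:
                findings.append("compression: comp-lzo")
            elif name == "compress" and args and args[0] not in STUB_ALGS:
                findings.append("compression: compress " + args[0])
    if names & {"client", "tls-client"} and not names & VERIFY:
        findings.append("no server certificate verification")
    return findings

# Constructed sample configurations (vpn.example.com is a placeholder).
WEAK = ("client\nremote vpn.example.com 1194 udp\ncomp-lzo\n"
        "<ca>\n(constructed placeholder)\n</ca>\n")
HARDENED = ("client\nremote vpn.example.com 1194 udp\nallow-compression no\n"
            "remote-cert-tls server\nverify-x509-name vpn.example.com name\n")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

A client-side check only sees what is written in the file; options pushed by the server at connect time still have to be confirmed in the connection log.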