Tunnelblick VPN / OpenVPN frequently cause internet to hang


Sean Hollen

Jul 15, 2024, 2:33:03 AM
to tunnelblick-discuss
Apologies if I've left out any important details:
- When the Internet hangs, webpages take forever to load.
- Tunnelblick icon still says connected
- The Wifi connection still says connected
- The only way to get pages to load again is to disconnect and re-connect to Tunnelblick. This is what leads me to believe the problem is with the VPN.
- When I disconnect VPN, the webpages immediately load again. When I reconnect to VPN, then pages continue to load correctly, and I experience no hanging for a while, until the next "hanging incident". There are several hanging incidents a day.
- This does not seem to be related to the browser
- This does not seem to be related to the Wifi network
- I've tried a couple different Tunnelblick versions
- I haven't gleaned any important information from the Tunnelblick logs

Tunnelblick developer

Jul 15, 2024, 8:16:00 AM
to tunnelblick-discuss
Some questions:
  • When you say " When the Internet hangs, webpages take forever to load", do they eventually load, or do they stop loading completely?
  • Are you located somewhere that might be censoring the Internet?
  • Does this happen a specific amount of time after the VPN is connected? (For example, 15 minutes after connecting the VPN.)
  • Who provided your VPN configuration?
Please post Tunnelblick's "Diagnostic Info" by following the instructions at Read Before You Post, but also note carefully the time that the problem starts happening (so we can look at what's happening in the log at that time).


Sean Hollen

Jul 15, 2024, 11:39:11 PM
to tunnelblick-discuss

* When you say " When the Internet hangs, webpages take forever to load", do they eventually load, or do they stop loading completely?
It takes forever to load. I can't rule out that if I waited for an hour it would load eventually, but as far as I know, they never load
* Are you located somewhere that might be censoring the Internet?
No. It's 100% of the Internet, not certain websites, and I also get it on my home Internet, so my office isn't intending it. I've also lived in countries that censor the internet, and this isn't like that.
* Does this happen a specific amount of time after the VPN is connected? (For example, 15 minutes after connecting the VPN.)
It's relatively consistent lengths of time, although I haven't timed it (I don't know if that would be useful). It gives me maybe 30 minutes. Although when this first started happening, it was maybe once every few days, and it has gotten gradually worse over time.
* Who provided your VPN configuration?
My work provided it
* Please post Tunnelblick's "Diagnostic Info"
I can DM you the logs.

Sean Hollen

Jul 15, 2024, 11:43:00 PM
to tunnelblick-discuss
In the process of obtaining the logs, I found the following error message:

```
* DNS server address 127.0.0.1 is being used for VPN '<my-configuration>' but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
```

I think the reason I didn't see this error message previously was because I possibly had "Do not warn about this DNS problem again" checked.

Tunnelblick developer

Jul 16, 2024, 7:37:27 AM
to tunnelblick-discuss
The timing would be very useful. For example, if the problem happens a certain amount of time after you connect the VPN, that could indicate a problem with the VPN's renegotiation, which may happen periodically. If the problem happens a certain amount of time after the computer boots or the network interface is connected, that could indicate a problem caused by a DHCP renewal. The former is more common, so that's what I asked for first.

We don't DM; you can email the Diagnostic Info to devel...@tunnelblick.net. Security-related items such as certificates and passwords are not included – you can manually redact public IP addresses.

Sean Hollen

Jul 16, 2024, 11:57:42 PM
to tunnelblick-discuss
Thanks, I just emailed the logs to devel...@tunnelblick.net. The log was taken right after I disconnected due to lack of connection.

Today, I also kept notes of how long the Internet was loading before it required vpn disconnection. The times were: 56m13s, 33m58s, 24m47s, 5m23s. That's all that I recorded. I did not reboot my computer once today.

Tunnelblick developer

Jul 17, 2024, 6:29:08 AM
to tunnelblick-discuss
I received the diagnostic info. There is a peculiar discrepancy in the logs:

```
11:51:35 *Tunnelblick:  Changed DNS ServerAddresses setting from '1.1.1.1 1.0.0.1' to '8.8.8.8'
...
11:51:35 *Tunnelblick:  DNS servers '8.8.8.8' will be used for DNS queries when the VPN is active
...
2024-07-15 11:51:36.622057 *Tunnelblick: Warning: DNS server address 127.0.0.1 is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
```

This discrepancy (which DNS server will be used: 8.8.8.8 or 127.0.0.1) does indeed indicate that multiple network interfaces are active. That's supported by the output of ifconfig.

My suggestion is to try putting a check in the "Disable secondary network interfaces" checkbox.

=======================

Also, you might want to bring these entries to the attention of your VPN administrators:

```
2024-07-15 11:51:29.197853 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
...
2024-07-15 11:51:30.055065 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
```

Sean Hollen

Jul 19, 2024, 1:06:05 AM
to tunnelblick-discuss
Hey,

I checked the "Disable secondary network interfaces" checkbox, and that seemed to work to some extent. Errors are less often now, when before they were every 30 minutes.

However, I now get a different error which I think is connected. On my Mac, there's an exclamation mark over the Wifi symbol. It says, "Wifi: Not Configured". This occurs maybe every 3 hours.

It seems like it needs to change to a secondary network interface, but can't? The only way I've found to get the internet working again is to disconnect, untoggle the "Disable secondary", and reconnect (I can re-toggle the disable secondary right afterwards). Sometimes it's particularly difficult, giving me the spinning wheel, and I need to force quit Tunnelblick.

Btw, I see mention of 127.0.0.1 in my /etc/hosts, which itself I don't think is a problem, but maybe this address has special significance? I don't know much about server addresses.

> Also, you might want to bring these entries to the attention of your VPN administrators:
> 2024-07-15 11:51:29.197853 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
> ...
> 2024-07-15 11:51:30.055065 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Do you think these errors are related to my main issue, or just unrelated irregularities?

Tunnelblick developer

Jul 19, 2024, 8:45:18 AM
to tunnelblick-discuss
I think what's happening now is (assuming your primary network interface is Wi-Fi):
  1. At some point your Wi-Fi becomes unavailable (you see the exclamation mark).
  2. Because (now) all other network interfaces are disabled (by Tunnelblick), your computer has no connection to the Internet.
  3. OpenVPN can't communicate with the VPN server, so it attempts to reconnect to the VPN server, but, because there is no Internet connection it can't, so it attempts to reconnect again and again.
  4. Because of a bug in Tunnelblick 4.0.1 (which is fixed in Tunnelblick 5.0.1beta01 and higher), OpenVPN tries to reconnect thousands or tens of thousands of times per second, which causes Tunnelblick to hang, and you see the "spinning wheel".
3. and 4. only happen if OpenVPN realizes that it can't communicate with the server, which happens some time after the loss of the Wi-Fi connection. If you disconnect the VPN before that happens, you won't get the "spinning wheel".

Two recommendations:
  • Update to Tunnelblick 6.0beta04 so Tunnelblick stops hanging. It's reasonably stable and will be the basis for our next stable release.
  • Turn Wi-Fi off, then back on again, when the Wi-Fi symbol in the menu/status bar shows an exclamation mark. See if the exclamation mark disappears.
These may not solve the main problem, but should make it easier to recover from the main problem so it can be investigated further.

An important question is: why does your Wi-Fi disconnect? Please describe what device provides Wi-Fi, and anything that might be causing the Wi-Fi to stop working: are you moving your computer to another location? Connecting so many other devices to Wi-Fi that it refuses to renew your computer's DHCP lease?

======

127.0.0.1 is a special address for your computer. Unless you've installed or enabled a DNS server/resolver on your computer, it should never be used for DNS. The only other thing I can think of is that, when you have no Internet connection at all, macOS falls back to using your own computer as the DNS server.

======

The other two issues I pointed out are not related to the main issue, but they are configuration choices that lessen the security of your VPN, so I recommend that you bring them to the attention of your company's IT department. (The second one is more important; the first one may not be a problem if their VPN server is set up so it does not use compression.)
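For VPN administrators following up on the two OpenVPN warnings quoted in this thread, a small check of a client configuration file is sketched here. It is an added example, not part of the original posts and not Tunnelblick or OpenVPN code; the function names, the finding labels, the directive list and both sample configurations are assumptions made for the illustration.

```python
import shlex

# Directives that make an OpenVPN client verify the server certificate. This
# list is an assumption for the example, not OpenVPN's exact internal test.
VERIFY = {"remote-cert-tls", "verify-x509-name", "remote-cert-eku",
          "ns-cert-type", "tls-verify", "verify-hash", "peer-fingerprint"}
COMPRESS = {"comp-lzo", "compress"}

# Constructed sample configurations (vpn.example.com is a placeholder).
WEAK = """\
client
dev tun
remote vpn.example.com 1194 udp
comp-lzo
<ca>
(certificate omitted)
</ca>
"""
HARDENED = """\
client
dev tun
remote vpn.example.com 1194 udp
remote-cert-tls server          # require a certificate issued for server use
verify-x509-name vpn.example.com name
allow-compression no            # refuse compression
<ca>
(certificate omitted)
</ca>
"""

def directives(text):
    """Yield (name, args) per config line, skipping comments and inline blocks."""
    closing = None
    for raw in text.splitlines():
        line = raw.strip()
        if closing:                      # inside <ca>...</ca> or similar
            if line == closing:
                closing = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            closing = "</" + line[1:]
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            yield parts[0].lstrip("-"), parts[1:]

def audit(text):
    """Return finding labels for the two weaknesses the log warnings point at."""
    seen = list(directives(text))
    names = {name for name, _ in seen}
    refused = any(n == "allow-compression" and a[:1] == ["no"] for n, a in seen)
    findings = []
    # Options pushed by the server are not in the file, so a clean result here
    # does not rule out pushed compression; the log warnings stay authoritative.
    if names & COMPRESS and not refused:
        findings.append("compression-enabled")
    if not names & VERIFY:
        findings.append("no-server-cert-verification")
    return findings
```

`audit(WEAK)` reports both findings and `audit(HARDENED)` reports none.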

Sean Hollen

Aug 15, 2024, 12:12:27 AM
to tunnelblick-discuss
I did not experience the problem for some period of time, so I haven't responded. But I'm experiencing it again.

I upgraded to 6.0beta05 (build 6090). Even with that, I cannot check "disable secondary network interfaces", because it produces the problem with the exclamation point over the wifi symbol. This happens shortly after connecting to Tunnelblick. When this happens, I cannot turn wifi off and then back on again, because in the mac wifi settings, the wifi is toggled "off" (and the toggle is grayed out, so I can't click it).

When "disable secondary network interfaces" is not checked, I can connect, but then I'm getting the original error. I can email a recent copy of my logs to devel...@tunnelblick.net if that would be useful, just let me know.

We know from previous investigation that there's a problem of "secondary network interfaces". Do you have any tips for how I could go about diagnosing what those secondary interfaces are? It is interesting to me that the problem went away and came back, because I think there's some other process on my computer which is interfering. If I knew what it was, I could look into eliminating that. But I'm not good at diagnosing network interfaces.

Thanks.

Tunnelblick Developer

Aug 15, 2024, 9:47:28 AM
to tunnelblick-discuss
> Even with that, I cannot check "disable secondary network interfaces", because it produces the problem with the exclamation point over the wifi symbol. This happens shortly after connecting to Tunnelblick.

If you mean that you always get the exclamation point over the wifi symbol a few seconds after you click "Connect", maybe Wi-Fi is not your primary network interface, so Tunnelblick is disabling it because it is a secondary interface.

The easiest way to find out is to do it (check "disable secondary network interfaces" and click connect), then get the Diagnostic Info. It will include info about exactly what interfaces are disabled in the section that starts "*Tunnelblick:  Start of output from client.up.tunnelblick.sh". There should be several lines that list what interfaces are being disabled. If it disables "Wi-Fi", then the problem is that some other interface is being used as your primary interface, so maybe you have two Internet interfaces. System Settings >> Network will list all the interfaces. The one that isn't disabled is the one that is "Primary".

-----------------

Note that if Tunnelblick is disabling Wi-Fi, it is disabling it, not turning it off. To re-enable it, you can go to System Settings >> Network, Control-click the blue "Wi-Fi" icon, then click "Make Service Active". The exclamation point should disappear.

Sean Hollen

Aug 18, 2024, 6:55:05 PM
to tunnelblick-discuss

It does indeed disable “Wi-Fi”. Logs below.

When I connect with “disable secondary network interfaces”, and look in system settings, it marks all of my networks as “inactive” except for “Firewall”. So I suppose the Firewall is “primary”. But naturally I’m somewhat reluctant to disable the firewall.

Maybe there is a problem with my firewall. However, the Firewall remains active when I disconnect from Tunnelblick, and I never get the issues with hanging when not connected to VPN, so there is some association with Tunnelblick.


```
10:45:53 *Tunnelblick:  **********************************************
10:45:53 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
10:45:55 *Tunnelblick:  Disabled IPv6 for 'AX88179A'
10:45:55 *Tunnelblick:  Disabled 'AX88179A'
10:45:55 *Tunnelblick:  Disabled 'Wi-Fi'
10:45:55 *Tunnelblick:  Disabled 'iPhone USB'
10:45:55 *Tunnelblick:  Disabled 'Thunderbolt Bridge'
10:45:55 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ 8.8.8.8 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
10:45:55 *Tunnelblick:  Not aggregating ServerAddresses because running on macOS 10.6 or higher
10:45:55 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
10:45:56 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
10:45:56 *Tunnelblick:  Changed DNS ServerAddresses setting from '' to '8.8.8.8'
10:45:56 *Tunnelblick:  Changed DNS SearchDomains setting from '' to 'openvpn'
10:45:56 *Tunnelblick:  Changed DNS DomainName setting from '' to 'openvpn'
10:45:56 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
10:45:56 *Tunnelblick:  Did not change SMB Workgroup setting of ''
10:45:56 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
10:45:56 *Tunnelblick:  DNS servers '8.8.8.8' will be used for DNS queries when the VPN is active
10:45:56 *Tunnelblick:  The DNS servers include only free public DNS servers known to Tunnelblick.
10:45:56 *Tunnelblick:  Flushed the DNS cache via dscacheutil
10:45:56 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
10:45:56 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
10:45:56 *Tunnelblick:  Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
10:45:56 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
10:45:56 *Tunnelblick:  End of output from client.up.tunnelblick.sh
10:45:56 *Tunnelblick:  **********************************************
```

Tunnelblick Developer

Aug 18, 2024, 9:55:58 PM
to tunnelblick-discuss
No, Firewall is not primary; although it's listed in "Network", it isn't a network service and wouldn't be primary or secondary. Tunnelblick would never disable it in any case.

It appears you have an additional network interface, "AX88179A", and perhaps other network devices. So my question is: how do you connect to the Internet? For example, do you connect with both a wired Ethernet connection and Wi-Fi? With more than one wired interface? Through a "dock"?

Please do the following: click on System Settings >> Network, then Command-click on Wi-Fi and click "Set Service Order", and post the list of services shown, in the order in which they appear.




Sean Hollen

Aug 20, 2024, 1:21:19 AM
to tunnelblick-discuss
You're correct, I am sometimes connected to ethernet, but I usually connect via office Wifi. However, I get this issue even if I'm only connecting through Wifi, and not using ethernet.

Network
USB 10/100/1000 LAN (sometimes connected, sometimes not)
Wi-Fi (connected)
Filters (inactive)
Firewall (active)

Other Services
AX88179A (not connected)
iPhone USB (not connected)
Thunderbolt Bridge (not connected)

If it matters, I often connect earbuds and a smart mouse to bluetooth. I don't use a dock. The only other things I plug into my computer are for charging.

Google says AX88179A is a USB Ethernet Controller, but anyway, each of the times I've checked it said "not connected".

Tunnelblick Developer

Aug 20, 2024, 11:12:59 AM
to tunnelblick-discuss
Please post the "Service Order" list (per my earlier post) when you are connected via Ethernet (with or without Wi-Fi) – I want to see if your Ethernet connection uses "AX88179A" or "USB 10/100/1000 LAN" (or both!?).

Tunnelblick Developer

Aug 20, 2024, 7:32:14 PM
to tunnelblick-discuss
Or, if easier, copy/paste
     /usr/sbin/networksetup  -listnetworkserviceorder
into /Applications/Utilities/Terminal and post the output

Sean Hollen

Aug 21, 2024, 10:37:13 AM
to tunnelblick-discuss

Confusingly to me, it appears that your command is giving me the same results regardless of whether or not I have the Ethernet plugged in. Anyway, this is my current output.


```
An asterisk (*) denotes that a network service is disabled.
(1) USB 10/100/1000 LAN
(Hardware Port: USB 10/100/1000 LAN, Device: en8)

(2) AX88179A
(Hardware Port: AX88179A, Device: en10)

(3) Wi-Fi
(Hardware Port: Wi-Fi, Device: en0)

(4) iPhone USB
(Hardware Port: iPhone USB, Device: en7)

(5) Thunderbolt Bridge
(Hardware Port: Thunderbolt Bridge, Device: bridge0)
```

Tunnelblick Developer

Aug 23, 2024, 7:47:57 AM
to tunnelblick-discuss
Thanks. I think there's a problem with the way Tunnelblick disables secondary network interfaces, so I'm looking into that.

Tunnelblick Developer

Aug 25, 2024, 11:08:12 AM
to tunnelblick-discuss
I found two dumbfounding problems with the way Tunnelblick disables secondary network interfaces:
  1. If an interface was disabled (by the user), Tunnelblick would re-enable it when the VPN disconnects.
  2. It disabled all interfaces except the first interface listed by network service order, instead of all interfaces except the primary interface.
Both problems will be fixed in the next beta release.

Until the next beta is released, I think a workaround for the problem you've described would be for you to turn off Wi-Fi when you are connected via Ethernet. (And un-check the "Disable secondary network interfaces" checkbox.)

Once you are using the next beta, you can check the "Disable secondary network interfaces" checkbox and leave Wi-Fi on all the time.
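The second problem in the post above can be reproduced from the service order posted earlier in this thread. The following is an added example, not part of the original posts and not Tunnelblick's code: the function names are hypothetical, and treating en0 (Wi-Fi) as the primary device is an assumption based on the user's description of connecting over Wi-Fi.

```python
import re

# Output of `networksetup -listnetworkserviceorder` as posted in this thread.
SERVICE_ORDER = """\
An asterisk (*) denotes that a network service is disabled.
(1) USB 10/100/1000 LAN
(Hardware Port: USB 10/100/1000 LAN, Device: en8)

(2) AX88179A
(Hardware Port: AX88179A, Device: en10)

(3) Wi-Fi
(Hardware Port: Wi-Fi, Device: en0)

(4) iPhone USB
(Hardware Port: iPhone USB, Device: en7)

(5) Thunderbolt Bridge
(Hardware Port: Thunderbolt Bridge, Device: bridge0)
"""

def parse_service_order(text):
    """Return [(service name, device)] in the order the services are listed."""
    services, name = [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"\((\d+|\*)\)\s+(.+)", line)   # "(3) Wi-Fi" or "(*) Wi-Fi"
        if header:
            name = header.group(2)
            continue
        port = re.match(r"\(Hardware Port: .*, Device: (\S*)\)", line)
        if port and name is not None:
            services.append((name, port.group(1)))
            name = None
    return services

def disable_all_but_first(services):
    """Behaviour described as the bug: keep whatever is listed first."""
    return [name for name, _ in services[1:]]

def disable_all_but_primary(services, primary_device):
    """Behaviour described as the fix: keep the service that carries traffic."""
    if primary_device not in {dev for _, dev in services}:
        # Unknown primary: disabling anything could cut the only working link.
        raise ValueError(f"primary device {primary_device!r} not in service order")
    return [name for name, dev in services if dev != primary_device]

def main():
    services = parse_service_order(SERVICE_ORDER)
    print("first-listed rule disables:", disable_all_but_first(services))
    print("primary rule (en0) disables:", disable_all_but_primary(services, "en0"))

if __name__ == "__main__":
    main()
```

With this input the first-listed rule disables exactly the four services named in the `client.up.tunnelblick.sh` log posted earlier, Wi-Fi included, while the primary rule leaves Wi-Fi up.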

Sean Hollen

Nov 2, 2024, 4:22:13 AM
to tunnelblick-discuss
Thanks for working on this. I upgraded my version of Tunnelblick.

I didn't get the results, because I didn't have to use a VPN for a while, but I recently started using VPN again. Unfortunately, I still get the issue described above with the latest version.

However, I also believe the issue is not with Tunnelblick, but with OpenVPN. I tried using OpenVPN Connect, and I found a pretty similar issue.

I can provide you my logs again if that is helpful. That may help to confirm whether it is actually a Tunnelblick issue.

Tunnelblick Developer

Nov 4, 2024, 4:37:14 AM
to tunnelblick-discuss
It's likely caused by a combination of your Internet connection being unreliable and your OpenVPN configuration file and the OpenVPN options pushed from your VPN server to your computer. Consult OpenVPN experts. You can find some links on our Support page.