Able to connect, but no route to host when trying to reach gateway


jwow

Jan 30, 2015, 7:10:23 PM
to tunnelbli...@googlegroups.com
Hi all,

I recently configured Tomato on my home router for OpenVPN and am trying to get it working via Tunnelblick.

I followed these instructions pretty much to a T for configuring Tomato OpenVPN:

I was surprised by the prompt for a password when connecting, but assumed it was looking for the passphrase that I used when creating the keys/certs. I'm able to connect, but when attempting to ping my internal router gateway (192.168.11.1) I get a no route to host error and can't access anything else on the Internet, either. For what it's worth, I'm in a library, but I have no problem with SSH or HTTPS, so I don't think they're blocking anything that could be causing issues with my setup. I specifically used port 443 to avoid any port blocking.

After reading some other posts, I upgraded Tunnelblick to 3.5b06 build 4211, but I get essentially the same error log as what's below.

I've tried checking and unchecking the box on my router for Client Address Pool DHCP. The guide above said to leave it unchecked, but given the error below about getting an IP, I tried checking it and restarting the service. No difference.

I feel like I'm close. Some help to push me over the edge would be great!


*Tunnelblick: OS X 10.9.5; Tunnelblick 3.4.3 (build 4055.4198); Admin user

"Sanitized" condensed configuration file for /Users/obfuscated/Library/Application Support/Tunnelblick/Configurations/my_vpn.tblk:

client
dev tap
proto udp
remote myvpn.ddns.net 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert mbp.crt
key mbp.key
comp-lzo
verb 3


================================================================================

"Sanitized" full configuration file

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote myvpn.ddns.net 443
;remote 192.168.11.1 443
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert mbp.crt
key mbp.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20



================================================================================

There are no unusual files in my_vpn.tblk

================================================================================

Configuration preferences:

-routeAllTrafficThroughVpn = 1
-keychainHasPrivateKey = 1
-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.4.3 (build 4055.4198)"
)
lastLaunchTime = 444296147.544898
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = my_vpn
keyboardShortcutIndex = 1
updateCheckAutomatically = 0
updateSendProfileInfo = 1
NSWindow Frame SettingsSheetWindow = 437 299 829 424 0 0 1680 1028
NSWindow Frame ConnectingWindow = 697 529 412 232 0 0 1680 1028
leftNavSelectedDisplayName = my_vpn
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 0
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SULastCheckTime = 2015-01-30 07:34:57 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

2015-01-30 15:35:32 *Tunnelblick: openvpnstart starting OpenVPN
2015-01-30 15:35:32 *Tunnelblick: OS X 10.9.5; Tunnelblick 3.4.3 (build 4055.4198)
2015-01-30 15:35:32 *Tunnelblick: Attempting connection with my_vpn using shadow copy; Set nameserver = 1; monitoring connection
2015-01-30 15:35:32 *Tunnelblick: openvpnstart start my_vpn.tblk 1337 1 0 1 0 17266 -ptADGNWradsgnw 2.3.6
2015-01-30 15:35:33 *Tunnelblick: openvpnstart log:
     Tunnelblick: Loading tap-signed.kext
     Tunnelblick:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.6/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Sobfuscated-SLibrary-SApplication Support-STunnelblick-SConfigurations-Smy_vpn.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_17266.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/obfuscated/my_vpn.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Users/obfuscated/my_vpn.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Users/obfuscated/my_vpn.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --redirect-gateway
          def1
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -ptADGNWradsgnw
          --route-pre-down
          /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -a -f -ptADGNWradsgnw

2015-01-30 15:35:33 *Tunnelblick: Established communication with OpenVPN
2015-01-30 15:35:33 *Tunnelblick: Obtained VPN passphrase from the Keychain
2015-01-30 15:35:33 OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jan  8 2015
2015-01-30 15:35:33 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
2015-01-30 15:35:33 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2015-01-30 15:35:33 Need hold release from management interface, waiting...
2015-01-30 15:35:33 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2015-01-30 15:35:33 MANAGEMENT: CMD 'pid'
2015-01-30 15:35:33 MANAGEMENT: CMD 'state on'
2015-01-30 15:35:33 MANAGEMENT: CMD 'state'
2015-01-30 15:35:33 MANAGEMENT: CMD 'bytecount 1'
2015-01-30 15:35:33 MANAGEMENT: CMD 'hold release'
2015-01-30 15:35:33 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2015-01-30 15:35:33 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2015-01-30 15:35:33 MANAGEMENT: CMD 'password [...]'
2015-01-30 15:35:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2015-01-30 15:35:33 Socket Buffers: R=[196724->65536] S=[9216->65536]
2015-01-30 15:35:33 MANAGEMENT: >STATE:1422660933,RESOLVE,,,
2015-01-30 15:35:34 UDPv4 link local: [undef]
2015-01-30 15:35:34 UDPv4 link remote: [AF_INET]76.167.227.52:443
2015-01-30 15:35:34 MANAGEMENT: >STATE:1422660934,WAIT,,,
2015-01-30 15:35:34 MANAGEMENT: >STATE:1422660934,AUTH,,,
2015-01-30 15:35:34 TLS: Initial packet from [AF_INET]76.167.227.52:443, sid=8af4dbbe 98c08f42
2015-01-30 15:35:34 VERIFY OK: depth=1, CN=Easy-RSA CA
2015-01-30 15:35:34 VERIFY OK: depth=0, CN=myvpn
2015-01-30 15:35:35 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2015-01-30 15:35:35 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2015-01-30 15:35:35 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2015-01-30 15:35:35 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2015-01-30 15:35:35 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2015-01-30 15:35:35 [myvpn] Peer Connection Initiated with [AF_INET]76.167.227.52:443
2015-01-30 15:35:37 MANAGEMENT: >STATE:1422660937,GET_CONFIG,,,
2015-01-30 15:35:38 SENT CONTROL [myvpn]: 'PUSH_REQUEST' (status=1)
2015-01-30 15:35:38 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.11.1,route-gateway 192.168.11.1,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60'
2015-01-30 15:35:38 OPTIONS IMPORT: timers and/or timeouts modified
2015-01-30 15:35:38 OPTIONS IMPORT: route options modified
2015-01-30 15:35:38 OPTIONS IMPORT: route-related options modified
2015-01-30 15:35:38 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2015-01-30 15:35:38 TUN/TAP device /dev/tap0 opened
2015-01-30 15:35:38 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -ptADGNWradsgnw tap0 1500 1574   init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Configuring tap DNS via OpenVPN
                                        Retrieved from OpenVPN: name server(s) [ 192.168.11.1 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Set ServerAddresses to 192.168.11.1
                                        Set SearchDomains   to openvpn
                                        Set DomainName       to openvpn
                                        Flushed the DNS cache via dscacheutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2015-01-30 15:35:41 *Tunnelblick: No 'connected.sh' script to execute
2015-01-30 15:35:41 /sbin/route add -net 76.167.227.52 10.128.128.128 255.255.255.255
                                        add net 76.167.227.52: gateway 10.128.128.128
2015-01-30 15:35:41 /sbin/route add -net 0.0.0.0 192.168.11.1 128.0.0.0
                                        add net 0.0.0.0: gateway 192.168.11.1
2015-01-30 15:35:41 /sbin/route add -net 128.0.0.0 192.168.11.1 128.0.0.0
                                        add net 128.0.0.0: gateway 192.168.11.1
2015-01-30 15:35:41 Initialization Sequence Completed
2015-01-30 15:35:41 MANAGEMENT: >STATE:1422660941,CONNECTED,SUCCESS,,76.167.227.52
2015-01-30 15:35:46 *Tunnelblick process-network-changes: A system configuration change was ignored
2015-01-30 15:36:16 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2015-01-30 15:36:38 [myvpn] Inactivity timeout (--ping-restart), restarting
2015-01-30 15:36:38 SIGUSR1[soft,ping-restart] received, process restarting
2015-01-30 15:36:38 MANAGEMENT: >STATE:1422660998,RECONNECTING,ping-restart,,
2015-01-30 15:36:38 *Tunnelblick: No 'reconnecting.sh' script to execute
2015-01-30 15:36:38 MANAGEMENT: CMD 'hold release'
2015-01-30 15:36:38 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2015-01-30 15:36:38 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2015-01-30 15:36:38 Socket Buffers: R=[196724->65536] S=[9216->65536]
2015-01-30 15:36:38 MANAGEMENT: >STATE:1422660998,RESOLVE,,,
2015-01-30 15:37:00 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2015-01-30 15:37:00 *Tunnelblick: Disconnecting using 'kill'
2015-01-30 15:37:02 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2015-01-30 15:37:02 *Tunnelblick: Disconnecting using 'kill'
2015-01-30 15:37:02 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2015-01-30 15:37:02 *Tunnelblick: Disconnecting using 'kill'
2015-01-30 15:37:03 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2015-01-30 15:37:03 *Tunnelblick: Disconnecting using 'kill'
2015-01-30 15:37:03 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2015-01-30 15:37:03 *Tunnelblick: Disconnecting using 'kill'
2015-01-30 15:37:08 RESOLVE: Cannot resolve host address: myvpn.ddns.net: nodename nor servname provided, or not known
2015-01-30 15:37:08 MANAGEMENT: >STATE:1422661028,RESOLVE,,,
2015-01-30 15:37:38 RESOLVE: Cannot resolve host address: myvpn.ddns.net: nodename nor servname provided, or not known
2015-01-30 15:38:13 RESOLVE: Cannot resolve host address: myvpn.ddns.net: nodename nor servname provided, or not known
2015-01-30 15:38:48 RESOLVE: Cannot resolve host address: myvpn.ddns.net: nodename nor servname provided, or not known
2015-01-30 15:39:23 RESOLVE: Cannot resolve host address: myvpn.ddns.net: nodename nor servname provided, or not known
2015-01-30 15:39:58 RESOLVE: Cannot resolve host address: myvpn.ddns.net: nodename nor servname provided, or not known
2015-01-30 15:40:33 RESOLVE: Cannot resolve host address: myvpn.ddns.net: nodename nor servname provided, or not known
2015-01-30 15:41:05 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2015-01-30 15:41:05 *Tunnelblick: Disconnecting using 'kill'
2015-01-30 15:41:08 RESOLVE: signal received during DNS resolution attempt
2015-01-30 15:41:08 /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -a -f -ptADGNWradsgnw tap0 1500 1574   init
                                        **********************************************
                                        Start of output from client.route-pre-down.tunnelblick.sh
                                        No action by client.route-pre-down.tunnelblick.sh is needed because this TAP connection does not use DHCP via the TAP device.
                                        End of output from client.route-pre-down.tunnelblick.sh
                                        **********************************************
2015-01-30 15:41:08 /sbin/route delete -net 76.167.227.52 10.128.128.128 255.255.255.255
                                        delete net 76.167.227.52: gateway 10.128.128.128
2015-01-30 15:41:08 /sbin/route delete -net 0.0.0.0 192.168.11.1 128.0.0.0
                                        delete net 0.0.0.0: gateway 192.168.11.1
2015-01-30 15:41:08 /sbin/route delete -net 128.0.0.0 192.168.11.1 128.0.0.0
                                        delete net 128.0.0.0: gateway 192.168.11.1
2015-01-30 15:41:08 Closing TUN/TAP interface
2015-01-30 15:41:08 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -ptADGNWradsgnw tap0 1500 1574   init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        Cancelled monitoring of system configuration changes
                                        Restored the DNS and SMB configurations
                                        Flushed the DNS cache via dscacheutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2015-01-30 15:41:09 SIGTERM[hard,init_instance] received, process exiting
2015-01-30 15:41:09 MANAGEMENT: >STATE:1422661269,EXITING,init_instance,,
2015-01-30 15:41:10 *Tunnelblick: No 'post-disconnect.sh' script to execute
2015-01-30 15:41:10 *Tunnelblick: Expected disconnection occurred.

================================================================================

Console Log:

2015-01-30 15:27:34 Tunnelblick[26229] Can't find Keychain item to delete for service = 'Tunnelblick-Auth-my_vpn' account = 'privateKey' because it does not exist
2015-01-30 15:28:18 Tunnelblick[26229] currentIPInfo(Name): IP address info could not be fetched within 30.0 seconds
2015-01-30 15:28:48 Tunnelblick[26229] currentIPInfo(Address): IP address info could not be fetched within 30.0 seconds
2015-01-30 15:30:27 Tunnelblick[26229] startDisconnectingUserKnows: while already disconnecting 'my_vpn'; OpenVPN state = 'RESOLVE'
2015-01-30 15:30:49 Tunnelblick[26229] startDisconnectingUserKnows: while already disconnecting 'my_vpn'; OpenVPN state = 'DISCONNECTING'
2015-01-30 15:35:33 Tunnelblick[26229] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-my_vpn' account = 'privateKey'
2015-01-30 15:36:16 Tunnelblick[26229] currentIPInfo(Name): IP address info could not be fetched within 30.0 seconds
2015-01-30 15:36:46 Tunnelblick[26229] currentIPInfo(Address): IP address info could not be fetched within 30.0 seconds
2015-01-30 15:37:02 Tunnelblick[26229] startDisconnectingUserKnows: while already disconnecting 'my_vpn'; OpenVPN state = 'DISCONNECTING'
2015-01-30 15:37:02 Tunnelblick[26229] startDisconnectingUserKnows: while already disconnecting 'my_vpn'; OpenVPN state = 'DISCONNECTING'
2015-01-30 15:37:03 Tunnelblick[26229] startDisconnectingUserKnows: while already disconnecting 'my_vpn'; OpenVPN state = 'DISCONNECTING'
2015-01-30 15:37:03 Tunnelblick[26229] startDisconnectingUserKnows: while already disconnecting 'my_vpn'; OpenVPN state = 'DISCONNECTING'
2015-01-30 15:41:05 Tunnelblick[26229] startDisconnectingUserKnows: while already disconnecting 'my_vpn'; OpenVPN state = 'RESOLVE'

================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) <Linked Against>
   57    1 0xffffff7f80b22000 0x46000    0x46000    com.Logitech.Control Center.HID Driver (3.9.1) <56 54 34 28 5 4 3>
   58    0 0xffffff7f80b78000 0x18000    0x18000    com.Logitech.Unifying.HID Driver (1.3.1) <57 54 34 28 5 4 3>
  104    0 0xffffff7f80e75000 0x4000     0x4000     com.jft.driver.PdaNetDrv (1.0.64) <36 5 4 3 1>
  122    3 0xffffff7f823f0000 0x57000    0x57000    org.virtualbox.kext.VBoxDrv (4.3.16) <7 5 4 3 1>
  123    0 0xffffff7f82447000 0x8000     0x8000     org.virtualbox.kext.VBoxUSB (4.3.16) <122 42 34 7 5 4 3 1>
  124    0 0xffffff7f8244f000 0x5000     0x5000     org.virtualbox.kext.VBoxNetFlt (4.3.16) <122 7 5 4 3 1>
  125    0 0xffffff7f82454000 0x6000     0x6000     org.virtualbox.kext.VBoxNetAdp (4.3.16) <122 5 4 1>
  126    0 0xffffff7f8245a000 0x22000    0x22000    org.pqrs.driver.Karabiner (10.6.0) <28 5 4 3 1>

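A log triage sketch for the kind of output posted above, added here as an example and not part of the original post or of Tunnelblick/OpenVPN: it scans an OpenVPN client log for the security warnings and the tunnel-addressing evidence visible in this log. The finding codes, function names and the list of 64-bit block ciphers are choices made for this example; the sample lines are copied from the log in the post.

```python
import re

# Constructed sample: seven lines copied from the Tunnelblick log in the post.
SAMPLE_LOG = """\
2015-01-30 15:35:33 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2015-01-30 15:35:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2015-01-30 15:35:35 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2015-01-30 15:35:38 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.11.1,route-gateway 192.168.11.1,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60'
2015-01-30 15:35:38 TUN/TAP device /dev/tap0 opened
2015-01-30 15:35:41 Initialization Sequence Completed
2015-01-30 15:36:38 [myvpn] Inactivity timeout (--ping-restart), restarting
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
DEV_RE = re.compile(r"TUN/TAP device (?:/dev/)?(tap|tun)\d*\s+opened")
CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher '([^']+)'")
# Ciphers with a 64-bit block size (list chosen for this example).
BLOCK64 = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_push_reply(line):
    """Return pushed options as (name, args) tuples, or None if not a PUSH_REPLY."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    opts = []
    for item in m.group(1).split(","):
        name, _, args = item.strip().partition(" ")
        opts.append((name, args))
    return opts


def triage(log_text):
    """Return finding codes, each once, in the order the evidence appears."""
    findings, pushed, connected = [], None, False

    def add(code):
        if code not in findings:  # warnings repeat on every restart
            findings.append(code)

    for line in log_text.splitlines():
        if "No server certificate verification method" in line:
            add("no-server-cert-verify")  # config has ns-cert-type commented out
        elif "may cache passwords in memory" in line:
            add("password-cache")  # the log itself points at auth-nocache
        elif (m := CIPHER_RE.search(line)):
            if m.group(1).upper() in BLOCK64:
                add("64bit-block-cipher:" + m.group(1))
        elif (opts := parse_push_reply(line)) is not None:
            pushed = opts
            gateways = [args for name, args in opts if name == "route-gateway"]
            if len(gateways) > 1:
                add("route-gateway-pushed-twice:" + "|".join(gateways))
        elif (m := DEV_RE.search(line)):
            no_ifconfig = pushed is not None and not any(n == "ifconfig" for n, _ in pushed)
            if m.group(1) == "tap" and no_ifconfig:
                add("tap-without-pushed-ifconfig")
        elif "Initialization Sequence Completed" in line:
            connected = True
        elif "Inactivity timeout (--ping-restart)" in line and connected:
            add("ping-restart-after-connect")  # nothing received from the server
            connected = False
    return findings


if __name__ == "__main__":
    for code in triage(SAMPLE_LOG):
        print(code)
```

Each code names evidence in the log rather than a diagnosis: `tap-without-pushed-ifconfig`, for instance, means the server pushed no address, so the tap interface has to get one another way (DHCP across the bridge or an `ifconfig` line in the client config).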