OS X route delete command failed

Tobias Ottenweller

May 23, 2011, 1:53:49 PM
to tunnelblick-discuss
hello,
I'm having some trouble with disconnecting from a VPN. The weird thing
is that this only happens at one (of my two) VPNs. Both have pretty
much the same configuration.
Here is the log:



2011-05-23 19:49:05 *Tunnelblick: OS X 10.6.7; Tunnelblick 3.1.7 (build 2190.2413); OpenVPN 2.1.4
2011-05-23 19:49:07 *Tunnelblick: Attempting connection with xx.xx.xx.xx; Set nameserver = 3; monitoring connection
2011-05-23 19:49:07 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start xx.xx.xx.xx.tblk 1337 3 0 0 0 49
2011-05-23 19:49:08 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] built on Mar 1 2011
2011-05-23 19:49:08 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2011-05-23 19:49:08 Need hold release from management interface, waiting...
2011-05-23 19:49:08 MANAGEMENT: Client connected from 127.0.0.1:1337
2011-05-23 19:49:08 MANAGEMENT: CMD 'pid'
2011-05-23 19:49:08 MANAGEMENT: CMD 'state on'
2011-05-23 19:49:08 MANAGEMENT: CMD 'state'
2011-05-23 19:49:08 MANAGEMENT: CMD 'hold release'
2011-05-23 19:49:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-05-23 19:49:08 PLUGIN_INIT: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn-down-root.so '[/Applications/Tunnelblick.app/Contents/Resources/openvpn-down-root.so] [/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh] [-m] [-w] [-d]' intercepted=PLUGIN_UP|PLUGIN_DOWN
2011-05-23 19:49:08 LZO compression initialized
2011-05-23 19:49:08 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
2011-05-23 19:49:08 Socket Buffers: R=[262140->65536] S=[131070->65536]
2011-05-23 19:49:08 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
2011-05-23 19:49:08 Local Options hash (VER=V4): 'bc07730e'
2011-05-23 19:49:08 Expected Remote Options hash (VER=V4): 'b695cb4a'
2011-05-23 19:49:08 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2011-05-23 19:49:08 Attempting to establish TCP connection with xx.xx.xx.xx:XXX [nonblock]
2011-05-23 19:49:08 MANAGEMENT: >STATE:1306172948,TCP_CONNECT,,,
2011-05-23 19:49:08 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/XXXXX/Library/Application Support/Tunnelblick/Configurations/xx.xx.xx.xx.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Users/XXXXX/Library/Application Support/Tunnelblick/Configurations/xx.xx.xx.xx.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-SXXXXX-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sxx.xx.xx.xx.tblk-SContents-SResources-Sconfig.ovpn.3_0_0_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d --plugin /Applications/Tunnelblick.app/Contents/Resources/openvpn-down-root.so /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d --up-restart
2011-05-23 19:49:09 TCP connection established with xx.xx.xx.xx:XXX
2011-05-23 19:49:09 TCPv4_CLIENT link local: [undef]
2011-05-23 19:49:09 TCPv4_CLIENT link remote: xx.xx.xx.xx:XXX
2011-05-23 19:49:09 MANAGEMENT: >STATE:1306172949,WAIT,,,
2011-05-23 19:49:09 MANAGEMENT: >STATE:1306172949,AUTH,,,
2011-05-23 19:49:09 TLS: Initial packet from xx.xx.xx.xx:XXX, sid=fa66bfe0 afa8d490
2011-05-23 19:49:10 VERIFY OK: depth=1, /C=DE/ST=DE
2011-05-23 19:49:10 VERIFY OK: nsCertType=SERVER
2011-05-23 19:49:10 VERIFY OK: depth=0, /C=DE/ST=DE/L=Berlin/O=XXXXX.XX/CN=xx.xx.xx.xx/emailAddress=ma...@XXXXXX.XX
2011-05-23 19:49:11 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2011-05-23 19:49:11 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-05-23 19:49:11 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2011-05-23 19:49:11 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-05-23 19:49:11 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2011-05-23 19:49:11 [xx.xx.xx.xx] Peer Connection Initiated with xx.xx.xx.xx:XXX
2011-05-23 19:49:12 MANAGEMENT: >STATE:1306172952,GET_CONFIG,,,
2011-05-23 19:49:13 SENT CONTROL [xx.xx.xx.xx]: 'PUSH_REQUEST' (status=1)
2011-05-23 19:49:13 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 8.8.8.8,route 10.22.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.22.0.6 10.22.0.5'
2011-05-23 19:49:13 OPTIONS IMPORT: timers and/or timeouts modified
2011-05-23 19:49:13 OPTIONS IMPORT: --ifconfig/up options modified
2011-05-23 19:49:13 OPTIONS IMPORT: route options modified
2011-05-23 19:49:13 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2011-05-23 19:49:13 ROUTE default_gateway=192.168.2.1
2011-05-23 19:49:13 TUN/TAP device /dev/tun0 opened
2011-05-23 19:49:13 MANAGEMENT: >STATE:1306172953,ASSIGN_IP,,10.22.0.6,
2011-05-23 19:49:13 /sbin/ifconfig tun0 delete
2011-05-23 19:49:13 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2011-05-23 19:49:13 /sbin/ifconfig tun0 10.22.0.6 10.22.0.5 mtu 1500 netmask 255.255.255.255 up
2011-05-23 19:49:13 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn-down-root.so/PLUGIN_UP status=0
2011-05-23 19:49:13 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d tun0 1500 1560 10.22.0.6 10.22.0.5 init
No such key
2011-05-23 19:49:13 /sbin/route add -net xx.xx.xx.xx 192.168.2.1 255.255.255.255
route: writing to routing socket: File exists
add net xx.xx.xx.xx: gateway 192.168.2.1: File exists
2011-05-23 19:49:13 /sbin/route delete -net 0.0.0.0 192.168.2.1 0.0.0.0
delete net 0.0.0.0: gateway 192.168.2.1
2011-05-23 19:49:13 /sbin/route add -net 0.0.0.0 10.22.0.5 0.0.0.0
add net 0.0.0.0: gateway 10.22.0.5
2011-05-23 19:49:13 MANAGEMENT: >STATE:1306172953,ADD_ROUTES,,,
2011-05-23 19:49:13 WARNING: potential route subnet conflict between local LAN [10.22.0.0/255.255.255.0] and remote VPN [10.22.0.0/255.255.255.0]
2011-05-23 19:49:13 /sbin/route add -net 10.22.0.0 10.22.0.5 255.255.255.0
add net 10.22.0.0: gateway 10.22.0.5
2011-05-23 19:49:13 GID set to nobody
2011-05-23 19:49:13 UID set to nobody
2011-05-23 19:49:13 Initialization Sequence Completed
2011-05-23 19:49:13 MANAGEMENT: >STATE:1306172953,CONNECTED,SUCCESS,10.22.0.6,xx.xx.xx.xx
2011-05-23 19:49:13 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such key' warnings are normal and may be ignored
2011-05-23 19:49:13 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use
2011-05-23 19:49:13 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor system configuration with leasewatch
2011-05-23 19:49:13 *Tunnelblick: Flushed the DNS cache
2011-05-23 19:49:16 event_wait : Interrupted system call (code=4)
2011-05-23 19:49:16 TCP/UDP: Closing socket
2011-05-23 19:49:16 /sbin/route delete -net 10.22.0.0 10.22.0.5 255.255.255.0
route: must be root to alter routing table
2011-05-23 19:49:16 ERROR: OS X route delete command failed: external program exited with error status: 77
2011-05-23 19:49:16 /sbin/route delete -net xx.xx.xx.xx 192.168.2.1 255.255.255.255
route: must be root to alter routing table
2011-05-23 19:49:16 ERROR: OS X route delete command failed: external program exited with error status: 77
2011-05-23 19:49:16 /sbin/route delete -net 0.0.0.0 10.22.0.5 0.0.0.0
route: must be root to alter routing table
2011-05-23 19:49:16 ERROR: OS X route delete command failed: external program exited with error status: 77
2011-05-23 19:49:16 /sbin/route add -net 0.0.0.0 192.168.2.1 0.0.0.0
route: must be root to alter routing table
2011-05-23 19:49:16 ERROR: OS X route add command failed: external program exited with error status: 77
2011-05-23 19:49:16 Closing TUN/TAP interface
2011-05-23 19:49:16 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn-down-root.so/PLUGIN_DOWN status=0
2011-05-23 19:49:16 PLUGIN_CLOSE: /Applications/Tunnelblick.app/Contents/Resources/openvpn-down-root.so
2011-05-23 19:49:16 SIGTERM[hard,] received, process exiting
2011-05-23 19:49:16 MANAGEMENT: >STATE:1306172956,EXITING,SIGTERM,,
2011-05-23 19:49:16 *Tunnelblick client.down.tunnelblick.sh: Cancelled monitoring of system configuration changes
2011-05-23 19:49:16 *Tunnelblick client.down.tunnelblick.sh: Restored the DNS and WINS configurations
2011-05-23 19:49:17 *Tunnelblick: Flushed the DNS cache


greetings

jkbull...gmail.com

May 23, 2011, 5:05:10 PM
to tunnelbli...@googlegroups.com
The problem appears to be related to the openvpn-downroot plugin being used. When it is used, OpenVPN can't restore routes when disconnecting, and you get the "ERROR: OS X route add command failed" messages.

You didn't post your configuration file, but I'm guessing that at one time it had "user nobody" and "group nobody". Even after you take those lines out, Tunnelblick 3.1.7 still loads the openvpn-downroot plugin if the preference for it is set. So you should remove the preference, following the directions in https://groups.google.com/forum/#!msg/tunnelblick-discuss/rOpsNIoyOmY/OwQYsP4FDMEJ.

Or you could try Tunnelblick 3.2beta14. It notices that you don't have the "user nobody" and "group nobody", and removes the preference for you.

Tobias Ottenweller

Jun 1, 2011, 5:10:46 AM
to tunnelblick-discuss
Sorry for not posting my configuration file.

I tried the 3.2beta14: the same problem. I also have, and always have had,
'user nobody' and 'group nobody' in my configuration.
Maybe there is a problem somewhere else.

**** CONFIGURATION ****

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote XXX.XXX.XXX.XXX XXX
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC # AES

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20


**** END CONFIGURATION ****

jkbull...gmail.com

Jun 1, 2011, 7:23:27 AM
to tunnelbli...@googlegroups.com
Ah, I see -- you do have user/group commands in the configuration file. I thought you had removed them.

My understanding is that:
  • Even with the down-root plugin, using user nobody/group nobody will cause problems if OpenVPN does routing commands. When down-root is used, it allows the down script to run as root, but OpenVPN continues to run as nobody. Thus OpenVPN cannot restore the routes.
  • The solution is to either remove user nobody/group nobody from the configuration file (and remove the preference), or do the routing in your own, customized up/down script. The standard scripts may be overridden by including "up.tunnelblick.sh" and "down.tunnelblick.sh" scripts in a Tunnelblick VPN Configuration. (The "standard scripts" are the scripts used when you have "Set nameserver" selected.)
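The second option above, doing the route teardown in a down script that the down-root plugin runs as root, as an added example (this is not Tunnelblick's or OpenVPN's own script, nor something either poster wrote). It only covers the routing side: the routes in the log were added by OpenVPN while it still had root, and the only thing that fails after "UID set to nobody" is their removal, so a root-run down script that reverses them is enough. The route_network_N / route_netmask_N / route_gateway_N, route_vpn_gateway, route_net_gateway, trusted_ip and script_type variables are the ones OpenVPN exports to its scripts; the ROUTE_CMD and FAKE_DEFAULT_GW hooks and the sample addresses in the comments are assumptions made for this example so it can be dry-run without root:

```shell
#!/bin/sh
# Added example, not Tunnelblick's or OpenVPN's own script.
# Down script that removes the routes OpenVPN added at connect time. With
# "user nobody" in the config, OpenVPN has already dropped root when it
# disconnects, so its own "route delete" calls fail with "must be root to
# alter routing table"; a script started through openvpn-down-root.so still
# runs as root and can do the teardown instead.
#
# Inputs are the variables OpenVPN exports to its scripts: route_network_N,
# route_netmask_N, route_gateway_N for each pushed "route", plus
# route_vpn_gateway, route_net_gateway, trusted_ip and script_type.
# ROUTE_CMD and FAKE_DEFAULT_GW are hooks added for this example only.

ROUTE_CMD="${ROUTE_CMD:-/sbin/route}"   # set to "echo" for a dry run

# Gateway the system currently uses for its default route. On OS X,
# "route -n get default" prints a "gateway: a.b.c.d" line.
current_default_gateway() {
    if [ -n "${FAKE_DEFAULT_GW:-}" ]; then
        echo "$FAKE_DEFAULT_GW"        # test hook, assumption for this example
        return
    fi
    /sbin/route -n get default 2>/dev/null | awk '/gateway:/ { print $2 }'
}

# Emit, one per line, the route(8) arguments that undo what OpenVPN 2.1 added
# on OS X, in the same order as OpenVPN's own (failing) teardown in the log:
#   1. each pushed network route via the VPN gateway
#   2. only if redirect-gateway is in effect (the default route currently
#      points at the VPN gateway): the host route to the server via the old
#      gateway, the VPN default route, and then the original default route
#      is put back.
# Pure function of the environment, so it can be checked without root.
undo_route_commands() {
    i=1
    while eval "[ -n \"\${route_network_$i:-}\" ]"; do
        eval "net=\$route_network_$i; mask=\$route_netmask_$i; gw=\$route_gateway_$i"
        printf 'delete -net %s %s %s\n' "$net" "$gw" "$mask"
        i=$((i + 1))
    done
    if [ -n "${route_net_gateway:-}" ] && [ -n "${route_vpn_gateway:-}" ] \
       && [ "$(current_default_gateway)" = "$route_vpn_gateway" ]; then
        if [ -n "${trusted_ip:-}" ]; then
            printf 'delete -net %s %s 255.255.255.255\n' "$trusted_ip" "$route_net_gateway"
        fi
        printf 'delete -net 0.0.0.0 %s 0.0.0.0\n' "$route_vpn_gateway"
        printf 'add -net 0.0.0.0 %s 0.0.0.0\n' "$route_net_gateway"
    fi
}

# Run each command. Failures are reported but do not stop the loop, so one
# stale entry cannot leave the default route pointing at a tunnel that no
# longer exists.
undo_routes() {
    undo_route_commands | while read -r args; do
        # shellcheck disable=SC2086  # word splitting of $args is intended
        $ROUTE_CMD $args || echo "route $args failed (exit $?)" >&2
    done
}

# Only act in the "down" phase; OpenVPN sets script_type on every script call.
if [ "${script_type:-}" = "down" ]; then
    undo_routes
fi
```

Two caveats before dropping this into a .tblk as down.tunnelblick.sh: it replaces Tunnelblick's standard down script, which also restores the DNS and WINS settings (the "Restored the DNS and WINS configurations" line in the log), so the routing part above would need to be merged with that logic rather than used alone; and with "user nobody" in place OpenVPN's add-side commands still run as root before the privilege drop, so no up-side counterpart is needed unless the configuration also uses --route-noexec, in which case OpenVPN hands the routes to the scripts and the up script must add them too. Run it once with ROUTE_CMD=echo to see exactly which route commands it would issue before letting it touch the routing table; the argument form mirrors the /sbin/route calls OpenVPN itself made in the log.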