Tunnelblick vs. MacOS Server network accounts
159 views
Skip to first unread message
sergo...@gmail.com
Apr 12, 2018, 8:25:55 AM4/12/18
to tunnelblick-discuss
Hello List,
i think i did not find any info on my issue, otherwise i'd be glad to get redirected.
I am able to establish a OpeNVP connection using the latest tunnelblick 3.7.5a on OSX 10.11.6 and have to different results:
a) using a client local account of a directoy (OD) bound machine, every works perfectly smooth.
b) using a OD-backed account (OSX Server) with a client-local home directory (i.o.w.: homedirectory is on the loca machine), things fail (late).
@ b) It's possible to establish the connection, but as soon as it succeeds, tunnelblick attempts to diconnect, never having reached the state to issue the green "connected" indicator.
At that point, the account is totally frozen, no application can be launched and the machine has to be hard resetted.
The reason is obvious: the sandbox deployed with a network bound directory seems to breag the temporary filesystem Tunneblick expects on local filesystems.
Is that guess correct?
If so: is there anything i can do in terms of disabling the sandbox feature per application, or redirecting Tinnelblick folder structures?
Any hint would be highly appreciated...
i think i did not find any info on my issue, otherwise i'd be glad to get redirected.
I am able to establish a OpeNVP connection using the latest tunnelblick 3.7.5a on OSX 10.11.6 and have to different results:
a) using a client local account of a directoy (OD) bound machine, every works perfectly smooth.
b) using a OD-backed account (OSX Server) with a client-local home directory (i.o.w.: homedirectory is on the loca machine), things fail (late).
@ b) It's possible to establish the connection, but as soon as it succeeds, tunnelblick attempts to diconnect, never having reached the state to issue the green "connected" indicator.
At that point, the account is totally frozen, no application can be launched and the machine has to be hard resetted.
The reason is obvious: the sandbox deployed with a network bound directory seems to breag the temporary filesystem Tunneblick expects on local filesystems.
Is that guess correct?
If so: is there anything i can do in terms of disabling the sandbox feature per application, or redirecting Tinnelblick folder structures?
Any hint would be highly appreciated...
Tunnelblick developer
Apr 12, 2018, 9:33:38 AM4/12/18
to tunnelbli...@googlegroups.com
At that point, the account is totally frozen, no application can be launched and the machine has to be hard resetted."
No process should be able to do that, but since parts of Tunnelblick run as root, I suppose it could be messing something up and causing this, and I can also imagine a situation where Tunnelblick causes the macOS kernel to get stuck in some kind of loop (perhaps involving circular symlinks or something similar) such that the kernel has locked some resource that is needed to launch applications.
Can you launch Activity Monitor before trying this, and then use it to see what's happening to the Tunnelblick process and any processes named "openvpn"?
The reason is obvious: the sandbox deployed with a network bound directory seems to breag the temporary filesystem Tunneblick expects on local filesystems.
Is that guess correct?
Tunnelblick does use /tmp and also the user-specific temporary directory it obtains using NSTemporaryDirectory(), so there could be the problem if either of those folders are in some way restricted.
However, that's not by design and I would be interested in what the restrictions are; perhaps Tunnelblick can work around them.
I'm not sure what you mean by "network-bound directory" and "client-local home directory" mean. Is the user's home directory in effect copied into /Users at login? Or is /Users/USERNAME a symlink to a network resource?
sergo...@gmail.com
Apr 17, 2018, 4:09:02 AM4/17/18
to tunnelblick-discuss
Hello, thank you for your immediate offer to help!
And sorry for my delay, but i first wanted to gather some experiences with the issue, as it turned out to be sort of unpredictable: from time to time all of a sudden the connection successfully gets established.
But most of the time, the connection succeeds briefly, without ever reaching the phase where the message "established" is issued by Tunnelblick, but instead an immediate attempt for disconnection is started by Tunnelblick, which then never succeeds.
At that time unfortunately no other application can be started anymore, and only a hard reset of the machine can clear that stete.
But i was able to catch parts of the Tunnelblick log, i hope it's o.k. to paste it unabbreviated?
The part which may be relevant:
2018-04-17 09:14:04 *Tunnelblick: The 'connected.sh' script failed; 'openvpnstart connected' returned error 173
If present, the TMPDIR environment variable must be set to '/var/folders/zz/zyxvpxvq6csfxvn_n00004d4000139/T/'; it is '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
In terms of the filesystem of an MacOS server bound account:
there are two deployment scenarios:
1) the typical use case is a "roaming home" directory located on the osx-server:
"/Network/Servers/osxserver.thld.sld.tld/Volumes/networkhomedirectories/usershomefolder"
2) the second type is: OD managed account with home direcory local to the machine which the user logs in to.
3) Always present the MacOS sandbox functionality, which seems to pursuit the effort to keep everything in the local folder structure.
penVPN is not responding to requests to disconnect vpnuseraccount.
Tunnelblick will disconnect when OpenVPN starts responding to disconnection requests.
THIS MAY TAKE UP TO TWO MINUTES in certain unusual circumstances.
The connection will be unavailable until it is disconnected.
OpenVPN is not responding to requests to disconnect vpnuseraccount.
Tunnelblick will disconnect when OpenVPN starts responding to disconnection requests.
THIS MAY TAKE UP TO TWO MINUTES in certain unusual circumstances.
The connection will be unavailable until it is disconnected.
*Tunnelblick: OS X 10.11.6; Tunnelblick 3.7.5a (build 5011); prior version 3.7.2 (build 4850)
2018-04-17 09:13:49 *Tunnelblick: Attempting connection with vpnuseraccount using shadow copy; Set nameserver = 1025; monitoring connection
2018-04-17 09:13:49 *Tunnelblick: openvpnstart start vpnuseraccount.tblk 1337 1025 0 1 0 1098032 -ptADGNWradsgnw 2.4.4-openssl-1.0.2o
2018-04-17 09:13:49 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2o/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-SODuseraccount-SLibrary-SApplication Support-STunnelblick-SConfigurations-Svpnuseraccount.tblk-SContents-SResources-Sconfig.ovpn.1025_0_1_0_1098032.1337.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources
--setenv
IV_GUI_VER
"net.tunnelblick.tunnelblick 5011 3.7.5a (build 5011)"
--verb
4
--config
/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources/config.ovpn
--verb
4
--cd
/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources
--management
127.0.0.1
1337
/Library/Application Support/Tunnelblick/mfpjaaclbdfmjhdeglheojaioilfjjjahohhgejp.mip
--management-query-passwords
--management-hold
--script-security
2
--route-up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2018-04-17 09:13:49 *Tunnelblick: Established communication with OpenVPN
2018-04-17 09:13:49 us=383013 Current Parameter Settings:
2018-04-17 09:13:49 us=383208 config = '/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources/config.ovpn'
2018-04-17 09:13:49 us=383223 mode = 0
2018-04-17 09:13:49 us=383236 show_ciphers = DISABLED
2018-04-17 09:13:49 us=383248 show_digests = DISABLED
2018-04-17 09:13:49 us=383261 show_engines = DISABLED
2018-04-17 09:13:49 us=383278 genkey = DISABLED
2018-04-17 09:13:49 us=383291 key_pass_file = '[UNDEF]'
2018-04-17 09:13:49 us=383304 show_tls_ciphers = DISABLED
2018-04-17 09:13:49 us=383319 connect_retry_max = 0
2018-04-17 09:13:49 us=383332 Connection profiles [0]:
2018-04-17 09:13:49 us=383345 proto = udp
2018-04-17 09:13:49 us=383357 local = '[UNDEF]'
2018-04-17 09:13:49 us=383370 local_port = '[UNDEF]'
2018-04-17 09:13:49 us=383382 remote = 'OrganisationCN'
2018-04-17 09:13:49 us=383395 remote_port = '1194'
2018-04-17 09:13:49 us=383407 remote_float = DISABLED
2018-04-17 09:13:49 us=383420 bind_defined = DISABLED
2018-04-17 09:13:49 us=383432 bind_local = DISABLED
2018-04-17 09:13:49 us=383445 bind_ipv6_only = DISABLED
2018-04-17 09:13:49 us=383458 connect_retry_seconds = 5
2018-04-17 09:13:49 us=383470 connect_timeout = 120
2018-04-17 09:13:49 us=383483 xormethod = 0
2018-04-17 09:13:49 us=383496 xormask = ''
2018-04-17 09:13:49 us=383508 xormasklen = 0
2018-04-17 09:13:49 us=383521 socks_proxy_server = '[UNDEF]'
2018-04-17 09:13:49 us=383534 socks_proxy_port = '[UNDEF]'
2018-04-17 09:13:49 us=383547 tun_mtu = 1500
2018-04-17 09:13:49 us=383559 tun_mtu_defined = ENABLED
2018-04-17 09:13:49 us=383572 link_mtu = 1500
2018-04-17 09:13:49 us=383584 link_mtu_defined = DISABLED
2018-04-17 09:13:49 us=383597 tun_mtu_extra = 0
2018-04-17 09:13:49 us=383609 tun_mtu_extra_defined = DISABLED
2018-04-17 09:13:49 us=383622 mtu_discover_type = -1
2018-04-17 09:13:49 us=383634 fragment = 0
2018-04-17 09:13:49 us=383647 mssfix = 1450
2018-04-17 09:13:49 us=383659 explicit_exit_notification = 1
2018-04-17 09:13:49 us=383672 Connection profiles [1]:
2018-04-17 09:13:49 us=383684 proto = tcp-client
2018-04-17 09:13:49 us=383697 local = '[UNDEF]'
2018-04-17 09:13:49 us=383709 local_port = '[UNDEF]'
2018-04-17 09:13:49 us=383722 remote = 'OrganisationCN'
2018-04-17 09:13:49 us=383735 remote_port = '1194'
2018-04-17 09:13:49 us=383747 remote_float = DISABLED
2018-04-17 09:13:49 us=383760 bind_defined = DISABLED
2018-04-17 09:13:49 us=383772 bind_local = DISABLED
2018-04-17 09:13:49 us=383785 bind_ipv6_only = DISABLED
2018-04-17 09:13:49 us=383797 connect_retry_seconds = 5
2018-04-17 09:13:49 us=383810 connect_timeout = 120
2018-04-17 09:13:49 us=383822 xormethod = 0
2018-04-17 09:13:49 us=383834 xormask = ''
2018-04-17 09:13:49 us=383847 xormasklen = 0
2018-04-17 09:13:49 us=383859 socks_proxy_server = '[UNDEF]'
2018-04-17 09:13:49 us=383872 socks_proxy_port = '[UNDEF]'
2018-04-17 09:13:49 us=383884 tun_mtu = 1500
2018-04-17 09:13:49 us=383897 tun_mtu_defined = ENABLED
2018-04-17 09:13:49 us=383909 link_mtu = 1500
2018-04-17 09:13:49 us=383922 link_mtu_defined = DISABLED
2018-04-17 09:13:49 us=383934 tun_mtu_extra = 0
2018-04-17 09:13:49 us=383947 tun_mtu_extra_defined = DISABLED
2018-04-17 09:13:49 us=383959 mtu_discover_type = -1
2018-04-17 09:13:49 us=383972 fragment = 0
2018-04-17 09:13:49 us=383984 mssfix = 1450
2018-04-17 09:13:49 us=383997 explicit_exit_notification = 0
2018-04-17 09:13:49 us=384009 Connection profiles END
2018-04-17 09:13:49 us=384025 remote_random = DISABLED
2018-04-17 09:13:49 us=384088 ipchange = '[UNDEF]'
2018-04-17 09:13:49 us=384144 dev = 'tun'
2018-04-17 09:13:49 us=384170 dev_type = '[UNDEF]'
2018-04-17 09:13:49 us=384184 dev_node = '[UNDEF]'
2018-04-17 09:13:49 us=384201 lladdr = '[UNDEF]'
2018-04-17 09:13:49 us=384214 topology = 1
2018-04-17 09:13:49 us=384228 ifconfig_local = '[UNDEF]'
2018-04-17 09:13:49 us=384243 ifconfig_remote_netmask = '[UNDEF]'
2018-04-17 09:13:49 us=384255 ifconfig_noexec = DISABLED
2018-04-17 09:13:49 us=384268 ifconfig_nowarn = DISABLED
2018-04-17 09:13:49 us=384281 ifconfig_ipv6_local = '[UNDEF]'
2018-04-17 09:13:49 us=384294 ifconfig_ipv6_netbits = 0
2018-04-17 09:13:49 us=384306 ifconfig_ipv6_remote = '[UNDEF]'
2018-04-17 09:13:49 us=384319 shaper = 0
2018-04-17 09:13:49 us=384332 mtu_test = 0
2018-04-17 09:13:49 us=384344 mlock = DISABLED
2018-04-17 09:13:49 us=384357 keepalive_ping = 0
2018-04-17 09:13:49 us=384369 keepalive_timeout = 0
2018-04-17 09:13:49 us=384382 inactivity_timeout = 0
2018-04-17 09:13:49 us=384394 ping_send_timeout = 0
2018-04-17 09:13:49 us=384407 ping_rec_timeout = 0
2018-04-17 09:13:49 us=384420 ping_rec_timeout_action = 0
2018-04-17 09:13:49 us=384432 ping_timer_remote = DISABLED
2018-04-17 09:13:49 us=384447 remap_sigusr1 = 0
2018-04-17 09:13:49 us=384460 persist_tun = ENABLED
2018-04-17 09:13:49 us=384473 persist_local_ip = DISABLED
2018-04-17 09:13:49 us=384486 persist_remote_ip = DISABLED
2018-04-17 09:13:49 us=384498 persist_key = ENABLED
2018-04-17 09:13:49 us=384511 passtos = DISABLED
2018-04-17 09:13:49 us=384524 resolve_retry_seconds = 1000000000
2018-04-17 09:13:49 us=384537 resolve_in_advance = DISABLED
2018-04-17 09:13:49 us=384549 username = '[UNDEF]'
2018-04-17 09:13:49 us=384562 groupname = '[UNDEF]'
2018-04-17 09:13:49 us=384575 chroot_dir = '[UNDEF]'
2018-04-17 09:13:49 us=384588 cd_dir = '/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources'
2018-04-17 09:13:49 us=384601 writepid = '[UNDEF]'
2018-04-17 09:13:49 us=384614 up_script = '[UNDEF]'
2018-04-17 09:13:49 us=384627 down_script = '/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw'
2018-04-17 09:13:49 us=384640 down_pre = DISABLED
2018-04-17 09:13:49 us=384653 up_restart = DISABLED
2018-04-17 09:13:49 us=384665 up_delay = DISABLED
2018-04-17 09:13:49 us=384678 daemon = ENABLED
2018-04-17 09:13:49 us=384691 inetd = 0
2018-04-17 09:13:49 us=384704 log = ENABLED
2018-04-17 09:13:49 us=384717 suppress_timestamps = DISABLED
2018-04-17 09:13:49 us=384730 machine_readable_output = DISABLED
2018-04-17 09:13:49 us=384742 nice = 0
2018-04-17 09:13:49 us=384755 verbosity = 4
2018-04-17 09:13:49 us=384768 mute = 0
2018-04-17 09:13:49 us=384781 status_file = '[UNDEF]'
2018-04-17 09:13:49 us=384794 status_file_version = 1
2018-04-17 09:13:49 us=384807 status_file_update_freq = 60
2018-04-17 09:13:49 us=384819 occ = ENABLED
2018-04-17 09:13:49 us=384832 rcvbuf = 0
2018-04-17 09:13:49 us=384845 sndbuf = 0
2018-04-17 09:13:49 us=384858 sockflags = 0
2018-04-17 09:13:49 us=384871 fast_io = DISABLED
2018-04-17 09:13:49 us=384884 comp.alg = 2
2018-04-17 09:13:49 us=384901 comp.flags = 1
2018-04-17 09:13:49 us=384914 route_script = '/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw'
2018-04-17 09:13:49 us=384928 route_default_gateway = '[UNDEF]'
2018-04-17 09:13:49 us=384941 route_default_metric = 0
2018-04-17 09:13:49 us=384953 route_noexec = DISABLED
2018-04-17 09:13:49 us=384966 route_delay = 0
2018-04-17 09:13:49 us=384979 route_delay_window = 30
2018-04-17 09:13:49 us=384992 route_delay_defined = DISABLED
2018-04-17 09:13:49 us=385005 route_nopull = DISABLED
2018-04-17 09:13:49 us=385028 route_gateway_via_dhcp = DISABLED
2018-04-17 09:13:49 us=385041 allow_pull_fqdn = DISABLED
2018-04-17 09:13:49 us=385054 management_addr = '127.0.0.1'
2018-04-17 09:13:49 us=385068 management_port = '1337'
2018-04-17 09:13:49 us=385082 management_user_pass = '/Library/Application Support/Tunnelblick/mfpjaaclbdfmjhdeglheojaioilfjjjahohhgejp.mip'
2018-04-17 09:13:49 us=385096 management_log_history_cache = 250
2018-04-17 09:13:49 us=385110 management_echo_buffer_size = 100
2018-04-17 09:13:49 us=385123 management_write_peer_info_file = '[UNDEF]'
2018-04-17 09:13:49 us=385137 management_client_user = '[UNDEF]'
2018-04-17 09:13:49 us=385150 management_client_group = '[UNDEF]'
2018-04-17 09:13:49 us=385163 management_flags = 6
2018-04-17 09:13:49 us=385176 shared_secret_file = '[UNDEF]'
2018-04-17 09:13:49 us=385189 key_direction = 2
2018-04-17 09:13:49 us=385202 ciphername = 'AES-256-CBC'
2018-04-17 09:13:49 us=385214 ncp_enabled = ENABLED
2018-04-17 09:13:49 us=385227 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2018-04-17 09:13:49 us=385240 authname = 'SHA256'
2018-04-17 09:13:49 us=385253 prng_hash = 'SHA1'
2018-04-17 09:13:49 us=385266 prng_nonce_secret_len = 16
2018-04-17 09:13:49 us=385279 keysize = 0
2018-04-17 09:13:49 us=385291 engine = DISABLED
2018-04-17 09:13:49 us=385304 replay = ENABLED
2018-04-17 09:13:49 us=385317 mute_replay_warnings = ENABLED
2018-04-17 09:13:49 us=385330 replay_window = 64
2018-04-17 09:13:49 us=385342 replay_time = 15
2018-04-17 09:13:49 us=385355 packet_id_file = '[UNDEF]'
2018-04-17 09:13:49 us=385368 use_iv = ENABLED
2018-04-17 09:13:49 us=385381 test_crypto = DISABLED
2018-04-17 09:13:49 us=385393 tls_server = DISABLED
2018-04-17 09:13:49 us=385406 tls_client = ENABLED
2018-04-17 09:13:49 us=385419 key_method = 2
2018-04-17 09:13:49 us=385432 ca_file = '[[INLINE]]'
2018-04-17 09:13:49 us=385444 ca_path = '[UNDEF]'
2018-04-17 09:13:49 us=385457 dh_file = '[UNDEF]'
2018-04-17 09:13:49 us=385470 cert_file = '[[INLINE]]'
2018-04-17 09:13:49 us=385483 extra_certs_file = '[UNDEF]'
2018-04-17 09:13:49 us=385495 priv_key_file = '[[INLINE]]'
2018-04-17 09:13:49 us=385508 pkcs12_file = '[UNDEF]'
2018-04-17 09:13:49 us=385521 cipher_list = '[UNDEF]'
2018-04-17 09:13:49 us=385534 tls_verify = '[UNDEF]'
2018-04-17 09:13:49 us=385547 tls_export_cert = '[UNDEF]'
2018-04-17 09:13:49 us=385560 verify_x509_type = 1
2018-04-17 09:13:49 us=385573 verify_x509_name = 'C=ISO-CountryCode, ST=CityName, L=CityName, O=Organisation-VPN, OU=IT, CN=OrganisationCN, emailAddress=em...@organisation.org'
2018-04-17 09:13:49 us=385586 crl_file = '[UNDEF]'
2018-04-17 09:13:49 us=385599 ns_cert_type = 1
2018-04-17 09:13:49 us=385612 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385625 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385638 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385651 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385664 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385676 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385689 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385702 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385715 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385728 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385740 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385753 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385766 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385779 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385791 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385804 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385817 remote_cert_eku = 'TLS Web Server Authentication'
2018-04-17 09:13:49 us=385830 ssl_flags = 0
2018-04-17 09:13:49 us=385843 tls_timeout = 2
2018-04-17 09:13:49 us=385868 renegotiate_bytes = -1
2018-04-17 09:13:49 us=385881 renegotiate_packets = 0
2018-04-17 09:13:49 us=385894 renegotiate_seconds = 0
2018-04-17 09:13:49 us=385907 handshake_window = 60
2018-04-17 09:13:49 us=385920 transition_window = 3600
2018-04-17 09:13:49 us=385933 single_session = DISABLED
2018-04-17 09:13:49 us=385946 push_peer_info = DISABLED
2018-04-17 09:13:49 us=385958 tls_exit = DISABLED
2018-04-17 09:13:49 us=385971 tls_auth_file = '[[INLINE]]'
2018-04-17 09:13:49 us=385984 tls_crypt_file = '[UNDEF]'
2018-04-17 09:13:49 us=385997 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386010 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386023 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386036 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386049 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386062 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386075 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386088 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386101 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386113 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386126 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386139 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386152 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386165 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386178 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386191 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386205 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386218 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386231 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386244 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386257 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386270 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386283 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386296 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386309 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386322 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386335 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386348 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386361 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386374 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386387 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386400 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386413 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386426 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386439 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386452 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386465 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386478 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386491 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386504 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386517 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386530 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386542 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386555 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386574 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386587 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386600 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386613 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386635 pkcs11_pin_cache_period = -1
2018-04-17 09:13:49 us=386649 pkcs11_id = '[UNDEF]'
2018-04-17 09:13:49 us=386662 pkcs11_id_management = DISABLED
2018-04-17 09:13:49 us=386680 server_network = 0.0.0.0
2018-04-17 09:13:49 us=386694 server_netmask = 0.0.0.0
2018-04-17 09:13:49 us=386712 server_network_ipv6 = ::
2018-04-17 09:13:49 us=386725 server_netbits_ipv6 = 0
2018-04-17 09:13:49 us=386739 server_bridge_ip = 0.0.0.0
2018-04-17 09:13:49 us=386753 server_bridge_netmask = 0.0.0.0
2018-04-17 09:13:49 us=386767 server_bridge_pool_start = 0.0.0.0
2018-04-17 09:13:49 us=386781 server_bridge_pool_end = 0.0.0.0
2018-04-17 09:13:49 us=386794 ifconfig_pool_defined = DISABLED
2018-04-17 09:13:49 us=386808 ifconfig_pool_start = 0.0.0.0
2018-04-17 09:13:49 us=386822 ifconfig_pool_end = 0.0.0.0
2018-04-17 09:13:49 us=386836 ifconfig_pool_netmask = 0.0.0.0
2018-04-17 09:13:49 us=386849 ifconfig_pool_persist_filename = '[UNDEF]'
2018-04-17 09:13:49 us=386862 ifconfig_pool_persist_refresh_freq = 600
2018-04-17 09:13:49 us=386875 ifconfig_ipv6_pool_defined = DISABLED
2018-04-17 09:13:49 us=386889 ifconfig_ipv6_pool_base = ::
2018-04-17 09:13:49 us=386902 ifconfig_ipv6_pool_netbits = 0
2018-04-17 09:13:49 us=386915 n_bcast_buf = 256
2018-04-17 09:13:49 us=386928 tcp_queue_limit = 64
2018-04-17 09:13:49 us=386941 real_hash_size = 256
2018-04-17 09:13:49 us=386954 virtual_hash_size = 256
2018-04-17 09:13:49 us=386966 client_connect_script = '[UNDEF]'
2018-04-17 09:13:49 us=386979 learn_address_script = '[UNDEF]'
2018-04-17 09:13:49 us=386993 client_disconnect_script = '[UNDEF]'
2018-04-17 09:13:49 us=387006 client_config_dir = '[UNDEF]'
2018-04-17 09:13:49 us=387018 ccd_exclusive = DISABLED
2018-04-17 09:13:49 us=387032 tmp_dir = '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
2018-04-17 09:13:49 us=387045 push_ifconfig_defined = DISABLED
2018-04-17 09:13:49 us=387059 push_ifconfig_local = 0.0.0.0
2018-04-17 09:13:49 us=387073 push_ifconfig_remote_netmask = 0.0.0.0
2018-04-17 09:13:49 us=387086 push_ifconfig_ipv6_defined = DISABLED
2018-04-17 09:13:49 us=387100 push_ifconfig_ipv6_local = ::/0
2018-04-17 09:13:49 us=387113 push_ifconfig_ipv6_remote = ::
2018-04-17 09:13:49 us=387126 enable_c2c = DISABLED
2018-04-17 09:13:49 us=387139 duplicate_cn = DISABLED
2018-04-17 09:13:49 us=387152 cf_max = 0
2018-04-17 09:13:49 us=387164 cf_per = 0
2018-04-17 09:13:49 us=387177 max_clients = 1024
2018-04-17 09:13:49 us=387190 max_routes_per_client = 256
2018-04-17 09:13:49 us=387203 auth_user_pass_verify_script = '[UNDEF]'
2018-04-17 09:13:49 us=387216 auth_user_pass_verify_script_via_file = DISABLED
2018-04-17 09:13:49 us=387229 auth_token_generate = DISABLED
2018-04-17 09:13:49 us=387242 auth_token_lifetime = 0
2018-04-17 09:13:49 us=387255 port_share_host = '[UNDEF]'
2018-04-17 09:13:49 us=387268 port_share_port = '[UNDEF]'
2018-04-17 09:13:49 us=387281 client = ENABLED
2018-04-17 09:13:49 us=387293 pull = ENABLED
2018-04-17 09:13:49 us=387306 auth_user_pass_file = 'stdin'
2018-04-17 09:13:49 us=387322 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Mar 27 2018
2018-04-17 09:13:49 us=387342 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
2018-04-17 09:13:49 us=389904 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2018-04-17 09:13:49 us=390019 Need hold release from management interface, waiting...
2018-04-17 09:13:49 us=726216 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2018-04-17 09:13:49 us=764850 MANAGEMENT: CMD 'pid'
2018-04-17 09:13:49 us=765045 MANAGEMENT: CMD 'state on'
2018-04-17 09:13:49 us=765174 MANAGEMENT: CMD 'state'
2018-04-17 09:13:49 us=765375 MANAGEMENT: CMD 'bytecount 1'
2018-04-17 09:13:49 us=772118 MANAGEMENT: CMD 'hold release'
2018-04-17 09:13:55 us=701072 MANAGEMENT: CMD 'username "Auth" "vpnuseraccount"'
2018-04-17 09:13:55 us=704207 MANAGEMENT: CMD 'password [...]'
2018-04-17 09:13:55 us=705018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2018-04-17 09:13:55 us=705118 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-04-17 09:13:55 us=708053 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-04-17 09:13:55 us=708156 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-04-17 09:13:55 us=708265 LZO compression initializing
2018-04-17 09:13:55 us=708631 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
2018-04-17 09:13:55 us=708779 MANAGEMENT: >STATE:1523949235,RESOLVE,,,,,,
2018-04-17 09:13:56 us=247223 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2018-04-17 09:13:56 us=247479 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2018-04-17 09:13:56 us=247695 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2018-04-17 09:13:56 us=252888 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.Remote.VPN.Server:1194
2018-04-17 09:13:56 us=256263 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-04-17 09:13:56 us=256370 UDP link local: (not bound)
2018-04-17 09:13:56 us=256507 UDP link remote: [AF_INET]IP.Remote.VPN.Server:1194
2018-04-17 09:13:56 us=256800 MANAGEMENT: >STATE:1523949236,WAIT,,,,,,
2018-04-17 09:13:56 us=295711 MANAGEMENT: >STATE:1523949236,AUTH,,,,,,
2018-04-17 09:13:56 us=295869 TLS: Initial packet from [AF_INET]IP.Remote.VPN.Server:1194, sid=7f57b649 b1eab638
2018-04-17 09:13:56 us=296293 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-04-17 09:13:56 us=306567 VERIFY OK: depth=1, C=ISO-CountryCode, ST=CityName, L=CityName, O=Organisation-VPN, OU=IT, CN=Organisation-VPN CA, name=EasyRSA, emailAddress=em...@organisation.org
2018-04-17 09:13:56 us=307739 VERIFY OK: nsCertType=SERVER
2018-04-17 09:13:56 us=307854 Validating certificate extended key usage
2018-04-17 09:13:56 us=309636 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2018-04-17 09:13:56 us=309714 VERIFY EKU OK
2018-04-17 09:13:56 us=309792 VERIFY X509NAME OK: C=ISO-CountryCode, ST=CityName, L=CityName, O=Organisation-VPN, OU=IT, CN=OrganisationCN, emailAddress=em...@organisation.org
2018-04-17 09:13:56 us=309869 VERIFY OK: depth=0, C=ISO-CountryCode, ST=CityName, L=CityName, O=Organisation-VPN, OU=IT, CN=OrganisationCN, emailAddress=em...@organisation.org
2018-04-17 09:13:56 us=506350 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-04-17 09:13:56 us=506578 [OrganisationCN] Peer Connection Initiated with [AF_INET]IP.Remote.VPN.Server:1194
2018-04-17 09:13:57 us=677934 MANAGEMENT: >STATE:1523949237,GET_CONFIG,,,,,,
2018-04-17 09:13:57 us=678251 SENT CONTROL [OrganisationCN]: 'PUSH_REQUEST' (status=1)
2018-04-17 09:13:57 us=683011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS IP.DNS.Remote.Network,dhcp-option DOMAIN organisation.org,sndbuf 393216,rcvbuf 393216,route-gateway 172.29.0.1,topology subnet,ping 10,ping-restart 30,redirect-gateway def1,compress lz4,ifconfig 172.29.18.236 255.255.192.0,peer-id 62,cipher AES-256-GCM'
2018-04-17 09:13:57 us=683275 OPTIONS IMPORT: timers and/or timeouts modified
2018-04-17 09:13:57 us=683373 OPTIONS IMPORT: compression parms modified
2018-04-17 09:13:57 us=683473 LZ4 compression initializing
2018-04-17 09:13:57 us=683581 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2018-04-17 09:13:57 us=683689 Socket Buffers: R=[196724->393216] S=[9216->393216]
2018-04-17 09:13:57 us=683781 OPTIONS IMPORT: --ifconfig/up options modified
2018-04-17 09:13:57 us=683871 OPTIONS IMPORT: route options modified
2018-04-17 09:13:57 us=683962 OPTIONS IMPORT: route-related options modified
2018-04-17 09:13:57 us=684053 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-04-17 09:13:57 us=684144 OPTIONS IMPORT: peer-id set
2018-04-17 09:13:57 us=684236 OPTIONS IMPORT: adjusting link_mtu to 1625
2018-04-17 09:13:57 us=684370 OPTIONS IMPORT: data channel crypto options modified
2018-04-17 09:13:57 us=684504 Data Channel: using negotiated cipher 'AES-256-GCM'
2018-04-17 09:13:57 us=684609 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
2018-04-17 09:13:57 us=684881 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-04-17 09:13:57 us=684982 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-04-17 09:13:57 us=686789 Opened utun device utun0
2018-04-17 09:13:57 us=687224 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-04-17 09:13:57 us=687325 MANAGEMENT: >STATE:1523949237,ASSIGN_IP,,172.29.18.236,,,,
2018-04-17 09:13:57 us=687416 /sbin/ifconfig utun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-04-17 09:13:57 us=737731 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-04-17 09:13:57 us=737939 /sbin/ifconfig utun0 172.29.18.236 172.29.18.236 netmask 255.255.192.0 mtu 1500 up
2018-04-17 09:13:57 us=747104 /sbin/route add -net 172.29.0.0 172.29.18.236 255.255.192.0
add net 172.29.0.0: gateway 172.29.18.236
2018-04-17 09:13:57 us=789176 /sbin/route add -net IP.Remote.VPN.Server 20.40.0.1 255.255.255.255
add net IP.Remote.VPN.Server: gateway 20.40.0.1
2018-04-17 09:13:57 us=798743 /sbin/route add -net 0.0.0.0 172.29.0.1 128.0.0.0
add net 0.0.0.0: gateway 172.29.0.1
2018-04-17 09:13:57 us=808083 /sbin/route add -net 128.0.0.0 172.29.0.1 128.0.0.0
add net 128.0.0.0: gateway 172.29.0.1
**********************************************
Start of output from client.up.tunnelblick.sh
Retrieved from OpenVPN: name server(s) [ IP.DNS.Remote.Network ], domain name [ organisation.org ], search domain(s) [ ], and SMB server(s) [ ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to 'organisation.org' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '20.40.2.100' to 'IP.DNS.Remote.Network'
Changed DNS SearchDomains setting from 'osx.sld.tld sld.tld' to 'organisation.org'
Changed DNS DomainName setting from '' to 'organisation.org'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers 'IP.DNS.Remote.Network' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
2018-04-17 09:14:04 *Tunnelblick: The 'connected.sh' script failed; 'openvpnstart connected' returned error 173
If present, the TMPDIR environment variable must be set to '/var/folders/zz/zyxvpxvq6csfxvn_n00004d4000139/T/'; it is '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
Complete environment = {
"COMMAND_MODE" = unix2003;
HOME = "/Network/Servers/ODServer.tld.sld.tld/Volumes/DATA1/lnah/ODuseraccount";
LOGNAME = ODuseraccount;
PATH = "/usr/bin:/bin:/usr/sbin:/sbin";
SHELL = "/bin/bash";
TMPDIR = "/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/";
USER = ODuseraccount;
"__CF_USER_TEXT_ENCODING" = "0x0:0:0";
}
2018-04-17 09:14:04 *Tunnelblick: Disconnecting because the 'connected.sh' script failed
2018-04-17 09:14:04 *Tunnelblick: The 'pre-disconnect.sh' script failed; 'openvpnstart preDisconnect' returned error 173
If present, the TMPDIR environment variable must be set to '/var/folders/zz/zyxvpxvq6csfxvn_n00004d4000139/T/'; it is '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
Complete environment = {
"COMMAND_MODE" = unix2003;
HOME = "/Network/Servers/ODServer.tld.sld.tld/Volumes/DATA1/lnah/ODuseraccount";
LOGNAME = ODuseraccount;
PATH = "/usr/bin:/bin:/usr/sbin:/sbin";
SHELL = "/bin/bash";
TMPDIR = "/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/";
USER = ODuseraccount;
"__CF_USER_TEXT_ENCODING" = "0x0:0:0";
}
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2018-04-17 09:13:49 *Tunnelblick: openvpnstart starting OpenVPN
2018-04-17 09:14:01 us=815816 Initialization Sequence Completed
2018-04-17 09:14:01 us=815993 MANAGEMENT: >STATE:1523949241,CONNECTED,SUCCESS,172.29.18.236,IP.Remote.VPN.Server,1194,,
2018-04-17 09:14:04 *Tunnelblick: Disconnecting using 'kill'
2018-04-17 09:14:06 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-04-17 09:16:30 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2018-04-17 09:17:00 *Tunnelblick: The 'pre-disconnect.sh' script failed; 'openvpnstart preDisconnect' returned error -1
2018-04-17 09:17:00 *Tunnelblick: Disconnecting using 'kill'
And sorry for my delay, but i first wanted to gather some experiences with the issue, as it turned out to be sort of unpredictable: from time to time all of a sudden the connection successfully gets established.
But most of the time, the connection succeeds briefly, without ever reaching the phase where the message "established" is issued by Tunnelblick, but instead an immediate attempt for disconnection is started by Tunnelblick, which then never succeeds.
At that time unfortunately no other application can be started anymore, and only a hard reset of the machine can clear that stete.
But i was able to catch parts of the Tunnelblick log, i hope it's o.k. to paste it unabbreviated?
The part which may be relevant:
2018-04-17 09:14:04 *Tunnelblick: The 'connected.sh' script failed; 'openvpnstart connected' returned error 173
If present, the TMPDIR environment variable must be set to '/var/folders/zz/zyxvpxvq6csfxvn_n00004d4000139/T/'; it is '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
In terms of the filesystem of an MacOS server bound account:
there are two deployment scenarios:
1) the typical use case is a "roaming home" directory located on the osx-server:
"/Network/Servers/osxserver.thld.sld.tld/Volumes/networkhomedirectories/usershomefolder"
2) the second type is: OD managed account with home direcory local to the machine which the user logs in to.
3) Always present the MacOS sandbox functionality, which seems to pursuit the effort to keep everything in the local folder structure.
May that be an issue, when Tunnelblick usually works perfectly fine for pure local accounts with all the folders on the local system drive?
Here the log capture:
<LOG>
penVPN is not responding to requests to disconnect vpnuseraccount.
Tunnelblick will disconnect when OpenVPN starts responding to disconnection requests.
THIS MAY TAKE UP TO TWO MINUTES in certain unusual circumstances.
The connection will be unavailable until it is disconnected.
OpenVPN is not responding to requests to disconnect vpnuseraccount.
Tunnelblick will disconnect when OpenVPN starts responding to disconnection requests.
THIS MAY TAKE UP TO TWO MINUTES in certain unusual circumstances.
The connection will be unavailable until it is disconnected.
*Tunnelblick: OS X 10.11.6; Tunnelblick 3.7.5a (build 5011); prior version 3.7.2 (build 4850)
2018-04-17 09:13:49 *Tunnelblick: Attempting connection with vpnuseraccount using shadow copy; Set nameserver = 1025; monitoring connection
2018-04-17 09:13:49 *Tunnelblick: openvpnstart start vpnuseraccount.tblk 1337 1025 0 1 0 1098032 -ptADGNWradsgnw 2.4.4-openssl-1.0.2o
2018-04-17 09:13:49 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2o/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-SODuseraccount-SLibrary-SApplication Support-STunnelblick-SConfigurations-Svpnuseraccount.tblk-SContents-SResources-Sconfig.ovpn.1025_0_1_0_1098032.1337.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources
--setenv
IV_GUI_VER
"net.tunnelblick.tunnelblick 5011 3.7.5a (build 5011)"
--verb
4
--config
/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources/config.ovpn
--verb
4
--cd
/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources
--management
127.0.0.1
1337
/Library/Application Support/Tunnelblick/mfpjaaclbdfmjhdeglheojaioilfjjjahohhgejp.mip
--management-query-passwords
--management-hold
--script-security
2
--route-up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2018-04-17 09:13:49 *Tunnelblick: Established communication with OpenVPN
2018-04-17 09:13:49 us=383013 Current Parameter Settings:
2018-04-17 09:13:49 us=383208 config = '/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources/config.ovpn'
2018-04-17 09:13:49 us=383223 mode = 0
2018-04-17 09:13:49 us=383236 show_ciphers = DISABLED
2018-04-17 09:13:49 us=383248 show_digests = DISABLED
2018-04-17 09:13:49 us=383261 show_engines = DISABLED
2018-04-17 09:13:49 us=383278 genkey = DISABLED
2018-04-17 09:13:49 us=383291 key_pass_file = '[UNDEF]'
2018-04-17 09:13:49 us=383304 show_tls_ciphers = DISABLED
2018-04-17 09:13:49 us=383319 connect_retry_max = 0
2018-04-17 09:13:49 us=383332 Connection profiles [0]:
2018-04-17 09:13:49 us=383345 proto = udp
2018-04-17 09:13:49 us=383357 local = '[UNDEF]'
2018-04-17 09:13:49 us=383370 local_port = '[UNDEF]'
2018-04-17 09:13:49 us=383382 remote = 'OrganisationCN'
2018-04-17 09:13:49 us=383395 remote_port = '1194'
2018-04-17 09:13:49 us=383407 remote_float = DISABLED
2018-04-17 09:13:49 us=383420 bind_defined = DISABLED
2018-04-17 09:13:49 us=383432 bind_local = DISABLED
2018-04-17 09:13:49 us=383445 bind_ipv6_only = DISABLED
2018-04-17 09:13:49 us=383458 connect_retry_seconds = 5
2018-04-17 09:13:49 us=383470 connect_timeout = 120
2018-04-17 09:13:49 us=383483 xormethod = 0
2018-04-17 09:13:49 us=383496 xormask = ''
2018-04-17 09:13:49 us=383508 xormasklen = 0
2018-04-17 09:13:49 us=383521 socks_proxy_server = '[UNDEF]'
2018-04-17 09:13:49 us=383534 socks_proxy_port = '[UNDEF]'
2018-04-17 09:13:49 us=383547 tun_mtu = 1500
2018-04-17 09:13:49 us=383559 tun_mtu_defined = ENABLED
2018-04-17 09:13:49 us=383572 link_mtu = 1500
2018-04-17 09:13:49 us=383584 link_mtu_defined = DISABLED
2018-04-17 09:13:49 us=383597 tun_mtu_extra = 0
2018-04-17 09:13:49 us=383609 tun_mtu_extra_defined = DISABLED
2018-04-17 09:13:49 us=383622 mtu_discover_type = -1
2018-04-17 09:13:49 us=383634 fragment = 0
2018-04-17 09:13:49 us=383647 mssfix = 1450
2018-04-17 09:13:49 us=383659 explicit_exit_notification = 1
2018-04-17 09:13:49 us=383672 Connection profiles [1]:
2018-04-17 09:13:49 us=383684 proto = tcp-client
2018-04-17 09:13:49 us=383697 local = '[UNDEF]'
2018-04-17 09:13:49 us=383709 local_port = '[UNDEF]'
2018-04-17 09:13:49 us=383722 remote = 'OrganisationCN'
2018-04-17 09:13:49 us=383735 remote_port = '1194'
2018-04-17 09:13:49 us=383747 remote_float = DISABLED
2018-04-17 09:13:49 us=383760 bind_defined = DISABLED
2018-04-17 09:13:49 us=383772 bind_local = DISABLED
2018-04-17 09:13:49 us=383785 bind_ipv6_only = DISABLED
2018-04-17 09:13:49 us=383797 connect_retry_seconds = 5
2018-04-17 09:13:49 us=383810 connect_timeout = 120
2018-04-17 09:13:49 us=383822 xormethod = 0
2018-04-17 09:13:49 us=383834 xormask = ''
2018-04-17 09:13:49 us=383847 xormasklen = 0
2018-04-17 09:13:49 us=383859 socks_proxy_server = '[UNDEF]'
2018-04-17 09:13:49 us=383872 socks_proxy_port = '[UNDEF]'
2018-04-17 09:13:49 us=383884 tun_mtu = 1500
2018-04-17 09:13:49 us=383897 tun_mtu_defined = ENABLED
2018-04-17 09:13:49 us=383909 link_mtu = 1500
2018-04-17 09:13:49 us=383922 link_mtu_defined = DISABLED
2018-04-17 09:13:49 us=383934 tun_mtu_extra = 0
2018-04-17 09:13:49 us=383947 tun_mtu_extra_defined = DISABLED
2018-04-17 09:13:49 us=383959 mtu_discover_type = -1
2018-04-17 09:13:49 us=383972 fragment = 0
2018-04-17 09:13:49 us=383984 mssfix = 1450
2018-04-17 09:13:49 us=383997 explicit_exit_notification = 0
2018-04-17 09:13:49 us=384009 Connection profiles END
2018-04-17 09:13:49 us=384025 remote_random = DISABLED
2018-04-17 09:13:49 us=384088 ipchange = '[UNDEF]'
2018-04-17 09:13:49 us=384144 dev = 'tun'
2018-04-17 09:13:49 us=384170 dev_type = '[UNDEF]'
2018-04-17 09:13:49 us=384184 dev_node = '[UNDEF]'
2018-04-17 09:13:49 us=384201 lladdr = '[UNDEF]'
2018-04-17 09:13:49 us=384214 topology = 1
2018-04-17 09:13:49 us=384228 ifconfig_local = '[UNDEF]'
2018-04-17 09:13:49 us=384243 ifconfig_remote_netmask = '[UNDEF]'
2018-04-17 09:13:49 us=384255 ifconfig_noexec = DISABLED
2018-04-17 09:13:49 us=384268 ifconfig_nowarn = DISABLED
2018-04-17 09:13:49 us=384281 ifconfig_ipv6_local = '[UNDEF]'
2018-04-17 09:13:49 us=384294 ifconfig_ipv6_netbits = 0
2018-04-17 09:13:49 us=384306 ifconfig_ipv6_remote = '[UNDEF]'
2018-04-17 09:13:49 us=384319 shaper = 0
2018-04-17 09:13:49 us=384332 mtu_test = 0
2018-04-17 09:13:49 us=384344 mlock = DISABLED
2018-04-17 09:13:49 us=384357 keepalive_ping = 0
2018-04-17 09:13:49 us=384369 keepalive_timeout = 0
2018-04-17 09:13:49 us=384382 inactivity_timeout = 0
2018-04-17 09:13:49 us=384394 ping_send_timeout = 0
2018-04-17 09:13:49 us=384407 ping_rec_timeout = 0
2018-04-17 09:13:49 us=384420 ping_rec_timeout_action = 0
2018-04-17 09:13:49 us=384432 ping_timer_remote = DISABLED
2018-04-17 09:13:49 us=384447 remap_sigusr1 = 0
2018-04-17 09:13:49 us=384460 persist_tun = ENABLED
2018-04-17 09:13:49 us=384473 persist_local_ip = DISABLED
2018-04-17 09:13:49 us=384486 persist_remote_ip = DISABLED
2018-04-17 09:13:49 us=384498 persist_key = ENABLED
2018-04-17 09:13:49 us=384511 passtos = DISABLED
2018-04-17 09:13:49 us=384524 resolve_retry_seconds = 1000000000
2018-04-17 09:13:49 us=384537 resolve_in_advance = DISABLED
2018-04-17 09:13:49 us=384549 username = '[UNDEF]'
2018-04-17 09:13:49 us=384562 groupname = '[UNDEF]'
2018-04-17 09:13:49 us=384575 chroot_dir = '[UNDEF]'
2018-04-17 09:13:49 us=384588 cd_dir = '/Library/Application Support/Tunnelblick/Users/ODuseraccount/vpnuseraccount.tblk/Contents/Resources'
2018-04-17 09:13:49 us=384601 writepid = '[UNDEF]'
2018-04-17 09:13:49 us=384614 up_script = '[UNDEF]'
2018-04-17 09:13:49 us=384627 down_script = '/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw'
2018-04-17 09:13:49 us=384640 down_pre = DISABLED
2018-04-17 09:13:49 us=384653 up_restart = DISABLED
2018-04-17 09:13:49 us=384665 up_delay = DISABLED
2018-04-17 09:13:49 us=384678 daemon = ENABLED
2018-04-17 09:13:49 us=384691 inetd = 0
2018-04-17 09:13:49 us=384704 log = ENABLED
2018-04-17 09:13:49 us=384717 suppress_timestamps = DISABLED
2018-04-17 09:13:49 us=384730 machine_readable_output = DISABLED
2018-04-17 09:13:49 us=384742 nice = 0
2018-04-17 09:13:49 us=384755 verbosity = 4
2018-04-17 09:13:49 us=384768 mute = 0
2018-04-17 09:13:49 us=384781 status_file = '[UNDEF]'
2018-04-17 09:13:49 us=384794 status_file_version = 1
2018-04-17 09:13:49 us=384807 status_file_update_freq = 60
2018-04-17 09:13:49 us=384819 occ = ENABLED
2018-04-17 09:13:49 us=384832 rcvbuf = 0
2018-04-17 09:13:49 us=384845 sndbuf = 0
2018-04-17 09:13:49 us=384858 sockflags = 0
2018-04-17 09:13:49 us=384871 fast_io = DISABLED
2018-04-17 09:13:49 us=384884 comp.alg = 2
2018-04-17 09:13:49 us=384901 comp.flags = 1
2018-04-17 09:13:49 us=384914 route_script = '/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw'
2018-04-17 09:13:49 us=384928 route_default_gateway = '[UNDEF]'
2018-04-17 09:13:49 us=384941 route_default_metric = 0
2018-04-17 09:13:49 us=384953 route_noexec = DISABLED
2018-04-17 09:13:49 us=384966 route_delay = 0
2018-04-17 09:13:49 us=384979 route_delay_window = 30
2018-04-17 09:13:49 us=384992 route_delay_defined = DISABLED
2018-04-17 09:13:49 us=385005 route_nopull = DISABLED
2018-04-17 09:13:49 us=385028 route_gateway_via_dhcp = DISABLED
2018-04-17 09:13:49 us=385041 allow_pull_fqdn = DISABLED
2018-04-17 09:13:49 us=385054 management_addr = '127.0.0.1'
2018-04-17 09:13:49 us=385068 management_port = '1337'
2018-04-17 09:13:49 us=385082 management_user_pass = '/Library/Application Support/Tunnelblick/mfpjaaclbdfmjhdeglheojaioilfjjjahohhgejp.mip'
2018-04-17 09:13:49 us=385096 management_log_history_cache = 250
2018-04-17 09:13:49 us=385110 management_echo_buffer_size = 100
2018-04-17 09:13:49 us=385123 management_write_peer_info_file = '[UNDEF]'
2018-04-17 09:13:49 us=385137 management_client_user = '[UNDEF]'
2018-04-17 09:13:49 us=385150 management_client_group = '[UNDEF]'
2018-04-17 09:13:49 us=385163 management_flags = 6
2018-04-17 09:13:49 us=385176 shared_secret_file = '[UNDEF]'
2018-04-17 09:13:49 us=385189 key_direction = 2
2018-04-17 09:13:49 us=385202 ciphername = 'AES-256-CBC'
2018-04-17 09:13:49 us=385214 ncp_enabled = ENABLED
2018-04-17 09:13:49 us=385227 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2018-04-17 09:13:49 us=385240 authname = 'SHA256'
2018-04-17 09:13:49 us=385253 prng_hash = 'SHA1'
2018-04-17 09:13:49 us=385266 prng_nonce_secret_len = 16
2018-04-17 09:13:49 us=385279 keysize = 0
2018-04-17 09:13:49 us=385291 engine = DISABLED
2018-04-17 09:13:49 us=385304 replay = ENABLED
2018-04-17 09:13:49 us=385317 mute_replay_warnings = ENABLED
2018-04-17 09:13:49 us=385330 replay_window = 64
2018-04-17 09:13:49 us=385342 replay_time = 15
2018-04-17 09:13:49 us=385355 packet_id_file = '[UNDEF]'
2018-04-17 09:13:49 us=385368 use_iv = ENABLED
2018-04-17 09:13:49 us=385381 test_crypto = DISABLED
2018-04-17 09:13:49 us=385393 tls_server = DISABLED
2018-04-17 09:13:49 us=385406 tls_client = ENABLED
2018-04-17 09:13:49 us=385419 key_method = 2
2018-04-17 09:13:49 us=385432 ca_file = '[[INLINE]]'
2018-04-17 09:13:49 us=385444 ca_path = '[UNDEF]'
2018-04-17 09:13:49 us=385457 dh_file = '[UNDEF]'
2018-04-17 09:13:49 us=385470 cert_file = '[[INLINE]]'
2018-04-17 09:13:49 us=385483 extra_certs_file = '[UNDEF]'
2018-04-17 09:13:49 us=385495 priv_key_file = '[[INLINE]]'
2018-04-17 09:13:49 us=385508 pkcs12_file = '[UNDEF]'
2018-04-17 09:13:49 us=385521 cipher_list = '[UNDEF]'
2018-04-17 09:13:49 us=385534 tls_verify = '[UNDEF]'
2018-04-17 09:13:49 us=385547 tls_export_cert = '[UNDEF]'
2018-04-17 09:13:49 us=385560 verify_x509_type = 1
2018-04-17 09:13:49 us=385573 verify_x509_name = 'C=ISO-CountryCode, ST=CityName, L=CityName, O=Organisation-VPN, OU=IT, CN=OrganisationCN, emailAddress=em...@organisation.org'
2018-04-17 09:13:49 us=385586 crl_file = '[UNDEF]'
2018-04-17 09:13:49 us=385599 ns_cert_type = 1
2018-04-17 09:13:49 us=385612 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385625 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385638 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385651 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385664 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385676 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385689 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385702 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385715 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385728 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385740 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385753 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385766 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385779 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385791 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385804 remote_cert_ku[i] = 0
2018-04-17 09:13:49 us=385817 remote_cert_eku = 'TLS Web Server Authentication'
2018-04-17 09:13:49 us=385830 ssl_flags = 0
2018-04-17 09:13:49 us=385843 tls_timeout = 2
2018-04-17 09:13:49 us=385868 renegotiate_bytes = -1
2018-04-17 09:13:49 us=385881 renegotiate_packets = 0
2018-04-17 09:13:49 us=385894 renegotiate_seconds = 0
2018-04-17 09:13:49 us=385907 handshake_window = 60
2018-04-17 09:13:49 us=385920 transition_window = 3600
2018-04-17 09:13:49 us=385933 single_session = DISABLED
2018-04-17 09:13:49 us=385946 push_peer_info = DISABLED
2018-04-17 09:13:49 us=385958 tls_exit = DISABLED
2018-04-17 09:13:49 us=385971 tls_auth_file = '[[INLINE]]'
2018-04-17 09:13:49 us=385984 tls_crypt_file = '[UNDEF]'
2018-04-17 09:13:49 us=385997 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386010 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386023 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386036 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386049 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386062 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386075 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386088 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386101 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386113 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386126 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386139 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386152 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386165 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386178 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386191 pkcs11_protected_authentication = DISABLED
2018-04-17 09:13:49 us=386205 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386218 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386231 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386244 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386257 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386270 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386283 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386296 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386309 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386322 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386335 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386348 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386361 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386374 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386387 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386400 pkcs11_private_mode = 00000000
2018-04-17 09:13:49 us=386413 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386426 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386439 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386452 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386465 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386478 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386491 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386504 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386517 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386530 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386542 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386555 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386574 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386587 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386600 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386613 pkcs11_cert_private = DISABLED
2018-04-17 09:13:49 us=386635 pkcs11_pin_cache_period = -1
2018-04-17 09:13:49 us=386649 pkcs11_id = '[UNDEF]'
2018-04-17 09:13:49 us=386662 pkcs11_id_management = DISABLED
2018-04-17 09:13:49 us=386680 server_network = 0.0.0.0
2018-04-17 09:13:49 us=386694 server_netmask = 0.0.0.0
2018-04-17 09:13:49 us=386712 server_network_ipv6 = ::
2018-04-17 09:13:49 us=386725 server_netbits_ipv6 = 0
2018-04-17 09:13:49 us=386739 server_bridge_ip = 0.0.0.0
2018-04-17 09:13:49 us=386753 server_bridge_netmask = 0.0.0.0
2018-04-17 09:13:49 us=386767 server_bridge_pool_start = 0.0.0.0
2018-04-17 09:13:49 us=386781 server_bridge_pool_end = 0.0.0.0
2018-04-17 09:13:49 us=386794 ifconfig_pool_defined = DISABLED
2018-04-17 09:13:49 us=386808 ifconfig_pool_start = 0.0.0.0
2018-04-17 09:13:49 us=386822 ifconfig_pool_end = 0.0.0.0
2018-04-17 09:13:49 us=386836 ifconfig_pool_netmask = 0.0.0.0
2018-04-17 09:13:49 us=386849 ifconfig_pool_persist_filename = '[UNDEF]'
2018-04-17 09:13:49 us=386862 ifconfig_pool_persist_refresh_freq = 600
2018-04-17 09:13:49 us=386875 ifconfig_ipv6_pool_defined = DISABLED
2018-04-17 09:13:49 us=386889 ifconfig_ipv6_pool_base = ::
2018-04-17 09:13:49 us=386902 ifconfig_ipv6_pool_netbits = 0
2018-04-17 09:13:49 us=386915 n_bcast_buf = 256
2018-04-17 09:13:49 us=386928 tcp_queue_limit = 64
2018-04-17 09:13:49 us=386941 real_hash_size = 256
2018-04-17 09:13:49 us=386954 virtual_hash_size = 256
2018-04-17 09:13:49 us=386966 client_connect_script = '[UNDEF]'
2018-04-17 09:13:49 us=386979 learn_address_script = '[UNDEF]'
2018-04-17 09:13:49 us=386993 client_disconnect_script = '[UNDEF]'
2018-04-17 09:13:49 us=387006 client_config_dir = '[UNDEF]'
2018-04-17 09:13:49 us=387018 ccd_exclusive = DISABLED
2018-04-17 09:13:49 us=387032 tmp_dir = '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
2018-04-17 09:13:49 us=387045 push_ifconfig_defined = DISABLED
2018-04-17 09:13:49 us=387059 push_ifconfig_local = 0.0.0.0
2018-04-17 09:13:49 us=387073 push_ifconfig_remote_netmask = 0.0.0.0
2018-04-17 09:13:49 us=387086 push_ifconfig_ipv6_defined = DISABLED
2018-04-17 09:13:49 us=387100 push_ifconfig_ipv6_local = ::/0
2018-04-17 09:13:49 us=387113 push_ifconfig_ipv6_remote = ::
2018-04-17 09:13:49 us=387126 enable_c2c = DISABLED
2018-04-17 09:13:49 us=387139 duplicate_cn = DISABLED
2018-04-17 09:13:49 us=387152 cf_max = 0
2018-04-17 09:13:49 us=387164 cf_per = 0
2018-04-17 09:13:49 us=387177 max_clients = 1024
2018-04-17 09:13:49 us=387190 max_routes_per_client = 256
2018-04-17 09:13:49 us=387203 auth_user_pass_verify_script = '[UNDEF]'
2018-04-17 09:13:49 us=387216 auth_user_pass_verify_script_via_file = DISABLED
2018-04-17 09:13:49 us=387229 auth_token_generate = DISABLED
2018-04-17 09:13:49 us=387242 auth_token_lifetime = 0
2018-04-17 09:13:49 us=387255 port_share_host = '[UNDEF]'
2018-04-17 09:13:49 us=387268 port_share_port = '[UNDEF]'
2018-04-17 09:13:49 us=387281 client = ENABLED
2018-04-17 09:13:49 us=387293 pull = ENABLED
2018-04-17 09:13:49 us=387306 auth_user_pass_file = 'stdin'
2018-04-17 09:13:49 us=387322 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Mar 27 2018
2018-04-17 09:13:49 us=387342 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
2018-04-17 09:13:49 us=389904 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2018-04-17 09:13:49 us=390019 Need hold release from management interface, waiting...
2018-04-17 09:13:49 us=726216 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2018-04-17 09:13:49 us=764850 MANAGEMENT: CMD 'pid'
2018-04-17 09:13:49 us=765045 MANAGEMENT: CMD 'state on'
2018-04-17 09:13:49 us=765174 MANAGEMENT: CMD 'state'
2018-04-17 09:13:49 us=765375 MANAGEMENT: CMD 'bytecount 1'
2018-04-17 09:13:49 us=772118 MANAGEMENT: CMD 'hold release'
2018-04-17 09:13:55 us=701072 MANAGEMENT: CMD 'username "Auth" "vpnuseraccount"'
2018-04-17 09:13:55 us=704207 MANAGEMENT: CMD 'password [...]'
2018-04-17 09:13:55 us=705018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2018-04-17 09:13:55 us=705118 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-04-17 09:13:55 us=708053 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-04-17 09:13:55 us=708156 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-04-17 09:13:55 us=708265 LZO compression initializing
2018-04-17 09:13:55 us=708631 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
2018-04-17 09:13:55 us=708779 MANAGEMENT: >STATE:1523949235,RESOLVE,,,,,,
2018-04-17 09:13:56 us=247223 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2018-04-17 09:13:56 us=247479 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2018-04-17 09:13:56 us=247695 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2018-04-17 09:13:56 us=252888 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.Remote.VPN.Server:1194
2018-04-17 09:13:56 us=256263 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-04-17 09:13:56 us=256370 UDP link local: (not bound)
2018-04-17 09:13:56 us=256507 UDP link remote: [AF_INET]IP.Remote.VPN.Server:1194
2018-04-17 09:13:56 us=256800 MANAGEMENT: >STATE:1523949236,WAIT,,,,,,
2018-04-17 09:13:56 us=295711 MANAGEMENT: >STATE:1523949236,AUTH,,,,,,
2018-04-17 09:13:56 us=295869 TLS: Initial packet from [AF_INET]IP.Remote.VPN.Server:1194, sid=7f57b649 b1eab638
2018-04-17 09:13:56 us=296293 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-04-17 09:13:56 us=306567 VERIFY OK: depth=1, C=ISO-CountryCode, ST=CityName, L=CityName, O=Organisation-VPN, OU=IT, CN=Organisation-VPN CA, name=EasyRSA, emailAddress=em...@organisation.org
2018-04-17 09:13:56 us=307739 VERIFY OK: nsCertType=SERVER
2018-04-17 09:13:56 us=307854 Validating certificate extended key usage
2018-04-17 09:13:56 us=309636 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2018-04-17 09:13:56 us=309714 VERIFY EKU OK
2018-04-17 09:13:56 us=309792 VERIFY X509NAME OK: C=ISO-CountryCode, ST=CityName, L=CityName, O=Organisation-VPN, OU=IT, CN=OrganisationCN, emailAddress=em...@organisation.org
2018-04-17 09:13:56 us=309869 VERIFY OK: depth=0, C=ISO-CountryCode, ST=CityName, L=CityName, O=Organisation-VPN, OU=IT, CN=OrganisationCN, emailAddress=em...@organisation.org
2018-04-17 09:13:56 us=506350 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-04-17 09:13:56 us=506578 [OrganisationCN] Peer Connection Initiated with [AF_INET]IP.Remote.VPN.Server:1194
2018-04-17 09:13:57 us=677934 MANAGEMENT: >STATE:1523949237,GET_CONFIG,,,,,,
2018-04-17 09:13:57 us=678251 SENT CONTROL [OrganisationCN]: 'PUSH_REQUEST' (status=1)
2018-04-17 09:13:57 us=683011 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS IP.DNS.Remote.Network,dhcp-option DOMAIN organisation.org,sndbuf 393216,rcvbuf 393216,route-gateway 172.29.0.1,topology subnet,ping 10,ping-restart 30,redirect-gateway def1,compress lz4,ifconfig 172.29.18.236 255.255.192.0,peer-id 62,cipher AES-256-GCM'
2018-04-17 09:13:57 us=683275 OPTIONS IMPORT: timers and/or timeouts modified
2018-04-17 09:13:57 us=683373 OPTIONS IMPORT: compression parms modified
2018-04-17 09:13:57 us=683473 LZ4 compression initializing
2018-04-17 09:13:57 us=683581 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2018-04-17 09:13:57 us=683689 Socket Buffers: R=[196724->393216] S=[9216->393216]
2018-04-17 09:13:57 us=683781 OPTIONS IMPORT: --ifconfig/up options modified
2018-04-17 09:13:57 us=683871 OPTIONS IMPORT: route options modified
2018-04-17 09:13:57 us=683962 OPTIONS IMPORT: route-related options modified
2018-04-17 09:13:57 us=684053 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-04-17 09:13:57 us=684144 OPTIONS IMPORT: peer-id set
2018-04-17 09:13:57 us=684236 OPTIONS IMPORT: adjusting link_mtu to 1625
2018-04-17 09:13:57 us=684370 OPTIONS IMPORT: data channel crypto options modified
2018-04-17 09:13:57 us=684504 Data Channel: using negotiated cipher 'AES-256-GCM'
2018-04-17 09:13:57 us=684609 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
2018-04-17 09:13:57 us=684881 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-04-17 09:13:57 us=684982 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-04-17 09:13:57 us=686789 Opened utun device utun0
2018-04-17 09:13:57 us=687224 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-04-17 09:13:57 us=687325 MANAGEMENT: >STATE:1523949237,ASSIGN_IP,,172.29.18.236,,,,
2018-04-17 09:13:57 us=687416 /sbin/ifconfig utun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-04-17 09:13:57 us=737731 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-04-17 09:13:57 us=737939 /sbin/ifconfig utun0 172.29.18.236 172.29.18.236 netmask 255.255.192.0 mtu 1500 up
2018-04-17 09:13:57 us=747104 /sbin/route add -net 172.29.0.0 172.29.18.236 255.255.192.0
add net 172.29.0.0: gateway 172.29.18.236
2018-04-17 09:13:57 us=789176 /sbin/route add -net IP.Remote.VPN.Server 20.40.0.1 255.255.255.255
add net IP.Remote.VPN.Server: gateway 20.40.0.1
2018-04-17 09:13:57 us=798743 /sbin/route add -net 0.0.0.0 172.29.0.1 128.0.0.0
add net 0.0.0.0: gateway 172.29.0.1
2018-04-17 09:13:57 us=808083 /sbin/route add -net 128.0.0.0 172.29.0.1 128.0.0.0
add net 128.0.0.0: gateway 172.29.0.1
**********************************************
Start of output from client.up.tunnelblick.sh
Retrieved from OpenVPN: name server(s) [ IP.DNS.Remote.Network ], domain name [ organisation.org ], search domain(s) [ ], and SMB server(s) [ ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to 'organisation.org' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '20.40.2.100' to 'IP.DNS.Remote.Network'
Changed DNS SearchDomains setting from 'osx.sld.tld sld.tld' to 'organisation.org'
Changed DNS DomainName setting from '' to 'organisation.org'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers 'IP.DNS.Remote.Network' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
2018-04-17 09:14:04 *Tunnelblick: The 'connected.sh' script failed; 'openvpnstart connected' returned error 173
If present, the TMPDIR environment variable must be set to '/var/folders/zz/zyxvpxvq6csfxvn_n00004d4000139/T/'; it is '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
Complete environment = {
"COMMAND_MODE" = unix2003;
HOME = "/Network/Servers/ODServer.tld.sld.tld/Volumes/DATA1/lnah/ODuseraccount";
LOGNAME = ODuseraccount;
PATH = "/usr/bin:/bin:/usr/sbin:/sbin";
SHELL = "/bin/bash";
TMPDIR = "/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/";
USER = ODuseraccount;
"__CF_USER_TEXT_ENCODING" = "0x0:0:0";
}
2018-04-17 09:14:04 *Tunnelblick: Disconnecting because the 'connected.sh' script failed
2018-04-17 09:14:04 *Tunnelblick: The 'pre-disconnect.sh' script failed; 'openvpnstart preDisconnect' returned error 173
If present, the TMPDIR environment variable must be set to '/var/folders/zz/zyxvpxvq6csfxvn_n00004d4000139/T/'; it is '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
Complete environment = {
"COMMAND_MODE" = unix2003;
HOME = "/Network/Servers/ODServer.tld.sld.tld/Volumes/DATA1/lnah/ODuseraccount";
LOGNAME = ODuseraccount;
PATH = "/usr/bin:/bin:/usr/sbin:/sbin";
SHELL = "/bin/bash";
TMPDIR = "/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/";
USER = ODuseraccount;
"__CF_USER_TEXT_ENCODING" = "0x0:0:0";
}
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2018-04-17 09:13:49 *Tunnelblick: openvpnstart starting OpenVPN
2018-04-17 09:14:01 us=815816 Initialization Sequence Completed
2018-04-17 09:14:01 us=815993 MANAGEMENT: >STATE:1523949241,CONNECTED,SUCCESS,172.29.18.236,IP.Remote.VPN.Server,1194,,
2018-04-17 09:14:04 *Tunnelblick: Disconnecting using 'kill'
2018-04-17 09:14:06 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-04-17 09:16:30 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2018-04-17 09:17:00 *Tunnelblick: The 'pre-disconnect.sh' script failed; 'openvpnstart preDisconnect' returned error -1
2018-04-17 09:17:00 *Tunnelblick: Disconnecting using 'kill'
</LOG>
Tunnelblick developer
Apr 17, 2018, 6:38:46 AM4/17/18
to tunnelblick-discuss
Thanks for all the info. The immediate cause of the problem does have to do with temporary directories. Although I don't know anything about the "sandboxing" feature you mention, that does seem a likely cause.
This log entry:
The 'connected.sh' script failed; 'openvpnstart connected' returned error 173
If present, the TMPDIR environment variable must be set to '/var/folders/zz/zyxvpxvq6csfxvn_n00004d4000139/T/'; it is '/var/folders/74/lpr9wq057pq9bm3tt61kvz60000139/T/'
shows what is causing Tunnelblick to try to restart the connection. Tunnelblick runs the "connected.sh" script that is in your configuration as root. For security reasons, Tunnelblick checks that the TMPDIR environment variable that it will start a script with points to the place that it expects it to: the place that the NSTemporaryDirectory() system call returns. The two locations are different, so Tunnelblick thinks something odd (maybe some kind of attack) is going on, so it tries to disconnect the VPN. (Tunnelblick itself doesn't use the TMPDIR variable, so it isn't a security issue for Tunnelblick itself – it's trying to prevent a security issue with the script). The timing of this is consistent with your description that the problem happens late in the process of connection.
So I think that explains what triggers the disconnect attempt. However, the same thing happens when the "pre-disconnect.sh" script is run, so Tunnelblick can't disconnect, either!
I don't know anything about the "sandboxing" but from the name and the above situation with temporary directories, I gather that the sandboxing involves isolating processes from each other, and I can imagine that that might involve giving different processes different temporary directories (so they can't snoop on or modify other processes' data held in temporary directories).
One solution might be to change Tunnelblick's response to the mismatch of temporary directories. Instead of disconnecting, perhaps Tunnelblick could just change the value of the TMPDIR environment variable for the script to the value returned by NSTemporaryDirectory(). I want to consider that more fully before making the change, however, and I will not be able to do that for the next couple of days.
I still don't understand why the account "locks up", but perhaps it has to do with a cycle of connecting the VPN, trying and failing to disconnect, and then retrying to disconnect. Or perhaps the sandboxing prevents some other critical thing from happening. Either way, I'm hoping that if we fix the mismatch of the temporary directories the lockup will stop happening. (I still don't think macOS should ever let such a thing happen, but we have to work with what we've got.)
sergo...@gmail.com
Apr 19, 2018, 3:50:56 AM4/19/18
to tunnelblick-discuss
Hello,
thank your for your detailed explanation, it helps to understand what's goin on.
In order to put it into perspective: one can encounter these issues also with Firefox, MSOne Note, ADOBE partially MSOutlook and even some MacOS applications in contexts of using the OS keychain technology. These issues kick in the very moment the user logs in to an account with it's home directory hosted on a network share (no matter which protocol: AFP, SMB).
Applications on network homes worked absolutely smoothly until APPLE introduced that "sandboxing" technology, which i think you understood absolutely right: isolating processes.
Apparently it's "inherited" from iOS and works on MacOS with no issues for client local accounts as it does on iOS.
And it is a very attractive security facility in general, so hopefully it will stay.
It just looks like APPLE does not invest too much effort to make it also work as flawless in contexts of OSX-/MacOS Server, i.o.w.: network homes.
Or it seems to be hard to tackle for multiple 3rd party developers, maybe because the API is hard to handle...
That's the operational background of this issue, as i understand it with my limited insights.
And i mention it so you better can estimate whether it pays to invest to enable Tunnelblick to cope with it.
From my/our perspective this would be great!
And as APPLE never officially deprecated the utilization of network homes, and things tend to improve on the long ... ;-)
If i can help you with testing in a real world "production" scenario, i'll be glad to do so!
thank your for your detailed explanation, it helps to understand what's goin on.
In order to put it into perspective: one can encounter these issues also with Firefox, MSOne Note, ADOBE partially MSOutlook and even some MacOS applications in contexts of using the OS keychain technology. These issues kick in the very moment the user logs in to an account with it's home directory hosted on a network share (no matter which protocol: AFP, SMB).
Applications on network homes worked absolutely smoothly until APPLE introduced that "sandboxing" technology, which i think you understood absolutely right: isolating processes.
Apparently it's "inherited" from iOS and works on MacOS with no issues for client local accounts as it does on iOS.
And it is a very attractive security facility in general, so hopefully it will stay.
It just looks like APPLE does not invest too much effort to make it also work as flawless in contexts of OSX-/MacOS Server, i.o.w.: network homes.
Or it seems to be hard to tackle for multiple 3rd party developers, maybe because the API is hard to handle...
That's the operational background of this issue, as i understand it with my limited insights.
And i mention it so you better can estimate whether it pays to invest to enable Tunnelblick to cope with it.
From my/our perspective this would be great!
And as APPLE never officially deprecated the utilization of network homes, and things tend to improve on the long ... ;-)
If i can help you with testing in a real world "production" scenario, i'll be glad to do so!
Reply all
Reply to author
Forward
0 new messages