No IP change when tunneling into Netgear router & no server certificate method selected


losi...@gmail.com

Jan 15, 2017, 3:34:04 PM
to tunnelblick-discuss
Hey all, 

I've just recently set up the OpenVPN feature on our Netgear R6400 router. Using the non-Windows config files I'm able to tunnel in using Tunnelblick on my Mac, but there are a few error messages in the log that I want to clear up. I made sure to check the "Before you post" section, remove any non-standard DNS addresses and set up the recommended settings.

It seems like the VPN connection is establishing because my local Mac settings are updating to the target location settings. I'm also able to ping computers in the target site. This is great, but it seems like my VPN connection is not hardened very well. The log mentions that "No server certificate verification method has been enabled", which might be because the Netgear router doesn't offer the option of creating a certificate. After the connection establishes I get the following popup:


Note: I have modified the domain names and IP addresses of the domain controllers, router (both local and the public IP) and the DNS servers for privacy concerns. Thank you for all your help!


BEGINNING OF LOG ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

*Tunnelblick: OS X 10.11.6; Tunnelblick 3.6.9 (build 4685); Admin user
git commit 6a738c42db959d53f7f2cd156aa79eb61b8856d9


Configuration NETGEAR-VPN

"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/NETGEAR-VPN.tblk:

client
dev tap
proto udp
remote 12.123.12.123 12345 (*edited to preserve privacy*)
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>

================================================================================

There are no unusual files in NETGEAR-VPN.tblk

================================================================================

Configuration preferences:

-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

placeIconInStandardPositionInStatusBar = 1
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.6.9 (build 4685)"
)
lastLaunchTime = 506147971.473884
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = NETGEAR-VPN
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
updateSendProfileInfo = 0
NSWindow Frame SettingsSheetWindow = 362 132 829 524 0 0 1280 777 
NSWindow Frame ConnectingWindow = 445 443 389 187 0 0 1280 777 
detailsWindowFrameVersion = 4685
detailsWindowFrame = {{207, 164}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = log
leftNavSelectedDisplayName = NETGEAR-VPN
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 0
SULastCheckTime = 2017-01-15 04:39:32 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

*Tunnelblick: OS X 10.11.6; Tunnelblick 3.6.9 (build 4685)
2017-01-15 13:39:12 *Tunnelblick: Attempting connection with NETGEAR-VPN; Set nameserver = 769; monitoring connection
2017-01-15 13:39:12 *Tunnelblick: openvpnstart start NETGEAR-VPN.tblk 1337 769 0 3 0 1065330 -ptADGNWradsgnw 2.3.12-openssl-1.0.2j
2017-01-15 13:39:12 *Tunnelblick: openvpnstart log:
     Loading tap-signed.kext
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.12-openssl-1.0.2j/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SNETGEAR--VPN.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065330.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/NETGEAR-VPN.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Shared/NETGEAR-VPN.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Shared/NETGEAR-VPN.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw
          --route-pre-down
          /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw

2017-01-15 13:39:12 *Tunnelblick: Established communication with OpenVPN
2017-01-15 13:39:12 OpenVPN 2.3.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Nov 17 2016
2017-01-15 13:39:12 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
2017-01-15 13:39:12 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-01-15 13:39:12 Need hold release from management interface, waiting...
2017-01-15 13:39:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-01-15 13:39:12 MANAGEMENT: CMD 'pid'
2017-01-15 13:39:12 MANAGEMENT: CMD 'state on'
2017-01-15 13:39:12 MANAGEMENT: CMD 'state'
2017-01-15 13:39:12 MANAGEMENT: CMD 'bytecount 1'
2017-01-15 13:39:12 MANAGEMENT: CMD 'hold release'
2017-01-15 13:39:12 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2017-01-15 13:39:12 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-01-15 13:39:12 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-01-15 13:39:12 UDPv4 link local: [undef]
2017-01-15 13:39:12 UDPv4 link remote: [AF_INET]70.164.44.146:12974
2017-01-15 13:39:12 MANAGEMENT: >STATE:1484509152,WAIT,,,
2017-01-15 13:39:12 MANAGEMENT: >STATE:1484509152,AUTH,,,
2017-01-15 13:39:12 TLS: Initial packet from [AF_INET]70.164.44.146:12974, sid=877d5041 f20735d2
2017-01-15 13:39:12 *Tunnelblick: openvpnstart starting OpenVPN
2017-01-15 13:39:13 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=ma...@netgear.com
2017-01-15 13:39:13 VERIFY OK: depth=0, C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear, emailAddress=ma...@netgear.com
2017-01-15 13:39:14 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2017-01-15 13:39:14 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-15 13:39:14 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2017-01-15 13:39:14 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-15 13:39:14 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2017-01-15 13:39:14 [netgear] Peer Connection Initiated with [AF_INET]70.164.44.146:12974
2017-01-15 13:39:15 MANAGEMENT: >STATE:1484509155,GET_CONFIG,,,
2017-01-15 13:39:16 SENT CONTROL [netgear]: 'PUSH_REQUEST' (status=1)
2017-01-15 13:39:21 SENT CONTROL [netgear]: 'PUSH_REQUEST' (status=1)
2017-01-15 13:39:26 SENT CONTROL [netgear]: 'PUSH_REQUEST' (status=1)
2017-01-15 13:39:28 PUSH: Received control message: 'PUSH_REPLY,route [IP OF ROUTER] 255.255.255.0 [DEFAULT GATEWAY],route-gateway dhcp,ping 10,ping-restart 120'
2017-01-15 13:39:28 OPTIONS IMPORT: timers and/or timeouts modified
2017-01-15 13:39:28 OPTIONS IMPORT: route options modified
2017-01-15 13:39:28 OPTIONS IMPORT: route-related options modified
2017-01-15 13:39:28 TUN/TAP device /dev/tap0 opened
2017-01-15 13:39:28 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1590   init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Did 'ipconfig set "tap0" DHCP'
                                        Configuring tap DNS via DHCP asynchronously
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2017-01-15 13:39:30 MANAGEMENT: >STATE:1484509170,ADD_ROUTES,,,
2017-01-15 13:39:30 /sbin/route add -net [IP OF ROUTER] [GATEWAY IP] 255.255.255.0
                                        route: writing to routing socket: Can't assign requested address
                                        add net [ROUTER IP]: gateway [GATEWAY IP]: Can't assign requested address
2017-01-15 13:39:30 Initialization Sequence Completed
2017-01-15 13:39:30 MANAGEMENT: >STATE:1484509170,CONNECTED,SUCCESS,,[STATIC IP ISSUED BY ISP]
2017-01-15 13:39:30 *Tunnelblick: No 'connected.sh' script to execute
2017-01-15 13:39:31 Extracted DHCP router address: [IP OF ROUTER]
                                        Sleeping for 0 seconds to wait for DHCP to finish setup.
                                        Sleeping for 1 seconds to wait for DHCP to finish setup.
                                        Sleeping for 2 seconds to wait for DHCP to finish setup.
                                        Retrieved from DHCP/BOOTP packet: name server(s) [ DNS SERVER ], domain name [ DOMAIN NAME ], search domain(s) [  ] and SMB server(s) [  ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'DOMAIN' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '172.20.10.1 fe80::8b0:f472:4ba2:e3b4' to 'IP OF DOMAIN CONTROLLER'
                                        Changed DNS SearchDomains setting from '' to 'DOMAIN NAME'
                                        Changed DNS DomainName setting from '' to 'DOMAIN NAME'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers 'IP OF DOMAIN DNS SERVER' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
2017-01-15 13:39:36 *Tunnelblick: This computer's apparent public IP address ([12.123.123.123]) was unchanged after the connection was made
2017-01-15 13:39:42 *Tunnelblick process-network-changes: A system configuration change was ignored
2017-01-15 13:40:31 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2017-01-15 13:40:32 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2017-01-15 13:40:32 *Tunnelblick: Disconnecting using 'kill'
2017-01-15 13:40:32 event_wait : Interrupted system call (code=4)
2017-01-15 13:40:32 /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1590   init
                                        **********************************************
                                        Start of output from client.route-pre-down.tunnelblick.sh
                                        WARNING: Ignoring change of Network Primary Service from 00C821F8-8845-4CEC-B04A-2A72EB4F78B7 to   RestoreIpv6Services : 
                                        00C821F8-8845-4CEC-B04A-2A72EB4F78B7
                                        Cancelled monitoring of system configuration changes
                                        Released the DHCP lease via ipconfig set "tap0" NONE.
                                        End of output from client.route-pre-down.tunnelblick.sh
                                        **********************************************
2017-01-15 13:40:32 /sbin/route delete -net [IP OF ROUTER] [GATEWAY IP] 255.255.255.0
                                        route: writing to routing socket: not in table
                                        delete net [ROUTER IP]: gateway [GATEWAY IP]: not in table
2017-01-15 13:40:32 Closing TUN/TAP interface
2017-01-15 13:40:32 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1590   init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        Restored the DNS and SMB configurations
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2017-01-15 13:40:32 SIGTERM[hard,] received, process exiting
2017-01-15 13:40:32 MANAGEMENT: >STATE:1484509232,EXITING,SIGTERM,,
2017-01-15 13:40:32 *Tunnelblick: No 'post-disconnect.sh' script to execute
2017-01-15 13:40:32 *Tunnelblick: Expected disconnection occurred.

Tunnelblick developer

Jan 15, 2017, 3:49:36 PM
to tunnelblick-discuss, losi...@gmail.com
Several issues:

2017-01-15 13:39:12 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

As it says, see http://openvpn.net/howto.html#mitm for more info.


2017-01-15 13:39:12 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

That's fine and expected. Tunnelblick uses user-defined scripts such as client.up.tunnelblick.sh to handle DNS, so it uses OpenVPN's --script-security option to allow that.


2017-01-15 13:39:36 *Tunnelblick: This computer's apparent public IP address ([12.123.123.123]) was unchanged after the connection was made

Your VPN is set up so that only traffic to the tunnel will go through the tunnel. Try checking "Route all IPv4 traffic through the VPN" on the "Settings" tab of the "Configurations" panel of Tunnelblick's "VPN Details" window. Be sure to select the configuration(s) that you want the change to apply to before checking the box.



NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
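The first two points in the reply above (the `#mitm` warning and the unchanged public IP) can both be read off the client config alone. The script below is an added example, not code from this thread, from Tunnelblick or from Netgear: it parses an OpenVPN 2.3-style client config, reports whether any server-certificate verification directive is present and whether `redirect-gateway` is set, and appends a hardened tail. The sample input is the sanitized config posted above. Assumptions: the list of verification directives is the set I know OpenVPN 2.3 accepts; the CN `netgear` is taken from the `VERIFY OK: depth=0 ... CN=netgear` log line; `redirect-gateway def1` is, as I understand it, the config-file equivalent of the "Route all IPv4 traffic through the VPN" checkbox; and whether the router's server certificate carries the `serverAuth` EKU that `remote-cert-tls server` requires is not known from this thread, so that line may have to be dropped if the connection then fails with a VERIFY error.

```python
"""Lint an OpenVPN client config for the two issues raised in this thread:
no server-certificate verification directive, and no redirect-gateway.
Added example; not code from Tunnelblick, OpenVPN or Netgear."""
import re

# Constructed sample: the sanitized client config posted in the thread
# (addresses were already redacted by the poster).
SAMPLE_CONFIG = """\
client
dev tap
proto udp
remote 12.123.12.123 12345
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5
"""

# Directives that make OpenVPN 2.3 check something about the server certificate
# beyond "signed by ca.crt". Any one of them silences the "No server certificate
# verification method has been enabled" warning seen in the posted log.
SERVER_VERIFY_DIRECTIVES = frozenset({
    "remote-cert-tls", "remote-cert-eku", "remote-cert-ku",
    "ns-cert-type", "verify-x509-name", "tls-verify",
})


def parse_directives(text):
    """Return {directive: [args, ...]} for every active line, skipping comment
    lines and the bodies of inline <ca>...</ca>-style blocks."""
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <tag> ... </tag>: skip the PEM body
            if line == "</%s>" % in_block:
                in_block = None
            continue
        m = re.match(r"<([a-z0-9-]+)>$", line)
        if m:                             # record the inline block as a directive
            in_block = m.group(1)
            directives.setdefault(in_block, []).append([])
            continue
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_config(text):
    """Return one finding per issue; an empty list means both checks pass."""
    d = parse_directives(text)
    findings = []
    if not SERVER_VERIFY_DIRECTIVES.intersection(d):
        findings.append(
            "no server certificate verification directive: any certificate signed by "
            "the CA in ca.crt is accepted as the server (OpenVPN logs the #mitm warning)")
    if "redirect-gateway" not in d:
        findings.append(
            "no redirect-gateway: only routes pushed by the server or listed in the "
            "config use the tunnel, so an unchanged public IP is the expected result")
    return findings


def harden_config(text, server_cn):
    """Append the directives discussed above and return the new config text.
    remote-cert-tls needs the server cert to carry the serverAuth EKU (assumption:
    not verifiable from the thread); verify-x509-name pins the CN seen in the
    VERIFY OK log line. Idempotent: a config that already passes is returned as-is."""
    d = parse_directives(text)
    extra = []
    if not SERVER_VERIFY_DIRECTIVES.intersection(d):
        extra.append("remote-cert-tls server")
        extra.append("verify-x509-name %s name" % server_cn)
    if "redirect-gateway" not in d:
        extra.append("redirect-gateway def1")
    if not extra:
        return text
    return text.rstrip("\n") + "\n" + "\n".join(extra) + "\n"


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(harden_config(SAMPLE_CONFIG, "netgear"))
```

Run against the posted config it reports both findings; after `harden_config` the linter is clean. Note that `verify-x509-name netgear name` only pins the CN that the router's current certificate presents; if Netgear ships a different CN on another firmware, that line will need updating.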


losi...@gmail.com

Jan 15, 2017, 9:10:38 PM
to tunnelblick-discuss, losi...@gmail.com
Thank you very much for the reply!

Question about the certificate verification method. I got pretty deep into generating the CA, server and client certs but then realized that if my Netgear router is acting as the OpenVPN server that I'm trying to connect to, there is no way for me to add the server certificate into this process.
Please correct me if my thinking is wrong. The reason I believe the Netgear router is acting as the pseudo server is because that's how I generated the config files for the client side OpenVPN connection.

I applied the change to "route all IPv4 traffic through the VPN" but I'm still getting the error that the IP hasn't changed. Any other ideas?

Tunnelblick developer

Jan 16, 2017, 7:22:13 AM
to tunnelblick-discuss, losi...@gmail.com
As far as the certificates go, you need to consult Netgear to find out if you can do anything about this. I don't have any specific knowledge about this -- perhaps someone else using a Netgear router can help.

There isn't much I can suggest about the IP address not changing without the full diagnostic info (redacted as necessary, of course).

cecilhb...@gmail.com

Feb 4, 2017, 6:34:34 PM
to tunnelblick-discuss, losi...@gmail.com
Hi,
Did you get the issue of the IP address not changing resolved?
I also just got a Netgear R6400 and I'm trying to VPN with OpenVPN from my MacBook Pro, and I'm having the exact same issue.
I would appreciate it if you would share any resolution to this issue.
Thanks!