OS X (Snow Leopard) - openvpn.net server

[Francis McPhail]

Hi I've come across a problem which I can see a few people around the
net have reported; however there doesn't seem to be a definitive
answer for the issue.

Essentially we have the paid for OpenVPN server and have a raft of
staff using it under Windows XP, Vista, and Windows 7 without issue.
However I recently had to rebuild an Apple system and have had the
Tunnelblick application working before.

When connecting with the Tunnelblick application I am seeing the
following in the logs.

-- START TUNNELBLICK --
2010-03-10 20:44:30 *Tunnelblick: openvpnstart status #242: Error:
OpenVPN returned with status 1. Possible error in configuration file.
See "All Messages" in Console for details
-- END TUNNELBLICK --

-- START CONSOLE ALL MESSAGES --
10/03/10 8:44:30 PM openvpn[5447] Options error: this is a generic
configuration and cannot directly be used
10/03/10 8:44:30 PM openvpn[5447] Use --help for more information.
-- END CONSOLE ALL MESSAGES --

OpenVPN server spits out a single opvn file (See below.) which
contains the keys etc... I've tried the generic config, and also the
named configuration files without luck. However the same
comnfiguration files on a Windows XXX machine work without issue.

I am currently using Tunnelblick 3.0 (Build 1437), running under OS X
Snow Leopard 10.6.2 (Have tried in both 32, and 64 bit modes.)

I've included a copy of the named opvn file below for reference.

# Automatically generated OpenVPN client config file
# Generated on Wed Mar 10 19:50:15 2010 by xxxxxxxxx
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=vpn.xxxxx.com.au/Dynamic
# OVPN_ACCESS_SERVER_DYNAMIC=1
# OVPN_ACCESS_SERVER_WSHOST=vpn.xxxxx.com.au:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIICATCCAWqgAwIBAgIESybZ2jANBgkqhkiG9w0BAQUFADA8MTowOAYDVQQDEzFP
# cGVuVlBOIFdlYiBD

<REMOVED DATA>

# AAOBgQBV5q2GeUGrgtJetQcUEeSMuXrTY0q5xAVKOnTJrz4KCpd9Ud6Ym8k16lAU
# iCVBZinKetrA8h2YR+pmmNgsva/exRUiadgaOh3kEnGQLwWLU/NsV/NJ6ZALz9O9
# iCxiEN0k8iWO1JDcq7lq8QjNHQwdl2U0RuNyhb3+ez7I72jdRg==
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_GENERIC=1

setenv GENERIC_CONFIG
<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIESybZ1zANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP

<REMOVED DATA>

f9zgd6KFe1Ut8scdHE5BRJ4hPRhBZlx0ah1V9yPDkh4XI62sd0JAeMXnBBlzm+Em
ZR/AEqwcag==
-----END CERTIFICATE-----
</ca>
# -----BEGIN RSA SIGNATURE-----
# ElqI3k3bhAi0nP49jv/QV940NtBfpRpT9ERq2R2s6pGM12XnF/

<REMOVED DATA>

# nxkQhL1wzBBRFiIHNUxXM=
# -----END RSA SIGNATURE-----

[jkbull...gmail.com]

I use auto-generated config files for testing all the time, and they
work OK. However, mine all contain standard OpenVPN options. The non-
certificates/keys part of one of the files contains:
setenv SERVER_POLL_TIMEOUT 4
remote A.B.C.D E udp
remote F.G.H.I J tcp
dev tun
ns-cert-type server
auth-user-pass
auth-retry interact
comp-lzo
verb 5

which is the actual "configuration" data in the configuration file.
Although you say you included your "named" configuration file, it
doesn't have any of that, and, instead, has
setenv GENERIC_CONFIG

which isn't (from what I can tell) even a valid OpenVPN option. (It
has the name of the environment variable, GENERIC_CONFIG, but not a
value for it.)

Could you have posted the generic, instead of the named, configuration
file? If so, please post a (redacted) copy of a "named" configuration
file.

Also, if the configuration file works on Windows clients, and used to
work on a Mac, that narrows the problem down a bit.

* Tunnelblick 3.0 uses the most recent OpenVPN version 2.1.1. Do your
Windows clients use a different version?

* Do you know what version of Tunnelblick the Mac used to use?
(Assuming it it used Tunnelblick, of course.)

* Have you tried Tunnelblick 3.0b10, which was the "stable" version of
Tunnelblick for a long time (3.0 is only about a week old), and which
uses an older version of OpenVPN? See the Tunnelblick FAQ at
https://code.google.com/p/tunnelblick/wiki/FAQ
for info about getting old versions of Tunnelblick.

[Francis McPhail]

Ah ha.. was looking at the wrong file. Had copied the same file twice
and named it incorrectly. I've re-downloaded the named configuration
file out of the system and that works correctly without error.

It appears the generic files don't work in Tunnelblick.

We're currently using version 1.3.4 of the commercial / paid server.

> uses an older version of OpenVPN? See the Tunnelblick FAQ athttps://code.google.com/p/tunnelblick/wiki/FAQ

[jkbull...gmail.com]

OpenVPN's "generic" files are Windows only.

From OpenVPN's "How to connect to Access Server from a Mac", at
http://openvpn.net/index.php/access-server/howto-openvpn-as/183-how-to-connect-to-access-server-from-a-mac.html

"After logging in to the Access Server's Client Web Server, download
the client.ovpn file and place it in the ~/Library/Application
Support/Tunnelblick/Configurations folder on the Mac."

Their other documentation is misleading: it refers to "Generic Client
Installer (Windows Only)", but then refers to "Generic Client Profile"
without saying that it also is "Windows Only". I have emailed OpenVPN
to ask them to clarify these instructions.