Error: "After 30.0 seconds, gave up trying to fetch IP [...]"


hermann

Jan 9, 2015, 7:51:58 AM
I receive error messages from Tunnelblick when I'm connected to my VPN. I didn't change anything, and the VPN provider doesn't know what's going on. When the error appears (see screenshot) I'm still able to use the VPN, but the connection seems "stalled" or unstable... Can you help?

--------------------------------------------------------------------------
xxxxx

Screen Shot 2015-01-09 at 13.40.19.png

jkbull...gmail.com

Jan 9, 2015, 9:25:55 AM
to tunnelbli...@googlegroups.com
If you really didn't change anything, then the problem is probably with the VPN provider or the path to their VPN server (your ISP, for example).

That said, here are three comments:

1. You can try sending everything through the VPN: Add the following line to the configuration file

redirect-gateway def1

2. Your configuration (I assume supplied by the VPN provider) is peculiar. Many of the configuration options are unusual and can cause problems with packets being lost (which may be what is happening here). Some of them may be inappropriate for OS X (they may be for Windows clients, I think). The unusual options are:
sndbuf size 1655368
rcvbuf size 1655368
hand-window 37
mssfix 1400

3. The VPN server does not "push" any configuration information -- that is unusual as well.



On Friday, January 9, 2015 at 7:51:58 AM UTC-5, hermann wrote:
I receive error messages from Tunnelblick when I'm connected to my VPN. I didn't change anything, and the VPN provider doesn't know what's going on. When the error appears (see screenshot) I'm still able to use the VPN, but the connection seems "stalled" or unstable... Can you help?

--------------------------------------------------------------------------

*Tunnelblick: OS X 10.10.1; Tunnelblick 3.5beta02 (build 4165); prior version 3.4.2 (build 4055.4161); Admin user

Configuration Balancer_1_4

"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/Balancer_1_4.tblk:

client
dev tun
resolv-retry 16
nobind
float
sndbuf size 1655368
rcvbuf size 1655368
remote-random
<connection>
remote raw-balancer-dynamic.cryptostorm.net 443 udp
</connection>
<connection>
remote raw-balancer-dynamic.cryptostorm.org 443 udp
</connection>
<connection>
remote raw-balancer-dynamic.cryptostorm.nu 443 udp
</connection>
<connection>
remote raw-balancer-dynamic.cstorm.pw 443 udp
</connection>
comp-lzo no
down-pre
allow-pull-fqdn
explicit-exit-notify 3
hand-window 37
mssfix 1400
auth-user-pass
<ca>
[Security-related line(s) omitted]
</ca>
ns-cert-type server
auth SHA512
cipher AES-256-CBC
replay-window 128 30
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-client
key-method 2


================================================================================

"Sanitized" full configuration file

# this is the cryptostorm.is client settings file, versioning...
# cstorm_mac_dynamic_1-4 - post-heartbleed

# it is intended to provide connection to a dynamically loadbalanced pool of cs machines worldwide
# DNS resolver redundancy provided by TLD-striped, randomised lookup queries
# Chelsea Manning is indeed a badassed chick: #FreeChelsea!
# also... FuckTheNSA - for reals


client
dev tun
resolv-retry 16
nobind
float

# txqueuelen 686
# expanded packet queue plane, to improve throughput on high-capacity sessions
# NOTE: keep this item commented out if using Viscosity as a client; see viscosity.cryptostorm.org

sndbuf size 1655368
rcvbuf size 1655368
# increase pre-ring packet buffering cache, to improve high-throughput session performance

remote-random
# randomizes selection of connection profile from list below, for redundancy against...
# DNS blacklisting-based session blocking attacks

<connection>
remote raw-balancer-dynamic.cryptostorm.net 443 udp
</connection>

<connection>
remote raw-balancer-dynamic.cryptostorm.org 443 udp
</connection>

<connection>
remote raw-balancer-dynamic.cryptostorm.nu 443 udp
</connection>

<connection>
remote raw-balancer-dynamic.cstorm.pw 443 udp
</connection>

comp-lzo no
# specifies refusal of link-layer compression defaults
# we prefer compression be handled elsewhere in the OSI layers
# see forum for ongoing discussion - https://cryptostorm.org/viewtopic.php?f=38&t=5981

down-pre
# runs client-side "down" script prior to shutdown, to help minimise risk...
# of session termination packet leakage

allow-pull-fqdn
# allows client to pull DNS names from server
# we don't use but may in future leakblock integration

explicit-exit-notify 3
# attempts to notify exit node when client session is terminated
# strengthens MiTM protections for orphan sessions

hand-window 37
# specified duration (in seconds) to wait for the session handshake to complete
# a renegotiation taking longer than this has a problem, & should be aborted

mssfix 1400
# congruent with server-side --fragment directive

auth-user-pass
# passes up, via bootstrapped TLS, SHA512 hashed token value to authenticate to darknet

# auth-retry interact
# 'interact' is an experimental parameter not yet in our production build.

<ca>
 [Security-related line(s) omitted]
</ca>
# confirms via RSA-based public-key crypto that server instance is legitimately cryptostorm
# does NOT identify client, and is used solely as part of anti-Man In The Middle (MiTM) hardening

ns-cert-type server
# requires TLS-level confirmation of categorical state of server-side certificate for MiTM hardening.

auth SHA512
# data channel HMAC generation
# heavy processor load from this parameter, but the benefit is big gains in packet-level...
# integrity checks, & protection against packet injections / MiTM attack vectors

cipher AES-256-CBC
# data channel stream cipher methodology
# we are actively testing CBC alternatives & will deploy once well-tested...
# cipher libraries support our choice - AES-GCM is looking good currently

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order...
# either temporally or via sequence number

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
# implements 'perfect forward secrecy' via TLS 1.x & its ephemeral Diffie-Hellman...
# see our forum for extensive discussion of ECDHE v. DHE & tradeoffs wrt ECC curve choice
# http://ecc.cryptostorm.org

tls-client
key-method 2
# specification of entropy source to be used in initial generation of TLS keys as part of session bootstrap

# log devnull.txt
# verb 0
# mute 1
# commented out for OSX sessions as they do not play nicely with our local nomenclature syntax yet



================================================================================

There are no unusual files in Balancer_1_4.tblk

================================================================================

Configuration preferences:

useDNS = 1
-routeAllTrafficThroughVpn = 1
-keychainHasUsernameAndPassword = 1
-keepConnected = 0
-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.5beta02 (build 4165)",
    "3.4.2 (build 4055.4161)"
)
lastLaunchTime = 442499931.377771
showConnectedDurations = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = Balancer_1_4
installationUID (not shown)
keyboardShortcutIndex = 1
updateAutomatically = 1
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame ConnectingWindow = 525 527 389 187 0 0 1440 877
detailsWindowFrameVersion = 4165
detailsWindowFrame = {{303, 347}, {920, 467}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
leftNavSelectedDisplayName = Balancer_1_4
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUFeedURL = https://www.tunnelblick.net/appcast-b.rss
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SUAutomaticallyUpdate = 1
SULastCheckTime = 2015-01-09 12:38:51 +0000
SULastProfileSubmissionDate = 2015-01-03 19:23:09 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = .Helvetica Neue DeskInterface

================================================================================

Tunnelblick Log:

2015-01-09 13:38:56 *Tunnelblick: OS X 10.10.1; Tunnelblick 3.5beta02 (build 4165); prior version 3.4.2 (build 4055.4161)
2015-01-09 13:38:56 *Tunnelblick: Attempting connection with Balancer_1_4; Set nameserver = 1; monitoring connection
2015-01-09 13:38:56 *Tunnelblick: openvpnstart start Balancer_1_4.tblk 1337 1 0 3 0 17200 -ptADGNWradsgnw 2.3.6
2015-01-09 13:38:56 *Tunnelblick: openvpnstart starting OpenVPN
2015-01-09 13:38:57 *Tunnelblick: openvpnstart log:
     Tunnelblick:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
    
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.6/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SBalancer_1_4.tblk-SContents-SResources-Sconfig.ovpn.1_0_3_0_17200.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/Balancer_1_4.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Shared/Balancer_1_4.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Shared/Balancer_1_4.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --redirect-gateway
          def1
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw

2015-01-09 13:38:57 *Tunnelblick: Established communication with OpenVPN
2015-01-09 13:38:57 *Tunnelblick: Obtained VPN username and password from the Keychain
2015-01-09 13:38:57 Option 'explicit-exit-notify' in /Library/Application Support/Tunnelblick/Shared/Balancer_1_4.tblk/Contents/Resources/config.ovpn:49 is ignored by previous <connection> blocks
2015-01-09 13:38:57 Option 'mssfix' in /Library/Application Support/Tunnelblick/Shared/Balancer_1_4.tblk/Contents/Resources/config.ovpn:57 is ignored by previous <connection> blocks
2015-01-09 13:38:57 OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec  2 2014
2015-01-09 13:38:57 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
2015-01-09 13:38:57 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2015-01-09 13:38:58 UDPv4 link local: [undef]
2015-01-09 13:38:58 UDPv4 link remote: [AF_INET]23.19.35.14:443
2015-01-09 13:38:58 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2015-01-09 13:39:04 [server] Peer Connection Initiated with [AF_INET]23.19.35.14:443
2015-01-09 13:39:07 Opened utun device utun0
2015-01-09 13:39:07 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2015-01-09 13:39:07 /sbin/ifconfig utun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2015-01-09 13:39:07 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2015-01-09 13:39:07 /sbin/ifconfig utun0 10.33.0.6 10.33.0.6 netmask 255.255.0.0 mtu 1500 up
                                        add net 10.33.0.0: gateway 10.33.0.6
2015-01-09 13:39:07 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw utun0 1500 1602 10.33.0.6 255.255.0.0 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Retrieved from OpenVPN: name server(s) [ 213.73.91.35 213.138.101.252 80.237.196.2 194.150.168.168 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Set ServerAddresses to 213.73.91.35 213.138.101.252 80.237.196.2 194.150.168.168
                                        Set SearchDomains   to openvpn
                                        Set DomainName       to openvpn
                                        Flushed the DNS cache via dscacheutil
                                        Will flush the DNS cache via discoveryutil udnsflushcaches...
                                        Flushed the DNS cache via discoveryutil udnsflushcaches
                                        Will flush the DNS cache via discoveryutil mdnsflushcache...
                                        Flushed the DNS cache via discoveryutil mdnsflushcache
                                        No matching processes were found
                                        mDNSResponder not running. Not notifying it that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
                                        add net 23.19.35.14: gateway 192.168.1.1
                                        add net 0.0.0.0: gateway 10.33.0.1
                                        add net 128.0.0.0: gateway 10.33.0.1
2015-01-09 13:39:10 *Tunnelblick: No 'connected.sh' script to execute
2015-01-09 13:39:10 Initialization Sequence Completed
2015-01-09 13:39:34 *Tunnelblick process-network-changes: A system configuration change was ignored
2015-01-09 13:39:45 *Tunnelblick process-network-changes: A system configuration change was ignored
2015-01-09 13:39:46 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2015-01-09 13:40:16 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's IP address after connecting.
2015-01-09 13:40:37 *Tunnelblick process-network-changes: A system configuration change was ignored
2015-01-09 13:41:37 *Tunnelblick process-network-changes: A system configuration change was ignored
2015-01-09 13:42:13 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2015-01-09 13:42:13 *Tunnelblick: Disconnecting using 'kill'
2015-01-09 13:42:13 event_wait : Interrupted system call (code=4)
                                        delete net 23.19.35.14: gateway 192.168.1.1
                                        delete net 0.0.0.0: gateway 10.33.0.1
                                        delete net 128.0.0.0: gateway 10.33.0.1
2015-01-09 13:42:13 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw utun0 1500 1602 10.33.0.6 255.255.0.0 init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        Cancelled monitoring of system configuration changes
                                        Restored the DNS and SMB configurations
                                        Flushed the DNS cache via dscacheutil
                                        Will flush the DNS cache via discoveryutil udnsflushcaches...
                                        Flushed the DNS cache via discoveryutil udnsflushcaches
                                        Will flush the DNS cache via discoveryutil mdnsflushcache...
                                        Flushed the DNS cache via discoveryutil mdnsflushcache
                                        No matching processes were found
                                        mDNSResponder not running. Not notifying it that the DNS cache was flushed
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2015-01-09 13:42:13 SIGTERM[hard,] received, process exiting
2015-01-09 13:42:13 *Tunnelblick: No 'post-disconnect.sh' script to execute
2015-01-09 13:42:13 *Tunnelblick: Expected disconnection occurred.

================================================================================

Console Log:

2015-01-09 13:37:23 Tunnelblick[357] Set program update feedURL to https://www.tunnelblick.net/appcast-b.rss
2015-01-09 13:37:32 Tunnelblick[357] DEBUG: Updater: systemVersion 10.10.1 satisfies minimumSystemVersion 10.4.0
2015-01-09 13:37:32 Tunnelblick[357] DEBUG: Updater: systemVersion 10.10.1 satisfies minimumSystemVersion 10.4.0
2015-01-09 13:37:54 kernel[0] hfs: mounted Tunnelblick on device disk2s1
2015-01-09 13:37:56 kernel[0] hfs: unmount initiated on Tunnelblick on device disk2s1
2015-01-09 13:38:22 Tunnelblick[357] setShutdownVariables: invoked, but have already set them
2015-01-09 13:38:22 Tunnelblick[357] applicationShouldTerminate: termination because of restart; delayed until 'shutdownTunnelblick' finishes
2015-01-09 13:38:22 Tunnelblick[357] Finished shutting down Tunnelblick; allowing termination
2015-01-09 13:38:51 Tunnelblick[280] Set program update feedURL to https://www.tunnelblick.net/appcast-b.rss
2015-01-09 13:38:52 Tunnelblick[280] DEBUG: Updater: systemVersion 10.10.1 satisfies minimumSystemVersion 10.4.0
2015-01-09 13:38:52 Tunnelblick[280] DEBUG: Updater: systemVersion 10.10.1 satisfies minimumSystemVersion 10.4.0
2015-01-09 13:38:57 Tunnelblick[280] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Balancer_1_4' account = 'username'
2015-01-09 13:38:57 Tunnelblick[280] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-Balancer_1_4' account = 'password'
2015-01-09 13:39:46 Tunnelblick[280] currentIPInfo(Name): IP address info could not be fetched within 30.0 seconds
2015-01-09 13:40:16 Tunnelblick[280] currentIPInfo(Address): IP address info could not be fetched within 30.0 seconds

================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) <Linked Against>
   53    0 0xffffff7f80b6b000 0x48000    0x48000    at.obdev.nke.LittleSnitch (4234) <5 4 3 1>
  130    0 0xffffff7f82e16000 0xa000     0xa000     com.cisco.kext.acsock (1.1.0) <5 4 1>

hermann

Jan 9, 2015, 10:15:58 AM
to tunnelbli...@googlegroups.com
Thanks for answering!
I have already checked the "Route all IPv4 traffic through the VPN" box.

Which parameters are appropriate for OS X? (sndbuf, rcvbuf size, hand-window, mssfix) The ovpn-file is indeed supplied by the provider. You can consider the ovpn files in beta-status.

hermann

Jan 9, 2015, 10:19:05 AM
to tunnelbli...@googlegroups.com
I've unchecked the box "Check if the apparent public IP address changed after connecting", which solves the "30 seconds" error message and the popup message (screenshot in initial post).

jkbull...gmail.com

Jan 9, 2015, 11:43:01 AM
to tunnelbli...@googlegroups.com
Un-checking the box means that most (almost all) traffic does NOT go through the VPN. The default for OpenVPN is to send only traffic destined for the VPN through the VPN. So if you connect the VPN and go to google.com, the google.com traffic does not go through the VPN.

So with it un-checked (unless "redirect-gateway def1" is in the configuration file or is pushed by the server), the IP check does not go through the VPN. All it is saying is that setting up the VPN did not mess up traffic that doesn't go through the VPN.

In some situations you want only traffic destined for the VPN to go through the VPN, but in most cases you want everything to go through the VPN. Your choice.

As to which parameters are appropriate for your situation (your network, OS X, etc.), you should consult OpenVPN experts:

hermann

Jan 9, 2015, 1:26:36 PM
Thanks for your time and advice!
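
Added example, not part of the thread and not Tunnelblick or cryptostorm code: a Python check that reads an OpenVPN client config and a Tunnelblick log and reports the points raised in the replies above (the options called unusual, options OpenVPN logs as ignored after `<connection>` blocks, whether the two `redirect-gateway def1` routes were installed, and whether `auth-nocache` is set). The function names are assumptions, and the sample inputs are trimmed excerpts of the config and log posted above.

```python
import re

# Options the first reply in this thread lists as unusual.
FLAGGED = {"sndbuf", "rcvbuf", "hand-window", "mssfix"}
IGNORED_RE = re.compile(r"Option '([\w-]+)' in .*:(\d+) is ignored by previous <connection> blocks")
ROUTE_RE = re.compile(r"add net (\d+(?:\.\d+){3}): gateway (\S+)")

def config_options(text):
    """Yield (option, args) per directive; skips comments and inline blocks such as <ca>."""
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: no quoted '#' handling
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            closing, name = tag.groups()
            if name != "connection":          # <connection> bodies hold normal directives
                block = None if closing else name
        elif line and block is None:
            name, *args = line.split()
            yield name, args

def audit(config_text, log_text):
    opts = list(config_options(config_text))
    names = {name for name, _ in opts}
    # redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway;
    # the OS X log prints them as "add net 0.0.0.0" and "add net 128.0.0.0".
    routes = dict(ROUTE_RE.findall(log_text))
    gw_low, gw_high = routes.get("0.0.0.0"), routes.get("128.0.0.0")
    return {
        "flagged": sorted(FLAGGED & names),
        "ignored": [(m[1], int(m[2])) for m in IGNORED_RE.finditer(log_text)],
        "redirect_gateway_in_config": any(n == "redirect-gateway" and "def1" in a for n, a in opts),
        "def1_routes_installed": gw_low is not None and gw_low == gw_high,
        "auth_nocache_set": "auth-nocache" in names,
    }

# Trimmed excerpt of the condensed configuration posted above.
SAMPLE_CONFIG = """\
client
dev tun
sndbuf size 1655368
rcvbuf size 1655368
<connection>
remote raw-balancer-dynamic.cryptostorm.net 443 udp
</connection>
explicit-exit-notify 3
hand-window 37
mssfix 1400
auth-user-pass
<ca>
[Security-related line(s) omitted]
</ca>
"""

# Lines excerpted from the Tunnelblick log posted above.
SAMPLE_LOG = """\
2015-01-09 13:38:57 Option 'explicit-exit-notify' in /Library/Application Support/Tunnelblick/Shared/Balancer_1_4.tblk/Contents/Resources/config.ovpn:49 is ignored by previous <connection> blocks
2015-01-09 13:38:57 Option 'mssfix' in /Library/Application Support/Tunnelblick/Shared/Balancer_1_4.tblk/Contents/Resources/config.ovpn:57 is ignored by previous <connection> blocks
    add net 23.19.35.14: gateway 192.168.1.1
    add net 0.0.0.0: gateway 10.33.0.1
    add net 128.0.0.0: gateway 10.33.0.1
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, `def1_routes_installed` is true while `redirect_gateway_in_config` is false: in the posted log the `--redirect-gateway def1` arguments appear on the OpenVPN command line rather than in the config file.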