OpenVPN installed by brew on Mac OS X, connection successfully established but don't seem to have access to the web


nicolas.la...@gmail.com

Jan 28, 2015, 6:39:18 AM
to tunnelbli...@googlegroups.com

Hello, if someone could give me a hand here please, I'm running on a Macbook Pro with Mavericks and latest updates.

I installed OpenVPN by Homebrew because I would like to try to get it working through the terminal.
I subscribed to a VPN server, so I got my "ovpn" file, my "key" file and my "ca" file.
This is my config file (ovpn file):

client
remote nl5.vpnfacile.net 443
dev tun
proto tcp
nobind
persist-key
persist-tun
tls-auth ta.key 1
ca ca.crt
cipher AES-256-CBC
keysize 256
link-mtu 1560
comp-lzo
auth-user-pass
verb 3


When I try to connect to the VPN server with:

sudo kextload tun.kext
sudo openvpn *.ovpn


I'm getting this:


Wed Jan 28 11:20:58 2015 OpenVPN 2.3.6 x86_64-apple-darwin13.4.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec  2 2014
Wed Jan 28 11:20:58 2015 library versions: OpenSSL 1.0.2 22 Jan 2015, LZO 2.08
Enter Auth Username:Ninitage
Enter Auth Password:
Wed Jan 28 11:21:13 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 28 11:21:13 2015 WARNING: file 'ta.key' is group or others accessible
Wed Jan 28 11:21:13 2015 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Jan 28 11:21:13 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 11:21:13 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 11:21:13 2015 Socket Buffers: R=[131072->65536] S=[131072->65536]
Wed Jan 28 11:21:13 2015 Attempting to establish TCP connection with [AF_INET]185.56.161.130:443 [nonblock]
Wed Jan 28 11:21:14 2015 TCP connection established with [AF_INET]185.56.161.130:443
Wed Jan 28 11:21:14 2015 TCPv4_CLIENT link local: [undef]
Wed Jan 28 11:21:14 2015 TCPv4_CLIENT link remote: [AF_INET]185.56.161.130:443
Wed Jan 28 11:21:14 2015 TLS: Initial packet from [AF_INET]185.56.161.130:443, sid=72995fae 9a2e7f7a
Wed Jan 28 11:21:14 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jan 28 11:21:15 2015 VERIFY OK: depth=1, C=NL, ST=NL, L=Amsterdam, O=VPNFacile, CN=VPNFacile CA, emailAddress=te...@vpnfacile.net
Wed Jan 28 11:21:15 2015 VERIFY OK: depth=0, C=NL, ST=NL, L=Amsterdam, O=VPNFacile, CN=server, emailAddress=te...@vpnfacile.net
Wed Jan 28 11:21:15 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jan 28 11:21:15 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 11:21:15 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jan 28 11:21:15 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 11:21:15 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jan 28 11:21:15 2015 [server] Peer Connection Initiated with [AF_INET]185.56.161.130:443
Wed Jan 28 11:21:18 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jan 28 11:21:18 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option WINS 10.14.0.1,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.14.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.14.0.186 10.14.0.185'
Wed Jan 28 11:21:18 2015 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 28 11:21:18 2015 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 28 11:21:18 2015 OPTIONS IMPORT: route options modified
Wed Jan 28 11:21:18 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jan 28 11:21:18 2015 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
Wed Jan 28 11:21:18 2015 Opened utun device utun1
Wed Jan 28 11:21:18 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jan 28 11:21:18 2015 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Wed Jan 28 11:21:18 2015 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed Jan 28 11:21:18 2015 /sbin/ifconfig utun1 10.14.0.186 10.14.0.185 mtu 1500 netmask 255.255.255.255 up
Wed Jan 28 11:21:18 2015 /sbin/route add -net 185.56.161.130 192.168.0.254 255.255.255.255
add net 185.56.161.130: gateway 192.168.0.254
Wed Jan 28 11:21:18 2015 /sbin/route add -net 0.0.0.0 10.14.0.185 128.0.0.0
add net 0.0.0.0: gateway 10.14.0.185
Wed Jan 28 11:21:18 2015 /sbin/route add -net 128.0.0.0 10.14.0.185 128.0.0.0
add net 128.0.0.0: gateway 10.14.0.185
Wed Jan 28 11:21:18 2015 /sbin/route add -net 10.14.0.1 10.14.0.185 255.255.255.255
add net 10.14.0.1: gateway 10.14.0.185
Wed Jan 28 11:21:18 2015 Initialization Sequence Completed


It seems connected, but when I look in Safari or try to ping Google nothing happens. It looks like it was not connected.

It doesn't seem to come from the firewall; once disabled, it's still not working.

It seems to have an issue with the tun device, but if I unload it or reload it, nothing changes.

And another problem: I can't find the OpenVPN log file... Where should it be?

If I'm using Tunnelblick, it's working perfectly... But as I said above, I would like to try to get it working through the terminal.

I don't understand what's wrong here...


Please help me, Thanks....

jkbull...gmail.com

Jan 28, 2015, 7:19:36 AM
to tunnelbli...@googlegroups.com, nicolas.la...@gmail.com
Some comments:

(1) You don't need tuntap on OS X 10.6.8 or higher when using OpenVPN 2.3.something or higher, because OpenVPN will automatically use the "utun" device built into OS X. You can see that happening here:

Wed Jan 28 11:21:18 2015 Opened utun device utun1

(2) You can ignore the

Wed Jan 28 11:21:18 2015 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

message. It shows up because there was no existing utun1 device (which is correct) and is normal. That's why the following message appears:

Wed Jan 28 11:21:18 2015 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

(3) It is possible that a loaded tun kext interferes with using the utun device. So make sure the tun kext is unloaded when you try to connect to the VPN. The OpenVPN log should then start mentioning "utun0" instead of "utun1".

(4) Probably the reason you can't reach websites is a DNS problem. The setup you have gets instructions to use a DNS server from the OpenVPN server (in the "PUSH_REPLY"). The server tells the client (your computer) to use 8.8.8.8 and 8.8.4.4 (both are for Google Public DNS) while the VPN is connected. However, without doing anything else, that instruction will be ignored. OpenVPN (on OS X, anyway) doesn't deal with DNS and WINS itself; it assumes you have a helper script (usually an "up" script) that processes the request and sets up DNS and WINS on your computer as instructed. Tunnelblick includes several scripts to do just that; which one (or none) is specified by Tunnelblick's "Set DNS/WINS" setting.

When you are connected to the VPN, your DNS requests will not appear to come from your computer; they will appear to come from the OpenVPN server. If you have (as is typical) DNS set to your ISP's DNS servers, those servers will not respond to DNS requests from outside of their own network. The OpenVPN server is outside of their network, so they will ignore the DNS requests, and you won't be able to browse to "www.google.com" (but you should be able to browse to a site by IP address instead of name).

A solution to this is to manually set your DNS to public DNS servers before connecting to the VPN. There is a list of servers at http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm.

(5) A simpler solution is to, well, use Tunnelblick! If you want to control it from the command line or Automator, use AppleScript (see https://code.google.com/p/tunnelblick/wiki/cAppleScriptSupport).

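Added example, not part of the thread and not one of Tunnelblick's scripts: an up/down helper of the kind point (4) describes. It reads the pushed DNS servers that OpenVPN exports to scripts as foreign_option_N and applies them with networksetup. The service name "Wi-Fi" and the script path in the comment are assumptions.

```shell
#!/bin/sh
# Added example. OpenVPN runs this when the config contains (path is hypothetical):
#   script-security 2
#   up   /usr/local/etc/openvpn/dns-helper.sh
#   down /usr/local/etc/openvpn/dns-helper.sh
# Each pushed "dhcp-option ..." arrives as foreign_option_1, foreign_option_2, ...
# and script_type says whether this is the "up" or the "down" call.
# SERVICE is an assumption: pick yours from `networksetup -listallnetworkservices`.
SERVICE="${SERVICE:-Wi-Fi}"

# Print the pushed DNS server addresses, one per line.
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#"dhcp-option DNS "}
                case "$addr" in
                    ""|*[!0-9A-Fa-f.:]*) ;;   # not a bare IP address: skip it
                    *) printf '%s\n' "$addr" ;;
                esac ;;
        esac                                  # WINS and other options are ignored here
        i=$((i + 1))
    done
}

case "${script_type:-}" in
    up)
        servers=$(pushed_dns_servers | tr '\n' ' ')
        if [ -n "$servers" ]; then
            # Word splitting is intended: one argument per validated address.
            networksetup -setdnsservers "$SERVICE" $servers
        fi ;;
    down)
        # "Empty" clears the manual list, so DNS from DHCP applies again.
        # This also discards any DNS servers set by hand before connecting.
        networksetup -setdnsservers "$SERVICE" Empty ;;
esac
```

With the PUSH_REPLY from the log above, the up call sets 8.8.8.8 and 8.8.4.4 on the chosen service; the WINS entry is skipped.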

nicolas.la...@gmail.com

Jan 28, 2015, 12:54:31 PM
to tunnelbli...@googlegroups.com, nicolas.la...@gmail.com
Hi, thank you so much! That was the solution; after configuring Safari, it's working perfectly.
Really good job, I understand much better what happened now, and I understand better how it works as well.
Thank you.