Unable to connect openvpn through tunnelblick

1,138 views
Skip to first unread message

dsdubai

unread,
Mar 29, 2010, 2:41:58 PM3/29/10
to tunnelblick-discuss
Apologies if this is a simple fix. I'm brand new to the Mac and not
massively technical although I do understand the basics of VPNs, GUIs
etc.

Have been trying to sort my connection out for three days and it
appears that support from VPN UK has dried up. Even getting to this
point has taken quite a few hours, have tried searching for a thread
that has covered this but no joy.

Anyway, I have tunnelblick installed, I have the vpnuk files in my
config file. When I try to connect I get the script below...

2010-03-29 19:29:46 SUCCESS: pid=4423
2010-03-29 19:29:46 SUCCESS: real-time state notification set to ON
2010-03-29 19:29:46 SUCCESS: real-time log notification set to ON
2010-03-29 19:29:46 OpenVPN 2.1.1 i386-apple-darwin10.2.0 [SSL] [LZO2]
[PKCS11] built on Feb 24 2010
2010-03-29 19:29:46 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2010-03-29 19:29:46 waiting...
2010-03-29 19:29:46 MANAGEMENT: Client connected from 127.0.0.1:1337
2010-03-29 19:29:46 MANAGEMENT: CMD 'pid'
2010-03-29 19:29:46 MANAGEMENT: CMD 'state on'
2010-03-29 19:29:46 MANAGEMENT: CMD 'log on all'
2010-03-29 19:29:46 END
2010-03-29 19:29:46 MANAGEMENT: CMD 'hold release'
2010-03-29 19:29:46 SUCCESS: hold release succeeded
2010-03-29 19:29:46 'Auth' password cannot be read from a file

I do have a username and password from vpnuk. I opened up the vpnuk-
password.txt file and tried manually typing them in here. This didn't
work, at no other time have I been asked for the username/password.

The config files I have are

ta.key
vpnuk-ca.crt
vpnuk-password.txt
vpnuk.ovpn

I am sure this is a really simple fix. Thanks in advance to anybody
who can help a novice who doesn't like to waste people's time unless
he is genuinely flummoxed.

jkbull...gmail.com

unread,
Mar 29, 2010, 6:01:06 PM3/29/10
to tunnelblick-discuss
Without seeing the contents of your configuration file (vpnuk.ovpn),
this is just a guess, but:

I think you can remove the line containing "ask-pass" from your
configuration file (vpnuk.ovpn), which will make Tunnelblick ask you
for the password in a pop-up window when you try to connect.
Tunnelblick lets you save this password in the Keychain.

I think there may be two different things: a password that comes from
the vpnuk-password.txt file, and a separate, different username and
password. I'm guessing you'll be asked for the one, and then the
other.

Please post to let us know how it goes. If you have more problems,
feel free to ask -- that's what the discussion group is for (although
it would be nice if vpnuk.com would support their own products!). If
you're having problems, it would help if you post the full vpnuk.ovpn.
(If you do, X out anything that should be kept private, like VPN
server addresses). And the first few lines of the log, that start with
"*Tunnelblick", to show what version and options you're using.

For background, take a look at Tunnelblick Issue 91, at
http://code.google.com/p/tunnelblick/issues/detail?id=91

Tunnelblick's built-in copy of OpenVPN _is_ built with the defaults,
which *disables* OpenVPN's "ask-pass" option. It is described in the
OpenVPN man page as

"--askpass [file]
Get certificate password from console or file before we daemonize.

For the extremely security conscious, it is possible to protect
your private key with a password. Of course this means that every time
the OpenVPN daemon is started you must be there to type the password.
The --askpass option allows you to start OpenVPN from the command
line. It will query you for a password before it daemonizes. To
protect a private key with a password you should omit the -nodes
option when you use the openssl command line tool to manage
certificates and private keys.

If file is specified, read the password from the first line of
file. Keep in mind that storing your password in a file to a certain
extent invalidates the extra security provided by using an encrypted
key (Note: OpenVPN will only read passwords from a file if it has been
built with the --enable-password-save configure option, or on Windows
by defining ENABLE_PASSWORD_SAVE in config-win32.h)."

dsdubai

unread,
Mar 30, 2010, 9:37:28 AM3/30/10
to tunnelblick-discuss
Many thanks for the reply, totally agree that support should be more
forthcoming from vpnuk.com. they started off fine and then nothing,
even tried their live messenger style help-page.

Anyway, this is what is listed in my vpnuk.ovpn file

client
fast-io
dev tun
proto tcp

nobind
remote shared40.vpnuk.net 443
route-method exe
route-delay 2
resolv-retry infinite

persist-key
persist-tun

auth-user-pass vpnuk-password.txt
ca vpnuk-ca.crt
tls-auth ta.key 1

comp-lzo
verb 3

I removed the line auth-user-pass vpnuk-password.txt. Is the one you
meant?

Have just tried connecting again and have listed the log below...

2010-03-30 14:30:04 *Tunnelblick: Attempting connection with config/
vpnuk.ovpn; Set nameserver = 1; monitoring connection
2010-03-30 14:30:04 *Tunnelblick: /Applications/Tunnelblick.app/
Contents/Resources/openvpnstart start config/vpnuk.ovpn 1337 1 0 0 0
2010-03-30 14:30:04 *Tunnelblick: /Applications/Tunnelblick.app/
Contents/Resources/openvpn --management-query-passwords --cd /Users/
davidstaff/Library/Application Support/Tunnelblick/Configurations --
daemon --management-hold --management 127.0.0.1 1337 --config /Users/
davidstaff/Library/Application Support/Tunnelblick/Configurations/
config/vpnuk.ovpn --script-security 2 --up "/Applications/
Tunnelblick.app/Contents/Resources/client.up.osx.sh" --down "/
Applications/Tunnelblick.app/Contents/Resources/client.down.osx.sh" --
up-restart
2010-03-30 14:30:04 *Tunnelblick: openvpnstart status #242: Error:
OpenVPN returned with status 1. Possible error in configuration file.
See "All Messages" in Console for details

I am a bit out of my depth, not lazy and just waiting for an answer.
Just think I have read so much now that my brain is frazzled and I'm
missing something really simple.

On Mar 29, 11:01 pm, "jkbull...gmail.com" <jkbull...@gmail.com> wrote:
> Without seeing the contents of your configuration file (vpnuk.ovpn),
> this is just a guess, but:
>
> I think you can remove the line containing "ask-pass" from your
> configuration file (vpnuk.ovpn), which will make Tunnelblick ask you
> for the password in a pop-up window when you try to connect.
> Tunnelblick lets you save this password in the Keychain.
>
> I think there may be two different things: a password that comes from
> the vpnuk-password.txt file, and a separate, different username and
> password. I'm guessing you'll be asked for the one, and then the
> other.
>
> Please post to let us know how it goes. If you have more problems,
> feel free to ask -- that's what the discussion group is for (although
> it would be nice if vpnuk.com would support their own products!). If
> you're having problems, it would help if you post the full vpnuk.ovpn.
> (If you do, X out anything that should be kept private, like VPN
> server addresses). And the first few lines of the log, that start with
> "*Tunnelblick", to show what version and options you're using.
>

> For background, take a look at Tunnelblick Issue 91, athttp://code.google.com/p/tunnelblick/issues/detail?id=91

jkbull...gmail.com

unread,
Mar 30, 2010, 10:09:49 AM3/30/10
to tunnelblick-discuss
Hmmm. So after you removed the "auth-user-pass" line it is complaining
about a possible error in your configuration file. Here are a couple
of things to try in your configuration file:

The line
> auth-user-pass vpnuk-password.txt
should be replaced with a line without the "vpnuk-password.txt". That
is, it should just be
auth-user-pass
I think I was incorrect when I said that it should be removed
completely. I think this is the problem.

The line
> route-method exe
is a Windows-only option. Remove that. This _could_ cause a problem
later in the connection sequence, but I doubt it is causing the
current problem.

The line
> fast-io
is "experimental", so you might try removing that, although I doubt
that's causing this problem.

The presence of a Windows-only option indicates that vpnuk may be used
to Windows clients and may not support Mac clients. That probably
won't be a problem, but there are things they can do with Windows
OpenVPN that Mac clients don't support.

And, just to be sure, when you edited the configuration file in
TextEdit, you saved it as "Plain Text", not "Rich Text", right?

You might also want to look at the Console Log to see specifically
what OpenVPN is complaining about (although sometimes it isn't any
more specific). To do that, launch /Applications/Utilities/
Console.app. Then select "Show Log List" if necessary, then select
"Console Log" for the highlights, or "All Messages", which will
include a lot more detail.

dsdubai

unread,
Mar 30, 2010, 12:12:03 PM3/30/10
to tunnelblick-discuss
Hi again,
I edited/removed all of the suggestions. This did allow a prompt for
username and password. Still no luck, got the following message...

010-03-30 16:53:32 *Tunnelblick: Attempting connection with config/


vpnuk.ovpn; Set nameserver = 1; monitoring connection

2010-03-30 16:53:32 *Tunnelblick: /Applications/Tunnelblick.app/


Contents/Resources/openvpnstart start config/vpnuk.ovpn 1337 1 0 0 0

2010-03-30 16:53:32 *Tunnelblick: /Applications/Tunnelblick.app/


Contents/Resources/openvpn --management-query-passwords --cd /Users/
davidstaff/Library/Application Support/Tunnelblick/Configurations --
daemon --management-hold --management 127.0.0.1 1337 --config /Users/
davidstaff/Library/Application Support/Tunnelblick/Configurations/
config/vpnuk.ovpn --script-security 2 --up "/Applications/
Tunnelblick.app/Contents/Resources/client.up.osx.sh" --down "/
Applications/Tunnelblick.app/Contents/Resources/client.down.osx.sh" --
up-restart

2010-03-30 16:53:32 SUCCESS: pid=5250
2010-03-30 16:53:32 SUCCESS: real-time state notification set to ON
2010-03-30 16:53:32 SUCCESS: real-time log notification set to ON
2010-03-30 16:53:32 OpenVPN 2.1.1 i386-apple-darwin10.2.0 [SSL] [LZO2]


[PKCS11] built on Feb 24 2010

2010-03-30 16:53:32 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2010-03-30 16:53:32 waiting...
2010-03-30 16:53:32 MANAGEMENT: Client connected from 127.0.0.1:1337
2010-03-30 16:53:32 MANAGEMENT: CMD 'pid'
2010-03-30 16:53:32 MANAGEMENT: CMD 'state on'
2010-03-30 16:53:32 MANAGEMENT: CMD 'log on all'
2010-03-30 16:53:32 END
2010-03-30 16:53:32 MANAGEMENT: CMD 'hold release'
2010-03-30 16:53:32 SUCCESS: hold release succeeded
2010-03-30 16:53:32 MANAGEMENT: CMD 'username "Auth" "vpnuk25548"'
2010-03-30 16:53:32 but not yet verified
2010-03-30 16:53:32 MANAGEMENT: CMD 'password [...]'
2010-03-30 16:53:32 but not yet verified
2010-03-30 16:53:32 WARNING: No server certificate verification method
has been enabled. See http://openvpn.net/howto.html#mitm for more
info.
2010-03-30 16:53:32 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2010-03-30 16:53:32 Cannot load CA certificate file vpnuk-ca.crt path
(null) (SSL_CTX_load_verify_locations): error:02001002:system
library:fopen:No such file or directory: error:2006D080:BIO
routines:BIO_new_file:no such file: error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib

I went to that url above http://openvpn.net/howto.html#mitm but didn't
really get it.

I also looked at console messages, the most recent log looks like this

Tunnelblick [4388] Creating 'Launch Tunnelblick' link in
Configurations folder; links to/Applications/Tunnelblick.app

Tunnelblick [5201] Configuration file /users/davidstaff/Library/
Application Support/Tunnelblick/Configurations/config/vpnuk.ovpn needs
ownership permissions repair

Tunnelblick [5201] Changed ownership and permissions of configuration
file/Users/davidstaff/Library/Application Support/Tunnelblick/
Configurations/config/vpnuk.ovpn to 0:0 and 644

Tunnelblick [5201] Error:Process 5220 does not exist
Tunnelblick [5201] Error:Process 5237 does not exist
Tunnelblick [5201] Error:Process 5250 does not exist

jkbull...gmail.com

unread,
Mar 30, 2010, 12:49:24 PM3/30/10
to tunnelblick-discuss
It looks like you may not have the files in their proper places.

Put the two other files (ta.key and vpnuk-ca.crt) in the config folder
(the one that already has vpnuk.ovpn).

That is, all in the folder
/Users/davidstaff/Library/Application Support/Tunnelblick/
Configurations/config

Or you can put them all (including vpnuk.ovpn) outside of the config
folder, in
Users/davidstaff/Library/Application Support/Tunnelblick/
Configurations
directly.

dsdubai

unread,
Mar 30, 2010, 2:56:19 PM3/30/10
to tunnelblick-discuss
Hi,
All 4 files are already in that folder.

Maybe I'll just take the hit on the monthly subscription and look
elsewhere. Can you recommend a hassle free openvpn that works with a
Mac and is supported well. I used to use witopia on my PC.

Thanks for all your help.

jkbull...gmail.com

unread,
Mar 30, 2010, 3:04:35 PM3/30/10
to tunnelblick-discuss
Just figured it out (this latest problem, anyway, that it can't find
the .crt file), sorry I didn't get it two messages ago:

It can't find the vpnuk-ca.crt file because it is in the config
subfolder but is referencing it as if it were in the main /
Configurations folder. All references in the configuration file are
relative to /Configurations, not to /Configurations/config.

So take all four files out of the "config" subfolder (i.e., keep them
in the .../Configurations folder).

You are close! Don't give up yet!

dsdubai

unread,
Mar 30, 2010, 3:22:48 PM3/30/10
to tunnelblick-discuss
Fantastic, seem to be sorted. Appreciate all your help, can't thank
you enough.
Reply all
Reply to author
Forward
0 new messages