Windows 7 remote client working, Mac OS client not

JMac87
OpenVpn Newbie
Posts: 7
Joined: Fri Feb 03, 2017 5:27 pm

Post by JMac87 » Fri Feb 03, 2017 6:54 pm

I'm running into a brick wall trying to get any Mac computer to fully connect to our VPN. It connects without issue, but then I cannot ping any host except other remote VPN clients.

Our Setup:
Server: OpenVPN 2.3.11 server (on pfSense 2.3.2-RELEASE-p1)
Example Remote Client: Mac OS Sierra (10.12.2) running Tunnelblick 3.7.1beta01 (build 4800)

VPN IP Range for remote clients: 10.8.15.0/24

Local IP ranges for the main office they are connecting to:
10.8.10.0/24
10.8.11.0/24
10.8.12.0/24

External IP used (changed for security, example only):
1.1.1.130

OpenVPN server config:

Code:

[2.3.2-RELEASE][root@fw]/var/etc/openvpn: cat server1.conf
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 1.1.1.130
tls-server
server 10.8.15.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.mydomain.org' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 10.8.10.0 255.255.255.0"
push "route 10.8.11.0 255.255.255.0"
push "route 10.8.12.0 255.255.255.0"
push "dhcp-option DNS 10.8.12.4"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet

An example client config:

Code:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 1.1.1.130 1194 udp
verify-x509-name "vpn.mydomain.org" name
ns-cert-type server
comp-lzo adaptive

<certs omitted>

Now here's the interesting part....Windows clients work just fine! They can ping any host in the subnets being pushed to them. I've attached a route list for a Windows client below:
Image
The client's VPN IP is 10.8.15.2

For comparison, here is the routing table on a Mac:
Image
The client's VPN IP is 10.8.15.3

What strikes me as weird here are the routes to itself...(10.8.15/24 and 10.8.15.3 both having a gateway of 10.8.15.3). Is this just an odd way of saying "on-link" like Windows does?

The only part of the client log that jumps out at me on a Mac is this:
Image
Right before the highlighted bit it says it can't assign requested address.

No errors in the OpenVPN server log on pfSense.

To wrap things up....Windows remote clients who are using the VPN have no issues pinging any local IP in the main office. Mac clients cannot ping any local IPs in the main office, but they can ping other remote VPN clients.

Ideas? I'm fresh out.

Post by JMac87 » Mon Feb 06, 2017 6:19 pm

This is also affecting Linux clients as well.

Anyone seen this? Windows clients work fine.

Post by JMac87 » Mon Feb 06, 2017 7:19 pm

We've further narrowed down the problem...

This affects Windows as well. We found the issue to be that the first client who connects to the VPN will work fine, but all subsequent clients have the issue I described above.

Ideas?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Mon Feb 06, 2017 7:49 pm

Do you use the same client certificate for all your clients ?

Post by JMac87 » Mon Feb 06, 2017 7:59 pm

TinCanTech wrote: Do you use the same client certificate for all your clients ?

Nope, each client has their own config and cert.

Post by TinCanTech » Mon Feb 06, 2017 10:09 pm

Try --ccd-exclusive

Post by JMac87 » Tue Feb 07, 2017 2:58 pm

TinCanTech wrote: Try --ccd-exclusive

Doing so effectively made it worse. I can connect 1 client, but any subsequent clients fail. It's different than before, they can't even authenticate:

Code:

Feb 07 09:52:25 2017 AUTH: Received control message: AUTH_FAILED
Tue Feb 07 09:52:25 2017 SIGUSR1[soft,auth-failure] received, process restarting
Tue Feb 07 09:52:30 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.130:1194
Tue Feb 07 09:52:30 2017 UDP link local (bound): [AF_INET][undef]:1194
Tue Feb 07 09:52:30 2017 UDP link remote: [AF_INET]1.1.1.130:1194
Tue Feb 07 09:52:32 2017 [vpn.mydomain.org] Peer Connection Initiated with [AF_INET]1.1.1.130:1194
Tue Feb 07 09:52:34 2017 AUTH: Received control message: AUTH_FAILED
Tue Feb 07 09:52:34 2017 SIGUSR1[soft,auth-failure] received, process restarting
Tue Feb 07 09:52:39 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.130:1194
Tue Feb 07 09:52:39 2017 UDP link local (bound): [AF_INET][undef]:1194
Tue Feb 07 09:52:39 2017 UDP link remote: [AF_INET]1.1.1.130:1194
Tue Feb 07 09:52:41 2017 [vpn.mydomain.org] Peer Connection Initiated with [AF_INET]1.1.1.130:1194
Tue Feb 07 09:52:42 2017 AUTH: Received control message: AUTH_FAILED
Tue Feb 07 09:52:42 2017 SIGUSR1[soft,auth-failure] received, process restarting

Post by JMac87 » Fri Feb 10, 2017 6:40 pm

Bump.

Any ideas on this? This is severely hampering our remote workers...since only 1 client can connect. Please help

Post by JMac87 » Sun Feb 12, 2017 7:07 pm

I found the issue....

There was a test VLAN added in pfSense with the same IP as the OpenVPN server. Disabling that fixed everything.

Wow. >:(
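
The address conflict described in the last post, as an added example that is not part of the thread or of pfSense: a check that reads the `local` and `server` directives from the posted server config and flags any other firewall interface that duplicates the listener address or overlaps the tunnel network. The interface inventory, its names and the test VLAN address are constructed assumptions; the thread does not say which address the VLAN held.

```python
import ipaddress

# Address-bearing directives from the server1.conf posted in the thread.
SERVER_CONF = """\
local 1.1.1.130
server 10.8.15.0 255.255.255.0
topology subnet
"""

# Constructed inventory of the firewall's other interfaces; the names and
# the test VLAN address are assumptions, the thread does not give them.
INTERFACES = {
    "lan": "10.8.10.1/24",
    "vlan_servers": "10.8.12.1/24",
    "vlan_test": "10.8.15.1/24",
}


def parse_openvpn_addresses(conf):
    """Return (local_ip, tunnel_network) from an OpenVPN server config."""
    local_ip = tunnel = None
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "local":
            local_ip = ipaddress.ip_address(words[1])
        elif len(words) >= 3 and words[0] == "server":
            tunnel = ipaddress.ip_network(f"{words[1]}/{words[2]}")
    return local_ip, tunnel


def find_conflicts(conf, interfaces):
    """List (interface, reason) pairs that collide with the VPN's addresses."""
    local_ip, tunnel = parse_openvpn_addresses(conf)
    findings = []
    for name, cidr in sorted(interfaces.items()):
        iface = ipaddress.ip_interface(cidr)
        if local_ip is not None and iface.ip == local_ip:
            findings.append((name, "duplicates OpenVPN local address"))
        if tunnel is not None and iface.network.overlaps(tunnel):
            findings.append((name, "overlaps OpenVPN tunnel network"))
    return findings


if __name__ == "__main__":
    for name, reason in find_conflicts(SERVER_CONF, INTERFACES):
        print(f"{name}: {reason}")
```

Running a check like this whenever an interface or VLAN is added catches the overlap before clients start losing routes to the office subnets.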
