redirect-gateway is not working with tcp protocol (but with udp)

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See https://forums.openvpn.net/viewtopic.php?f=30&t=21589 for an example.
Aarghh
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 13, 2017 11:33 am

redirect-gateway is not working with tcp protocol (but with udp)

Postby Aarghh » Tue Jun 13, 2017 1:15 pm

Hi there,

another redirect-gateway question/problem.
I got a vserver, running openvpn flawlessly with the udp protocol, since I'm quite often in countries wich are trying to block vpn connections, I'd like to switch over to port 443 and the tcp protocol with port-share enabled.

I fail at the very first step: Switching the protocol to tcp.
Here are my configs:
Server Config
port 1194
proto tcp-server
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/ssl/private/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
topology subnet


Client Config
client
dev tun
proto tcp-client
remote [domain].net 1194 tcp-client
remote [domain].land 1194 tcp-client
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert mac.crt
key mac.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
topology subnet
pull


The vpn gets connected, but I can't reach the Internet. I'm using the most current Tunnelblick on a Mac running Sierra (10.12.5). IPtables were in place but are (for testing purposes) configured to ACCEPT every inbound/Outbound/Forwarding traffic.

Server log:

Code: Select all

Jun 13 10:45:26  ovpn-ssl[11109]: TCP connection established with [AF_INET]XX.192.37.138:49706
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 TLS: Initial packet from [AF_INET]XX.192.37.138:49706, sid=d1c2b7fd 8f6d4920
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 VERIFY OK: depth=1, C=DE, ST=HH, L=Hamburg, O=SomeOrga, OU=Whatever, CN=SomeOrga CA, name=EasyRSA, emailAddress=spam[at]net
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 VERIFY OK: depth=0, C=DE, ST=HH, L=Hamburg, O=SomeOrga, OU=Whatever, CN=mac, name=EasyRSA, emailAddress=spam[at]net
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 peer info: IV_VER=2.3.16
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 peer info: IV_PLAT=mac
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 peer info: IV_PROTO=2
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jun 13 10:45:27  ovpn-ssl[11109]: XX.192.37.138:49706 [mac] Peer Connection Initiated with [AF_INET]XX.192.37.138:49706
Jun 13 10:45:27  ovpn-ssl[11109]: mac/XX.192.37.138:49706 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jun 13 10:45:27  ovpn-ssl[11109]: mac/XX.192.37.138:49706 MULTI: Learn: 10.8.0.2 -> mac/XX.192.37.138:49706
Jun 13 10:45:27  ovpn-ssl[11109]: mac/XX.192.37.138:49706 MULTI: primary virtual IP for mac/XX.192.37.138:49706: 10.8.0.2
Jun 13 10:45:29  ovpn-ssl[11109]: mac/XX.192.37.138:49706 PUSH: Received control message: 'PUSH_REQUEST'
Jun 13 10:45:29  ovpn-ssl[11109]: mac/XX.192.37.138:49706 SENT CONTROL [mac]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0' (status=1)
Jun 13 10:45:50  ovpn-ssl[11109]: mac/XX.192.37.138:49706 Connection reset, restarting [0]
Jun 13 10:45:50  ovpn-ssl[11109]: mac/XX.192.37.138:49706 SIGUSR1[soft,connection-reset] received, client-instance restarting


Tunnelblick log:

Code: Select all

*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); prior version 3.7.0 (build 4790); Admin user
git commit e70dc14d7a954d6fe0040b3b8c9007feb98ee29d

================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  121    1 0xffffff7f82870000 0xa000     0xa000     com.avatron.AVExVideo (1.7) E47613C0-C0D5-33F5-AD0B-DC00C1BC3ABD <88 5 4 3>
  133    0 0xffffff7f80f24000 0x5000     0x5000     com.Cycling74.driver.Soundflower (1.5.1) BB3E236C-FD58-4E29-8E90-27420DD73FB5 <111 5 4 3>
  136    0 0xffffff7f80e24000 0x6000     0x6000     virtualcdrw.driver (1.0) no UUID <135 134 87 16 7 5 4 3 1>
  137    0 0xffffff7f8287a000 0x5000     0x5000     com.avatron.AVExFramebuffer (1.7) 78864819-AA3A-306D-809D-47E686928991 <121 88 5 4 3>
  147    3 0xffffff7f832fe000 0x60000    0x60000    org.virtualbox.kext.VBoxDrv (5.0.12) 2C7E6228-04EC-3814-9A37-8A857BC13E01 <7 5 4 3 1>
  149    0 0xffffff7f8335e000 0x8000     0x8000     org.virtualbox.kext.VBoxUSB (5.0.12) 79C39601-7691-33D7-A901-1BC872CD7190 <148 147 54 7 5 4 3 1>
  150    0 0xffffff7f83366000 0x5000     0x5000     org.virtualbox.kext.VBoxNetFlt (5.0.12) 0B96ECAD-586F-3D80-9EBD-87E1E240941E <147 7 5 4 3 1>
  151    0 0xffffff7f8336b000 0x6000     0x6000     org.virtualbox.kext.VBoxNetAdp (5.0.12) 04C34324-1819-315F-B141-A9D4DF1B25F5 <147 5 4 1>

================================================================================

There are no unusual files in mac.tblk

================================================================================

Configuration preferences:

-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

skipWarningThatIPAddressDidNotChangeAfterConnection = 1
skipWarningThatInternetIsNotReachable = 1
placeIconInStandardPositionInStatusBar = 1
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
    "3.7.1a (build 4812)",
    "3.7.0 (build 4790)",
    "3.6.10 (build 4760)",
    "3.6.9 (build 4685)",
    "3.6.8 (build 4625)",
    "3.6.3 (build 4560)",
    "3.5.8 (build 4270.4530)",
    "3.5.7 (build 4270.4517)",
    "3.5.6 (build 4270.4505)",
    "3.5.5 (build 4270.4461)"
)
lastLaunchTime = 518944380.160635
showConnectedDurations = 1
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = mac
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame ConnectingWindow = 466 418 389 187 0 0 1366 745
NSWindow Frame SUUpdateAlert = 346 264 620 392 0 0 1366 745
detailsWindowFrameVersion = 4812
detailsWindowFrame = {{192, 70}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = settings
leftNavSelectedDisplayName = mac
AdvancedWindowTabIdentifier = whileConnected
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUFeedURL = https://www.tunnelblick.net/appcast-s.rss
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SULastCheckTime = 2017-06-12 07:13:01 +0000
SULastProfileSubmissionDate = 2017-06-06 03:12:15 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = .AppleSystemUIFont
tunnelblickdHash = 982f7a7b2b98739801aa88b72712259b30dea31dbe8f2662db447888ff2ff295
tunnelblickdPlistHash = ce400d395d1801b003398461b5420021f4d591822783a04b79b2f43956d28620

================================================================================

Tunnelblick Log:

*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); prior version 3.7.0 (build 4790)
2017-06-13 13:51:42 *Tunnelblick: Attempting connection with mac; Set nameserver = 769; monitoring connection
2017-06-13 13:51:42 *Tunnelblick: openvpnstart start mac.tblk 1337 769 0 3 0 1065264 -ptADGNWradsgnw 2.3.16-openssl-1.0.2k
2017-06-13 13:51:42 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.16-openssl-1.0.2k/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Smac.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065264.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/mac.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Shared/mac.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Shared/mac.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2017-06-13 13:51:42 OpenVPN 2.3.16 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on May 19 2017
2017-06-13 13:51:42 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
2017-06-13 13:51:42 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-06-13 13:51:42 Need hold release from management interface, waiting...
2017-06-13 13:51:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-06-13 13:51:42 MANAGEMENT: CMD 'pid'
2017-06-13 13:51:42 MANAGEMENT: CMD 'state on'
2017-06-13 13:51:42 MANAGEMENT: CMD 'state'
2017-06-13 13:51:42 MANAGEMENT: CMD 'bytecount 1'
2017-06-13 13:51:42 MANAGEMENT: CMD 'hold release'
2017-06-13 13:51:42 *Tunnelblick: Established communication with OpenVPN
2017-06-13 13:51:42 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-13 13:51:42 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2017-06-13 13:51:42 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-13 13:51:42 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-13 13:51:42 Socket Buffers: R=[131072->131072] S=[131072->131072]
2017-06-13 13:51:42 MANAGEMENT: >STATE:1497354702,RESOLVE,,,
2017-06-13 13:51:42 Attempting to establish TCP connection with [AF_INET]XYZ.XZY.XX.Z:1194 [nonblock]
2017-06-13 13:51:42 MANAGEMENT: >STATE:1497354702,TCP_CONNECT,,,
2017-06-13 13:51:42 *Tunnelblick: openvpnstart starting OpenVPN
2017-06-13 13:51:44 TCP connection established with [AF_INET]XYZ.XZY.XX.Z:1194
2017-06-13 13:51:44 TCPv4_CLIENT link local: [undef]
2017-06-13 13:51:44 TCPv4_CLIENT link remote: [AF_INET]XYZ.XZY.XX.Z:1194
2017-06-13 13:51:44 MANAGEMENT: >STATE:1497354704,WAIT,,,
2017-06-13 13:51:44 MANAGEMENT: >STATE:1497354704,AUTH,,,
2017-06-13 13:51:44 TLS: Initial packet from [AF_INET]XYZ.XZY.XX.Z:1194, sid=68d19de2 5f09070f
2017-06-13 13:51:44 VERIFY OK: depth=1, C=DE, ST=XX, L=CityA, O=SomeOrga, OU=Whatever, CN=SomeOrga CA, name=EasyRSA, emailAddress=spam[ät][domain].net
2017-06-13 13:51:44 VERIFY OK: nsCertType=SERVER
2017-06-13 13:51:44 VERIFY OK: depth=0, C=DE, ST=XX, L=CityA, O=SomeOrga, OU=Whatever, CN=server, name=EasyRSA, emailAddress=spam[ät][domain].net
2017-06-13 13:51:44 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-13 13:51:44 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-13 13:51:44 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-13 13:51:44 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-13 13:51:44 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-06-13 13:51:44 [server] Peer Connection Initiated with [AF_INET]XYZ.XZY.XX.Z:1194
2017-06-13 13:51:45 MANAGEMENT: >STATE:1497354705,GET_CONFIG,,,
2017-06-13 13:51:46 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2017-06-13 13:51:46 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0'
2017-06-13 13:51:46 OPTIONS IMPORT: timers and/or timeouts modified
2017-06-13 13:51:46 OPTIONS IMPORT: --ifconfig/up options modified
2017-06-13 13:51:46 OPTIONS IMPORT: route options modified
2017-06-13 13:51:46 OPTIONS IMPORT: route-related options modified
2017-06-13 13:51:46 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-06-13 13:51:46 OPTIONS IMPORT: peer-id set
2017-06-13 13:51:46 OPTIONS IMPORT: adjusting link_mtu to 1563
2017-06-13 13:51:46 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-06-13 13:51:46 Opened utun device utun1
2017-06-13 13:51:46 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-06-13 13:51:46 MANAGEMENT: >STATE:1497354706,ASSIGN_IP,,10.8.0.2,
2017-06-13 13:51:46 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-06-13 13:51:46 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-06-13 13:51:46 /sbin/ifconfig utun1 10.8.0.2 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
2017-06-13 13:51:46 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
                                        add net 10.8.0.0: gateway 10.8.0.2
2017-06-13 13:51:46 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1563 10.8.0.2 255.255.255.0 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Retrieved from OpenVPN: name server(s) [ 208.67.222.222 208.67.220.220 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '192.168.2.1' to '208.67.222.222 208.67.220.220'
                                        Changed DNS SearchDomains setting from '' to 'openvpn'
                                        Changed DNS DomainName setting from 'speedport.ip' to 'openvpn'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of 'WORKGROUP'
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '208.67.222.222 208.67.220.220' will be used for DNS queries when the VPN is active
                                        The DNS servers include only free public DNS servers known to Tunnelblick.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2017-06-13 13:51:50 *Tunnelblick: No 'connected.sh' script to execute
2017-06-13 13:51:50 /sbin/route add -net XYZ.XZY.XX.Z 192.168.2.1 255.255.255.255
                                        add net XYZ.XZY.XX.Z: gateway 192.168.2.1
2017-06-13 13:51:50 /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
                                        add net 0.0.0.0: gateway 10.8.0.1
2017-06-13 13:51:50 /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
                                        add net 128.0.0.0: gateway 10.8.0.1
2017-06-13 13:51:50 Initialization Sequence Completed
2017-06-13 13:51:50 MANAGEMENT: >STATE:1497354710,CONNECTED,SUCCESS,10.8.0.2,XYZ.XZY.XX.Z
2017-06-13 13:51:55 *Tunnelblick process-network-changes: A system configuration change was ignored
2017-06-13 13:52:30 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.

================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
   options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
   inet 127.0.0.1 netmask 0xff000000
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
   nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether 28:37:37:19:ec:2e
   inet 192.168.2.113 netmask 0xffffff00 broadcast 192.168.2.255
   media: autoselect
   status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
   options=60<TSO4,TSO6>
   ether b2:00:11:f8:d2:c0
   media: autoselect <full-duplex>
   status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=63<RXCSUM,TXCSUM,TSO4,TSO6>
   ether b2:00:11:f8:d2:c0
   Configuration:
      id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
      maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
      root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
      ipfilter disabled flags 0x2
   member: en1 flags=3<LEARNING,DISCOVER>
           ifmaxaddr 0 port 5 priority 0 path cost 0
   media: <unknown type>
   status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
   ether 0a:37:37:19:ec:2e
   media: autoselect
   status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
   inet6 fe80::1ca1:8b46:1df6:ee9%utun0 prefixlen 64 scopeid 0x8
   nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
   inet 10.8.0.2 --> 10.8.0.2 netmask 0xffffff00

================================================================================

Console Log:

2017-06-13 13:52:30 Tunnelblick[10700] currentIPInfo(Name): IP address info could not be fetched within 35.0 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={NSUnderlyingError=0x608000a5e9c0 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "The request timed out." UserInfo={NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4, NSLocalizedDescription=The request timed out.}}, NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-2102, NSLocalizedDescription=The request timed out.}'; the response was '(null)'



Am I missing something? Anyone got a working config for tcp vpn over port 443?

Thanks a lot for your time and effort!

Alex

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2705
Joined: Fri Jun 03, 2016 1:17 pm

Re: redirect-gateway is not working with tcp protocol (but with udp)

Postby TinCanTech » Tue Jun 13, 2017 3:04 pm

Changing the VPN port & protocol should have no effect on client data over the VPN itself.

Perhaps you have forgotten either IP_Forwarding or iptables masquerading ..

Have a review of this:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

Aarghh
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 13, 2017 11:33 am

Re: redirect-gateway is not working with tcp protocol (but with udp)

Postby Aarghh » Thu Jun 15, 2017 1:33 pm

Hey, thanks for your response,

I'm sorry to disappoint you, but IP-Forwarding is enabled:

Code: Select all

# cat /proc/sys/net/ipv4/ip_forward
1
# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1


iptables look like this right now:

Code: Select all

iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 9931 packets, 574K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1448 packets, 106K bytes)
 pkts bytes target     prot opt in     out     source               destination
  306 14931 MASQUERADE  all  --  *      venet0  10.8.0.0/24          0.0.0.0/0
    0     0 MASQUERADE  all  --  *      venet0:0  10.8.0.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1448 packets, 106K bytes)
 pkts bytes target     prot opt in     out     source               destination


My ifconfig is as follows:

Code: Select all

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:7742083 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7742083 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3089319624 (3.0 GB)  TX bytes:3089319624 (3.0 GB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:814596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1350514 errors:0 dropped:465 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:61945345 (61.9 MB)  TX bytes:1607012489 (1.6 GB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1993 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:146808 (146.8 KB)  TX bytes:0 (0.0 B)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: ::2/128 Scope:Compat
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:110039176 errors:0 dropped:0 overruns:0 frame:0
          TX packets:218967263 errors:0 dropped:88527 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:53815593921 (53.8 GB)  TX bytes:61675747263 (61.6 GB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:[IP-Address]  P-t-P:[IP-Address]  Bcast:[IP-Address]  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:[2nd IP-Address]  P-t-P:[2nd IP-Address]  Bcast:[2nd IP-Address]  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1


Any further suggestions? The Openvpn Server is only logging to syslog, correct?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2705
Joined: Fri Jun 03, 2016 1:17 pm

Re: redirect-gateway is not working with tcp protocol (but with udp)

Postby TinCanTech » Thu Jun 15, 2017 1:41 pm

Aarghh wrote:tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:814596 errors:0 dropped:0 overruns:0 frame:0
TX packets:1350514 errors:0 dropped:465 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:61945345 (61.9 MB) TX bytes:1607012489 (1.6 GB)

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1993 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:146808 (146.8 KB) TX bytes:0 (0.0 B)
You understand TCPIP Subnets right ?

Aarghh
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 13, 2017 11:33 am

Re: redirect-gateway is not working with tcp protocol (but with udp)

Postby Aarghh » Fri Jun 16, 2017 9:58 am

Obviously not. Thanks for pointing me in the right direction in an elaborate way! ;)

Searching for the misconfig now...

Aarghh
OpenVpn Newbie
Posts: 6
Joined: Tue Jun 13, 2017 11:33 am

Re: redirect-gateway is not working with tcp protocol (but with udp)

Postby Aarghh » Fri Jun 16, 2017 10:22 am

Heureka!!

Thanks a lot! It was such a dumb mistake.. I apparently daemonized another openvpn process manually.. Though, there was a second openvpn instance running.
If someone else is running into something similiar, try to find the process wich is keeping the interface up:

lsof /dev/net/tun

Feeling a bit embarrassed now...

Alex

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2705
Joined: Fri Jun 03, 2016 1:17 pm

Re: redirect-gateway is not working with tcp protocol (but with udp)

Postby TinCanTech » Fri Jun 16, 2017 10:40 am

We all make mistakes .. thanks for letting us know you solved it 8-)


Return to “Configuration”

Who is online

Users browsing this forum: No registered users and 2 guests