Another redirect-gateway question/problem.
I've got a vserver running OpenVPN flawlessly with the UDP protocol. Since I'm quite often in countries which are trying to block VPN connections, I'd like to switch over to port 443 and the TCP protocol with port-share enabled.
I fail at the very first step: switching the protocol to TCP.
Here are my configs:

Server:
proto tcp-server
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/ssl/private/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
topology subnet

Client:
dev tun
proto tcp-client
remote [domain].net 1194 tcp-client
remote [domain].land 1194 tcp-client
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert mac.crt
key mac.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
topology subnet
pull
Server log:
Jun 13 10:45:26 ovpn-ssl[11109]: TCP connection established with [AF_INET]XX.192.37.138:49706
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 TLS: Initial packet from [AF_INET]XX.192.37.138:49706, sid=d1c2b7fd 8f6d4920
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 VERIFY OK: depth=1, C=DE, ST=HH, L=Hamburg, O=SomeOrga, OU=Whatever, CN=SomeOrga CA, name=EasyRSA, emailAddress=spam[at]net
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 VERIFY OK: depth=0, C=DE, ST=HH, L=Hamburg, O=SomeOrga, OU=Whatever, CN=mac, name=EasyRSA, emailAddress=spam[at]net
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 peer info: IV_VER=2.3.16
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 peer info: IV_PLAT=mac
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 peer info: IV_PROTO=2
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jun 13 10:45:27 ovpn-ssl[11109]: XX.192.37.138:49706 [mac] Peer Connection Initiated with [AF_INET]XX.192.37.138:49706
Jun 13 10:45:27 ovpn-ssl[11109]: mac/XX.192.37.138:49706 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jun 13 10:45:27 ovpn-ssl[11109]: mac/XX.192.37.138:49706 MULTI: Learn: 10.8.0.2 -> mac/XX.192.37.138:49706
Jun 13 10:45:27 ovpn-ssl[11109]: mac/XX.192.37.138:49706 MULTI: primary virtual IP for mac/XX.192.37.138:49706: 10.8.0.2
Jun 13 10:45:29 ovpn-ssl[11109]: mac/XX.192.37.138:49706 PUSH: Received control message: 'PUSH_REQUEST'
Jun 13 10:45:29 ovpn-ssl[11109]: mac/XX.192.37.138:49706 SENT CONTROL [mac]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0' (status=1)
Jun 13 10:45:50 ovpn-ssl[11109]: mac/XX.192.37.138:49706 Connection reset, restarting [0]
Jun 13 10:45:50 ovpn-ssl[11109]: mac/XX.192.37.138:49706 SIGUSR1[soft,connection-reset] received, client-instance restarting
*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); prior version 3.7.0 (build 4790); Admin user
git commit e70dc14d7a954d6fe0040b3b8c9007feb98ee29d
================================================================================
Non-Apple kexts that are loaded:
Index Refs Address Size Wired Name (Version) UUID <Linked Against>
121 1 0xffffff7f82870000 0xa000 0xa000 com.avatron.AVExVideo (1.7) E47613C0-C0D5-33F5-AD0B-DC00C1BC3ABD <88 5 4 3>
133 0 0xffffff7f80f24000 0x5000 0x5000 com.Cycling74.driver.Soundflower (1.5.1) BB3E236C-FD58-4E29-8E90-27420DD73FB5 <111 5 4 3>
136 0 0xffffff7f80e24000 0x6000 0x6000 virtualcdrw.driver (1.0) no UUID <135 134 87 16 7 5 4 3 1>
137 0 0xffffff7f8287a000 0x5000 0x5000 com.avatron.AVExFramebuffer (1.7) 78864819-AA3A-306D-809D-47E686928991 <121 88 5 4 3>
147 3 0xffffff7f832fe000 0x60000 0x60000 org.virtualbox.kext.VBoxDrv (5.0.12) 2C7E6228-04EC-3814-9A37-8A857BC13E01 <7 5 4 3 1>
149 0 0xffffff7f8335e000 0x8000 0x8000 org.virtualbox.kext.VBoxUSB (5.0.12) 79C39601-7691-33D7-A901-1BC872CD7190 <148 147 54 7 5 4 3 1>
150 0 0xffffff7f83366000 0x5000 0x5000 org.virtualbox.kext.VBoxNetFlt (5.0.12) 0B96ECAD-586F-3D80-9EBD-87E1E240941E <147 7 5 4 3 1>
151 0 0xffffff7f8336b000 0x6000 0x6000 org.virtualbox.kext.VBoxNetAdp (5.0.12) 04C34324-1819-315F-B141-A9D4DF1B25F5 <147 5 4 1>
================================================================================
There are no unusual files in mac.tblk
================================================================================
Configuration preferences:
-lastConnectionSucceeded = 1
================================================================================
Wildcard preferences:
================================================================================
Program preferences:
skipWarningThatIPAddressDidNotChangeAfterConnection = 1
skipWarningThatInternetIsNotReachable = 1
placeIconInStandardPositionInStatusBar = 1
launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
"3.7.1a (build 4812)",
"3.7.0 (build 4790)",
"3.6.10 (build 4760)",
"3.6.9 (build 4685)",
"3.6.8 (build 4625)",
"3.6.3 (build 4560)",
"3.5.8 (build 4270.4530)",
"3.5.7 (build 4270.4517)",
"3.5.6 (build 4270.4505)",
"3.5.5 (build 4270.4461)"
)
lastLaunchTime = 518944380.160635
showConnectedDurations = 1
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = mac
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame ConnectingWindow = 466 418 389 187 0 0 1366 745
NSWindow Frame SUUpdateAlert = 346 264 620 392 0 0 1366 745
detailsWindowFrameVersion = 4812
detailsWindowFrame = {{192, 70}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = settings
leftNavSelectedDisplayName = mac
AdvancedWindowTabIdentifier = whileConnected
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUFeedURL = https://www.tunnelblick.net/appcast-s.rss
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SULastCheckTime = 2017-06-12 07:13:01 +0000
SULastProfileSubmissionDate = 2017-06-06 03:12:15 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 11
WebKitStandardFont = .AppleSystemUIFont
tunnelblickdHash = 982f7a7b2b98739801aa88b72712259b30dea31dbe8f2662db447888ff2ff295
tunnelblickdPlistHash = ce400d395d1801b003398461b5420021f4d591822783a04b79b2f43956d28620
================================================================================
Tunnelblick Log:
*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); prior version 3.7.0 (build 4790)
2017-06-13 13:51:42 *Tunnelblick: Attempting connection with mac; Set nameserver = 769; monitoring connection
2017-06-13 13:51:42 *Tunnelblick: openvpnstart start mac.tblk 1337 769 0 3 0 1065264 -ptADGNWradsgnw 2.3.16-openssl-1.0.2k
2017-06-13 13:51:42 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.16-openssl-1.0.2k/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Smac.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065264.1337.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Shared/mac.tblk/Contents/Resources
--verb
3
--config
/Library/Application Support/Tunnelblick/Shared/mac.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Shared/mac.tblk/Contents/Resources
--management
127.0.0.1
1337
--management-query-passwords
--management-hold
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2017-06-13 13:51:42 OpenVPN 2.3.16 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on May 19 2017
2017-06-13 13:51:42 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
2017-06-13 13:51:42 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-06-13 13:51:42 Need hold release from management interface, waiting...
2017-06-13 13:51:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-06-13 13:51:42 MANAGEMENT: CMD 'pid'
2017-06-13 13:51:42 MANAGEMENT: CMD 'state on'
2017-06-13 13:51:42 MANAGEMENT: CMD 'state'
2017-06-13 13:51:42 MANAGEMENT: CMD 'bytecount 1'
2017-06-13 13:51:42 MANAGEMENT: CMD 'hold release'
2017-06-13 13:51:42 *Tunnelblick: Established communication with OpenVPN
2017-06-13 13:51:42 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-13 13:51:42 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2017-06-13 13:51:42 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-13 13:51:42 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-13 13:51:42 Socket Buffers: R=[131072->131072] S=[131072->131072]
2017-06-13 13:51:42 MANAGEMENT: >STATE:1497354702,RESOLVE,,,
2017-06-13 13:51:42 Attempting to establish TCP connection with [AF_INET]XYZ.XZY.XX.Z:1194 [nonblock]
2017-06-13 13:51:42 MANAGEMENT: >STATE:1497354702,TCP_CONNECT,,,
2017-06-13 13:51:42 *Tunnelblick: openvpnstart starting OpenVPN
2017-06-13 13:51:44 TCP connection established with [AF_INET]XYZ.XZY.XX.Z:1194
2017-06-13 13:51:44 TCPv4_CLIENT link local: [undef]
2017-06-13 13:51:44 TCPv4_CLIENT link remote: [AF_INET]XYZ.XZY.XX.Z:1194
2017-06-13 13:51:44 MANAGEMENT: >STATE:1497354704,WAIT,,,
2017-06-13 13:51:44 MANAGEMENT: >STATE:1497354704,AUTH,,,
2017-06-13 13:51:44 TLS: Initial packet from [AF_INET]XYZ.XZY.XX.Z:1194, sid=68d19de2 5f09070f
2017-06-13 13:51:44 VERIFY OK: depth=1, C=DE, ST=XX, L=CityA, O=SomeOrga, OU=Whatever, CN=SomeOrga CA, name=EasyRSA, emailAddress=spam[ät][domain].net
2017-06-13 13:51:44 VERIFY OK: nsCertType=SERVER
2017-06-13 13:51:44 VERIFY OK: depth=0, C=DE, ST=XX, L=CityA, O=SomeOrga, OU=Whatever, CN=server, name=EasyRSA, emailAddress=spam[ät][domain].net
2017-06-13 13:51:44 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-13 13:51:44 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-13 13:51:44 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-06-13 13:51:44 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-06-13 13:51:44 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-06-13 13:51:44 [server] Peer Connection Initiated with [AF_INET]XYZ.XZY.XX.Z:1194
2017-06-13 13:51:45 MANAGEMENT: >STATE:1497354705,GET_CONFIG,,,
2017-06-13 13:51:46 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2017-06-13 13:51:46 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0'
2017-06-13 13:51:46 OPTIONS IMPORT: timers and/or timeouts modified
2017-06-13 13:51:46 OPTIONS IMPORT: --ifconfig/up options modified
2017-06-13 13:51:46 OPTIONS IMPORT: route options modified
2017-06-13 13:51:46 OPTIONS IMPORT: route-related options modified
2017-06-13 13:51:46 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-06-13 13:51:46 OPTIONS IMPORT: peer-id set
2017-06-13 13:51:46 OPTIONS IMPORT: adjusting link_mtu to 1563
2017-06-13 13:51:46 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-06-13 13:51:46 Opened utun device utun1
2017-06-13 13:51:46 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-06-13 13:51:46 MANAGEMENT: >STATE:1497354706,ASSIGN_IP,,10.8.0.2,
2017-06-13 13:51:46 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-06-13 13:51:46 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-06-13 13:51:46 /sbin/ifconfig utun1 10.8.0.2 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
2017-06-13 13:51:46 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
2017-06-13 13:51:46 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1563 10.8.0.2 255.255.255.0 init
**********************************************
Start of output from client.up.tunnelblick.sh
Retrieved from OpenVPN: name server(s) [ 208.67.222.222 208.67.220.220 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '192.168.2.1' to '208.67.222.222 208.67.220.220'
Changed DNS SearchDomains setting from '' to 'openvpn'
Changed DNS DomainName setting from 'speedport.ip' to 'openvpn'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of 'WORKGROUP'
Did not change SMB WINSAddresses setting of ''
DNS servers '208.67.222.222 208.67.220.220' will be used for DNS queries when the VPN is active
The DNS servers include only free public DNS servers known to Tunnelblick.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2017-06-13 13:51:50 *Tunnelblick: No 'connected.sh' script to execute
2017-06-13 13:51:50 /sbin/route add -net XYZ.XZY.XX.Z 192.168.2.1 255.255.255.255
add net XYZ.XZY.XX.Z: gateway 192.168.2.1
2017-06-13 13:51:50 /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.1
2017-06-13 13:51:50 /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.1
2017-06-13 13:51:50 Initialization Sequence Completed
2017-06-13 13:51:50 MANAGEMENT: >STATE:1497354710,CONNECTED,SUCCESS,10.8.0.2,XYZ.XZY.XX.Z
2017-06-13 13:51:55 *Tunnelblick process-network-changes: A system configuration change was ignored
2017-06-13 13:52:30 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
================================================================================
ifconfig output:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 28:37:37:19:ec:2e
inet 192.168.2.113 netmask 0xffffff00 broadcast 192.168.2.255
media: autoselect
status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether b2:00:11:f8:d2:c0
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether b2:00:11:f8:d2:c0
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 5 priority 0 path cost 0
media: <unknown type>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 0a:37:37:19:ec:2e
media: autoselect
status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::1ca1:8b46:1df6:ee9%utun0 prefixlen 64 scopeid 0x8
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.8.0.2 --> 10.8.0.2 netmask 0xffffff00
================================================================================
Console Log:
2017-06-13 13:52:30 Tunnelblick[10700] currentIPInfo(Name): IP address info could not be fetched within 35.0 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={NSUnderlyingError=0x608000a5e9c0 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "The request timed out." UserInfo={NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4, NSLocalizedDescription=The request timed out.}}, NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-2102, NSLocalizedDescription=The request timed out.}'; the response was '(null)'
Thanks a lot for your time and effort!
Alex
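As an added example, not part of the original post and not OpenVPN's own tooling: a small Python checker that parses a server/client config pair and flags the mismatches that typically break a UDP-to-TCP migration (proto role and family, listening port versus each `remote` port, tls-auth key direction, port-share on a non-TCP listener, and options a 2.3 client cannot negotiate). The embedded configs are reduced copies of the ones in the post with placeholder hostnames; the port 443 / port-share pair is a hypothetical target built from what the post says it wants (the loopback host and port 4443 are assumptions), not a known-good fix for the connection reset shown in the server log.

```python
"""Consistency checks for an OpenVPN server/client config pair.

Added example for this thread; not the poster's code and not part of OpenVPN.
Configs are reduced from the post (hostnames replaced with placeholders);
the port-443/port-share pair is a hypothetical target, not a verified fix.
"""
import shlex

DEFAULT_PORT = 1194

# Constructed from the post: server and client as currently configured.
SERVER_CONF = """
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
topology subnet
"""

CLIENT_CONF = """
dev tun
proto tcp-client
remote vpn.example.net 1194 tcp-client
remote vpn.example.org 1194 tcp-client
nobind
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
topology subnet
pull
"""

# Hypothetical target: TCP/443, with non-OpenVPN traffic handed to a local
# web server on 4443 via port-share (host and port are assumptions).
SERVER_443_CONF = SERVER_CONF + "port 443\nport-share 127.0.0.1 4443\n"
CLIENT_443_CONF = CLIENT_CONF.replace(" 1194 ", " 443 ")


def parse_conf(text):
    """Return [(directive, [args]), ...]; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)          # keeps push "..." as one argument
        entries.append((parts[0], parts[1:]))
    return entries


def first(entries, name):
    return next((args for d, args in entries if d == name), None)


def all_of(entries, name):
    return [args for d, args in entries if d == name]


def family(proto):
    return "udp" if proto.startswith("udp") else "tcp"


def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    out = []

    s_proto = (first(s, "proto") or ["udp"])[0]
    c_proto = (first(c, "proto") or ["udp"])[0]
    if family(s_proto) != family(c_proto):
        out.append(f"PROTO_MISMATCH: server {s_proto} vs client {c_proto}")
    if s_proto == "tcp-client":
        out.append("PROTO_ROLE: a listening server needs tcp-server (or tcp), not tcp-client")
    if c_proto == "tcp-server":
        out.append("PROTO_ROLE: a connecting client needs tcp-client (or tcp), not tcp-server")

    # Every remote must point at the port and protocol family the server listens on.
    s_port = int((first(s, "port") or [DEFAULT_PORT])[0])
    for args in all_of(c, "remote"):
        host = args[0]
        r_port = int(args[1]) if len(args) > 1 else DEFAULT_PORT
        r_proto = args[2] if len(args) > 2 else c_proto
        if r_port != s_port:
            out.append(f"PORT_MISMATCH: remote {host} -> {r_port}, server listens on {s_port}")
        if family(r_proto) != family(s_proto):
            out.append(f"PROTO_MISMATCH: remote {host} uses {r_proto}, server is {s_proto}")

    # port-share is only honoured on a TCP listener, and must not loop back to it.
    ps = first(s, "port-share")
    if ps is not None:
        if family(s_proto) != "tcp":
            out.append("PORT_SHARE_NEEDS_TCP: port-share requires proto tcp-server")
        if int(ps[1]) == s_port and ps[0] in ("127.0.0.1", "localhost", "::1"):
            out.append("PORT_SHARE_LOOP: port-share target is the OpenVPN listener itself")

    # tls-auth must be on both sides with complementary key directions (0 / 1).
    s_ta, c_ta = first(s, "tls-auth"), first(c, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        out.append("TLS_AUTH_ONE_SIDED: tls-auth configured on only one side")
    elif s_ta and c_ta:
        dirs = {s_ta[1] if len(s_ta) > 1 else None, c_ta[1] if len(c_ta) > 1 else None}
        if dirs not in ({"0", "1"}, {None}):
            out.append(f"TLS_AUTH_DIRECTION: directions {sorted(map(str, dirs))}; expect 0 on server, 1 on client")

    # A 2.3 client does not negotiate these, so both sides must agree literally.
    for name in ("dev", "cipher", "comp-lzo"):
        if first(s, name) != first(c, name):
            out.append(f"OPTION_PARITY: {name} differs (server {first(s, name)}, client {first(c, name)})")
    return out


if __name__ == "__main__":
    for label, pair in (("current", (SERVER_CONF, CLIENT_CONF)),
                        ("target 443", (SERVER_443_CONF, CLIENT_443_CONF)),
                        ("stale client", (SERVER_443_CONF, CLIENT_CONF))):
        findings = check_pair(*pair)
        print(f"{label}: {'OK' if not findings else ''}".rstrip())
        for f in findings:
            print("  " + f)
```

Run it as-is and the "current" pair comes back clean, which matches the log: the TCP handshake, TLS verification and PUSH_REPLY all succeed, so the reset 21 seconds later is not a config mismatch this kind of static check can see. The "stale client" case shows what the checker is for: once the server moves to port 443, every client profile still carrying `remote ... 1194` is flagged before anyone tries to connect through a filtering network.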