Issues with MAC OS connecting using tunnelblick

Wraiith
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 03, 2018 8:04 pm

Issues with MAC OS connecting using tunnelblick

Post by Wraiith » Wed Jan 03, 2018 9:49 pm

I have issues trying to get my MAC OS client to connect to my OpenVPN server.

I have generated the same key, ca, and client.crt and it is working on my other 2 clients: client1, client2 and client3. Client 3 is the Mac OS and it is not connecting. On the server side I see the following when doing an openvpn status:

"jan 03 12:47:47 localhost.localdomain openvpn[6642]: Wed Jan 3 12:47:47 2018 andy/64.x.x.x:45646 Authenticate/Decrypt packet error: packet HMAC authentication failed."

He gets a tun1 interface, and an IP, but he can not ping other hosts let alone access them on the network. The other clients with the same ca/keys work fine and are able to access the network.

He is also getting strange errors:

2018-01-03 12:08:02 TLS: Initial packet from [AF_INET]67.x.x.x:1194, sid=e55eb0f3 999b910b
2018-01-03 12:08:03 VERIFY OK: depth=1, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=WOWINC CA, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:08:03 VERIFY OK: depth=0, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:08:03 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1557'
2018-01-03 12:08:03 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
2018-01-03 12:08:03 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2018-01-03 12:08:03 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:08:03 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:08:03 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:08:03 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:08:03 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:08:03 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:08:03 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-01-03 12:08:03 [server] Peer Connection Initiated with [AF_INET]67.x.x.x:1194

The client's file is:

client
dev tun
proto udp
remote 67.X.X.X 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca ca.crt
cert andy.crt
key andy.key

server conf:

;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
;client-to-client
;duplicate-cn
keepalive 10 120
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Issues with MAC OS connecting using tunnelblick

Post by TinCanTech » Thu Jan 04, 2018 3:01 pm

The log above appears to show a successful connection.

Please post your complete logs as per this thread:
HOWTO: Request Help ! {2}

Wraiith
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 03, 2018 8:04 pm

Re: Issues with MAC OS connecting using tunnelblick

Post by Wraiith » Thu Jan 04, 2018 5:42 pm

Server:

uname -a

[root@localhost openvpn]# uname -a
Linux localhost.localdomain 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


ifconfig


[root@localhost openvpn]# ifconfig
eno16780032: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.10.249 netmask 255.255.255.0 broadcast 10.1.10.255
inet6 2603:300b:72d:d700:20c:29ff:fef2:ecb7 prefixlen 64 scopeid 0x0<global>
inet6 fe80::20c:29ff:fef2:ecb7 prefixlen 64 scopeid 0x20<link>
inet6 2603:300b:72d:d700::2bab prefixlen 128 scopeid 0x0<global>
ether 00:0c:29:f2:ec:b7 txqueuelen 1000 (Ethernet)
RX packets 1428752 bytes 978712683 (933.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1183510 bytes 949691535 (905.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eno33559296: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.10.7 netmask 255.255.255.0 broadcast 10.1.10.255
inet6 2603:300b:72d:d700::b8fb prefixlen 128 scopeid 0x0<global>
inet6 2603:300b:72d:d700:20c:29ff:fef2:ecc1 prefixlen 64 scopeid 0x0<global>
inet6 fe80::20c:29ff:fef2:ecc1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f2:ec:c1 txqueuelen 1000 (Ethernet)
RX packets 127156 bytes 10627464 (10.1 MiB)
RX errors 0 dropped 76 overruns 0 frame 0
TX packets 10007 bytes 1727362 (1.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 25 bytes 2354 (2.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25 bytes 2354 (2.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 481232 bytes 110875122 (105.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 677141 bytes 786700689 (750.2 MiB)
TX errors 0 dropped 123 overruns 0 carrier 0 collisions 0

server.conf


;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
;client-to-client
;duplicate-cn
keepalive 10 120
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log



Server logs:


Jan 04 10:22:46 localhost.localdomain openvpn[6642]: Thu Jan 4 10:22:46 2018 andy/64.233.207.30:27151 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 04 10:22:46 localhost.localdomain openvpn[6642]: Thu Jan 4 10:22:46 2018 andy/64.233.207.30:27151 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 04 10:22:46 localhost.localdomain openvpn[6642]: Thu Jan 4 10:22:46 2018 andy/64.233.207.30:27151 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 04 10:22:46 localhost.localdomain openvpn[6642]: Thu Jan 4 10:22:46 2018 andy/64.233.207.30:27151 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 04 10:22:46 localhost.localdomain openvpn[6642]: Thu Jan 4 10:22:46 2018 andy/64.233.207.30:27151 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 04 10:22:46 localhost.localdomain openvpn[6642]: Thu Jan 4 10:22:46 2018 andy/64.233.207.30:27151 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 04 10:22:46 localhost.localdomain openvpn[6642]: Thu Jan 4 10:22:46 2018 andy/64.233.207.30:27151 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 04 10:22:46 localhost.localdomain openvpn[6642]: Thu Jan 4 10:22:46 2018 andy/64.233.207.30:27151 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 04 10:26:05 localhost.localdomain openvpn[6642]: Thu Jan 4 10:26:05 2018 andy/64.233.207.30:27151 [andy] Inactivity timeout (--ping-restart), restarting
Jan 04 10:26:05 localhost.localdomain openvpn[6642]: Thu Jan 4 10:26:05 2018 andy/64.233.207.30:27151 SIGUSR1[soft,ping-restart] received, client-instance restarting




Client:

astephenson$ uname -a
Darwin CODN-C02ML4S-MBs-MacBook-Pro.local 16.7.0 Darwin Kernel Version 16.7.0: Mon Nov 13 21:56:25 PST 2017; root:xnu-3789.72.11~1/RELEASE_X86_64 x86_64


CODN-C02ML4S-MBs-MacBook-Pro:openvpn1 astephenson$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 3c:15:c2:c5:52:54
inet6 fe80::c72:a443:8d28:bda6%en0 prefixlen 64 secured scopeid 0x4
inet 10.113.64.160 netmask 0xfffffe00 broadcast 10.113.65.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 72:00:03:75:75:a0
media: autoselect <full-duplex>
status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 72:00:03:75:75:a1
media: autoselect <full-duplex>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 0e:15:c2:c5:52:54
media: autoselect
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 72:00:03:75:75:a0
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 5 priority 0 path cost 0
member: en2 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 6 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether 3e:8d:b2:d6:ca:b0
inet6 fe80::3c8d:b2ff:fed6:cab0%awdl0 prefixlen 64 scopeid 0x9
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::92ac:a815:ffea:ed1c%utun0 prefixlen 64 scopeid 0xa
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.8.0.14 --> 10.8.0.13 netmask 0xffffffff
CODN-C02ML4S-MBs-MacBook-Pro:openvpn1 astephenson$



client.ovpn file:

client
dev tun
proto udp
remote 67.x.x.x. 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca ca.crt
cert andy.crt
key andy.key


Client Log file:

**********************************************************

Tunnelblick Log:

*Tunnelblick: OS X 10.12.6; Tunnelblick 3.7.4b (build 4921)
2018-01-03 12:08:02 *Tunnelblick: Attempting connection with lab1 using shadow copy; Set nameserver = 769; monitoring connection
2018-01-03 12:08:02 *Tunnelblick: openvpnstart start lab1.tblk 1337 769 0 1 0 1066288 -ptADGNWradsgnw 2.3.18-openssl-1.0.2n
2018-01-03 12:08:02 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.18-openssl-1.0.2n/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-Sastephenson-SLibrary-SApplication Support-STunnelblick-SConfigurations-Slab1.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1066288.1337.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Users/astephenson/lab1.tblk/Contents/Resources
--setenv
IV_GUI_VER
"net.tunnelblick.tunnelblick 4921 3.7.4b (build 4921)"
--verb
3
--config
/Library/Application Support/Tunnelblick/Users/astephenson/lab1.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Users/astephenson/lab1.tblk/Contents/Resources
--management
127.0.0.1
1337
--management-query-passwords
--management-hold
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -r -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -r -w -ptADGNWradsgnw

2018-01-03 12:08:02 *Tunnelblick: openvpnstart starting OpenVPN
2018-01-03 12:08:02 *Tunnelblick: Established communication with OpenVPN
2018-01-03 12:08:02 OpenVPN 2.3.18 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec 7 2017
2018-01-03 12:08:02 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
2018-01-03 12:08:02 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2018-01-03 12:08:02 Need hold release from management interface, waiting...
2018-01-03 12:08:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2018-01-03 12:08:02 MANAGEMENT: CMD 'pid'
2018-01-03 12:08:02 MANAGEMENT: CMD 'state on'
2018-01-03 12:08:02 MANAGEMENT: CMD 'state'
2018-01-03 12:08:02 MANAGEMENT: CMD 'bytecount 1'
2018-01-03 12:08:02 MANAGEMENT: CMD 'hold release'
2018-01-03 12:08:02 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2018-01-03 12:08:02 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-01-03 12:08:02 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-01-03 12:08:02 UDPv4 link local: [undef]
2018-01-03 12:08:02 UDPv4 link remote: [AF_INET]67.x.x.x:1194
2018-01-03 12:08:02 MANAGEMENT: >STATE:1515006482,WAIT,,,
2018-01-03 12:08:02 MANAGEMENT: >STATE:1515006482,AUTH,,,
2018-01-03 12:08:02 TLS: Initial packet from [AF_INET]67.x.x.x:1194, sid=e55eb0f3 999b910b
2018-01-03 12:08:03 VERIFY OK: depth=1, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=WOWINC CA, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:08:03 VERIFY OK: depth=0, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:08:03 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1557'
2018-01-03 12:08:03 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
2018-01-03 12:08:03 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2018-01-03 12:08:03 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:08:03 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:08:03 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:08:03 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:08:03 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:08:03 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:08:03 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-01-03 12:08:03 [server] Peer Connection Initiated with [AF_INET]67.x.x.x:1194
2018-01-03 12:08:04 MANAGEMENT: >STATE:1515006484,GET_CONFIG,,,
2018-01-03 12:08:05 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-01-03 12:08:05 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 0'
2018-01-03 12:08:05 OPTIONS IMPORT: timers and/or timeouts modified
2018-01-03 12:08:05 OPTIONS IMPORT: --ifconfig/up options modified
2018-01-03 12:08:05 OPTIONS IMPORT: route options modified
2018-01-03 12:08:05 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-01-03 12:08:05 OPTIONS IMPORT: peer-id set
2018-01-03 12:08:05 OPTIONS IMPORT: adjusting link_mtu to 1544
2018-01-03 12:08:05 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2018-01-03 12:08:05 Opened utun device utun1
2018-01-03 12:08:05 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2018-01-03 12:08:05 MANAGEMENT: >STATE:1515006485,ASSIGN_IP,,10.8.0.14,
2018-01-03 12:08:05 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-01-03 12:08:05 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-01-03 12:08:05 /sbin/ifconfig utun1 10.8.0.14 10.8.0.13 mtu 1500 netmask 255.255.255.255 up
2018-01-03 12:08:05 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -r -w -ptADGNWradsgnw utun1 1500 1544 10.8.0.14 10.8.0.13 init
**********************************************
Start of output from client.up.tunnelblick.sh
Disabled IPv6 for 'Thunderbolt Ethernet'
Disabled IPv6 for 'Thunderbolt Ethernet Slot 1'
Disabled IPv6 for 'Thunderbolt Ethernet Slot 2'
Disabled IPv6 for 'iPhone USB'
Disabled IPv6 for 'Thunderbolt Bridge'
Disabled IPv6 for 'Wi-Fi'
Disabled IPv6 for 'Bluetooth PAN'
Retrieved from OpenVPN: name server(s) [ 8.8.8.8 8.8.4.4 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '10.170.16.21 10.170.10.71 10.170.10.22' to '8.8.8.8 8.8.4.4'
Changed DNS SearchDomains setting from '' to 'openvpn'
Changed DNS DomainName setting from 'wideopenwest.com' to 'openvpn'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of 'WIDEOPENWEST'
Did not change SMB WINSAddresses setting of '10.170.10.71 10.170.10.22'
DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
The DNS servers include only free public DNS servers known to Tunnelblick.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2018-01-03 12:08:10 /sbin/route add -net 67.x.x.x 10.170.32.1 255.255.255.255
add net 67.x.x.x: gateway 10.170.32.1
2018-01-03 12:08:10 /sbin/route add -net 0.0.0.0 10.8.0.13 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.13
2018-01-03 12:08:10 /sbin/route add -net 128.0.0.0 10.8.0.13 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.13
2018-01-03 12:08:10 MANAGEMENT: >STATE:1515006490,ADD_ROUTES,,,
2018-01-03 12:08:10 /sbin/route add -net 10.8.0.1 10.8.0.13 255.255.255.255
add net 10.8.0.1: gateway 10.8.0.13
2018-01-03 12:08:10 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-01-03 12:08:10 Initialization Sequence Completed
2018-01-03 12:08:10 MANAGEMENT: >STATE:1515006490,CONNECTED,SUCCESS,10.8.0.14,67.x.x.x
2018-01-03 12:08:17 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:08:20 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-01-03 12:08:22 *Tunnelblick: No 'connected.sh' script to execute
2018-01-03 12:08:27 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:08:37 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:08:47 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:08:57 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:09:07 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:09:17 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:09:27 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:09:37 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:09:47 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:09:57 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:10:07 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:10:10 [server] Inactivity timeout (--ping-restart), restarting
2018-01-03 12:10:10 SIGUSR1[soft,ping-restart] received, process restarting
2018-01-03 12:10:10 MANAGEMENT: >STATE:1515006610,RECONNECTING,ping-restart,,
2018-01-03 12:10:10 *Tunnelblick: No 'reconnecting.sh' script to execute
2018-01-03 12:10:10 MANAGEMENT: CMD 'hold release'
2018-01-03 12:10:10 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2018-01-03 12:10:10 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-01-03 12:10:10 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-01-03 12:10:10 UDPv4 link local: [undef]
2018-01-03 12:10:10 UDPv4 link remote: [AF_INET]67.x.x.x:1194
2018-01-03 12:10:10 MANAGEMENT: >STATE:1515006610,WAIT,,,
2018-01-03 12:10:10 MANAGEMENT: >STATE:1515006610,AUTH,,,
2018-01-03 12:10:10 TLS: Initial packet from [AF_INET]67.x.x.x:1194, sid=a25577d6 4485c0aa
2018-01-03 12:10:10 VERIFY OK: depth=1, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=WOWINC CA, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:10:10 VERIFY OK: depth=0, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:10:10 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1557'
2018-01-03 12:10:10 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
2018-01-03 12:10:10 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2018-01-03 12:10:10 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:10:10 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:10:10 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:10:10 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:10:10 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:10:10 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:10:10 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-01-03 12:10:10 [server] Peer Connection Initiated with [AF_INET]67.x.x.x:1194
2018-01-03 12:10:11 MANAGEMENT: >STATE:1515006611,GET_CONFIG,,,
2018-01-03 12:10:12 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-01-03 12:10:12 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1'
2018-01-03 12:10:12 OPTIONS IMPORT: timers and/or timeouts modified
2018-01-03 12:10:12 OPTIONS IMPORT: --ifconfig/up options modified
2018-01-03 12:10:12 OPTIONS IMPORT: route options modified
2018-01-03 12:10:12 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-01-03 12:10:12 OPTIONS IMPORT: peer-id set
2018-01-03 12:10:12 OPTIONS IMPORT: adjusting link_mtu to 1544
2018-01-03 12:10:12 Preserving previous TUN/TAP instance: utun1
2018-01-03 12:10:12 Initialization Sequence Completed
2018-01-03 12:10:12 MANAGEMENT: >STATE:1515006612,CONNECTED,SUCCESS,10.8.0.14,67.x.x.x
2018-01-03 12:10:12 *Tunnelblick: No 'connected.sh' script to execute
2018-01-03 12:10:22 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:10:32 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:10:42 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:10:52 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:11:02 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:11:12 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:11:22 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:11:32 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:11:42 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:11:52 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:12:02 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:12:12 [server] Inactivity timeout (--ping-restart), restarting
2018-01-03 12:12:12 SIGUSR1[soft,ping-restart] received, process restarting
2018-01-03 12:12:12 MANAGEMENT: >STATE:1515006732,RECONNECTING,ping-restart,,
2018-01-03 12:12:12 *Tunnelblick: No 'reconnecting.sh' script to execute
2018-01-03 12:12:12 MANAGEMENT: CMD 'hold release'
2018-01-03 12:12:12 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2018-01-03 12:12:12 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-01-03 12:12:12 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-01-03 12:12:12 UDPv4 link local: [undef]
2018-01-03 12:12:12 UDPv4 link remote: [AF_INET]67.x.x.x:1194
2018-01-03 12:12:12 MANAGEMENT: >STATE:1515006732,WAIT,,,
2018-01-03 12:12:12 MANAGEMENT: >STATE:1515006732,AUTH,,,
2018-01-03 12:12:12 TLS: Initial packet from [AF_INET]67.x.x.x:1194, sid=9afb6370 2be647a9
2018-01-03 12:12:12 VERIFY OK: depth=1, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=WOWINC CA, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:12:12 VERIFY OK: depth=0, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:12:12 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1557'
2018-01-03 12:12:12 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
2018-01-03 12:12:12 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2018-01-03 12:12:12 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:12:12 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:12:12 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:12:12 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:12:12 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:12:12 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:12:12 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-01-03 12:12:12 [server] Peer Connection Initiated with [AF_INET]67.x.x.x:1194
2018-01-03 12:12:13 MANAGEMENT: >STATE:1515006733,GET_CONFIG,,,
2018-01-03 12:12:14 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-01-03 12:12:14 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 0'
2018-01-03 12:12:14 OPTIONS IMPORT: timers and/or timeouts modified
2018-01-03 12:12:14 OPTIONS IMPORT: --ifconfig/up options modified
2018-01-03 12:12:14 OPTIONS IMPORT: route options modified
2018-01-03 12:12:14 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-01-03 12:12:14 OPTIONS IMPORT: peer-id set
2018-01-03 12:12:14 OPTIONS IMPORT: adjusting link_mtu to 1544
2018-01-03 12:12:14 Preserving previous TUN/TAP instance: utun1
2018-01-03 12:12:14 Initialization Sequence Completed
2018-01-03 12:12:14 MANAGEMENT: >STATE:1515006734,CONNECTED,SUCCESS,10.8.0.14,67.x.x.x
2018-01-03 12:12:14 *Tunnelblick: No 'connected.sh' script to execute
2018-01-03 12:12:24 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:12:34 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:12:44 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:12:54 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:13:04 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:13:05 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-01-03 12:13:14 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:13:15 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-01-03 12:13:24 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:13:34 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:13:37 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2018-01-03 12:13:37 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2018-01-03 12:13:37 *Tunnelblick: Disconnecting using 'kill'
2018-01-03 12:13:37 event_wait : Interrupted system call (code=4)
2018-01-03 12:13:37 /sbin/route delete -net 10.8.0.1 10.8.0.13 255.255.255.255
delete net 10.8.0.1: gateway 10.8.0.13
2018-01-03 12:13:37 /sbin/route delete -net 67.x.x.x 10.170.32.1 255.255.255.255
delete net 67.x.x.x: gateway 10.170.32.1
2018-01-03 12:13:37 /sbin/route delete -net 0.0.0.0 10.8.0.13 128.0.0.0
delete net 0.0.0.0: gateway 10.8.0.13
2018-01-03 12:13:37 /sbin/route delete -net 128.0.0.0 10.8.0.13 128.0.0.0
delete net 128.0.0.0: gateway 10.8.0.13
2018-01-03 12:13:37 Closing TUN/TAP interface
2018-01-03 12:13:37 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -r -w -ptADGNWradsgnw utun1 1500 1544 10.8.0.14 10.8.0.13 init
**********************************************
Start of output from client.down.tunnelblick.sh
Cancelled monitoring of system configuration changes
Restored the DNS and SMB configurations
Re-enabled IPv6 (automatic) for 'Thunderbolt Ethernet'
Re-enabled IPv6 (automatic) for 'Thunderbolt Ethernet Slot 1'
Re-enabled IPv6 (automatic) for 'Thunderbolt Ethernet Slot 2'
Re-enabled IPv6 (automatic) for 'iPhone USB'
Re-enabled IPv6 (automatic) for 'Thunderbolt Bridge'
Re-enabled IPv6 (automatic) for 'Wi-Fi'
Re-enabled IPv6 (automatic) for 'Bluetooth PAN'
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Resetting primary interface 'en5' via ifconfig en5 down/up...
End of output from client.down.tunnelblick.sh
**********************************************
2018-01-03 12:13:47 SIGTERM[hard,] received, process exiting
2018-01-03 12:13:47 MANAGEMENT: >STATE:1515006827,EXITING,SIGTERM,,
2018-01-03 12:13:47 *Tunnelblick: No 'post-disconnect.sh' script to execute
2018-01-03 12:13:47 *Tunnelblick: Expected disconnection occurred.





ERRORS:



2018-01-03 12:08:02 TLS: Initial packet from [AF_INET]67.x.x.x:1194, sid=e55eb0f3 999b910b
2018-01-03 12:08:03 VERIFY OK: depth=1, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=WOWINC CA, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:08:03 VERIFY OK: depth=0, C=US, ST=CO, L=Denver, O=WOWINC, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
2018-01-03 12:08:03 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1557'
2018-01-03 12:08:03 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
2018-01-03 12:08:03 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2018-01-03 12:08:03 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:08:03 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:08:03 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:08:03 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:08:03 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:08:03 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-01-03 12:08:03 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-01-03 12:08:03 [server] Peer Connection Initiated with [AF_INET]67.x.x.x:1194

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Issues with MAC OS connecting using tunnelblick

Post by TinCanTech » Thu Jan 04, 2018 11:23 pm

You need to add this to your client config file:

cipher AES-256-CBC
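
Added example, not part of TinCanTech's post or of OpenVPN itself: a small Python check that reads an OpenVPN log like the ones posted above, collects the "used inconsistently" warnings and the Authenticate/Decrypt errors, and derives the client directive that aligns the cipher with the server. The function names and the `SAMPLE_CLIENT_LOG` constant are hypothetical; the sample lines are copied from the client log in this thread.

```python
import re

# Constructed sample: lines copied from the client log posted in this thread.
SAMPLE_CLIENT_LOG = """\
2018-01-03 12:08:03 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1557'
2018-01-03 12:08:03 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
2018-01-03 12:08:03 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2018-01-03 12:08:03 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2018-01-03 12:08:03 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2018-01-03 12:08:10 Initialization Sequence Completed
2018-01-03 12:08:17 Authenticate/Decrypt packet error: cipher final failed
2018-01-03 12:08:27 Authenticate/Decrypt packet error: cipher final failed
"""

# Option-consistency warning printed after the TLS handshake.
MISMATCH_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
# Data-channel failure; the reason differs per side ("cipher final failed"
# on the client, "packet HMAC authentication failed" on the server).
DECRYPT_ERR_RE = re.compile(r"Authenticate/Decrypt packet error: (?P<reason>.+)$")
WEAK_CIPHER_MARK = "INSECURE cipher with block size less than 128 bit"


def _value(option, setting):
    """Strip the leading option name: 'cipher BF-CBC' -> 'BF-CBC'."""
    prefix = option + " "
    return setting[len(prefix):] if setting.startswith(prefix) else setting


def analyse(log_text):
    """Return mismatched options, decrypt-error counts and the weak-cipher flag."""
    mismatches = {}       # option -> (local value, remote value)
    decrypt_errors = {}   # reason -> number of occurrences
    weak_cipher = False
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            opt = m.group("opt")
            mismatches[opt] = (
                _value(opt, m.group("local")),
                _value(opt, m.group("remote")),
            )
            continue
        m = DECRYPT_ERR_RE.search(line)
        if m:
            reason = m.group("reason").strip()
            decrypt_errors[reason] = decrypt_errors.get(reason, 0) + 1
            continue
        if WEAK_CIPHER_MARK in line:
            weak_cipher = True
    return {
        "mismatches": mismatches,
        "decrypt_errors": decrypt_errors,
        "weak_cipher": weak_cipher,
    }


def client_fix(report):
    """Directives to add to the client config, given a report from a client log.

    Only 'cipher' is turned into a directive, as in the fix given in this
    thread; link-mtu and keysize mismatches are reported but not set.
    In a client log, 'remote' is the server's value.
    """
    directives = []
    if "cipher" in report["mismatches"]:
        _local, remote = report["mismatches"]["cipher"]
        directives.append("cipher " + remote)
    return directives


if __name__ == "__main__":
    report = analyse(SAMPLE_CLIENT_LOG)
    for opt, (local, remote) in report["mismatches"].items():
        print(f"mismatch {opt}: client={local} server={remote}")
    for reason, count in report["decrypt_errors"].items():
        print(f"decrypt error x{count}: {reason}")
    if report["weak_cipher"]:
        print("client negotiated a 64-bit block cipher (SWEET32 warning)")
    for line in client_fix(report):
        print("add to client config:", line)
```

A "Peer Connection Initiated" and "Initialization Sequence Completed" in the log only mean the control channel came up; the mismatch warnings followed by repeated decrypt errors are what show the data channel is unusable.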

Wraiith
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 03, 2018 8:04 pm

Re: Issues with MAC OS connecting using tunnelblick

Post by Wraiith » Fri Jan 05, 2018 7:06 pm

TinCanTech wrote:
Thu Jan 04, 2018 11:23 pm
You need to add this to your client config file:

cipher AES-256-CBC

Thank you so much! This fixed it!
