[Resolved] Self Signed certificate

kobold
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 08, 2012 12:34 pm

Post by kobold » Sun Apr 08, 2012 1:02 pm

Hi,

I'm trying to set up an OpenVPN server / client on a Mac with the help of TunnelBlick.
After installing tunnelblick I created a self signed CA certificate, server certificate which is signed by the self signed CA certificate and a client certificate which is also signed by the self signed CA certificate.
Then I took the example configs from OpenVPN for both the client and the server and added where needed (see below).

Server config

Code:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.10.46.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Client config

Code:

client
dev tun
proto udp
remote 192.168.1.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 5

However when I want to connect from the client to the server I receive an error (see below).

Code:

2012-04-08 14:37:19 us=52499 MANAGEMENT: >STATE:1333888639,WAIT,,,
                                        WRSun Apr  8 14:37:19 2012 us=54005 MANAGEMENT: >STATE:1333888639,AUTH,,,
2012-04-08 14:37:19 us=54069 TLS: Initial packet from 192.168.178.23:1194, sid=bac37ff4 f6a42e7b
                                        WWWWRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRSun Apr  8 14:37:19 2012 us=189535 VERIFY ERROR: depth=0, error=self signed certificate: /C=NL/ST=NH/L=Amsterdam/O=localhost/CN=client1/emailAddress=client1@localhost
2012-04-08 14:37:19 us=189870 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-08 14:37:19 us=189950 TLS Error: TLS object -> incoming plaintext read error
2012-04-08 14:37:19 us=190023 TLS Error: TLS handshake failed
2012-04-08 14:37:19 us=190156 TCP/UDP: Closing socket

When I verify the certificates with openssl I get the following results

Code:

$ openssl verify -CAfile ca.crt client1.crt 
client1.crt: /C=NL/ST=NH/L=Amsterdam/O=localhost/CN=client1/emailAddress=client1@localhost
error 18 at 0 depth lookup:self signed certificate
OK

Am I forgetting something?
Thanks for your help!
Last edited by kobold on Tue Apr 10, 2012 1:04 pm, edited 1 time in total.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Self Signed certificate

Post by janjust » Mon Apr 09, 2012 11:54 pm

the output

$ openssl verify -CAfile ca.crt client1.crt
michael_rave.crt: /C=NL/ST=NH/L=Amsterdam/O=localhost/CN=client1/emailAddress=client1@localhost
error 18 at 0 depth lookup:self signed certificate
OK

suggests that you were verifying michael_rave.crt, not client1.crt, right?

the 'self signed certificate' warning suggests that your client cert was also self signed. You can verify this using

Code:

openssl x509 -subject -issuer -noout -in client.crt

how did you generate the ca.crt and client1.crt files? did you use the easy-rsa scripts?

Re: Self Signed certificate

Post by kobold » Tue Apr 10, 2012 1:30 pm

janjust wrote:
the output
$ openssl verify -CAfile ca.crt client1.crt
michael_rave.crt: /C=NL/ST=NH/L=Amsterdam/O=localhost/CN=client1/emailAddress=client1@localhost
error 18 at 0 depth lookup:self signed certificate
OK
suggests that you were verifying michael_rave.crt, not client1.crt, right?

I renamed the certificate and mixed up the name, the result is the same though.

janjust wrote:
the 'self signed certificate' warning suggests that your client cert was also self signed. You can verify this using

Code:

openssl x509 -subject -issuer -noout -in client.crt

That's correct, it's a self signed certificate.

janjust wrote:
how did you generate the ca.crt and client1.crt files? did you use the easy-rsa scripts?

I didn't use the easy-rsa scripts because tunnelblick doesn't contain these scripts.
I used the following commands

Code:

# Generate DH params
openssl dhparam -out dh2048.pem 2048

# Generate CA key/cert
openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt

# Generate server key/cert
openssl req -new -nodes -keyout server.key -out server.csr

# Generate user key/cert
openssl req -newkey rsa:2048 -keyout client1.key -out client1.csr

# Sign keys
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -req -days 3650 -in client1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client1.crt
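
The subject/issuer check janjust suggests, run against a throwaway PKI built with the same kind of openssl commands as above; this is an added example, not part of the original thread or either poster's code. The DNs, file names, one-day validity and the `dn`, `classify_cert` and `make_demo_pki` helpers are constructed for the demo. The self-signed test is name-based, so any certificate whose subject DN equals its issuer DN is reported as self-signed.

```shell
#!/bin/sh
# Added example: classify a certificate as CA-signed, self-signed or untrusted.
# All DNs and file names below are constructed for this demo.

# Print the subject or issuer DN of a certificate in one stable format.
dn() {  # usage: dn subject|issuer CERT_FILE
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"
}

# Echo "self-signed", "ca-signed" or "untrusted" for CERT_FILE relative to CA_FILE.
classify_cert() {  # usage: classify_cert CA_FILE CERT_FILE
    if [ "$(dn subject "$2")" = "$(dn issuer "$2")" ]; then
        echo "self-signed"
        return 0
    fi
    # Older openssl builds print an error line and still end with "OK"
    # (as in the thread), so look for the error text before trusting "OK".
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *"error "*) echo "untrusted" ;;
        *": OK"*)   echo "ca-signed" ;;
        *)          echo "untrusted" ;;
    esac
}

# Build a small demo PKI in DIR: a CA, a client cert signed by it,
# a self-signed client cert, and a client cert signed by an unrelated CA.
make_demo_pki() {  # usage: make_demo_pki DIR
    (
        cd "$1" || exit 1
        # CA key and self-signed CA certificate
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=localhost/CN=admin" -keyout ca.key -out ca.crt
        # Client key and CSR, then a certificate issued by the CA
        openssl req -newkey rsa:2048 -nodes \
            -subj "/O=localhost/CN=client1" -keyout client1.key -out client1.csr
        openssl x509 -req -days 1 -in client1.csr \
            -CA ca.crt -CAkey ca.key -set_serial 02 -out client1.crt
        # Client certificate that signs itself (subject == issuer)
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=localhost/CN=client1" \
            -keyout selfsigned.key -out selfsigned.crt
        # Same CSR signed by a CA that the verifier does not trust
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=elsewhere/CN=otherca" -keyout other-ca.key -out other-ca.crt
        openssl x509 -req -days 1 -in client1.csr \
            -CA other-ca.crt -CAkey other-ca.key -set_serial 02 -out other.crt
    ) >/dev/null 2>&1
}

# Run the demo: one line per certificate, checked against ca.crt.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for c in client1 selfsigned other; do
    printf '%-16s %s\n' "$c.crt" \
        "$(classify_cert "$demo_dir/ca.crt" "$demo_dir/$c.crt")"
done
rm -rf "$demo_dir"
```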

Re: Self Signed certificate

Post by janjust » Tue Apr 10, 2012 2:51 pm

kobold wrote:
That's correct, it's a self signed certificate.

then that's where things went wrong...

I just repeated your openssl statements and they work fine for me; check your CA cert. You can also download and use the easy-rsa scripts from the openvpn-2.2.2.tar.gz file from the openvpn website.

Re: Self Signed certificate

Post by kobold » Tue Apr 10, 2012 4:05 pm

janjust wrote:
That's correct, it's a self signed certificate.
then that's where things went wrong...

What's going wrong?
This is my output

Code:

$ openssl x509 -subject -issuer -noout -in client1.crt 
subject= /C=NL/ST=NH/L=Amsterdam/O=localhost/CN=client1/emailAddress=client1@localhost
issuer= /C=NL/ST=NH/L=Amsterdam/O=localhost/CN=admin/emailAddress=admin@localhost

janjust wrote:
I just repeated your openssl statements and they work fine for me; check your CA cert. You can also download and use the easy-rsa scripts from the openvpn-2.2.2.tar.gz file from the openvpn website.

The CA certs on both machines are the same. I'll try the easy-rsa scripts later today but I don't know why my steps don't work.

Re: Self Signed certificate

Post by kobold » Tue Apr 10, 2012 7:22 pm

Hi,

I got it working. I deleted every certificate and started over.
One way or another it got messed up. Thanks for your help JanJust!

Re: Self Signed certificate

Post by kobold » Mon May 14, 2012 3:25 pm

Hi,

After a couple of weeks with a working VPN tunnel, it stopped working with the same error.
I did all steps again without any result.

Is there anything else I can try?

Thanks!

Re: [Resolved] Self Signed certificate

Post by janjust » Tue May 15, 2012 8:59 am

please post the client and server logs with 'verb 4' set - are you absolutely sure it is the same error? did anything change WRT the certificates?

Re: [Resolved] Self Signed certificate

Post by kobold » Tue May 15, 2012 8:19 pm

Here are the log files for both the client and the server.

SERVER

Code:

2012-05-15 22:13:35 *Tunnelblick: OS X 10.7.3; Tunnelblick 3.2.6 (build 2891.3007)
2012-05-15 22:13:35 *Tunnelblick: Attempting connection with server; Set nameserver = 1; monitoring connection
2012-05-15 22:13:35 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start server.ovpn 1338 1 0 0 0 49 -atDASNGWrdasngw 
2012-05-15 22:13:35 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/michael/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/michael/Library/Application Support/Tunnelblick/Configurations/server.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Smichael-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sserver.ovpn.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart
2012-05-15 22:13:36 *Tunnelblick: openvpnstart message: Loading tun.kext
2012-05-15 22:13:36 us=35673 Current Parameter Settings:
2012-05-15 22:13:36 us=35900   config = '/Users/michael/Library/Application Support/Tunnelblick/Configurations/server.ovpn'
2012-05-15 22:13:36 us=35916   mode = 1
2012-05-15 22:13:36 us=35929   show_ciphers = DISABLED
2012-05-15 22:13:36 us=35942   show_digests = DISABLED
2012-05-15 22:13:36 us=35955   show_engines = DISABLED
2012-05-15 22:13:36 us=35968   genkey = DISABLED
2012-05-15 22:13:36 us=35985   key_pass_file = '[UNDEF]'
2012-05-15 22:13:36 us=35999   show_tls_ciphers = DISABLED
2012-05-15 22:13:36 us=36011 Connection profiles [default]:
2012-05-15 22:13:36 us=36024   proto = tcp-server
2012-05-15 22:13:36 us=36037   local = '[UNDEF]'
2012-05-15 22:13:36 us=36050   local_port = 1194
2012-05-15 22:13:36 us=36063   remote = '[UNDEF]'
2012-05-15 22:13:36 us=36076   remote_port = 1194
2012-05-15 22:13:36 us=36089   remote_float = DISABLED
2012-05-15 22:13:36 us=36102   bind_defined = DISABLED
2012-05-15 22:13:36 us=36115   bind_local = ENABLED
2012-05-15 22:13:36 us=36128   connect_retry_seconds = 5
2012-05-15 22:13:36 us=36141   connect_timeout = 10
2012-05-15 22:13:36 us=36154   connect_retry_max = 0
2012-05-15 22:13:36 us=36167   socks_proxy_server = '[UNDEF]'
2012-05-15 22:13:36 us=36180   socks_proxy_port = 0
2012-05-15 22:13:36 us=36192   socks_proxy_retry = DISABLED
2012-05-15 22:13:36 us=36205 Connection profiles END
2012-05-15 22:13:36 us=36218   remote_random = DISABLED
2012-05-15 22:13:36 us=36231   ipchange = '[UNDEF]'
2012-05-15 22:13:36 us=36243   dev = 'tun'
2012-05-15 22:13:36 us=36256   dev_type = '[UNDEF]'
2012-05-15 22:13:36 us=36269   dev_node = '[UNDEF]'
2012-05-15 22:13:36 us=36282   lladdr = '[UNDEF]'
2012-05-15 22:13:36 us=36295   topology = 1
2012-05-15 22:13:36 us=36308   tun_ipv6 = DISABLED
2012-05-15 22:13:36 us=36321   ifconfig_local = '10.10.46.1'
2012-05-15 22:13:36 us=36333   ifconfig_remote_netmask = '10.10.46.2'
2012-05-15 22:13:36 us=36346   ifconfig_noexec = DISABLED
2012-05-15 22:13:36 us=36359   ifconfig_nowarn = DISABLED
2012-05-15 22:13:36 us=36372   shaper = 0
2012-05-15 22:13:36 us=36385   tun_mtu = 1500
2012-05-15 22:13:36 us=36398   tun_mtu_defined = ENABLED
2012-05-15 22:13:36 us=36411   link_mtu = 1500
2012-05-15 22:13:36 us=36424   link_mtu_defined = DISABLED
2012-05-15 22:13:36 us=36436   tun_mtu_extra = 0
2012-05-15 22:13:36 us=36449   tun_mtu_extra_defined = DISABLED
2012-05-15 22:13:36 us=36462   fragment = 0
2012-05-15 22:13:36 us=36475   mtu_discover_type = -1
2012-05-15 22:13:36 us=36488   mtu_test = 0
2012-05-15 22:13:36 us=36501   mlock = DISABLED
2012-05-15 22:13:36 us=36514   keepalive_ping = 10
2012-05-15 22:13:36 us=36526   keepalive_timeout = 120
2012-05-15 22:13:36 us=36539   inactivity_timeout = 0
2012-05-15 22:13:36 us=36552   ping_send_timeout = 10
2012-05-15 22:13:36 us=36565   ping_rec_timeout = 240
2012-05-15 22:13:36 us=36578   ping_rec_timeout_action = 2
2012-05-15 22:13:36 us=36591   ping_timer_remote = DISABLED
2012-05-15 22:13:36 us=36603   remap_sigusr1 = 0
2012-05-15 22:13:36 us=36616   explicit_exit_notification = 0
2012-05-15 22:13:36 us=36629   persist_tun = ENABLED
2012-05-15 22:13:36 us=36642   persist_local_ip = DISABLED
2012-05-15 22:13:36 us=36655   persist_remote_ip = DISABLED
2012-05-15 22:13:36 us=36668   persist_key = ENABLED
2012-05-15 22:13:36 us=36681   mssfix = 1450
2012-05-15 22:13:36 us=36693   passtos = DISABLED
2012-05-15 22:13:36 us=36706   resolve_retry_seconds = 1000000000
2012-05-15 22:13:36 us=36719   username = '[UNDEF]'
2012-05-15 22:13:36 us=36735   groupname = '[UNDEF]'
2012-05-15 22:13:36 us=36748   chroot_dir = '[UNDEF]'
2012-05-15 22:13:36 us=36761   cd_dir = '/Users/michael/Library/Application Support/Tunnelblick/Configurations'
2012-05-15 22:13:36 us=36789   writepid = '[UNDEF]'
2012-05-15 22:13:36 us=36803   up_script = '/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw'
2012-05-15 22:13:36 us=36817   down_script = '/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw'
2012-05-15 22:13:36 us=36830   down_pre = DISABLED
2012-05-15 22:13:36 us=36842   up_restart = ENABLED
2012-05-15 22:13:36 us=36855   up_delay = DISABLED
2012-05-15 22:13:36 us=36871   daemon = ENABLED
2012-05-15 22:13:36 us=36889   inetd = 0
2012-05-15 22:13:36 us=36902   log = ENABLED
2012-05-15 22:13:36 us=36915   suppress_timestamps = DISABLED
2012-05-15 22:13:36 us=36928   nice = 0
2012-05-15 22:13:36 us=36944   verbosity = 4
2012-05-15 22:13:36 us=36958   mute = 0
2012-05-15 22:13:36 us=36970   gremlin = 0
2012-05-15 22:13:36 us=36983   status_file = 'openvpn-status.log'
2012-05-15 22:13:36 us=36996   status_file_version = 1
2012-05-15 22:13:36 us=37009   status_file_update_freq = 60
2012-05-15 22:13:36 us=37022   occ = ENABLED
2012-05-15 22:13:36 us=37035   rcvbuf = 65536
2012-05-15 22:13:36 us=37047   sndbuf = 65536
2012-05-15 22:13:36 us=37060   sockflags = 0
2012-05-15 22:13:36 us=37077   fast_io = DISABLED
2012-05-15 22:13:36 us=37091   lzo = 7
2012-05-15 22:13:36 us=37104   route_script = '[UNDEF]'
2012-05-15 22:13:36 us=37117   route_default_gateway = '[UNDEF]'
2012-05-15 22:13:36 us=37130   route_default_metric = 0
2012-05-15 22:13:36 us=37143   route_noexec = DISABLED
2012-05-15 22:13:36 us=37155   route_delay = 0
2012-05-15 22:13:36 us=37168   route_delay_window = 30
2012-05-15 22:13:36 us=37181   route_delay_defined = DISABLED
2012-05-15 22:13:36 us=37194   route_nopull = DISABLED
2012-05-15 22:13:36 us=37207   route_gateway_via_dhcp = DISABLED
2012-05-15 22:13:36 us=37220   max_routes = 100
2012-05-15 22:13:36 us=37233   allow_pull_fqdn = DISABLED
2012-05-15 22:13:36 us=37247   route 10.10.46.0/255.255.255.0/nil/nil
2012-05-15 22:13:36 us=37261   management_addr = '127.0.0.1'
2012-05-15 22:13:36 us=37274   management_port = 1338
2012-05-15 22:13:36 us=37287   management_user_pass = '[UNDEF]'
2012-05-15 22:13:36 us=37301   management_log_history_cache = 250
2012-05-15 22:13:36 us=37315   management_echo_buffer_size = 100
2012-05-15 22:13:36 us=37329   management_write_peer_info_file = '[UNDEF]'
2012-05-15 22:13:36 us=37342   management_client_user = '[UNDEF]'
2012-05-15 22:13:36 us=37356   management_client_group = '[UNDEF]'
2012-05-15 22:13:36 us=37369   management_flags = 6
2012-05-15 22:13:36 us=37382   shared_secret_file = '[UNDEF]'
2012-05-15 22:13:36 us=37396   key_direction = 0
2012-05-15 22:13:36 us=37409   ciphername_defined = ENABLED
2012-05-15 22:13:36 us=37422   ciphername = 'BF-CBC'
2012-05-15 22:13:36 us=37436   authname_defined = ENABLED
2012-05-15 22:13:36 us=37449   authname = 'SHA1'
2012-05-15 22:13:36 us=37462   prng_hash = 'SHA1'
2012-05-15 22:13:36 us=37476   prng_nonce_secret_len = 16
2012-05-15 22:13:36 us=37489   keysize = 0
2012-05-15 22:13:36 us=37502   engine = DISABLED
2012-05-15 22:13:36 us=37515   replay = ENABLED
2012-05-15 22:13:36 us=37529   mute_replay_warnings = DISABLED
2012-05-15 22:13:36 us=37542   replay_window = 64
2012-05-15 22:13:36 us=37555   replay_time = 15
2012-05-15 22:13:36 us=37568   packet_id_file = '[UNDEF]'
2012-05-15 22:13:36 us=37582   use_iv = ENABLED
2012-05-15 22:13:36 us=37595   test_crypto = DISABLED
2012-05-15 22:13:36 us=37608   tls_server = ENABLED
2012-05-15 22:13:36 us=37625   tls_client = DISABLED
2012-05-15 22:13:36 us=37638   key_method = 2
2012-05-15 22:13:36 us=37651   ca_file = 'ca.crt'
2012-05-15 22:13:36 us=37665   ca_path = '[UNDEF]'
2012-05-15 22:13:36 us=37678   dh_file = 'dh2048.pem'
2012-05-15 22:13:36 us=37705   cert_file = 'server.crt'
2012-05-15 22:13:36 us=37719   priv_key_file = 'server.key'
2012-05-15 22:13:36 us=37732   pkcs12_file = '[UNDEF]'
2012-05-15 22:13:36 us=37745   cipher_list = '[UNDEF]'
2012-05-15 22:13:36 us=37758   tls_verify = '[UNDEF]'
2012-05-15 22:13:36 us=37771   tls_export_cert = '[UNDEF]'
2012-05-15 22:13:36 us=37784   tls_remote = '[UNDEF]'
2012-05-15 22:13:36 us=37797   crl_file = '[UNDEF]'
2012-05-15 22:13:36 us=37811   ns_cert_type = 0
2012-05-15 22:13:36 us=37824   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37837   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37851   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37864   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37877   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37890   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37903   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37916   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37929   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37942   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37955   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37968   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37981   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=37995   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=38008   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=38021   remote_cert_ku[i] = 0
2012-05-15 22:13:36 us=38034   remote_cert_eku = '[UNDEF]'
2012-05-15 22:13:36 us=38047   tls_timeout = 2
2012-05-15 22:13:36 us=38060   renegotiate_bytes = 0
2012-05-15 22:13:36 us=38074   renegotiate_packets = 0
2012-05-15 22:13:36 us=38087   renegotiate_seconds = 3600
2012-05-15 22:13:36 us=38100   handshake_window = 60
2012-05-15 22:13:36 us=38114   transition_window = 3600
2012-05-15 22:13:36 us=38127   single_session = DISABLED
2012-05-15 22:13:36 us=38140   push_peer_info = DISABLED
2012-05-15 22:13:36 us=38153   tls_exit = DISABLED
2012-05-15 22:13:36 us=38167   tls_auth_file = '[UNDEF]'
2012-05-15 22:13:36 us=38180   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38194   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38207   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38221   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38234   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38248   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38261   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38275   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38288   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38302   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38315   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38329   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38342   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38356   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38369   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38383   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:36 us=38397   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38410   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38424   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38437   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38451   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38464   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38477   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38491   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38504   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38518   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38531   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38557   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38571   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38585   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38598   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38612   pkcs11_private_mode = 00000000
2012-05-15 22:13:36 us=38625   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38638   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38651   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38665   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38678   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38691   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38704   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38717   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38730   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38743   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38756   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38770   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38783   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38796   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38809   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38823   pkcs11_cert_private = DISABLED
2012-05-15 22:13:36 us=38836   pkcs11_pin_cache_period = -1
2012-05-15 22:13:36 us=38850   pkcs11_id = '[UNDEF]'
2012-05-15 22:13:36 us=38863   pkcs11_id_management = DISABLED
2012-05-15 22:13:36 us=38879   server_network = 10.10.46.0
2012-05-15 22:13:36 us=38894   server_netmask = 255.255.255.0
2012-05-15 22:13:36 us=38909   server_bridge_ip = 0.0.0.0
2012-05-15 22:13:36 us=38924   server_bridge_netmask = 0.0.0.0
2012-05-15 22:13:36 us=38939   server_bridge_pool_start = 0.0.0.0
2012-05-15 22:13:36 us=38954   server_bridge_pool_end = 0.0.0.0
2012-05-15 22:13:36 us=38968   push_entry = 'route 10.10.46.1'
2012-05-15 22:13:36 us=38981   push_entry = 'topology net30'
2012-05-15 22:13:36 us=38995   push_entry = 'ping 10'
2012-05-15 22:13:36 us=39008   push_entry = 'ping-restart 120'
2012-05-15 22:13:36 us=39022   ifconfig_pool_defined = ENABLED
2012-05-15 22:13:36 us=39037   ifconfig_pool_start = 10.10.46.4
2012-05-15 22:13:36 us=39052   ifconfig_pool_end = 10.10.46.251
2012-05-15 22:13:36 us=39067   ifconfig_pool_netmask = 0.0.0.0
2012-05-15 22:13:36 us=39081   ifconfig_pool_persist_filename = 'ipp.txt'
2012-05-15 22:13:36 us=39095   ifconfig_pool_persist_refresh_freq = 600
2012-05-15 22:13:36 us=39108   n_bcast_buf = 256
2012-05-15 22:13:36 us=39121   tcp_queue_limit = 64
2012-05-15 22:13:36 us=39134   real_hash_size = 256
2012-05-15 22:13:36 us=39147   virtual_hash_size = 256
2012-05-15 22:13:36 us=39161   client_connect_script = '[UNDEF]'
2012-05-15 22:13:36 us=39174   learn_address_script = '[UNDEF]'
2012-05-15 22:13:36 us=39188   client_disconnect_script = '[UNDEF]'
2012-05-15 22:13:36 us=39202   client_config_dir = '[UNDEF]'
2012-05-15 22:13:36 us=39215   ccd_exclusive = DISABLED
2012-05-15 22:13:36 us=39228   tmp_dir = '/var/folders/6k/r4rml09s5x50_t3s2lq90w2m0000gn/T/'
2012-05-15 22:13:36 us=39242   push_ifconfig_defined = DISABLED
2012-05-15 22:13:36 us=39257   push_ifconfig_local = 0.0.0.0
2012-05-15 22:13:36 us=39272   push_ifconfig_remote_netmask = 0.0.0.0
2012-05-15 22:13:36 us=39285   enable_c2c = DISABLED
2012-05-15 22:13:36 us=39298   duplicate_cn = DISABLED
2012-05-15 22:13:36 us=39311   cf_max = 0
2012-05-15 22:13:36 us=39325   cf_per = 0
2012-05-15 22:13:36 us=39338   max_clients = 1024
2012-05-15 22:13:36 us=39351   max_routes_per_client = 256
2012-05-15 22:13:36 us=39364   auth_user_pass_verify_script = '[UNDEF]'
2012-05-15 22:13:36 us=39378   auth_user_pass_verify_script_via_file = DISABLED
2012-05-15 22:13:36 us=39405   ssl_flags = 0
2012-05-15 22:13:36 us=39419   port_share_host = '[UNDEF]'
2012-05-15 22:13:36 us=39432   port_share_port = 0
2012-05-15 22:13:36 us=39445   client = DISABLED
2012-05-15 22:13:36 us=39458   pull = DISABLED
2012-05-15 22:13:36 us=39472   auth_user_pass_file = '[UNDEF]'
2012-05-15 22:13:36 us=39490 OpenVPN 2.2.1 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] [eurephia] built on May  2 2012
2012-05-15 22:13:36 us=39629 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2012-05-15 22:13:36 us=40211 Need hold release from management interface, waiting...
2012-05-15 22:13:36 us=151246 MANAGEMENT: Client connected from 127.0.0.1:1338
2012-05-15 22:13:36 us=186701 MANAGEMENT: CMD 'pid'
2012-05-15 22:13:36 us=187063 MANAGEMENT: CMD 'state on'
2012-05-15 22:13:36 us=187196 MANAGEMENT: CMD 'state'
2012-05-15 22:13:36 us=187363 MANAGEMENT: CMD 'hold release'
2012-05-15 22:13:36 us=187806 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-05-15 22:13:36 *Tunnelblick: Established communication with OpenVPN
2012-05-15 22:13:36 us=271213 Diffie-Hellman initialized with 2048 bit key
2012-05-15 22:13:36 us=273556 WARNING: file 'server.key' is group or others accessible
2012-05-15 22:13:36 us=274387 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:36 us=274529 Socket Buffers: R=[262140->65536] S=[131070->65536]
2012-05-15 22:13:36 us=274805 ROUTE default_gateway=192.168.178.1
2012-05-15 22:13:36 us=275280 TUN/TAP device /dev/tun0 opened
2012-05-15 22:13:36 us=275392 MANAGEMENT: >STATE:1337112816,ASSIGN_IP,,10.10.46.1,
2012-05-15 22:13:36 us=275658 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-05-15 22:13:36 us=289372 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2012-05-15 22:13:36 us=289562 /sbin/ifconfig tun0 10.10.46.1 10.10.46.2 mtu 1500 netmask 255.255.255.255 up
2012-05-15 22:13:36 us=298344 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1544 10.10.46.1 10.10.46.2 init
2012-05-15 22:13:38 *Tunnelblick client.up.tunnelblick.sh: No network configuration changes need to be made.
2012-05-15 22:13:38 *Tunnelblick client.up.tunnelblick.sh: Will NOT monitor for other network configuration changes.
2012-05-15 22:13:38 us=386030 MANAGEMENT: >STATE:1337112818,ADD_ROUTES,,,
2012-05-15 22:13:38 us=386347 /sbin/route add -net 10.10.46.0 10.10.46.2 255.255.255.0
                                        add net 10.10.46.0: gateway 10.10.46.2
2012-05-15 22:13:38 us=389217 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:38 us=389370 Listening for incoming TCP connection on [undef]:1194
2012-05-15 22:13:38 us=389470 TCPv4_SERVER link local (bound): [undef]:1194
2012-05-15 22:13:38 us=389548 TCPv4_SERVER link remote: [undef]
2012-05-15 22:13:38 us=389639 MULTI: multi_init called, r=256 v=256
2012-05-15 22:13:38 us=389760 IFCONFIG POOL: base=10.10.46.4 size=62
2012-05-15 22:13:38 us=389849 IFCONFIG POOL LIST
2012-05-15 22:13:38 us=389940 MULTI: TCP INIT maxclients=1020 maxevents=1024
2012-05-15 22:13:38 us=390088 Initialization Sequence Completed
2012-05-15 22:13:38 us=390376 MANAGEMENT: >STATE:1337112818,CONNECTED,SUCCESS,10.10.46.1,
2012-05-15 22:13:38 *Tunnelblick: Flushed the DNS cache
2012-05-15 22:13:43 us=31875 MULTI: multi_create_instance called
2012-05-15 22:13:43 us=32107 Re-using SSL/TLS context
2012-05-15 22:13:43 us=32252 LZO compression initialized
2012-05-15 22:13:43 us=32510 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:43 us=32637 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:43 us=32790 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2012-05-15 22:13:43 us=32890 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2012-05-15 22:13:43 us=33009 Local Options hash (VER=V4): 'c0103fa8'
2012-05-15 22:13:43 us=33112 Expected Remote Options hash (VER=V4): '69109d17'
2012-05-15 22:13:43 us=33948 TCP connection established with 192.168.178.18:57255
2012-05-15 22:13:43 us=34057 TCPv4_SERVER link local: [undef]
2012-05-15 22:13:43 us=34153 TCPv4_SERVER link remote: 192.168.178.18:57255
2012-05-15 22:13:44 us=34206 192.168.178.18:57255 TLS: Initial packet from 192.168.178.18:57255, sid=82a6f64e 02a662d0
2012-05-15 22:13:44 us=82525 192.168.178.18:57255 Connection reset, restarting [0]
2012-05-15 22:13:44 us=82701 192.168.178.18:57255 SIGUSR1[soft,connection-reset] received, client-instance restarting
2012-05-15 22:13:44 us=82879 TCP/UDP: Closing socket
2012-05-15 22:13:44 us=89585 MULTI: multi_create_instance called
2012-05-15 22:13:44 us=89750 Re-using SSL/TLS context
2012-05-15 22:13:44 us=89840 LZO compression initialized
2012-05-15 22:13:44 us=89992 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:44 us=90083 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:44 us=90195 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2012-05-15 22:13:44 us=90275 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2012-05-15 22:13:44 us=90365 Local Options hash (VER=V4): 'c0103fa8'
2012-05-15 22:13:44 us=90450 Expected Remote Options hash (VER=V4): '69109d17'
2012-05-15 22:13:44 us=90545 TCP connection established with 192.168.178.18:57256
2012-05-15 22:13:44 us=90630 TCPv4_SERVER link local: [undef]
2012-05-15 22:13:44 us=90711 TCPv4_SERVER link remote: 192.168.178.18:57256
2012-05-15 22:13:45 us=89924 192.168.178.18:57256 TLS: Initial packet from 192.168.178.18:57256, sid=17bf6baa 2d4a24f0
2012-05-15 22:13:45 us=135364 192.168.178.18:57256 Connection reset, restarting [0]
2012-05-15 22:13:45 us=135567 192.168.178.18:57256 SIGUSR1[soft,connection-reset] received, client-instance restarting
2012-05-15 22:13:45 us=135722 TCP/UDP: Closing socket
2012-05-15 22:13:45 us=162029 MULTI: multi_create_instance called
2012-05-15 22:13:45 us=162452 Re-using SSL/TLS context
2012-05-15 22:13:45 us=162556 LZO compression initialized
2012-05-15 22:13:45 us=162857 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:45 us=162965 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:45 us=163096 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2012-05-15 22:13:45 us=163176 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2012-05-15 22:13:45 us=163262 Local Options hash (VER=V4): 'c0103fa8'
2012-05-15 22:13:45 us=163347 Expected Remote Options hash (VER=V4): '69109d17'
2012-05-15 22:13:45 us=163442 TCP connection established with 192.168.178.18:57257
2012-05-15 22:13:45 us=163539 TCPv4_SERVER link local: [undef]
2012-05-15 22:13:45 us=163835 TCPv4_SERVER link remote: 192.168.178.18:57257
2012-05-15 22:13:46 us=162734 192.168.178.18:57257 TLS: Initial packet from 192.168.178.18:57257, sid=5a713988 0286f71c
2012-05-15 22:13:46 us=212099 192.168.178.18:57257 Connection reset, restarting [0]
2012-05-15 22:13:46 us=212542 192.168.178.18:57257 SIGUSR1[soft,connection-reset] received, client-instance restarting
2012-05-15 22:13:46 us=212731 TCP/UDP: Closing socket
2012-05-15 22:13:46 us=254158 MULTI: multi_create_instance called
2012-05-15 22:13:46 us=254583 Re-using SSL/TLS context
2012-05-15 22:13:46 us=254675 LZO compression initialized
2012-05-15 22:13:46 us=255324 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:46 us=255453 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:46 us=258114 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2012-05-15 22:13:46 us=258223 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2012-05-15 22:13:46 us=258385 Local Options hash (VER=V4): 'c0103fa8'
2012-05-15 22:13:46 us=258621 Expected Remote Options hash (VER=V4): '69109d17'
2012-05-15 22:13:46 us=258724 TCP connection established with 192.168.178.18:57258
2012-05-15 22:13:46 us=259359 TCPv4_SERVER link local: [undef]
2012-05-15 22:13:46 us=259447 TCPv4_SERVER link remote: 192.168.178.18:57258
2012-05-15 22:13:46 us=652441 192.168.178.18:57258 Connection reset, restarting [0]
2012-05-15 22:13:46 us=652631 192.168.178.18:57258 SIGUSR1[soft,connection-reset] received, client-instance restarting
2012-05-15 22:13:46 us=652817 TCP/UDP: Closing socket
2012-05-15 22:13:50 *Tunnelblick: Disconnecting; 'disconnect' button pressed
2012-05-15 22:13:50 us=369157 TCP/UDP: Closing socket
2012-05-15 22:13:50 us=369344 /sbin/route delete -net 10.10.46.0 10.10.46.2 255.255.255.0
                                        delete net 10.10.46.0: gateway 10.10.46.2
2012-05-15 22:13:50 us=372743 Closing TUN/TAP interface
2012-05-15 22:13:50 us=373168 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1544 10.10.46.1 10.10.46.2 init
2012-05-15 22:13:51 *Tunnelblick client.down.tunnelblick.sh: WARNING: No existing OpenVPN DNS configuration found; not tearing down anything; exiting.
2012-05-15 22:13:51 us=410242 SIGTERM[hard,] received, process exiting
2012-05-15 22:13:51 us=410409 MANAGEMENT: >STATE:1337112831,EXITING,SIGTERM,,
2012-05-15 22:13:51 *Tunnelblick: Flushed the DNS cache
CLIENT

Code: Select all

2012-05-15 22:13:42 *Tunnelblick: OS X 10.7.4; Tunnelblick 3.2.6 (build 2891.3007) Unsigned
2012-05-15 22:13:42 *Tunnelblick: Attempting connection with client1; Set nameserver = 1; monitoring connection
2012-05-15 22:13:42 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start client1.ovpn 1338 1 0 0 0 49 -atDASNGWrdasngw 
2012-05-15 22:13:42 us=899560 Current Parameter Settings:
2012-05-15 22:13:42 us=899722   config = '/Users/michael/Library/Application Support/Tunnelblick/Configurations/client1.ovpn'
2012-05-15 22:13:42 us=899733   mode = 0
2012-05-15 22:13:42 us=899742   show_ciphers = DISABLED
2012-05-15 22:13:42 us=899750   show_digests = DISABLED
2012-05-15 22:13:42 us=899759   show_engines = DISABLED
2012-05-15 22:13:42 us=899767   genkey = DISABLED
2012-05-15 22:13:42 us=899778   key_pass_file = '[UNDEF]'
2012-05-15 22:13:42 us=899787   show_tls_ciphers = DISABLED
2012-05-15 22:13:42 us=899796 Connection profiles [default]:
2012-05-15 22:13:42 us=899804   proto = tcp-client
2012-05-15 22:13:42 us=899813   local = '[UNDEF]'
2012-05-15 22:13:42 us=899822   local_port = 0
2012-05-15 22:13:42 us=899830   remote = '192.168.178.10'
2012-05-15 22:13:42 us=899839   remote_port = 1194
2012-05-15 22:13:42 us=899847   remote_float = DISABLED
2012-05-15 22:13:42 us=899855   bind_defined = DISABLED
2012-05-15 22:13:42 us=899864   bind_local = DISABLED
2012-05-15 22:13:42 us=899872   connect_retry_seconds = 5
2012-05-15 22:13:42 us=899881   connect_timeout = 10
2012-05-15 22:13:42 us=899890   connect_retry_max = 0
2012-05-15 22:13:42 us=899898   socks_proxy_server = '[UNDEF]'
2012-05-15 22:13:42 us=899907   socks_proxy_port = 0
2012-05-15 22:13:42 us=899915   socks_proxy_retry = DISABLED
2012-05-15 22:13:42 us=899924 Connection profiles END
2012-05-15 22:13:42 us=899932   remote_random = DISABLED
2012-05-15 22:13:42 us=899941   ipchange = '[UNDEF]'
2012-05-15 22:13:42 us=899949   dev = 'tun'
2012-05-15 22:13:42 us=899958   dev_type = '[UNDEF]'
2012-05-15 22:13:42 us=899966   dev_node = '[UNDEF]'
2012-05-15 22:13:42 us=899975   lladdr = '[UNDEF]'
2012-05-15 22:13:42 us=899983   topology = 1
2012-05-15 22:13:42 us=899991   tun_ipv6 = DISABLED
2012-05-15 22:13:42 us=900000   ifconfig_local = '[UNDEF]'
2012-05-15 22:13:42 us=900008   ifconfig_remote_netmask = '[UNDEF]'
2012-05-15 22:13:42 us=900017   ifconfig_noexec = DISABLED
2012-05-15 22:13:42 us=900025   ifconfig_nowarn = DISABLED
2012-05-15 22:13:42 us=900034   shaper = 0
2012-05-15 22:13:42 us=900042   tun_mtu = 1500
2012-05-15 22:13:42 us=900051   tun_mtu_defined = ENABLED
2012-05-15 22:13:42 us=900059   link_mtu = 1500
2012-05-15 22:13:42 us=900067   link_mtu_defined = DISABLED
2012-05-15 22:13:42 us=900076   tun_mtu_extra = 0
2012-05-15 22:13:42 us=900084   tun_mtu_extra_defined = DISABLED
2012-05-15 22:13:42 us=900093   fragment = 0
2012-05-15 22:13:42 us=900101   mtu_discover_type = -1
2012-05-15 22:13:42 us=900110   mtu_test = 0
2012-05-15 22:13:42 us=900122   mlock = DISABLED
2012-05-15 22:13:42 us=900131   keepalive_ping = 0
2012-05-15 22:13:42 us=900139   keepalive_timeout = 0
2012-05-15 22:13:42 us=900148   inactivity_timeout = 0
2012-05-15 22:13:42 us=900156   ping_send_timeout = 0
2012-05-15 22:13:42 us=900165   ping_rec_timeout = 0
2012-05-15 22:13:42 us=900173   ping_rec_timeout_action = 0
2012-05-15 22:13:42 us=900181   ping_timer_remote = DISABLED
2012-05-15 22:13:42 us=900190   remap_sigusr1 = 0
2012-05-15 22:13:42 us=900198   explicit_exit_notification = 0
2012-05-15 22:13:42 us=900207   persist_tun = ENABLED
2012-05-15 22:13:42 us=900215   persist_local_ip = DISABLED
2012-05-15 22:13:42 us=900224   persist_remote_ip = DISABLED
2012-05-15 22:13:42 us=900232   persist_key = ENABLED
2012-05-15 22:13:42 us=900241   mssfix = 1450
2012-05-15 22:13:42 us=900249   passtos = DISABLED
2012-05-15 22:13:42 us=900258   resolve_retry_seconds = 1000000000
2012-05-15 22:13:42 us=900266   username = '[UNDEF]'
2012-05-15 22:13:42 us=900275   groupname = '[UNDEF]'
2012-05-15 22:13:42 us=900283   chroot_dir = '[UNDEF]'
2012-05-15 22:13:42 us=900292   cd_dir = '/Users/michael/Library/Application Support/Tunnelblick/Configurations'
2012-05-15 22:13:42 us=900309   writepid = '[UNDEF]'
2012-05-15 22:13:42 us=900318   up_script = '/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw'
2012-05-15 22:13:42 us=900327   down_script = '/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw'
2012-05-15 22:13:42 us=900335   down_pre = DISABLED
2012-05-15 22:13:42 us=900344   up_restart = ENABLED
2012-05-15 22:13:42 us=900352   up_delay = DISABLED
2012-05-15 22:13:42 us=900363   daemon = ENABLED
2012-05-15 22:13:42 us=900372   inetd = 0
2012-05-15 22:13:42 us=900380   log = ENABLED
2012-05-15 22:13:42 us=900395   suppress_timestamps = DISABLED
2012-05-15 22:13:42 us=900404   nice = 0
2012-05-15 22:13:42 us=900415   verbosity = 4
2012-05-15 22:13:42 us=900424   mute = 0
2012-05-15 22:13:42 us=900433   gremlin = 0
2012-05-15 22:13:42 us=900441   status_file = '[UNDEF]'
2012-05-15 22:13:42 us=900450   status_file_version = 1
2012-05-15 22:13:42 us=900458   status_file_update_freq = 60
2012-05-15 22:13:42 us=900481   occ = ENABLED
2012-05-15 22:13:42 us=900490   rcvbuf = 65536
2012-05-15 22:13:42 us=900499   sndbuf = 65536
2012-05-15 22:13:42 us=900507   sockflags = 0
2012-05-15 22:13:42 us=900516   fast_io = DISABLED
2012-05-15 22:13:42 us=900524   lzo = 7
2012-05-15 22:13:42 us=900533   route_script = '[UNDEF]'
2012-05-15 22:13:42 us=900542   route_default_gateway = '[UNDEF]'
2012-05-15 22:13:42 us=900551   route_default_metric = 0
2012-05-15 22:13:42 us=900559   route_noexec = DISABLED
2012-05-15 22:13:42 us=900568   route_delay = 0
2012-05-15 22:13:42 us=900576   route_delay_window = 30
2012-05-15 22:13:42 us=900585   route_delay_defined = DISABLED
2012-05-15 22:13:42 us=900593   route_nopull = DISABLED
2012-05-15 22:13:42 us=900602   route_gateway_via_dhcp = DISABLED
2012-05-15 22:13:42 us=900611   max_routes = 100
2012-05-15 22:13:42 us=900620   allow_pull_fqdn = DISABLED
2012-05-15 22:13:42 us=900628   management_addr = '127.0.0.1'
2012-05-15 22:13:42 us=900637   management_port = 1338
2012-05-15 22:13:42 us=900646   management_user_pass = '[UNDEF]'
2012-05-15 22:13:42 us=900655   management_log_history_cache = 250
2012-05-15 22:13:42 us=900664   management_echo_buffer_size = 100
2012-05-15 22:13:42 us=900673   management_write_peer_info_file = '[UNDEF]'
2012-05-15 22:13:42 us=900682   management_client_user = '[UNDEF]'
2012-05-15 22:13:42 us=900691   management_client_group = '[UNDEF]'
2012-05-15 22:13:42 us=900700   management_flags = 6
2012-05-15 22:13:42 us=900709   shared_secret_file = '[UNDEF]'
2012-05-15 22:13:42 us=900718   key_direction = 0
2012-05-15 22:13:42 us=900727   ciphername_defined = ENABLED
2012-05-15 22:13:42 us=900736   ciphername = 'BF-CBC'
2012-05-15 22:13:42 us=900744   authname_defined = ENABLED
2012-05-15 22:13:42 us=900753   authname = 'SHA1'
2012-05-15 22:13:42 us=900762   prng_hash = 'SHA1'
2012-05-15 22:13:42 us=900771   prng_nonce_secret_len = 16
2012-05-15 22:13:42 us=900779   keysize = 0
2012-05-15 22:13:42 us=900788   engine = DISABLED
2012-05-15 22:13:42 us=900797   replay = ENABLED
2012-05-15 22:13:42 us=900806   mute_replay_warnings = DISABLED
2012-05-15 22:13:42 us=900814   replay_window = 64
2012-05-15 22:13:42 us=900823   replay_time = 15
2012-05-15 22:13:42 us=900832   packet_id_file = '[UNDEF]'
2012-05-15 22:13:42 us=900840   use_iv = ENABLED
2012-05-15 22:13:42 us=900849   test_crypto = DISABLED
2012-05-15 22:13:42 us=900858   tls_server = DISABLED
2012-05-15 22:13:42 us=900869   tls_client = ENABLED
2012-05-15 22:13:42 us=900878   key_method = 2
2012-05-15 22:13:42 us=900887   ca_file = 'ca.crt'
2012-05-15 22:13:42 us=900896   ca_path = '[UNDEF]'
2012-05-15 22:13:42 us=900913   dh_file = '[UNDEF]'
2012-05-15 22:13:42 us=900922   cert_file = 'client1.crt'
2012-05-15 22:13:42 us=900931   priv_key_file = 'client1.key'
2012-05-15 22:13:42 us=900939   pkcs12_file = '[UNDEF]'
2012-05-15 22:13:42 us=900948   cipher_list = '[UNDEF]'
2012-05-15 22:13:42 us=900957   tls_verify = '[UNDEF]'
2012-05-15 22:13:42 us=900965   tls_export_cert = '[UNDEF]'
2012-05-15 22:13:42 us=900974   tls_remote = '[UNDEF]'
2012-05-15 22:13:42 us=900983   crl_file = '[UNDEF]'
2012-05-15 22:13:42 us=900991   ns_cert_type = 0
2012-05-15 22:13:42 us=901000   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901009   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901018   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901026   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901035   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901044   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901052   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901061   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901070   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901078   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901087   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901096   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901104   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901113   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901122   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901130   remote_cert_ku[i] = 0
2012-05-15 22:13:42 us=901139   remote_cert_eku = '[UNDEF]'
2012-05-15 22:13:42 us=901148   tls_timeout = 2
2012-05-15 22:13:42 us=901156   renegotiate_bytes = 0
2012-05-15 22:13:42 us=901165   renegotiate_packets = 0
2012-05-15 22:13:42 us=901174   renegotiate_seconds = 3600
2012-05-15 22:13:42 us=901183   handshake_window = 60
2012-05-15 22:13:42 us=901192   transition_window = 3600
2012-05-15 22:13:42 us=901200   single_session = DISABLED
2012-05-15 22:13:42 us=901209   push_peer_info = DISABLED
2012-05-15 22:13:42 us=901218   tls_exit = DISABLED
2012-05-15 22:13:42 us=901227   tls_auth_file = '[UNDEF]'
2012-05-15 22:13:42 us=901236   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901245   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901254   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901263   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901271   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901280   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901289   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901298   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901307   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901316   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901325   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901333   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901342   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901351   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901360   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901369   pkcs11_protected_authentication = DISABLED
2012-05-15 22:13:42 us=901378   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901387   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901396   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901404   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901413   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901422   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901431   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901440   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901449   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901465   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901474   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901483   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901492   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901501   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901510   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901519   pkcs11_private_mode = 00000000
2012-05-15 22:13:42 us=901527   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901536   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901545   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901554   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901563   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901571   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901580   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901589   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901598   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901607   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901615   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901624   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901633   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901642   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901651   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901659   pkcs11_cert_private = DISABLED
2012-05-15 22:13:42 us=901668   pkcs11_pin_cache_period = -1
2012-05-15 22:13:42 us=901677   pkcs11_id = '[UNDEF]'
2012-05-15 22:13:42 us=901686   pkcs11_id_management = DISABLED
2012-05-15 22:13:42 us=901712   server_network = 0.0.0.0
2012-05-15 22:13:42 us=901723   server_netmask = 0.0.0.0
2012-05-15 22:13:42 us=901733   server_bridge_ip = 0.0.0.0
2012-05-15 22:13:42 us=901743   server_bridge_netmask = 0.0.0.0
2012-05-15 22:13:42 us=901753   server_bridge_pool_start = 0.0.0.0
2012-05-15 22:13:42 us=901763   server_bridge_pool_end = 0.0.0.0
2012-05-15 22:13:42 us=901772   ifconfig_pool_defined = DISABLED
2012-05-15 22:13:42 us=901781   ifconfig_pool_start = 0.0.0.0
2012-05-15 22:13:42 us=901791   ifconfig_pool_end = 0.0.0.0
2012-05-15 22:13:42 us=901801   ifconfig_pool_netmask = 0.0.0.0
2012-05-15 22:13:42 us=901810   ifconfig_pool_persist_filename = '[UNDEF]'
2012-05-15 22:13:42 us=901819   ifconfig_pool_persist_refresh_freq = 600
2012-05-15 22:13:42 us=901827   n_bcast_buf = 256
2012-05-15 22:13:42 us=901836   tcp_queue_limit = 64
2012-05-15 22:13:42 us=901845   real_hash_size = 256
2012-05-15 22:13:42 us=901854   virtual_hash_size = 256
2012-05-15 22:13:42 us=901863   client_connect_script = '[UNDEF]'
2012-05-15 22:13:42 us=901872   learn_address_script = '[UNDEF]'
2012-05-15 22:13:42 us=901881   client_disconnect_script = '[UNDEF]'
2012-05-15 22:13:42 us=901890   client_config_dir = '[UNDEF]'
2012-05-15 22:13:42 us=901899   ccd_exclusive = DISABLED
2012-05-15 22:13:42 us=901908   tmp_dir = '/var/folders/mn/1r1wj7k13nzdhpss1tb7y_j00000gn/T/'
2012-05-15 22:13:42 us=901917   push_ifconfig_defined = DISABLED
2012-05-15 22:13:42 us=901926   push_ifconfig_local = 0.0.0.0
2012-05-15 22:13:42 us=901936   push_ifconfig_remote_netmask = 0.0.0.0
2012-05-15 22:13:42 us=901945   enable_c2c = DISABLED
2012-05-15 22:13:42 us=901954   duplicate_cn = DISABLED
2012-05-15 22:13:42 us=901963   cf_max = 0
2012-05-15 22:13:42 us=901971   cf_per = 0
2012-05-15 22:13:42 us=901980   max_clients = 1024
2012-05-15 22:13:42 us=901989   max_routes_per_client = 256
2012-05-15 22:13:42 us=901997   auth_user_pass_verify_script = '[UNDEF]'
2012-05-15 22:13:42 us=902006   auth_user_pass_verify_script_via_file = DISABLED
2012-05-15 22:13:42 us=902015   ssl_flags = 0
2012-05-15 22:13:42 us=902024   port_share_host = '[UNDEF]'
2012-05-15 22:13:42 us=902041   port_share_port = 0
2012-05-15 22:13:42 us=902050   client = ENABLED
2012-05-15 22:13:42 us=902058   pull = ENABLED
2012-05-15 22:13:42 us=902067   auth_user_pass_file = '[UNDEF]'
2012-05-15 22:13:42 us=902080 OpenVPN 2.2.1 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] [eurephia] built on May  2 2012
2012-05-15 22:13:42 us=902187 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2012-05-15 22:13:42 us=902538 Need hold release from management interface, waiting...
2012-05-15 22:13:42 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/michael/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/michael/Library/Application Support/Tunnelblick/Configurations/client1.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Smichael-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sclient1.ovpn.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart
2012-05-15 22:13:43 *Tunnelblick: openvpnstart message: Loading tun.kext
2012-05-15 22:13:43 us=18950 MANAGEMENT: Client connected from 127.0.0.1:1338
2012-05-15 22:13:43 us=30339 MANAGEMENT: CMD 'pid'
2012-05-15 22:13:43 us=30587 MANAGEMENT: CMD 'state on'
2012-05-15 22:13:43 us=30683 MANAGEMENT: CMD 'state'
2012-05-15 22:13:43 us=30809 MANAGEMENT: CMD 'hold release'
2012-05-15 22:13:43 *Tunnelblick: Established communication with OpenVPN
2012-05-15 22:13:43 us=31127 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-05-15 22:13:43 us=31184 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-05-15 22:13:43 us=31998 WARNING: file 'client1.key' is group or others accessible
2012-05-15 22:13:43 us=32463 LZO compression initialized
2012-05-15 22:13:43 us=32592 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:43 us=32689 Socket Buffers: R=[262140->65536] S=[131070->65536]
2012-05-15 22:13:43 us=32748 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:43 us=32809 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2012-05-15 22:13:43 us=32861 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2012-05-15 22:13:43 us=34316 Local Options hash (VER=V4): '69109d17'
2012-05-15 22:13:43 us=34375 Expected Remote Options hash (VER=V4): 'c0103fa8'
2012-05-15 22:13:43 us=34439 Attempting to establish TCP connection with 192.168.178.10:1194 [nonblock]
2012-05-15 22:13:43 us=34504 MANAGEMENT: >STATE:1337112823,TCP_CONNECT,,,
2012-05-15 22:13:44 us=35675 TCP connection established with 192.168.178.10:1194
2012-05-15 22:13:44 us=35862 TCPv4_CLIENT link local: [undef]
2012-05-15 22:13:44 us=35969 TCPv4_CLIENT link remote: 192.168.178.10:1194
2012-05-15 22:13:44 us=36496 MANAGEMENT: >STATE:1337112824,WAIT,,,
2012-05-15 22:13:44 us=37637 MANAGEMENT: >STATE:1337112824,AUTH,,,
2012-05-15 22:13:44 us=37783 TLS: Initial packet from 192.168.178.10:1194, sid=b559972c beac9110
2012-05-15 22:13:44 us=84884 VERIFY ERROR: depth=0, error=self signed certificate: /C=NL/L=Amsterdam/O=domain/CN=vpn.domain.tld/emailAddress=client1@domain.tld
2012-05-15 22:13:44 us=85076 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-05-15 22:13:44 us=85132 TLS Error: TLS object -> incoming plaintext read error
2012-05-15 22:13:44 us=85183 TLS Error: TLS handshake failed
2012-05-15 22:13:44 us=85266 Fatal TLS error (check_tls_errors_co), restarting
2012-05-15 22:13:44 us=85338 TCP/UDP: Closing socket
2012-05-15 22:13:44 us=85411 SIGUSR1[soft,tls-error] received, process restarting
2012-05-15 22:13:44 us=85466 MANAGEMENT: >STATE:1337112824,RECONNECTING,tls-error,,
2012-05-15 22:13:44 us=89997 MANAGEMENT: CMD 'hold release'
2012-05-15 22:13:44 us=90147 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-05-15 22:13:44 us=90224 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-05-15 22:13:44 us=90287 Re-using SSL/TLS context
2012-05-15 22:13:44 us=90341 LZO compression initialized
2012-05-15 22:13:44 us=90453 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:44 us=90527 Socket Buffers: R=[262140->65536] S=[131070->65536]
2012-05-15 22:13:44 us=90586 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:44 us=90646 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2012-05-15 22:13:44 us=90697 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2012-05-15 22:13:44 us=90753 Local Options hash (VER=V4): '69109d17'
2012-05-15 22:13:44 us=90809 Expected Remote Options hash (VER=V4): 'c0103fa8'
2012-05-15 22:13:44 us=90865 Attempting to establish TCP connection with 192.168.178.10:1194 [nonblock]
2012-05-15 22:13:44 us=90917 MANAGEMENT: >STATE:1337112824,TCP_CONNECT,,,
2012-05-15 22:13:45 us=92063 TCP connection established with 192.168.178.10:1194
2012-05-15 22:13:45 us=92238 TCPv4_CLIENT link local: [undef]
2012-05-15 22:13:45 us=92343 TCPv4_CLIENT link remote: 192.168.178.10:1194
2012-05-15 22:13:45 us=92463 MANAGEMENT: >STATE:1337112825,WAIT,,,
2012-05-15 22:13:45 us=93409 MANAGEMENT: >STATE:1337112825,AUTH,,,
2012-05-15 22:13:45 us=93583 TLS: Initial packet from 192.168.178.10:1194, sid=6f6c0ff9 19cbcb52
2012-05-15 22:13:45 us=137799 VERIFY ERROR: depth=0, error=self signed certificate: /C=NL/L=Amsterdam/O=domain/CN=vpn.domain.tld/emailAddress=client1@domain.tld
2012-05-15 22:13:45 us=137967 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-05-15 22:13:45 us=138067 TLS Error: TLS object -> incoming plaintext read error
2012-05-15 22:13:45 us=138123 TLS Error: TLS handshake failed
2012-05-15 22:13:45 us=138199 Fatal TLS error (check_tls_errors_co), restarting
2012-05-15 22:13:45 us=138283 TCP/UDP: Closing socket
2012-05-15 22:13:45 us=138356 SIGUSR1[soft,tls-error] received, process restarting
2012-05-15 22:13:45 us=138420 MANAGEMENT: >STATE:1337112825,RECONNECTING,tls-error,,
2012-05-15 22:13:45 us=163849 MANAGEMENT: CMD 'hold release'
2012-05-15 22:13:45 us=163972 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-05-15 22:13:45 us=164027 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-05-15 22:13:45 us=164085 Re-using SSL/TLS context
2012-05-15 22:13:45 us=164140 LZO compression initialized
2012-05-15 22:13:45 us=164222 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:45 us=164301 Socket Buffers: R=[262140->65536] S=[131070->65536]
2012-05-15 22:13:45 us=164360 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:45 us=164422 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2012-05-15 22:13:45 us=164473 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2012-05-15 22:13:45 us=164530 Local Options hash (VER=V4): '69109d17'
2012-05-15 22:13:45 us=164585 Expected Remote Options hash (VER=V4): 'c0103fa8'
2012-05-15 22:13:45 us=164641 Attempting to establish TCP connection with 192.168.178.10:1194 [nonblock]
2012-05-15 22:13:45 us=164694 MANAGEMENT: >STATE:1337112825,TCP_CONNECT,,,
2012-05-15 22:13:46 us=164978 TCP connection established with 192.168.178.10:1194
2012-05-15 22:13:46 us=165158 TCPv4_CLIENT link local: [undef]
2012-05-15 22:13:46 us=165264 TCPv4_CLIENT link remote: 192.168.178.10:1194
2012-05-15 22:13:46 us=165383 MANAGEMENT: >STATE:1337112826,WAIT,,,
2012-05-15 22:13:46 us=166241 MANAGEMENT: >STATE:1337112826,AUTH,,,
2012-05-15 22:13:46 us=166390 TLS: Initial packet from 192.168.178.10:1194, sid=cba8be2d 8087b91c
2012-05-15 22:13:46 us=210753 VERIFY ERROR: depth=0, error=self signed certificate: /C=NL/L=Amsterdam/O=domain/CN=vpn.domain.tld/emailAddress=client1@domain.tld
2012-05-15 22:13:46 us=212739 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-05-15 22:13:46 us=214103 TLS Error: TLS object -> incoming plaintext read error
2012-05-15 22:13:46 us=214695 TLS Error: TLS handshake failed
2012-05-15 22:13:46 us=214881 Fatal TLS error (check_tls_errors_co), restarting
2012-05-15 22:13:46 us=214960 TCP/UDP: Closing socket
2012-05-15 22:13:46 us=215041 SIGUSR1[soft,tls-error] received, process restarting
2012-05-15 22:13:46 us=215096 MANAGEMENT: >STATE:1337112826,RECONNECTING,tls-error,,
2012-05-15 22:13:46 *Tunnelblick: Disconnecting; 'disconnect' button pressed
2012-05-15 22:13:46 *Tunnelblick: Flushed the DNS cache
2012-05-15 22:13:46 us=255591 MANAGEMENT: CMD 'hold release'
2012-05-15 22:13:46 us=255866 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-05-15 22:13:46 us=255923 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-05-15 22:13:46 us=256086 Re-using SSL/TLS context
2012-05-15 22:13:46 us=256190 LZO compression initialized
2012-05-15 22:13:46 us=256334 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012-05-15 22:13:46 us=256411 Socket Buffers: R=[262140->65536] S=[131070->65536]
2012-05-15 22:13:46 us=256470 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2012-05-15 22:13:46 us=256532 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2012-05-15 22:13:46 us=256583 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2012-05-15 22:13:46 us=256640 Local Options hash (VER=V4): '69109d17'
2012-05-15 22:13:46 us=256694 Expected Remote Options hash (VER=V4): 'c0103fa8'
2012-05-15 22:13:46 us=256749 Attempting to establish TCP connection with 192.168.178.10:1194 [nonblock]
2012-05-15 22:13:46 us=256805 MANAGEMENT: >STATE:1337112826,TCP_CONNECT,,,
2012-05-15 22:13:46 us=654629 TCP/UDP: Closing socket
2012-05-15 22:13:46 us=655286 SIGTERM[hard,init_instance] received, process exiting
2012-05-15 22:13:46 us=655410 MANAGEMENT: >STATE:1337112826,EXITING,init_instance,,
I've also tried regenerating the certificates, also on another machine, Linux instead of Mac OS X.
Thank you for your help again!

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: [Resolved] Self Signed certificate

Post by janjust » Wed May 16, 2012 8:42 am

Where and how did you generate the certificates? You need to generate the client and server certs using a single CA certificate, and this CA certificate needs to be present on both client and server.

You can verify the validity of a certificate using

Code: Select all

openssl verify -CAfile ca.crt  server.crt

kobold
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 08, 2012 12:34 pm

Re: [Resolved] Self Signed certificate

Post by kobold » Fri May 18, 2012 7:33 am

janjust wrote: Where and how did you generate the certificates? You need to generate the client and server certs using a single CA certificate, and this CA certificate needs to be present on both client and server.

You can verify the validity of a certificate using

Code: Select all

openssl verify -CAfile ca.crt  server.crt
I used the commands earlier in this topic to generate the certificates.

Here is the output of the openssl verify.

Code: Select all

$ openssl verify -CAfile ca.crt  server.crt
server.crt: /C=NL/L=Amsterdam/O=vpn/CN=vpn.domain.tld/emailAddress=client1@domain.tld
error 18 at 0 depth lookup:self signed certificate
OK

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: [Resolved] Self Signed certificate

Post by janjust » Fri May 18, 2012 10:12 pm

The problem is (again) in your server certificate - either the server cert was signed using another CA certificate or the server cert was not generated correctly. Try using the 'easy-rsa' scripts again and run 'build-key-server'.
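
The diagnosis in the post above, reproduced as an added example (not part of the thread and not easy-rsa's own code): a throwaway CA, a server certificate signed by it, and a self-signed server certificate are checked with `openssl verify` and an issuer/subject comparison. The CA name, `vpn.example.test`, the file names and the helper functions are assumptions made for the demo; because the output quoted in the thread ends in `OK` despite error 18, the check looks for error lines instead of the last line.

```shell
#!/bin/sh
# Added example: builds a disposable PKI in a temp dir. All names and files are constructed.

# Output quoted in the thread: error 18 is reported, yet the last line is "OK".
THREAD_SAMPLE='server.crt: /C=NL/L=Amsterdam/O=vpn/CN=vpn.domain.tld/emailAddress=client1@domain.tld
error 18 at 0 depth lookup:self signed certificate
OK'

# Reads "openssl verify" output on stdin; succeeds if it contains an error line.
verify_output_has_error() {
    grep -Eq '^error [0-9]+ at [0-9]+ depth lookup'
}

# Succeeds only if certificate $2 chains to the CA file $1.
# Both the exit status and the text are checked, since the thread shows a trailing "OK".
chains_to_ca() {
    verify_out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    if printf '%s\n' "$verify_out" | verify_output_has_error; then
        return 1
    fi
    return 0
}

# Succeeds if issuer name and subject name are identical, i.e. the certificate
# names itself as its issuer and no separate CA vouches for it.
is_self_issued() {
    subj_hash=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)
    iss_hash=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)
    [ -n "$subj_hash" ] && [ "$subj_hash" = "$iss_hash" ]
}

# Creates in directory $1: ca.crt, good.crt (signed by the CA), bad.crt (self-signed).
make_demo_pki() {
    pki=$1
    cat > "$pki/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. The single CA that must sign every client and server certificate.
    openssl req -x509 -config "$pki/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$pki/ca.key" -out "$pki/ca.crt" -days 1 >/dev/null 2>&1 || return 1
    # 2. Correct path: CSR for the server, then signed with the CA key.
    openssl req -new -config "$pki/pki.cnf" -subj "/CN=vpn.example.test" \
        -newkey rsa:2048 -nodes -keyout "$pki/good.key" -out "$pki/good.csr" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$pki/good.csr" -CA "$pki/ca.crt" -CAkey "$pki/ca.key" \
        -set_serial 2 -days 1 -out "$pki/good.crt" >/dev/null 2>&1 || return 1
    # 3. Faulty path: the server certificate signs itself, the CA is never involved.
    openssl req -x509 -config "$pki/pki.cnf" -subj "/CN=vpn.example.test" \
        -newkey rsa:2048 -nodes -keyout "$pki/bad.key" -out "$pki/bad.crt" -days 1 \
        >/dev/null 2>&1 || return 1
}

demo() {
    demo_dir=$(mktemp -d) || return 1
    make_demo_pki "$demo_dir" || { rm -rf "$demo_dir"; return 1; }
    for crt in good.crt bad.crt; do
        if chains_to_ca "$demo_dir/ca.crt" "$demo_dir/$crt"; then chain=yes; else chain=no; fi
        if is_self_issued "$demo_dir/$crt"; then selfi=yes; else selfi=no; fi
        echo "$crt: chains to ca.crt=$chain, issuer equals subject=$selfi"
    done
    rm -rf "$demo_dir"
}

demo
```

Running `is_self_issued server.crt` and `chains_to_ca ca.crt server.crt` against the real files tells a self-signed server certificate apart from one signed by a different CA, the two causes named in the post.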

kobold
OpenVpn Newbie
Posts: 8
Joined: Sun Apr 08, 2012 12:34 pm

Re: [Resolved] Self Signed certificate

Post by kobold » Mon May 21, 2012 10:17 am

I've generated the certificates on a clean installed Linux machine and now they work again.
Thanks again for your help.
