OpenVPN Server on macOS X

paolo83
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 28, 2017 2:33 pm

OpenVPN Server on macOS X

Post by paolo83 » Tue Oct 02, 2018 1:45 pm

Hello! I need some help with the routing of an OpenVPN server on my macOS X High Sierra.

I have generated the certificates by hand using EasyRSA and OpenSSL for server and client.
Then I have set up the server.conf and client.ovpn as follows:

Code: Select all

dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# Push route in LAN to specific gateway and metric
push "route 192.168.100.0 255.255.255.0 192.168.100.1 1"
# Set your primary domain name server address for clients - Prevent DNS Leak
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Network traffic between VPN clients
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo # Deprecated from OpenVPN 2.5
user nobody
group nogroup
persist-key
persist-tun
crl-verify crl.pem
status-version 3
verb 1

As you can see in the server.conf, my LAN IPv4 is 192.168.100.0/24 and my router is 192.168.100.10; in addition, my macOS address is 192.168.100.10.
For the VPN tunnel I used the standard OpenVPN IPv4 10.8.0.0/24.

The following is my typical client.ovpn file:

Code: Select all

client
dev tun
proto udp
remote MY IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
comp-lzo # Deprecated from OpenVPN 2.5
verb 3
<ca>
-----BEGIN CERTIFICATE-----
    COPY YOUR ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
    COPY YOUR client.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
    COPY YOUR client.key
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
    COPY YOUR ta.key
-----END OpenVPN Static key V1-----
</tls-auth>

After that, the client and server connection works on iOS and also on Windows, but... the client takes the IP 10.8.0.2 but neither Internet nor LAN connections work.

Then I studied some routing in macOS X, and the following is what I did.

I have modified the file /etc/pf.anchors/com.apple
I have added the following:

Code: Select all

nat-anchor "100.customNATRules/*"
rdr-anchor "100.customNATRules/*"
load anchor "100.customNATRules" from "/etc/pf.anchors/customNATRules"

Then I have created and configured the file /etc/pf.anchors/customNATRules as follows:

Code: Select all

nat on en0 from 10.8.0.0/24 to any -> (en0)
pass from {lo0, 10.8.0.0/24} to any keep state

I have enabled the forwarding:

Code: Select all

echo 'net.inet.ip.forwarding=1' | sudo tee -a /etc/sysctl.conf

In the end I have set everything to have the privileges and auto start with the system as follows:

Code: Select all

sudo cp /System/Library/LaunchDaemons/com.apple.pfctl.plist /Library/LaunchDaemons/net.mylan.pfctl.plist
sudo sed -i '' 's/com.apple.pfctl/net.mylan.pfctl/' /Library/LaunchDaemons/net.mylan.pfctl.plist
sudo sed -i '' 's/>-f</>-e</' /Library/LaunchDaemons/net.mylan.pfctl.plist
sudo sed -i '' '/pf\.conf/d' /Library/LaunchDaemons/net.mylan.pfctl.plist
sudo launchctl load -w /Library/LaunchDaemons/net.mylan.pfctl.plist

And this is all I did. Unfortunately the situation does not change: the connection comes up, but Internet and LAN are not online.

Can someone help me?
In the end, if all works, I'd like to post a complete guide on what I did to provide an OpenVPN server on macOS X.

Thanks.

PS: I have tried to use oconf for writing the OpenVPN config, but it doesn't work.
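
Added example, not part of the original post: a Python check that cross-reads a server.conf and a pf anchor shaped like the ones posted above and reports whether a nat rule covers the VPN subnet, whether redirect-gateway is pushed, and whether a pushed route names a gateway outside the VPN subnet. The function names and the embedded excerpts are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpts shaped like the server.conf and pf anchor in the post.
SERVER_CONF = '''\
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.100.0 255.255.255.0 192.168.100.1 1"
push "dhcp-option DNS 1.1.1.1"
comp-lzo # Deprecated from OpenVPN 2.5
'''
PF_RULES = '''\
nat on en0 from 10.8.0.0/24 to any -> (en0)
pass from {lo0, 10.8.0.0/24} to any keep state
'''

def directives(conf):
    """Yield one token list per directive; push "..." is unwrapped."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = re.match(r'push\s+"(.*)"$', line)
        yield (["push"] + m.group(1).split()) if m else line.split()

def vpn_subnet(conf):
    """Network handed out by the 'server <net> <mask>' directive, or None."""
    for d in directives(conf):
        if d[0] == "server" and len(d) >= 3:
            return ipaddress.ip_network(f"{d[1]}/{d[2]}", strict=False)
    return None

def nat_sources(pf_rules):
    """(interface, source network) for each 'nat on IF from CIDR to any' rule."""
    out = []
    for line in pf_rules.splitlines():
        m = re.match(r"\s*nat on (\S+) from (\d[\d./]*) to any", line)
        if m:
            out.append((m.group(1), ipaddress.ip_network(m.group(2), strict=False)))
    return out

def audit(conf, pf_rules):
    """Return a list of human-readable findings (empty list = consistent)."""
    subnet = vpn_subnet(conf)
    if subnet is None:
        return ["no 'server' directive found"]
    findings = []
    if not any(subnet.subnet_of(net) for _, net in nat_sources(pf_rules)):
        findings.append(f"no pf nat rule covers VPN subnet {subnet}")
    pushes = [d[1:] for d in directives(conf) if d[0] == "push"]
    if not any(p[:1] == ["redirect-gateway"] for p in pushes):
        findings.append("redirect-gateway not pushed: only pushed routes use the tunnel")
    for p in pushes:
        if p[:1] == ["route"] and len(p) >= 4:
            try:
                gw = ipaddress.ip_address(p[3])
            except ValueError:
                continue                        # keyword such as vpn_gateway
            if gw not in subnet:
                findings.append(f"pushed route {p[1]} uses gateway {gw} outside {subnet}")
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_CONF, PF_RULES):
        print("-", finding)
```
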

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on macOS X

Post by TinCanTech » Tue Oct 02, 2018 2:02 pm

paolo83 wrote:
Tue Oct 02, 2018 1:45 pm
the situation does not change: the connection comes up, but Internet and LAN are not online

You are not using --redirect-gateway so please read:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

paolo83
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 28, 2017 2:33 pm

Re: OpenVPN Server on macOS X

Post by paolo83 » Tue Oct 02, 2018 3:18 pm

Ok Thanks, I have added the following line in the server.conf:

Code: Select all

push "redirect-gateway def1"

But the connection does not change.
The connection is established, but neither the LAN IPs (also with ping) nor the Internet are reached.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on macOS X

Post by TinCanTech » Tue Oct 02, 2018 3:24 pm

Ensure you have either enabled NAT correctly at your server or provide necessary routing for your network.

paolo83
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 28, 2017 2:33 pm

Re: OpenVPN Server on macOS X

Post by paolo83 » Tue Oct 02, 2018 4:04 pm

I have opened UDP port 1194 on my router and redirected it to my macOS LAN IP 192.168.100.10.
I also tried to disable the macOS internal firewall, but frustratingly nothing has changed.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on macOS X

Post by TinCanTech » Tue Oct 02, 2018 6:08 pm

paolo83 wrote:
Tue Oct 02, 2018 4:04 pm
I also tried to disable the macOS internal firewall

I think NAT requires your Firewall to be operational ..

paolo
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 24, 2017 10:26 pm

Re: OpenVPN Server on macOS X

Post by paolo » Tue Oct 02, 2018 8:19 pm

Ok, yes, you are right. I suppose that the problem is in the routing table that the VPN server generates.
If I enable the forwarding as I described in the beginning, I suppose that the incoming client connection receives the IP from the OpenVPN server and then requires something that routes the IP 10.8.0.2 through the VPN gateway 10.8.0.1 and then into my LAN server 192.168.100.10.
I don't understand why the routing that I set in the first post doesn't work.
I used the same procedure to route a VLAN instead of a VPN, and in that case everything works perfectly.
It seems that the routing set in the server.conf doesn't work.

paolo
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 24, 2017 10:26 pm

Re: OpenVPN Server on macOS X

Post by paolo » Wed Oct 03, 2018 8:12 am

In addition this is the routing after OpenVPN server is started:

Code: Select all

netstat -rn

Code: Select all

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.100.1      UGSc          117        0     en0
10.8/24            10.8.0.1           UGSc            0        0   utun1
10.8.0.1           10.8.0.1           UH              1        0   utun1
127                127.0.0.1          UCS             3    14561     lo0
127.0.0.1          127.0.0.1          UH             20    20561     lo0
127.255.255.255    127.0.0.1          UHW3I           0    14507     lo0    182

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on macOS X

Post by TinCanTech » Wed Oct 03, 2018 11:37 am

I suggest you read the Howto again .. I refer back to it often.

If you still cannot solve this you can contact me privately: tincanteksup <at> gmail

paolo
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 24, 2017 10:26 pm

Re: OpenVPN Server on macOS X

Post by paolo » Wed Oct 03, 2018 4:27 pm

OK, update.
I have repeated all the steps that I used to configure the VPN and I found an error in the file /etc/pf.conf.
After repairing the file, the forwarding works.
Then I simplified the server.conf file a little, as below:

Code: Select all

dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
# ping + ping restart
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo # Deprecated from OpenVPN 2.5
user nobody
group nogroup
persist-key
persist-tun
# Certificate Revocation List file
crl-verify crl.pem
status-version 3
verb 3

And this sped up the connection from Windows clients.

Then I ran some tests:
- The LAN responds to ping for each device
- I tried a VNC connection to the macOS X Server and to another Linux device, and it works

The issues that I found now are two:
  • The LAN SMB sharing works with the LAN IPv4 192.168.100.x, apart from the server, which does not respond on the LAN IP but only on the VPN IP 10.8.0.1
  • If I try to connect two different clients, the assigned IP is the same, 10.8.0.2, and one pushes the other out of the VPN connection

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on macOS X

Post by TinCanTech » Wed Oct 03, 2018 5:03 pm

paolo wrote:
Wed Oct 03, 2018 4:27 pm
If I try to connect two different clients, the assigned IP is the same, 10.8.0.2, and one pushes the other out of the VPN connection

See your server log file.

paolo
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 24, 2017 10:26 pm

Re: OpenVPN Server on macOS X

Post by paolo » Wed Oct 03, 2018 6:49 pm

Here is my log from Tunnelblick:
yy.yy.yy.yy is my external IP
xx.xx.xx.xx is the public IP of the client (in this case my iPhone connected from 4G)

Code: Select all

*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.7 (build 5150); prior version 3.7.6a (build 5080)
2018-10-03 20:39:45 *Tunnelblick: Attempting connection with miniLAN-OpenVPN using shadow copy; Set nameserver = 775; monitoring connection
2018-10-03 20:39:45 *Tunnelblick: openvpnstart start miniLAN-OpenVPN.tblk 53377 775 0 1 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2p
2018-10-03 20:39:46 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2p/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Spaolo-SLibrary-SApplication Support-STunnelblick-SConfigurations-SminiLAN--OpenVPN.tblk-SContents-SResources-Sconfig.ovpn.775_0_1_0_1065264.53377.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/paolo/miniLAN-OpenVPN.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5150 3.7.7 (build 5150)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/paolo/miniLAN-OpenVPN.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/paolo/miniLAN-OpenVPN.tblk/Contents/Resources
          --management
          127.0.0.1
          53377
          /Library/Application Support/Tunnelblick/inehacdaomncahlagchhoidhcebhnhcfgkinllmf.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.1.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --plugin
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2p/openvpn-down-root.so
          /Applications/Tunnelblick.app/Contents/Resources/client.1.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2018-10-03 20:39:45 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 29 2018
2018-10-03 20:39:45 library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
2018-10-03 20:39:45 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:53377
2018-10-03 20:39:45 Need hold release from management interface, waiting...
2018-10-03 20:39:45 *Tunnelblick: openvpnstart starting OpenVPN
2018-10-03 20:39:46 *Tunnelblick: Established communication with OpenVPN
2018-10-03 20:39:46 >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2018-10-03 20:39:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:53377
2018-10-03 20:39:46 MANAGEMENT: CMD 'pid'
2018-10-03 20:39:46 MANAGEMENT: CMD 'auth-retry interact'
2018-10-03 20:39:46 MANAGEMENT: CMD 'state on'
2018-10-03 20:39:46 MANAGEMENT: CMD 'state'
2018-10-03 20:39:46 MANAGEMENT: CMD 'bytecount 1'
2018-10-03 20:39:46 MANAGEMENT: CMD 'hold release'
2018-10-03 20:39:46 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-10-03 20:39:46 PLUGIN_INIT: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2p/openvpn-down-root.so '[/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2p/openvpn-down-root.so] [/Applications/Tunnelblick.app/Contents/Resources/client.1.down.tunnelblick.sh] [-9] [-d] [-f] [-m] [-w] [-ptADGNWradsgnw]' intercepted=PLUGIN_UP|PLUGIN_DOWN 
2018-10-03 20:39:46 Diffie-Hellman initialized with 2048 bit key
2018-10-03 20:39:46 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-10-03 20:39:46 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-10-03 20:39:46 *Tunnelblick: No 'connected.sh' script to execute
2018-10-03 20:39:46 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2018-10-03 20:39:46 Opened utun device utun1
2018-10-03 20:39:46 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-10-03 20:39:46 MANAGEMENT: >STATE:1538591986,ASSIGN_IP,,10.8.0.1,,,,
2018-10-03 20:39:46 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-10-03 20:39:46 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-10-03 20:39:46 /sbin/ifconfig utun1 10.8.0.1 10.8.0.1 netmask 255.255.255.0 mtu 1500 up
2018-10-03 20:39:46 /sbin/route add -net 10.8.0.0 10.8.0.1 255.255.255.0
                                        add net 10.8.0.0: gateway 10.8.0.1
2018-10-03 20:39:46 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2p/openvpn-down-root.so/PLUGIN_UP status=0
2018-10-03 20:39:46 /Applications/Tunnelblick.app/Contents/Resources/client.1.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1622 10.8.0.1 255.255.255.0 init
2018-10-03 20:39:46 Could not determine IPv4/IPv6 protocol. Using AF_INET6
2018-10-03 20:39:46 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-10-03 20:39:46 setsockopt(IPV6_V6ONLY=0)
2018-10-03 20:39:46 UDPv6 link local (bound): [AF_INET6][undef]:1194
2018-10-03 20:39:46 UDPv6 link remote: [AF_UNSPEC]
2018-10-03 20:39:46 GID set to nogroup
2018-10-03 20:39:46 UID set to nobody
2018-10-03 20:39:46 MULTI: multi_init called, r=256 v=256
2018-10-03 20:39:46 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
2018-10-03 20:39:46 Initialization Sequence Completed
2018-10-03 20:39:46 MANAGEMENT: >STATE:1538591986,CONNECTED,SUCCESS,10.8.0.1,,,,
2018-10-03 20:39:51 *Tunnelblick: This computer's apparent public IP address (yy.yy.yy.yy) was unchanged after the connection was made
2018-10-03 20:40:07 xx.xx.xx.xx TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xx.xx:4428, sid=73b74ff1 ee3ec9a7
2018-10-03 20:40:08 xx.xx.xx.xx VERIFY OK: depth=1, CN=server
2018-10-03 20:40:08 xx.xx.xx.xx VERIFY KU OK
2018-10-03 20:40:08 xx.xx.xx.xx Validating certificate extended key usage
2018-10-03 20:40:08 xx.xx.xx.xx ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2018-10-03 20:40:08 xx.xx.xx.xx VERIFY EKU OK
2018-10-03 20:40:08 xx.xx.xx.xx VERIFY OK: depth=0, CN=paolo
2018-10-03 20:40:08 xx.xx.xx.xx peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.1-770
2018-10-03 20:40:08 xx.xx.xx.xx peer info: IV_VER=3.2
2018-10-03 20:40:08 xx.xx.xx.xx peer info: IV_PLAT=ios
2018-10-03 20:40:08 xx.xx.xx.xx peer info: IV_NCP=2
2018-10-03 20:40:08 xx.xx.xx.xx peer info: IV_TCPNL=1
2018-10-03 20:40:08 xx.xx.xx.xx peer info: IV_PROTO=2
2018-10-03 20:40:08 xx.xx.xx.xx peer info: IV_LZO=1
2018-10-03 20:40:08 xx.xx.xx.xx peer info: IV_AUTO_SESS=1
2018-10-03 20:40:08 xx.xx.xx.xx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-10-03 20:40:08 xx.xx.xx.xx [paolo] Peer Connection Initiated with [AF_INET6]::ffff:xx.xx.xx.xx:4428
2018-10-03 20:40:08 paolo/xx.xx.xx.xx MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
2018-10-03 20:40:08 paolo/xx.xx.xx.xx MULTI: Learn: 10.8.0.2 -> paolo/xx.xx.xx.xx
2018-10-03 20:40:08 paolo/xx.xx.xx.xx MULTI: primary virtual IP for paolo/xx.xx.xx.xx: 10.8.0.2
2018-10-03 20:40:08 paolo/xx.xx.xx.xx PUSH: Received control message: 'PUSH_REQUEST'
2018-10-03 20:40:08 paolo/xx.xx.xx.xx SENT CONTROL [paolo]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2018-10-03 20:40:08 paolo/xx.xx.xx.xx Data Channel: using negotiated cipher 'AES-256-GCM'
2018-10-03 20:40:08 paolo/xx.xx.xx.xx Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-10-03 20:40:08 paolo/xx.xx.xx.xx Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-10-03 20:40:29 paolo/xx.xx.xx.xx SIGTERM[soft,remote-exit] received, client-instance exiting

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on macOS X

Post by TinCanTech » Wed Oct 03, 2018 8:12 pm

Your server log does not show the client being disconnected by another client connection ..

However, See --duplicate-cn in The Manual v24x

Or make another cert/key for your second client.

paolo
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 24, 2017 10:26 pm

Re: OpenVPN Server on macOS X

Post by paolo » Thu Oct 04, 2018 3:58 pm

Ok, sorry, this is my error, because I tried to connect from two devices with the same certificate.
Now I have tried to connect from two devices with two different certificates and everything works: the first one takes the IP 10.8.0.2 and the second one 10.8.0.3.

Now only one issue remains.
After the connection, all devices are reachable with their LAN IP 192.168.100.x, apart from the server itself, which is reachable with the VPN IP 10.8.0.1 instead of the LAN IP 192.168.100.10.
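
Added example, not part of the original thread: a Python check that reads server log lines in the format posted above and reports when a common name starts a session from a new peer address while an earlier session for that name has not exited, which is how one client certificate used on two devices shows up in the log. The sample log is constructed (documentation addresses, not values from the thread), and IPv4 or IPv4-mapped peer addresses are assumed.

```python
import re

# Constructed sample in the format of the server log above.
SAMPLE_LOG = """\
2018-10-03 20:40:08 198.51.100.7 [paolo] Peer Connection Initiated with [AF_INET6]::ffff:198.51.100.7:4428
2018-10-03 20:40:08 paolo/198.51.100.7 MULTI: Learn: 10.8.0.2 -> paolo/198.51.100.7
2018-10-03 20:41:15 203.0.113.9 [paolo] Peer Connection Initiated with [AF_INET6]::ffff:203.0.113.9:51820
2018-10-03 20:41:15 paolo/203.0.113.9 MULTI: Learn: 10.8.0.2 -> paolo/203.0.113.9
2018-10-03 20:45:02 paolo/203.0.113.9 SIGTERM[soft,remote-exit] received, client-instance exiting
2018-10-03 20:50:30 192.0.2.44 [anna] Peer Connection Initiated with [AF_INET6]::ffff:192.0.2.44:40001
2018-10-03 20:50:30 anna/192.0.2.44 MULTI: Learn: 10.8.0.3 -> anna/192.0.2.44
"""

INIT = re.compile(r"^(\S+ \S+) \S+ \[([^\]]+)\] Peer Connection Initiated with \[AF_INET6?\](\S+)")
LEARN = re.compile(r"MULTI: Learn: (\S+) -> ([^/\s]+)/\S+")
EXIT = re.compile(r"^\S+ \S+ ([^/\s]+)/(\S+) .*client-instance (?:exiting|restarting)")

def norm(addr):
    """Reduce '::ffff:a.b.c.d:port' or 'a.b.c.d:port' to 'a.b.c.d' (IPv4 only)."""
    return addr.replace("::ffff:", "").split(":")[0]

def shared_cert_events(log_text):
    """Return one dict per takeover of a common name by a different peer address."""
    active = {}      # common name -> peer address of the session still up
    virtual_ip = {}  # common name -> last tunnel address learned for it
    events = []
    for line in log_text.splitlines():
        m = INIT.match(line)
        if m:
            ts, cn, peer = m.group(1), m.group(2), norm(m.group(3))
            prev = active.get(cn)
            if prev and prev != peer:
                # Same certificate CN, different source, earlier session never exited.
                events.append({"time": ts, "cn": cn, "evicted": prev,
                               "by": peer, "virtual_ip": virtual_ip.get(cn)})
            active[cn] = peer
            continue
        m = LEARN.search(line)
        if m:
            virtual_ip[m.group(2)] = m.group(1)
            continue
        m = EXIT.match(line)
        if m and active.get(m.group(1)) == norm(m.group(2)):
            del active[m.group(1)]   # clean exit: a later connect is not a takeover
    return events

if __name__ == "__main__":
    for e in shared_cert_events(SAMPLE_LOG):
        print(f"{e['time']} CN={e['cn']} {e['evicted']} replaced by {e['by']} on {e['virtual_ip']}")
```

A hit means the certificate cannot be revoked for one device without cutting off the other, so each device should get its own cert/key pair as suggested above.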

paolo
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 24, 2017 10:26 pm

Re: OpenVPN Server on macOS X

Post by paolo » Fri Oct 05, 2018 4:28 pm

An update

I have tried to follow this HOWTO http://openvpn.net/index.php/open-sourc ... html#scope

The first try was to add the following line to the server.conf file:

Code: Select all

push "route 192.168.100.0 255.255.255.0"

The result was that nothing changed: the LAN 192.168.100.0/24 is reachable, apart from the server itself with the IP 192.168.100.10, which is reachable only with the VPN IP 10.8.0.1.

The second try was to add the ccd directory and the additional server commands:

Code: Select all

client-config-dir ccd
route 192.168.100.0 255.255.255.0
client-to-client
push "route 192.168.100.0 255.255.255.0"

adding in the ccd dir a file named after the client common name, with the following command:

Code: Select all

iroute 192.168.100.0 255.255.255.0

The result was worse than the previous one: no device in the LAN was reachable.

paolo
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 24, 2017 10:26 pm

Re: OpenVPN Server on macOS X

Post by paolo » Fri Oct 05, 2018 8:28 pm

I'm trying to understand whether the problem is in the routing table.
Here is my routing table from the command

Code: Select all

netstat -rn

Code: Select all

Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.100.1      UGSc           65     3326     en0
10.8/24            10.8.0.1           UGSc            1        0   utun1
10.8.0.1           10.8.0.1           UH              2        0   utun1
127                127.0.0.1          UCS             2    18812     lo0
127.0.0.1          127.0.0.1          UH             26    68964     lo0
127.255.255.255    127.0.0.1          UHWIi           1    18812     lo0
169.254            link#7             UCS             1        0     en0
169.254.1.0        link#7             UHLSW           0    17162     en0
192.168.100        link#7             UCS             8        0     en0
192.168.100.1/32   link#7             UCS             1        0     en0
192.168.100.1      10:13:31:f8:a7:26  UHLWIir        18      534     en0   1195
192.168.100.2      link#7             UHLWIi          1     1213     en0
192.168.100.3      f0:23:b9:eb:5e:2e  UHLWI           0    12269     en0   1186
192.168.100.4      50:c7:bf:8b:55:72  UHLWI           0       92     en0    552
192.168.100.10/32  link#7             UCS             1        0     en0
192.168.100.10     3c:7:54:63:a3:0    UHLWIi          2    81040     lo0
192.168.100.12     c8:69:cd:71:7c:7b  UHLWIi          1      932     en0    815
192.168.100.54     78:d7:5f:90:83:4b  UHLWI           0        8     en0    815
192.168.100.69     24:a2:e1:a:4a:2d   UHLWIi          3      380     en0    818
192.168.100.73     88:e9:fe:74:8e:e5  UHLWIi          4  2601511     en0   1049
192.168.100.255    ff:ff:ff:ff:ff:ff  UHLWbI          0      122     en0
224.0.0/4          link#7             UmCS            3        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
239.0.0.250        1:0:5e:0:0:fa      UHmLWI          0        2     en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0     6893     en0
255.255.255.255/32 link#7             UCS             1        0     en0
255.255.255.255    ff:ff:ff:ff:ff:ff  UHLWbI          0       16     en0

I observe that the "Use" of the 10.8.0.1 VPN server IP is 0, whereas the "Use" of 192.168.100.10, the IP of the server on the LAN side, is 81040. Is it possible that this is the reason why the server responds only with the IP 10.8.0.1 when the client is connected via VPN?
And if this is the reason, how can I resolve this issue?

Thanks for any suggestions.
