Once a VPN has connected using a particular network card, it cannot connect again unless that network card is active

bribri

Posts: 8
Joined: Fri Jan 11, 2019 6:57 am

Post by bribri » Thu Apr 11, 2019 1:28 am
I have a 2015 MacBook Air that I use with a USB ethernet adapter. Generally when I have it connected over ethernet I turn off my Wi-Fi card to ensure that all of my traffic goes over ethernet.

I've found that once Viscosity connects to a VPN using one of the two network cards, it cannot connect to that VPN again unless that specific network card is enabled and active. The only way to fix this situation that I've found is to reboot the system.

For example:

With Wi-Fi enabled and connected, and my USB ethernet card detached, I'll connect to VPN A.

I'll then disable Wi-Fi, attach my USB ethernet adapter and allow it to connect. Now if I try to connect to VPN A, it will immediately fail.

In this state I connect to VPN B and it connects successfully.

I then detach my USB ethernet adapter and enable Wi-Fi. Now VPN B will immediately fail if it tries to connect. However if I tell VPN A to connect it will succeed.

From this point on, neither of my VPN connections will work with both network adapters. If I reboot the system it resets, but then following the above steps will trigger the problem again.

Here's what is printed in the logs when either of these VPNs fail to connect (with IP addresses redacted):
Code:
2019-04-10 11:15:49: Viscosity Mac 1.7.14 (1480)
2019-04-10 11:15:49: Viscosity OpenVPN Engine Started
2019-04-10 11:15:49: Running on macOS 10.14.3
2019-04-10 11:15:49: ---------
2019-04-10 11:15:49: State changed to Connecting
2019-04-10 11:15:49: Checking reachability status of connection...
2019-04-10 11:15:49: Testing address: X.Y.Z.W Route points to inactive interface
2019-04-10 11:15:49: Connection is not reachable. Disconnecting.
2019-04-10 11:15:49: State changed to Disconnected
2019-04-10 11:15:49: Connection will be reconnected when it becomes reachable
2019-04-10 11:16:54: Testing address: X.Y.Z.W Route points to inactive interface

Is this a bug, or do I have my VPNs configured improperly?

James

Posts: 1855
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Apr 11, 2019 4:17 pm
Hi bribri,

Can you please post a copy of the configuration data for your connection and we'll take a look. Please feel free to censor out any sensitive details before posting it.

You can view the configuration data for your Viscosity connection by opening Viscosity’s Preferences window, holding down the Option key on your keyboard, right-clicking (or control-clicking) on your connection, and selecting “View Configuration Data”.

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

Post by bribri » Fri Apr 12, 2019 4:07 am
Here's the configuration:
Code:
#-- Configuration Generated By Viscosity --#

#viscosity startonopen true
#viscosity protocol openvpn
#viscosity dns full
#viscosity usepeerdns true
#viscosity autoreconnect true
#viscosity name [VPN NAME]
#viscosity dhcp true
remote [VPN URL] 149 udp
remote [VPN URL] 1151 udp
remote [VPN URL] 1150 udp
remote [VPN URL] 1149 udp
remote [VPN URL] 1148 udp
remote [VPN URL] 148 udp
remote [VPN URL] 151 udp
remote [VPN URL] 150 udp
nobind 
dev tun
redirect-gateway def1 ipv6
tun-mtu 1500
fragment 1300
inactive 604800
ping 5
ping-restart 120
persist-tun 
persist-key 
persist-remote-ip 
compress 
pull 
auth-user-pass 
tls-client 
ca ca.crt
cert cert.crt
key key.key
remote-cert-tls server
tls-auth ta.key
tls-timeout 5
route-up "/Library/Application\\ Support/ViscosityScripts/autobypass.py"
remote-random 
hand-window 120
mssfix 
cipher AES-256-CBC
key-direction 1
mute-replay-warnings 
route-pre-down "/Library/Application\\ Support/ViscosityScripts/autounbypass.py"
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
route-delay 2
tun-ipv6 
auth SHA512
resolv-retry 60
reneg-sec 3600

The route-pre-up and route-pre-down scripts are custom scripts I wrote to automatically prevent certain hostnames from going through the VPN. This problem still occurs when those scripts are removed from the configuration, though.

Post by James » Fri Apr 12, 2019 5:12 pm
Hi bribri,

Well what's happening here is that a static route is being created at connection time, routing the server's external IP address through one interface/router, and it doesn't appear to be getting removed at disconnection time. Your config itself looks fine, so it'll have to be one of the following:

1. Your script is creating the route, and not removing it correctly on disconnect. This seems the most likely option: with the interface down your route removal command may be no longer valid (as the route itself may have adjusted, or your route command may now be looking at the wrong interface), leaving it in place. You may want to debug this by having your scripts log the output to a file on disk.

However, I'd strongly recommend removing the scripts. Viscosity itself is more than capable of handling routing outside of the VPN connection (and you can enter a domain name instead of an IP address for dynamically changing addresses):
https://www.sparklabs.com/support/kb/article/routing-traffic-for-websites-applications/#specifying-traffic-to-go-through-the-normal-network

I know you've tested removing the scripts, but once a static route is in place removing the scripts will not solve the issue. You'd need to remove the scripts, restart your computer, and then test connecting.

2. The OpenVPN server itself is pushing a fixed route. You'll need to check the OpenVPN server configuration for this. Alternatively you can block any routes it is pushing using the "route-nopull" advanced command (this also blocks DNS servers, so you'll want to specify these manually in your connection before using it):
https://www.sparklabs.com/support/kb/article/advanced-configuration-commands/

Cheers,
James
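
An added diagnostic for the stale-route condition described in the post above (not code from the thread or from Viscosity): it parses macOS `netstat -rn -f inet` and `ifconfig` output and reports static host routes whose interface is inactive or gone. The sample output and every address in it are constructed placeholders.

```python
# Constructed sample of macOS `netstat -rn -f inet` output (placeholder addresses).
SAMPLE_NETSTAT = """\
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.0.2.1          UGSc           54        0     en5
192.0.2/24         link#12            UCS             1        0     en5
203.0.113.10       198.51.100.1       UGHS            0       12     en0
203.0.113.77       192.0.2.1          UGHS            0        3     en5
"""
# Constructed sample of `ifconfig` output, trimmed to the lines the parser reads.
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tstatus: inactive
en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tstatus: active
"""


def interface_status(ifconfig_text):
    """Map interface name to 'active', 'inactive', or 'unknown' (no status line)."""
    status, current = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():      # "en0: flags=..." starts a stanza
            current = line.split(":", 1)[0]
            status[current] = "unknown"
        elif current and line.strip().startswith("status:"):
            status[current] = line.split(":", 1)[1].strip()
    return status


def stale_host_routes(netstat_text, ifconfig_text):
    """Return (destination, gateway, netif) for static host routes (flags G, H
    and S) bound to an interface that is inactive or no longer present."""
    status = interface_status(ifconfig_text)
    cols, stale = None, []
    for line in netstat_text.splitlines():
        fields = line.split()
        if fields[:1] == ["Destination"]:       # header row gives column positions
            cols = {name: i for i, name in enumerate(fields)}
            continue
        if cols is None or len(fields) <= cols["Netif"]:
            continue
        flags, netif = fields[cols["Flags"]], fields[cols["Netif"]]
        if {"G", "H", "S"} <= set(flags) and status.get(netif, "absent") in ("inactive", "absent"):
            stale.append((fields[0], fields[1], netif))
    return stale


if __name__ == "__main__":
    for dest, gw, netif in stale_host_routes(SAMPLE_NETSTAT, SAMPLE_IFCONFIG):
        print(f"stale host route: {dest} via {gw} on {netif}")
```

On a live system, pass the captured text of `netstat -rn -f inet` and `ifconfig` in place of the two samples.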

Post by bribri » Sat Apr 13, 2019 3:01 am
Well not only was I wrong about my script not causing this problem -- it was the cause of this problem -- but I feel silly for not realizing that Viscosity already had that feature built-in! I guess I was used to working with other VPN client software that did not provide this feature.

I do have a few more questions. I checked through the docs but apologies if I missed the answer in there!

1. When specifying hostnames that are routed through the local gateway, is it necessary for me to add entries for both IP4 and IP6?

2. Is there a convenient way I can set up all of my VPN connections to have all the same entries in their routing table without having to manually add them all for each connection?

Post by James » Mon Apr 15, 2019 11:59 am
> 1. When specifying hostnames that are routed through the local gateway, is it necessary for me to add entries for both IP4 and IP6?

Yes, it is.

> 2. Is there a convenient way I can set up all of my VPN connections to have all the same entries in their routing table without having to manually add them all for each connection?

If you have a huge number you could create a couple of the routes using Viscosity's editor, and then use the "View Configuration Data" option detailed previously to view the raw commands for these routes to get an idea of what they should look like. You could then create the commands for each route you want to add in a text editor and then either drop them into the advanced commands section in Viscosity for your connection, or edit the configuration file manually (located in Viscosity's Application Support folder).

Cheers,
James

Post by bribri » Tue Apr 16, 2019 2:22 pm
Thanks for the tip on copying over routes between connections!

I have one more question concerning IPv6 routes:

Currently I'm unable to add them to my connections. If I try to add it to routing section in the connection's settings, it doesn't give me an option for choosing any gateway other than "default" or "custom" -- I can't pick "local network gateway". And then once I save the settings, the next time I open the settings dialog that route won't be listed there. Further, if I try to add the route to the extra configuration commands (by adding something like "route-ipv6 hostname net_gateway default") that too is removed after I save the settings and reopen the settings dialog. Any idea what's happening?

Post by James » Tue Apr 16, 2019 8:05 pm
Hi bribri,

Sadly net_gateway isn't currently supported for IPv6 routes. We'll likely add support for it in the future, but for now you'll need to manually specify the IPv6 address of the gateway to use (that'll likely be the IPv6 address of your router).

Cheers,
James

Post by bribri » Wed Apr 17, 2019 3:18 am
Thanks for the help so far. Unfortunately I'm still unable to add an IPv6 route to Viscosity. Each time I create an IPv6 route it doesn't stick -- it just disappears the next time I open the settings window.

Further, since I'm using Viscosity on a laptop that's connecting to various different Wi-Fi networks, oftentimes ones I haven't connected to before, there's no one IPv6 address I can use in a configuration. I'd prefer not to have to write a script again like the one that instigated this thread in the first place!

Maybe a better solution is to configure my mac to have IPv6 be link-local only? If I understand correctly, I think that will force all traffic to be IPv4 and so I shouldn't need IPv6 routes configured in Viscosity.

Post by James » Thu Apr 18, 2019 12:48 pm
> Unfortunately I'm still unable to add an IPv6 route to Viscosity. Each time I create an IPv6 route it doesn't stick -- it just disappears the next time I open the settings window.

It sounds like the syntax being used may be invalid, or the IPv6 address/es being entered may be invalid. I recommend trying to create some through the editor (make sure the IP version is set to v6) and see if it persists.

> Maybe a better solution is to configure my mac to have IPv6 be link-local only? If I understand correctly, I think that will force all traffic to be IPv4 and so I shouldn't need IPv6 routes configured in Viscosity.

Does the VPN connection itself support IPv6 (i.e. is the VPN connection assigning you an IPv6 address)? If so, IPv6 traffic will still go through the VPN connection even if it's disabled locally. However if it is an IPv4 only connection you can use Viscosity's "Block IPv6 traffic while connected to IPv4-only VPN connections" option under Preferences->Advanced.

Cheers,
James