Connected but no Client IP

Posted: Sun Aug 13, 2017 10:39 am
by msinca
Good afternoon,

I am evaluating Viscosity and will happily purchase if I can get it working. I appear to be experiencing a fairly common problem of my Mac not being able to get a Client IP in Viscosity.

Setup

- Server - Tomato Router with OpenVPN Server (screenshot of setup - https://www.evernote.com/shard/s3/sh/f62d6e2e-0ed5-41e4-bf6f-7e1319483680/9354079b4b8898f6)

- Client - MacBook Pro w/ macOS Sierra

I can successfully connect to the OpenVPN Server using a Windows PC using the Windows OpenVPN GUI client. Everything works just fine.

However, I am having problems getting everything to work to the same server using my Mac via Viscosity. I'm including the Logs at the end of this post.

Viscosity appears to connect but I do not get assigned a Client IP - my IP address doesn't change and it won't seem to get a new IP (via DHCP) from the Tomato Router after connecting (even if I manually try to Renew the Lease).

I've confirmed that I don't have any static DNS routes set on my Mac.
NOTE: You may wonder why my port is set to 443. The location where I'm connecting from only allows traffic on certain browsing ports so I have to use 80 or 443.

Thanks very much for any advice/help you could offer.

Regards,
Mike

2017-08-12 16:34:24: Viscosity Mac 1.7.3 (1412)
2017-08-12 16:34:24: Viscosity OpenVPN Engine Started
2017-08-12 16:34:24: Running on macOS 10.12.6
2017-08-12 16:34:24: ---------
2017-08-12 16:34:24: State changed to Connecting
2017-08-12 16:34:24: Checking reachability status of connection...
2017-08-12 16:34:25: Connection is reachable. Starting connection attempt.
2017-08-12 16:34:25: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
2017-08-12 16:34:25: OpenVPN 2.4.3 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 21 2017
2017-08-12 16:34:25: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
2017-08-12 16:34:25: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-08-12 16:34:25: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-08-12 16:34:25: GDG6: problem writing to routing socket
2017-08-12 16:34:25: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-12 16:34:25: OpenVPN ROUTE: failed to parse/resolve route for host/network: fc00::/7
2017-08-12 16:34:25: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-12 16:34:25: OpenVPN ROUTE: failed to parse/resolve route for host/network: 3000::/4
2017-08-12 16:34:25: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-12 16:34:25: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/4
2017-08-12 16:34:25: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-12 16:34:25: OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/3
2017-08-12 16:34:25: Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-08-12 16:34:25: Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-08-12 16:34:25: Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-08-12 16:34:25: Opened utun device utun3
2017-08-12 16:34:25: TCP/UDP: Preserving recently used remote address: [AF_INET]76.XXX.XXX.XXX:443
2017-08-12 16:34:25: UDP link local (bound): [AF_INET][undef]:1194
2017-08-12 16:34:25: UDP link remote: [AF_INET]76.XXX.XXX.XXX:443
2017-08-12 16:34:35: Peer Connection Initiated with [AF_INET]76.XXX.XXX.XXX:443
2017-08-12 16:34:35: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
2017-08-12 16:34:35: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1545', remote='link-mtu 1577'
2017-08-12 16:34:35: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2017-08-12 16:34:38: WARNING: OpenVPN was configured to add an IPv6 route over utun3. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
2017-08-12 16:34:38: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-08-12 16:34:38: Initialization Sequence Completed
2017-08-12 16:34:38: DNS mode set to Full
2017-08-12 16:34:38: State changed to Connected
2017-08-12 16:34:38: DNS change detected, restoring DNS settings
2017-08-12 16:34:57: State changed to Disconnecting
2017-08-12 16:34:57: SIGTERM[hard,] received, process exiting
2017-08-12 16:34:58: State changed to Disconnected

Re: Connected but no Client IP

Posted: Mon Aug 14, 2017 3:31 pm
by James
Hi msinca,

I strongly recommend addressing the warnings in your log, as it's likely you'll see some performance and security issues if you don't. However, the following indicates the problem:

2017-08-12 16:34:35: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'


Your server is set to use bridged/TAP mode, while the client is set to use tun. You should change this to TAP.

Cheers,
James
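
Added example (not part of the original posts, and not Viscosity or OpenVPN code): a small Python triage pass over a log like the one above. It pulls out the option mismatches between client and server and groups the other warnings by kind. The function names and the kind/class labels are this example's own; the sample lines are copied from the first log in this thread.

```python
import re

# Lines copied from the first log posted in this thread.
SAMPLE_LOG = """\
2017-08-12 16:34:25: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-08-12 16:34:25: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-12 16:34:35: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
2017-08-12 16:34:35: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
2017-08-12 16:34:38: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-08-12 16:34:38: Initialization Sequence Completed
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (.*)$")
MISMATCH = re.compile(r"'([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
# Log substring -> (kind, class). The labels are this example's own naming.
RULES = {
    "INSECURE cipher": ("weak-cipher", "security"),
    "may cache passwords in memory": ("password-cache", "security"),
    "ROUTE6:": ("ipv6-route", "connectivity"),
    "write to TUN/TAP": ("tap-write-error", "connectivity"),
}

def triage(log_text):
    """Return one finding per distinct issue, in order of first appearance."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        mm = MISMATCH.search(msg)
        if mm:
            opt, local, remote = mm.groups()
            key = ("option-mismatch", opt)
            new = {"kind": key[0], "class": "connectivity", "option": opt,
                   "local": local.split(None, 1)[-1], "remote": remote.split(None, 1)[-1]}
        else:
            hit = next((v for k, v in RULES.items() if k in msg), None)
            if hit is None:
                continue  # informational line, nothing to report
            key = (hit[0], None)
            new = {"kind": hit[0], "class": hit[1]}
        entry = findings.setdefault(key, {**new, "first_seen": ts, "count": 0})
        entry["count"] += 1
    return list(findings.values())

def dev_type_mismatch(findings):
    """Return (local, remote) when client and server disagree on tun vs tap, else None."""
    return next(((f["local"], f["remote"]) for f in findings
                 if f.get("option") == "dev-type"), None)
```

Running `triage()` on a full saved log and checking `dev_type_mismatch()` first separates the mismatch that stops traffic from the security warnings that still need fixing afterwards.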

Re: Connected but no Client IP

Posted: Tue Aug 15, 2017 4:29 am
by msinca
Hi James,

Thanks for the reply. I will definitely deal with the warnings but first I want to try to get it to work.

My bad on the tun/tap issue - I was changing it back and forth trying to get it to work and I must have sent you the log from one where I tried to connect where they were misaligned. The problem seems to occur regardless of whether the client/server are set to tun or tap.

I made sure they were both 'tap' and am still getting the same issue (see below).

Thanks again for any help!

Mike


2017-08-14 10:21:44: Viscosity Mac 1.7.3 (1412)
2017-08-14 10:21:44: Viscosity OpenVPN Engine Started
2017-08-14 10:21:44: Running on macOS 10.12.6
2017-08-14 10:21:44: ---------
2017-08-14 10:21:44: State changed to Connecting
2017-08-14 10:21:44: Checking reachability status of connection...
2017-08-14 10:21:44: Connection is reachable. Starting connection attempt.
2017-08-14 10:21:44: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
2017-08-14 10:21:44: OpenVPN 2.4.3 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 21 2017
2017-08-14 10:21:44: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
2017-08-14 10:21:45: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-08-14 10:21:45: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-08-14 10:21:45: GDG6: problem writing to routing socket
2017-08-14 10:21:45: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-14 10:21:45: OpenVPN ROUTE: failed to parse/resolve route for host/network: fc00::/7
2017-08-14 10:21:45: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-14 10:21:45: OpenVPN ROUTE: failed to parse/resolve route for host/network: 3000::/4
2017-08-14 10:21:45: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-14 10:21:45: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/4
2017-08-14 10:21:45: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2017-08-14 10:21:45: OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/3
2017-08-14 10:21:45: TUN/TAP device /dev/tap0 opened
2017-08-14 10:21:45: TCP/UDP: Preserving recently used remote address: [AF_INET]76.XXX.XXX.XXX:443
2017-08-14 10:21:45: UDP link local (bound): [AF_INET][undef]:1194
2017-08-14 10:21:45: UDP link remote: [AF_INET]76.XXX.XXX.XXX:443
2017-08-14 10:21:45: DHCP enabled on tap interface tap0
2017-08-14 10:21:46: Peer Connection Initiated with [AF_INET]76.XXX.XXX.XXX:443
2017-08-14 10:21:46: write to TUN/TAP : Input/output error (code=5)
2017-08-14 10:21:48: WARNING: OpenVPN was configured to add an IPv6 route over tap0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
2017-08-14 10:21:48: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-08-14 10:21:48: Initialization Sequence Completed
2017-08-14 10:21:48: DNS mode set to Split
2017-08-14 10:21:48: State changed to Connected
2017-08-14 10:21:52: DNS change detected, restoring DNS settings

Re: Connected but no Client IP

Posted: Thu Aug 17, 2017 9:46 pm
by James
Hi Mike,

Two things I'd recommend looking at:

1. You'll want to address the IPv6 routing errors. In Viscosity make sure you have the All Traffic option for your connections set to either "Automatic (Set by server)" or "Send all IPv4 traffic over VPN connection", as it does not appear that your connection is set up for IPv6.

2. Check to make sure that the VPN adapter is being assigned an IP address by the OpenVPN server. If it is, try adding a route setup delay (e.g. "route-delay 20") to ensure that OpenVPN adds the routes only after your connection has been assigned an IP address.
http://www.sparklabs.com/support/kb/art ... n-commands

Cheers,
James

Re: Connected but no Client IP

Posted: Fri Aug 18, 2017 2:35 pm
by msinca
Bingo! Thanks James.

Here's what did the trick:
- I had 'route-delay 2' and bumped it up to 'route-delay 20' per your suggestion.
- I enabled IPv6
- All Traffic: Send all traffic over VPN selected
- Mode: Full DNS and I set the DNS to Google's 8.8.8.8

and it worked!

You just got yourself a happy paying customer! (you'll see one to 'Miles' tonight)

Thanks!