Viscosity connects, no ping to destination

Got a problem with Viscosity or need help? Ask here!

wpn

Posts: 5
Joined: Thu Jan 28, 2021 11:38 pm

Post by wpn » Tue Nov 30, 2021 7:12 am
Hello,

try to connect from a DS lite line (only IP v6) to a Synology OpenVPN server on a classic IP v4 and v6 internet connection. The problem is that the connection is possible but there is no connection (and no ping) to the Synology (192.168.178.5). I think there might be a problem with the routes, but I cannot interpret it.

Connecting from another internet connection is possible, also different Mac (macOS 11 and macOS 12).

Thank you very much for your help!
Code: Select all
Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.178.1      UGScg             en0       
default            10.8.0.13          UGScIg         utun10       
10.8/24            10.8.0.13          UGSc           utun10       
10.8.0.1/32        10.8.0.13          UGSc           utun10       
10.8.0.13          10.8.0.14          UHr            utun10       
10.8.0.13/32       link#15            UCS            utun10       
127                127.0.0.1          UCS               lo0       
127.0.0.1          127.0.0.1          UH                lo0       
169.254            link#6             UCS               en0      !
192.168.178        link#6             UCS               en0      !
192.168.178.1/32   link#6             UCS               en0      !
192.168.178.1      xxxxx4d:63:3e  UHLWIir           en0   1173
192.168.178.5      link#6             UHRLWIi           en0      !
192.168.178.20/32  link#6             UCS               en0      !
192.168.178.21     xxxxxx0:7c:7d  UHLWIi            en0    641
192.168.178.23     xxxxxxxx8:db  UHLWI             en0    947
192.168.178.30     xxxxxxxx:15:37:7f  UHLWI             en0    841
192.168.178.31     xxxxxxxxxe7:97:5c  UHLWIi            en0   1119
192.168.178.33     xxxxxxxxx:99:c1:f2  UHLWI             en0    510
192.168.178.36     xxxxxxxxxb3:9:d6   UHLWI             en0    467
224.0.0/4          link#6             UmCS              en0      !
224.0.0/4          link#15            UmCSI          utun10       
224.0.0.251        xxxxxxx:0:0:fb      UHmLWI            en0       
255.255.255.255/32 link#6             UCS               en0      !
255.255.255.255/32 link#15            UCSI           utun10
Code: Select all
2021-11-28 18:54:05: Viscosity Mac 1.10.1 (1586)
2021-11-28 18:54:05: Viscosity OpenVPN Engine Started
2021-11-28 18:54:05: Running on macOS 12.0.1
2021-11-28 18:54:05: ---------
2021-11-28 18:54:05: State changed to Connecting
2021-11-28 18:54:05: Checking reachability status of connection...
2021-11-28 18:54:05: Connection is reachable. Starting connection attempt.
2021-11-28 18:54:05: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-11-28 18:54:05: OpenVPN 2.5.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Oct 22 2021
2021-11-28 18:54:05: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-11-28 18:54:05: Resolving address: xxxxxxx.synology.me
2021-11-28 18:54:05: Valid endpoint found: xxxxxxxx.107:55516:udp
2021-11-28 18:54:05: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-11-28 18:54:05: TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxxxx:55516
2021-11-28 18:54:05: UDP link local (bound): [AF_INET][undef]:1194
2021-11-28 18:54:05: UDP link remote: [AF_INET]xxxxxx6.107:55516
2021-11-28 18:54:05: State changed to Authenticating
2021-11-28 18:54:06: [xxxxxxx.synology.me] Peer Connection Initiated with [AF_INET]xxxxxxx:55516
2021-11-28 18:54:06: Opened utun device utun10
2021-11-28 18:54:06: /sbin/ifconfig utun10 delete
2021-11-28 18:54:06: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-11-28 18:54:06: /sbin/ifconfig utun10 10.8.0.14 10.8.0.13 mtu 1500 netmask 255.255.255.255 up
2021-11-28 18:54:06: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-11-28 18:54:06: Initialization Sequence Completed
2021-11-28 18:54:06: DNS mode set to Split
2021-11-28 18:54:06: DNS Server/s: 10.8.0.1
2021-11-28 18:54:06: DNS Domains/s: synology.me
2021-11-28 18:54:06: State changed to Connected

James

User avatar
Posts: 2143
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Nov 30, 2021 11:55 am
Hi wpn,

You should be able to access the Synology by its internal VPN IP address (likely 10.8.0.1 in this case).

As to why it's not accessible via 192.168.178.5, either the 192.168.178.0/24 range isn't being routed into the VPN connection, or the Synology OpenVPN server isn't configured to support routing this IP range over the VPN connection.

If you turn the log verbosity level up, as documented at the link below, the log should list all routes being added:
https://www.sparklabs.com/support/kb/ar ... ed-logging

On the Synology OpenVPN server you'll need to ensure the Allow clients to access server's LAN option is enabled to use the LAN IP range (which is probably 192.168.178.x). You can find more setup information about this at:
https://www.sparklabs.com/support/kb/ar ... viscosity/

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

wpn

Posts: 5
Joined: Thu Jan 28, 2021 11:38 pm

Post by wpn » Wed Dec 01, 2021 7:00 am
Hi James,

thank you very much for your answer!

I tried the 10.8.0.1 address - and it works fine. I also made the verbose log as you suggested. In addition, I went through the manuals you linked. But it seems everything as you describe in there.

The one thing I see is some TLS certificate stuff. Can that be a problem?

Thanks a lot,
Stephan

Code: Select all
2021-11-30 20:21:36: Viscosity Mac 1.10.1 (1586)
2021-11-30 20:21:36: Viscosity OpenVPN Engine Started
2021-11-30 20:21:36: Running on macOS 12.0.1
2021-11-30 20:21:36: ---------
2021-11-30 20:21:36: State changed to Connecting
2021-11-30 20:21:36: Checking reachability status of connection...
2021-11-30 20:21:36: Connection is reachable. Starting connection attempt.
2021-11-30 20:21:36: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-11-30 20:21:36: Current Parameter Settings:
2021-11-30 20:21:36:   config = 'config.conf'
2021-11-30 20:21:36:   mode = 0
2021-11-30 20:21:36:   show_ciphers = DISABLED
2021-11-30 20:21:36:   show_digests = DISABLED
2021-11-30 20:21:36:   show_engines = DISABLED
2021-11-30 20:21:36:   genkey = DISABLED
2021-11-30 20:21:36:   genkey_filename = '[UNDEF]'
2021-11-30 20:21:36:   key_pass_file = '[UNDEF]'
2021-11-30 20:21:36:   show_tls_ciphers = DISABLED
2021-11-30 20:21:36:   connect_retry_max = 0
2021-11-30 20:21:36: Connection profiles [0]:
2021-11-30 20:21:36:   proto = udp
2021-11-30 20:21:36:   local = '[UNDEF]'
2021-11-30 20:21:36:   local_port = '1194'
2021-11-30 20:21:36:   remote = 'xxxxxx.synology.me'
2021-11-30 20:21:36:   remote_port = '55516'
2021-11-30 20:21:36:   remote_float = DISABLED
2021-11-30 20:21:36:   bind_defined = DISABLED
2021-11-30 20:21:36:   bind_local = ENABLED
2021-11-30 20:21:36:   bind_ipv6_only = DISABLED
2021-11-30 20:21:36:   connect_retry_seconds = 5
2021-11-30 20:21:36:   connect_timeout = 120
2021-11-30 20:21:36:   socks_proxy_server = '[UNDEF]'
2021-11-30 20:21:36:   socks_proxy_port = '[UNDEF]'
2021-11-30 20:21:36:   tun_mtu = 1500
2021-11-30 20:21:36:   tun_mtu_defined = ENABLED
2021-11-30 20:21:36:   link_mtu = 1500
2021-11-30 20:21:36:   link_mtu_defined = DISABLED
2021-11-30 20:21:36:   tun_mtu_extra = 0
2021-11-30 20:21:36:   tun_mtu_extra_defined = DISABLED
2021-11-30 20:21:36:   mtu_discover_type = -1
2021-11-30 20:21:36:   fragment = 0
2021-11-30 20:21:36:   mssfix = 1450
2021-11-30 20:21:36:   explicit_exit_notification = 0
2021-11-30 20:21:36:   tls_auth_file = '[UNDEF]'
2021-11-30 20:21:36:   key_direction = not set
2021-11-30 20:21:36:   tls_crypt_file = '[UNDEF]'
2021-11-30 20:21:36:   tls_crypt_v2_file = '[UNDEF]'
2021-11-30 20:21:36: Connection profiles END
2021-11-30 20:21:36:   remote_random = DISABLED
2021-11-30 20:21:36:   ipchange = '[UNDEF]'
2021-11-30 20:21:36:   dev = 'tun'
2021-11-30 20:21:36:   dev_type = '[UNDEF]'
2021-11-30 20:21:36:   dev_node = 'utun'
2021-11-30 20:21:36:   lladdr = '[UNDEF]'
2021-11-30 20:21:36:   topology = 1
2021-11-30 20:21:36:   ifconfig_local = '[UNDEF]'
2021-11-30 20:21:36:   ifconfig_remote_netmask = '[UNDEF]'
2021-11-30 20:21:36:   ifconfig_noexec = DISABLED
2021-11-30 20:21:36:   ifconfig_nowarn = DISABLED
2021-11-30 20:21:36:   ifconfig_ipv6_local = '[UNDEF]'
2021-11-30 20:21:36:   ifconfig_ipv6_netbits = 0
2021-11-30 20:21:36:   ifconfig_ipv6_remote = '[UNDEF]'
2021-11-30 20:21:36:   shaper = 0
2021-11-30 20:21:36:   mtu_test = 0
2021-11-30 20:21:36:   mlock = DISABLED
2021-11-30 20:21:36:   keepalive_ping = 0
2021-11-30 20:21:36:   keepalive_timeout = 0
2021-11-30 20:21:36:   inactivity_timeout = 0
2021-11-30 20:21:36:   ping_send_timeout = 0
2021-11-30 20:21:36:   ping_rec_timeout = 0
2021-11-30 20:21:36:   ping_rec_timeout_action = 0
2021-11-30 20:21:36:   ping_timer_remote = DISABLED
2021-11-30 20:21:36:   remap_sigusr1 = 0
2021-11-30 20:21:36:   persist_tun = DISABLED
2021-11-30 20:21:36:   persist_local_ip = DISABLED
2021-11-30 20:21:36:   persist_remote_ip = DISABLED
2021-11-30 20:21:36:   persist_key = DISABLED
2021-11-30 20:21:36:   passtos = DISABLED
2021-11-30 20:21:36:   resolve_retry_seconds = 1000000000
2021-11-30 20:21:36:   resolve_in_advance = DISABLED
2021-11-30 20:21:36:   username = '[UNDEF]'
2021-11-30 20:21:36:   groupname = '[UNDEF]'
2021-11-30 20:21:36:   chroot_dir = '[UNDEF]'
2021-11-30 20:21:36:   cd_dir = '[UNDEF]'
2021-11-30 20:21:36:   writepid = '[UNDEF]'
2021-11-30 20:21:36:   up_script = '[UNDEF]'
2021-11-30 20:21:36:   down_script = '[UNDEF]'
2021-11-30 20:21:36:   down_pre = DISABLED
2021-11-30 20:21:36:   up_restart = DISABLED
2021-11-30 20:21:36:   up_delay = DISABLED
2021-11-30 20:21:36:   daemon = DISABLED
2021-11-30 20:21:36:   inetd = 0
2021-11-30 20:21:36:   log = DISABLED
2021-11-30 20:21:36:   suppress_timestamps = DISABLED
2021-11-30 20:21:36:   machine_readable_output = ENABLED
2021-11-30 20:21:36:   nice = 0
2021-11-30 20:21:36:   verbosity = 5
2021-11-30 20:21:36:   mute = 100
2021-11-30 20:21:36:   status_file = '[UNDEF]'
2021-11-30 20:21:36:   status_file_version = 1
2021-11-30 20:21:36:   status_file_update_freq = 60
2021-11-30 20:21:36:   occ = ENABLED
2021-11-30 20:21:36:   rcvbuf = 0
2021-11-30 20:21:36:   sndbuf = 0
2021-11-30 20:21:36:   sockflags = 0
2021-11-30 20:21:36:   fast_io = DISABLED
2021-11-30 20:21:36:   comp.alg = 0
2021-11-30 20:21:36:   comp.flags = 0
2021-11-30 20:21:36: NOTE: --mute triggered...
2021-11-30 20:21:36: 187 variation(s) on previous 100 message(s) suppressed by --mute
2021-11-30 20:21:36: OpenVPN 2.5.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Oct 22 2021
2021-11-30 20:21:36: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-11-30 20:21:36: Resolving address: qnapnapnap.synology.me
2021-11-30 20:21:36: Valid endpoint found: xxxxxxxxx.107:55516:udp
2021-11-30 20:21:36: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-11-30 20:21:36: Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2021-11-30 20:21:36: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-11-30 20:21:36: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2021-11-30 20:21:36: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2021-11-30 20:21:36: TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxx6.107:55516
2021-11-30 20:21:36: Socket Buffers: R=[786896->786896] S=[9216->9216]
2021-11-30 20:21:36: UDP link local (bound): [AF_INET][undef]:1194
2021-11-30 20:21:36: UDP link remote: [AF_INET]xxxxxxxx.107:55516
2021-11-30 20:21:36: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxxxxxx36.107:55516 [0]
2021-11-30 20:21:36: State changed to Authenticating
2021-11-30 20:21:36: TLS: Initial packet from [AF_INET]xxxxxxxxx107:55516, sid=dd2b4b86 67b7778c
2021-11-30 20:21:36: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxxxxxxx.107:55516 [0]
2021-11-30 20:21:36: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxxxxxx6.107:55516 [0]
2021-11-30 20:21:36: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxxxxxx36.107:55516 [0]
2021-11-30 20:21:36: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxxxxxxx36.107:55516 [0]
2021-11-30 20:21:36: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxxxxxx36.107:55516 [0]
2021-11-30 20:21:36: VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2021-11-30 20:21:36: VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2021-11-30 20:21:36: VERIFY OK: depth=0, CN=xxxxxxxx.synology.me
2021-11-30 20:21:36: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxxxxx6.107:55516 [0]
2021-11-30 20:21:36: TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxxxxxxx6.107:55516 [0]
2021-11-30 20:21:37: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-11-30 20:21:37: [xxxxxxxxxx.synology.me] Peer Connection Initiated with [AF_INET]xxxxxxx.107:55516
2021-11-30 20:21:37: SENT CONTROL [xxxxxxxxx.synology.me]: 'PUSH_REQUEST' (status=1)
2021-11-30 20:21:37: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2021-11-30 20:21:37: OPTIONS IMPORT: timers and/or timeouts modified
2021-11-30 20:21:37: OPTIONS IMPORT: --ifconfig/up options modified
2021-11-30 20:21:37: OPTIONS IMPORT: route options modified
2021-11-30 20:21:37: OPTIONS IMPORT: peer-id set
2021-11-30 20:21:37: OPTIONS IMPORT: adjusting link_mtu to 1624
2021-11-30 20:21:37: OPTIONS IMPORT: data channel crypto options modified
2021-11-30 20:21:37: Data Channel: using negotiated cipher 'AES-256-GCM'
2021-11-30 20:21:37: Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
2021-11-30 20:21:37: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-30 20:21:37: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-30 20:21:37: Opened utun device utun10
2021-11-30 20:21:37: do_ifconfig, ipv4=1, ipv6=0
2021-11-30 20:21:37: /sbin/ifconfig utun10 delete
2021-11-30 20:21:37: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-11-30 20:21:37: /sbin/ifconfig utun10 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2021-11-30 20:21:37: /sbin/route add -net 192.168.178.5 10.8.0.5 255.255.255.0
2021-11-30 20:21:37: /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
2021-11-30 20:21:37: /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
2021-11-30 20:21:37: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-11-30 20:21:37: Initialization Sequence Completed
2021-11-30 20:21:37: DNS mode set to Split
2021-11-30 20:21:37: DNS Server/s: 10.8.0.1
2021-11-30 20:21:37: DNS Domains/s: synology.me
2021-11-30 20:21:37: State changed to Connected

James

User avatar
Posts: 2143
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Dec 01, 2021 2:37 pm
Hi Stephan,

The big problem I see here is it looks like your Synology OpenVPN server is using a Let's Encrypt certificate web certificate, instead of a self-generated server certificate. Using a Let's Encrypt certificate certificate like this is insecure, as it potentially allows anyone to MITM your VPN connection.

I recommend you re-create your Synology OpenVPN server from scratch using the guide linked below. It covers how to generate a certificate for the OpenVPN server, as well as some other configuration settings that could be the cause of your problem accessing your LAN:
https://www.sparklabs.com/support/kb/ar ... viscosity/

The "TLS Error: local/remote TLS keys are out of sync" can occur if two connections are attempting to access the OpenVPN server and appear to the server as having the same remote IP address and port number. Even if you're only using a single connection at a time, depending on its settings, the OpenVPN server may be slow at timing out old connections. Make sure the "No Bind" option is ticked under the "Options" tab when editing your connection in Viscosity, as that should resolve it in most instances.

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

wpn

Posts: 5
Joined: Thu Jan 28, 2021 11:38 pm

Post by wpn » Thu Dec 02, 2021 3:45 am
Hello James,

thanks for all your support!

I found the culprit: It was the Synology. The hook for Allow clients to access server's LAN does not have any effect except you reboot the Synology.

In addition, this option does not lead to the same behavior with different computers. On my Mac from an internet connection with full IPv4 and v6 addresses (no idea if that is the cause), I can access the Synology as well as other devices in the LAN even when this box is not checked. From by brothers connection (IPv6) the option works as expected and he cannot access the Synology or LAN when the hook is not set and the machine is rebooted to set the setting in effect. We tried this with several reboots. I always could access the Synology, he only when the box was checked.

Thank you also for the tip with the certificate! Your input is highly appreciated.

Best,
Stephan
5 posts Page 1 of 1