Data is not routed through VPN


JamesZhang

Posts: 5
Joined: Mon Feb 01, 2021 11:24 pm

Post by JamesZhang » Mon Feb 01, 2021 11:47 pm
Hello,

I am using Viscosity (version 1.9) on an M1 MacBook Pro, OS "11.1", but I found that data is not routed through the VPN.
I originally wanted to use VS Code to remotely ssh to my server through OpenVPN, but the connection timed out.

I used a Tap VPN, and here is the information when I use ifconfig en6:
--------------------------------------------------------------------------------------------------------------------------
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=400<CHANNEL_IO>
ether a6:10:d1:63:ab:40
inet6 fe80::14fd:b4f5:65ca:8e7e%en6 prefixlen 64 secured scopeid 0x19
inet 172.20.51.27 netmask 0xfffff800 broadcast 172.20.55.255
inet6 2001:250:3c02:719:c70:783c:a059:6a8 prefixlen 64 autoconf secured
inet6 2001:250:3c02:719:f953:855:d38e:8003 prefixlen 64 autoconf temporary
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active

Actually, if the data were routed through the VPN, the next hop would be 172.20.*.* etc. Then I used traceroute to track it, and I found the data is not routed through the VPN:
---------------------------------------------------------------------------------------------
traceroute to 10.10.1.87 (10.10.1.87), 64 hops max, 52 byte packets
1 192.168.0.1 (192.168.0.1) 3.393 ms 1.735 ms 1.660 ms
2 10.76.64.1 (10.76.64.1) 7.902 ms 4.278 ms 4.376 ms
3 218.202.12.53 (218.202.12.53) 4.994 ms 9.720 ms 4.952 ms
......

If everything goes right, I should get this result:
-------------------------------------------------------------------------
traceroute to 10.10.1.87 (10.10.1.87), 64 hops max, 52 byte packets
1 172.20.48.2 (172.20.48.2) 109.300 ms 101.385 ms 111.155 ms
2 10.250.1.1 (10.250.1.1) 102.849 ms 100.998 ms 104.760 ms
3 10.10.1.87 (10.10.1.87) 100.866 ms 157.957 ms 101.041 ms

I tried all the options like send all traffic over VPN connection, send all IPv4 traffic over VPN connection, but it still doesn't work.
And here is the log:
-----------------------------------------------------------------------------------
2021-02-01 20:17:51: Viscosity Mac 1.9 (1556)
2021-02-01 20:17:51: Viscosity OpenVPN Engine Started
2021-02-01 20:17:51: Running on macOS 11.1.0
2021-02-01 20:17:51: ---------
2021-02-01 20:17:51: State changed to Connecting
2021-02-01 20:17:51: Checking reachability status of connection...
2021-02-01 20:17:51: Connection is reachable. Starting connection attempt.
2021-02-01 20:17:51: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
2021-02-01 20:17:51: OpenVPN 2.4.9 arm-apple-darwin20.0.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 10 2020
2021-02-01 20:17:51: library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
2021-02-01 20:17:51: Valid endpoint found: 210.75.252.18:8443:udp
2021-02-01 20:17:51: TCP/UDP: Preserving recently used remote address: [AF_INET]210.75.252.18:8443
2021-02-01 20:17:51: UDP link local: (not bound)
2021-02-01 20:17:51: UDP link remote: [AF_INET]210.75.252.18:8443
2021-02-01 20:17:51: State changed to Authenticating
2021-02-01 20:17:52: [siat-server] Peer Connection Initiated with [AF_INET]210.75.252.18:8443
2021-02-01 20:17:53: DHCP enabled on tap interface en6
2021-02-01 20:17:53: IPv6 enabled on tap interface en6
2021-02-01 20:17:54: TUN/TAP device en6 opened
2021-02-01 20:17:54: NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
2021-02-01 20:17:54: Initialization Sequence Completed
2021-02-01 20:17:54: DNS mode set to Split
2021-02-01 20:17:54: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/ar ... e-present/
2021-02-01 20:17:54: State changed to Connected
2021-02-01 20:17:57: DNS change detected, ignoring as it is likely RDNSS
2021-02-01 20:17:57: DNS change detected, ignoring as it is likely RDNSS
2021-02-01 20:17:57: DNS change detected, ignoring as it is likely RDNSS

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Feb 02, 2021 9:50 am
Hi JamesZhang,

As you're using DHCP and IPv6 Auto configuration for address assignment, OpenVPN itself doesn't know what gateway address it should use for the routes it creates. The relevant line in the log is:
Code:
NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
For IPv4 you can instruct OpenVPN to use the gateway set by the DHCP server by editing your connection in Viscosity, going to the Networking tab, and entering "dhcp" (without the quotes) into the Default Gateway field. If it isn't already in your configuration, it's also a good idea to add "route-delay auto" (without the quotes) as an advanced command to your connection as well (this will ensure that OpenVPN will wait for DHCP before creating the routes):
https://www.sparklabs.com/support/kb/ar ... n-commands

For IPv6 you'll need to specify the gateway address manually. To do this, add the advanced command "route-ipv6-gateway <gateway-ip>" (without the quotes) to your connection, and replace "<gateway-ip>" with the IPv6 address of the gateway/router to use.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Post by JamesZhang » Tue Feb 02, 2021 1:26 pm
Thanks for your help,
I tried the methods you said, but they didn't work. I further tested and found that after successfully connecting to the VPN, my default gateway has not changed.

I used route -n get default to check the default gateway:
The result obtained when the VPN is not connected is (The result after VPN connection is the same):
Code:
   route to: default
destination: default
       mask: default
    gateway: 192.168.0.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 
       
However, the result should be:
Code:
  route to: default
destination: default
       mask: default
    gateway: 172.20.48.1
  interface: en6
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 
Here are the results I get through ifconfig en6:
Code:
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 72:1c:f8:10:2d:ec 
	inet6 fe80::cde:29c8:f554:e691%en6 prefixlen 64 secured scopeid 0x26 
	inet6 2001:250:3c02:719:c70:783c:a059:6a8 prefixlen 64 autoconf secured 
	inet6 2001:250:3c02:719:e094:e9c9:742b:7bfc prefixlen 64 autoconf temporary 
	inet 172.20.52.102 netmask 0xfffff800 broadcast 172.20.55.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
Under normal circumstances, there should be a routing table entry with a Local Address of 172.20.52.102, but when I used netstat -n, I didn't find it.

I really need a client that can help me connect to the remote server. If this problem can be solved, I will buy Viscosity immediately.

Post by JamesZhang » Tue Feb 02, 2021 2:00 pm
Congratulations!!!!!

The problem has been solved!!!

I use the commands:
Code:
sudo route delete default
sudo route add default 172.20.48.1
Thank you, my dear Viscosity.

But is there any way to make Viscosity automatically execute these two commands after connecting to the VPN? I don't know how the address 172.20.48.1 was obtained, I found it on the original computer where I use TunnelBlick.

Thanks again. :D

Post by James » Tue Feb 02, 2021 3:05 pm
Hi JamesZhang,

You don't want to be modifying the "default" route. OpenVPN will instead (assuming you're using the "def1" parameter, which Viscosity does by default) create two routes that override the default route. Modifying the default route directly can result in a dropping VPN connection or non-functional networking when you disconnect.

To check if your traffic is being routed into the tunnel by default please see:
https://www.sparklabs.com/support/kb/ar ... connection

For more information on how OpenVPN routes all traffic over the VPN connection please see:
https://www.sparklabs.com/support/kb/ar ... ct-gateway

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
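
How the two "def1" routes described in the reply above take precedence over the default route without replacing it, as an added example that is not part of the original thread or Viscosity's own code. The routing table is constructed from the addresses in this thread; the link#25/link#6 entries, the flags, and the host route to the VPN server (which OpenVPN's redirect-gateway adds via the original gateway) are assumptions about a typical macOS table.

```python
import ipaddress

# Constructed routing table modelled on the thread's addresses (not captured output).
# def1 adds the two /1 routes and a host route to the VPN server; "default" is untouched.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags   Netif
default            192.168.0.1        UGSc    en0
0/1                172.20.48.1        UGSc    en6
128.0/1            172.20.48.1        UGSc    en6
172.20.48/21       link#25            UCS     en6
192.168.0          link#6             UCS     en0
210.75.252.18/32   192.168.0.1        UGHS    en0
"""

def parse_dest(text):
    """Expand macOS netstat's abbreviated destination into an ip_network."""
    if text == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if not plen:  # no explicit length: four octets is a host, fewer is classful width
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen)

def parse_table(output):
    """Return (network, gateway, interface) tuples, skipping the header row."""
    routes = []
    for line in output.splitlines()[1:]:
        dest, gateway, _flags, netif = line.split()[:4]
        routes.append((parse_dest(dest), gateway, netif))
    return routes

def lookup(routes, destination):
    """Longest-prefix match: the most specific covering route wins."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in routes if ip in r[0]]
    _net, gateway, netif = max(matches, key=lambda r: r[0].prefixlen)
    return gateway, netif

def leaks(routes, destination, vpn_if="en6"):
    """True when traffic to destination would leave outside the VPN interface."""
    return lookup(routes, destination)[1] != vpn_if

if __name__ == "__main__":
    with_def1 = parse_table(SAMPLE_NETSTAT)
    no_def1 = [r for r in with_def1 if r[0].prefixlen != 1]  # what the thread's log implies
    for name, table in (("def1 present", with_def1), ("def1 missing", no_def1)):
        print(name, lookup(table, "10.10.1.87"), lookup(table, "210.75.252.18"))
```

With the /1 routes present, 10.10.1.87 resolves to en6 while the tunnel's own packets to 210.75.252.18 still leave via en0; with them missing, everything falls back to the untouched default route, which matches the traceroute in the first post.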

Post by JamesZhang » Tue Feb 02, 2021 5:31 pm
Thank you, but currently this is the only available way I found, at least through this I can successfully access my remote server, I am so happy.

I used AppleScript to automatically change the default route after vpn connection and disconnection, but I encountered a problem, that is, the script cannot run normally when using sudo permissions.

Here is the Connected Script:
Code:
display dialog "setting default 172.20.48.1"
do shell script "sudo route delete default; sudo route add default 172.20.48.1" user name "myname" password "mypassword" with administrator privileges
display dialog "successfully"
When the VPN connected, AppleScript successfully displayed the "setting default 172.20.48.1" dialog box, but did not display the "successfully" dialog box. I judged that there was a problem when using sudo privileges, because I tested that an AppleScript that does not require sudo permissions can run normally. And the same with the Disconnected Script.

However it can run normally if I open it with AppleScript.app and click run button directly. Do you know why this is? Is there any solution to make the script run normally?

Thank you.

Post by James » Tue Feb 02, 2021 6:12 pm
Hi JamesZhang,

I need to stress again that you don't have to modify the computer's default route and that we advise against it. OpenVPN will create the routes needed as long as the default gateway is correctly configured.

Information for creating custom routes can be found at:
https://www.sparklabs.com/support/kb/ar ... lications/

Cheers,
James

Post by JamesZhang » Tue Feb 02, 2021 7:04 pm
Thank you, James.

I tried customizing an IP route in the network tab, but it didn't work. Now I use my solution normally. Thank you anyway, I just don't know how to deal with the problem; for me, my solution is totally enough.

And I find that when the VPN connection is disconnected, the default gateway could be set to the default automatically by Viscosity, so I just need to make sure the Connected AppleScript mentioned above can run normally when the VPN is connected.

Could you help me solve the problem of sudo permission in AppleScript?

By the way, it would be great if you supported Alipay for payment.

:)

Post by James » Wed Feb 03, 2021 4:25 pm
"Could you help me solve the problem of sudo permission in AppleScript?"
Please see the following for how to run a script with admin rights:
https://www.sparklabs.com/support/kb/ar ... ell-script

Cheers,
James