
Data is not routed through VPN

Posted: Mon Feb 01, 2021 11:47 pm
by JamesZhang
Hello,

I am using Viscosity (version 1.9) on an M1 MacBook Pro, macOS 11.1, but I found that data is not routed through the VPN.
I originally wanted to use VS Code to ssh to my remote server through OpenVPN, but the connection timed out.

I am using a TAP VPN, and here is the output of ifconfig en6:
--------------------------------------------------------------------------------------------------------------------------
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=400<CHANNEL_IO>
ether a6:10:d1:63:ab:40
inet6 fe80::14fd:b4f5:65ca:8e7e%en6 prefixlen 64 secured scopeid 0x19
inet 172.20.51.27 netmask 0xfffff800 broadcast 172.20.55.255
inet6 2001:250:3c02:719:c70:783c:a059:6a8 prefixlen 64 autoconf secured
inet6 2001:250:3c02:719:f953:855:d38e:8003 prefixlen 64 autoconf temporary
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active

If the data were routed through the VPN, the next hop would be 172.20.x.x. When I used traceroute to check, I found that the data is not routed through the VPN:
---------------------------------------------------------------------------------------------
traceroute to 10.10.1.87 (10.10.1.87), 64 hops max, 52 byte packets
1 192.168.0.1 (192.168.0.1) 3.393 ms 1.735 ms 1.660 ms
2 10.76.64.1 (10.76.64.1) 7.902 ms 4.278 ms 4.376 ms
3 218.202.12.53 (218.202.12.53) 4.994 ms 9.720 ms 4.952 ms
......

If everything went right, I should get this result:
-------------------------------------------------------------------------
traceroute to 10.10.1.87 (10.10.1.87), 64 hops max, 52 byte packets
1 172.20.48.2 (172.20.48.2) 109.300 ms 101.385 ms 111.155 ms
2 10.250.1.1 (10.250.1.1) 102.849 ms 100.998 ms 104.760 ms
3 10.10.1.87 (10.10.1.87) 100.866 ms 157.957 ms 101.041 ms

I tried all the options, like "Send all traffic over VPN connection" and "Send all IPv4 traffic over VPN connection", but it still doesn't work.
And here is the log:
-----------------------------------------------------------------------------------
2021-02-01 20:17:51: Viscosity Mac 1.9 (1556)
2021-02-01 20:17:51: Viscosity OpenVPN Engine Started
2021-02-01 20:17:51: Running on macOS 11.1.0
2021-02-01 20:17:51: ---------
2021-02-01 20:17:51: State changed to Connecting
2021-02-01 20:17:51: Checking reachability status of connection...
2021-02-01 20:17:51: Connection is reachable. Starting connection attempt.
2021-02-01 20:17:51: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
2021-02-01 20:17:51: OpenVPN 2.4.9 arm-apple-darwin20.0.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 10 2020
2021-02-01 20:17:51: library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
2021-02-01 20:17:51: Valid endpoint found: 210.75.252.18:8443:udp
2021-02-01 20:17:51: TCP/UDP: Preserving recently used remote address: [AF_INET]210.75.252.18:8443
2021-02-01 20:17:51: UDP link local: (not bound)
2021-02-01 20:17:51: UDP link remote: [AF_INET]210.75.252.18:8443
2021-02-01 20:17:51: State changed to Authenticating
2021-02-01 20:17:52: [siat-server] Peer Connection Initiated with [AF_INET]210.75.252.18:8443
2021-02-01 20:17:53: DHCP enabled on tap interface en6
2021-02-01 20:17:53: IPv6 enabled on tap interface en6
2021-02-01 20:17:54: TUN/TAP device en6 opened
2021-02-01 20:17:54: NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
2021-02-01 20:17:54: Initialization Sequence Completed
2021-02-01 20:17:54: DNS mode set to Split
2021-02-01 20:17:54: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/ar ... e-present/
2021-02-01 20:17:54: State changed to Connected
2021-02-01 20:17:57: DNS change detected, ignoring as it is likely RDNSS
2021-02-01 20:17:57: DNS change detected, ignoring as it is likely RDNSS
2021-02-01 20:17:57: DNS change detected, ignoring as it is likely RDNSS

Re: Data is not routed through VPN

Posted: Tue Feb 02, 2021 9:50 am
by James
Hi JamesZhang,

As you're using DHCP and IPv6 Auto configuration for address assignment, OpenVPN itself doesn't know what gateway address it should use for the routes it creates. The relevant line in the log is:
Code:
NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
For IPv4 you can instruct OpenVPN to use the gateway set by the DHCP server by editing your connection in Viscosity, going to the Networking tab, and entering "dhcp" (without the quotes) into the Default Gateway field. If it isn't already in your configuration, it's also a good idea to add "route-delay auto" (without the quotes) as an advanced command to your connection as well (this will ensure that OpenVPN will wait for DHCP before creating the routes):
https://www.sparklabs.com/support/kb/ar ... n-commands

For IPv6 you'll need to specify the gateway address manually. To do this, add the advanced command "route-ipv6-gateway <gateway-ip>" (without the quotes) to your connection, and replace "<gateway-ip>" with the IPv6 address of the gateway/router to use.

Cheers,
James

Re: Data is not routed through VPN

Posted: Tue Feb 02, 2021 1:26 pm
by JamesZhang
Thanks for your help,
I tried the methods you suggested, but they didn't work. I tested further and found that after successfully connecting to the VPN, my default gateway had not changed.

I used route -n get default to check the default gateway:
This is the result when the VPN is not connected (the result after the VPN connects is the same):
Code:
   route to: default
destination: default
       mask: default
    gateway: 192.168.0.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 
       
However, the result should be:
Code:
  route to: default
destination: default
       mask: default
    gateway: 172.20.48.1
  interface: en6
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 
Here are the results I get from ifconfig en6:
Code:
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 72:1c:f8:10:2d:ec 
	inet6 fe80::cde:29c8:f554:e691%en6 prefixlen 64 secured scopeid 0x26 
	inet6 2001:250:3c02:719:c70:783c:a059:6a8 prefixlen 64 autoconf secured 
	inet6 2001:250:3c02:719:e094:e9c9:742b:7bfc prefixlen 64 autoconf temporary 
	inet 172.20.52.102 netmask 0xfffff800 broadcast 172.20.55.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
Under normal circumstances there should be a routing table entry with a local address of 172.20.52.102, but when I ran netstat -n I didn't find one.

I really need a client that can help me connect to the remote server. If this problem can be solved, I will buy Viscosity immediately.

Re: Data is not routed through VPN

Posted: Tue Feb 02, 2021 2:00 pm
by JamesZhang
Congratulations!!!!!

The problem has been solved!!!

I used the commands:
Code:
sudo route delete default
sudo route add default 172.20.48.1
Thank you, my dear Viscosity.

But is there any way to make Viscosity automatically execute these two commands after connecting to the VPN? I don't know how the address 172.20.48.1 was obtained; I found it on the original computer where I use Tunnelblick.

Thanks again. :D

Re: Data is not routed through VPN

Posted: Tue Feb 02, 2021 3:05 pm
by James
Hi JamesZhang,

You don't want to be modifying the "default" route. OpenVPN will instead (assuming you're using the "def1" parameter, which Viscosity does by default) create two routes that override the default route. Modifying the default route directly can result in a dropped VPN connection or non-functional networking when you disconnect.

To check if your traffic is being routed into the tunnel by default please see:
https://www.sparklabs.com/support/kb/ar ... connection

For more information on how OpenVPN routes all traffic over the VPN connection please see:
https://www.sparklabs.com/support/kb/ar ... ct-gateway

Cheers,
James
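The two replies above describe how OpenVPN picks a gateway on a TAP interface addressed by DHCP and how "def1" overrides the default route with two half routes instead of replacing it. The following is an added example, not code from this thread or from SparkLabs: a plain OpenVPN client config fragment with the directives behind the Viscosity settings mentioned (`route-gateway dhcp`, `route-delay` in its numeric form, `route-ipv6-gateway`, `redirect-gateway def1`), plus two small checks for a macOS host. The first reads the TAP interface's DHCP lease with `ipconfig getpacket` to show where a gateway such as 172.20.48.1 comes from (the DHCP router option, which is what `route-gateway dhcp` uses); the second looks for the `0/1` and `128.0/1` routes in `netstat -rn` to confirm traffic is going into the tunnel, so the default route never has to be touched. The interface name en6, the server name vpn.example.com, the IPv6 gateway fe80::1 and the sample command outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum posts or from SparkLabs).
# Assumed for illustration: tap interface en6, server name vpn.example.com,
# IPv6 gateway fe80::1, and the sample command outputs below.

# OpenVPN directives behind the advice in the two replies above. Viscosity's
# "Default Gateway: dhcp" field is route-gateway dhcp; route-delay (numeric
# form used here) makes OpenVPN wait for the DHCP lease before adding routes;
# "Send all traffic over VPN" is redirect-gateway def1, which adds 0.0.0.0/1
# and 128.0.0.0/1 via the tunnel instead of replacing the system default route.
write_tap_dhcp_config() {
  cat <<'EOF'
client
dev tap
proto udp
# placeholder server, not the one in the thread
remote vpn.example.com 8443
# IPv4 gateway comes from the DHCP "router" option on the tap interface
route-gateway dhcp
# wait (seconds) for the DHCP lease before adding routes
route-delay 5
# two /1 routes override the default route without deleting it
redirect-gateway def1
# no DHCP for IPv6, so the gateway must be given explicitly (placeholder)
route-ipv6-gateway fe80::1
EOF
}

# Where a gateway such as 172.20.48.1 comes from: the DHCP router option of
# the tap lease. stdin: output of `ipconfig getpacket <if>` on macOS.
dhcp_router() {
  awk '/^router \(ip_mult\):/ { gsub(/[{}]/, "", $3); sub(/,.*/, "", $3); print $3; exit }'
}

# Returns 0 when both def1 routes (shown by macOS netstat as 0/1 and 128.0/1)
# point at interface $1. stdin: output of `netstat -rn`.
def1_routes_present() {
  awk -v ifc="$1" '
    $1 == "0/1" || $1 == "128.0/1" {
      for (i = 2; i <= NF; i++) if ($i == ifc) seen[$1] = 1
    }
    END { exit !(("0/1" in seen) && ("128.0/1" in seen)) }'
}

# Prints the gateway of the 0/1 route on interface $1. stdin: `netstat -rn`.
def1_gateway() {
  awk -v ifc="$1" '$1 == "0/1" { for (i = 3; i <= NF; i++) if ($i == ifc) { print $2; exit } }'
}

# Live check for a macOS host; run as: RUN_LIVE=1 ./tap_routes.sh en6
check_tunnel_routes() {
  gw=$(ipconfig getpacket "$1" | dhcp_router)
  echo "DHCP router on $1: ${gw:-<none>}"
  if netstat -rn | def1_routes_present "$1"; then
    echo "0/1 and 128.0/1 via $1 present: traffic is routed into the tunnel"
  else
    echo "no 0/1 and 128.0/1 via $1: traffic still follows the LAN default route"
  fi
}

# Constructed sample outputs in the formats macOS prints (not captured from
# the poster's machine), so the parsers can be exercised offline.
SAMPLE_DHCP_PACKET='op = BOOTREPLY
yiaddr = 172.20.52.102
options:
subnet_mask (ip): 255.255.248.0
router (ip_mult): {172.20.48.1}
domain_name_server (ip_mult): {172.20.48.1}
end (none):'

SAMPLE_ROUTES_OK='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
0/1                172.20.48.1        UGSc         en6
default            192.168.0.1        UGSc         en0
128.0/1            172.20.48.1        UGSc         en6
172.20.48/21       link#25            UCS          en6
192.168.0/24       link#6             UCS          en0
210.75.252.18      192.168.0.1        UGHS         en0'

SAMPLE_ROUTES_BAD='Destination        Gateway            Flags        Netif Expire
default            192.168.0.1        UGSc         en0
172.20.48/21       link#25            UCS          en6
192.168.0/24       link#6             UCS          en0'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_tunnel_routes "${1:-en6}"
fi
```

With the config above, a healthy connection leaves `default` pointing at the LAN router (192.168.0.1 via en0) and adds `0/1` and `128.0/1` via the tap gateway; that is what `check_tunnel_routes` looks for, and it is why deleting and re-adding `default` by hand is unnecessary. The host route for the VPN server via the LAN gateway in the sample is what keeps the tunnel's own UDP packets from being sent into the tunnel.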

Re: Data is not routed through VPN

Posted: Tue Feb 02, 2021 5:31 pm
by JamesZhang
Thank you, but currently this is the only working way I have found; at least through this I can successfully access my remote server, and I am so happy.

I used AppleScript to automatically change the default route after VPN connection and disconnection, but I encountered a problem: the script cannot run normally when it needs sudo permissions.

Here is the Connected Script:
Code:
display dialog "setting default 172.20.48.1"
-- "with administrator privileges" already runs the command as root, so a
-- leading "sudo" is redundant. The admin user name and password are stored
-- in this script in plain text; replace the placeholders with your own.
do shell script "route delete default; route add default 172.20.48.1" user name "myname" password "mypassword" with administrator privileges
display dialog "successfully"
When the VPN connected, the AppleScript displayed the "setting default 172.20.48.1" dialog box but did not display the "successfully" dialog box. I judged that there was a problem with using sudo privileges, because I tested that an AppleScript that does not require sudo permissions runs normally. The same happens with the Disconnected Script.

However, it runs normally if I open it with AppleScript.app and click the Run button directly. Do you know why this is? Is there any solution to make the script run normally?

Thank you.

Re: Data is not routed through VPN

Posted: Tue Feb 02, 2021 6:12 pm
by James
Hi JamesZhang,

I need to stress again that you don't have to modify the computer's default route and that we advise against it. OpenVPN will create the routes needed as long as the default gateway is correctly configured.

Information for creating custom routes can be found at:
https://www.sparklabs.com/support/kb/ar ... lications/

Cheers,
James

Re: Data is not routed through VPN

Posted: Tue Feb 02, 2021 7:04 pm
by JamesZhang
Thank you, James.

I tried customizing an IP route in the Networking tab, but it didn't work, so now I use my own solution. Thank you anyway; I just don't know how else to deal with the problem, and for me my solution is enough.

And I find that when the VPN connection is disconnected, the default gateway is restored automatically by Viscosity, so I just need to make sure the Connected AppleScript mentioned above runs normally when the VPN connects.

Could you help me solve the problem of sudo permissions in AppleScript?

By the way, it would be great if you supported Alipay for payment.

:)

Re: Data is not routed through VPN

Posted: Wed Feb 03, 2021 4:25 pm
by James
Could you help me solve the problem of sudo permissions in AppleScript?
Please see the following for how to run a script with admin rights:
https://www.sparklabs.com/support/kb/ar ... ell-script

Cheers,
James