Viscosity VPN using existing Tunnelblick OpenVPN config cannot authenticate/connect
- Posts: 9
- Joined: Wed Aug 25, 2021 11:47 pm
I have been using Tunnelblick for a couple of years to connect to our company VPN (using MikroTik - configured with an OpenVPN server).
Now, there is an issue with MacOS Big Sur and VMware Fusion 12 where the (Windows) VMs cannot use the VPN of the Mac any more. But according to this discussion https://communities.vmware.com/t5/VMwar ... ue#M172119 Viscosity should work.
Therefore, I have installed a trial and it suggests to import my connection from Tunnelblick. Fine!
However, it does not connect. I have tried to edit the connection and re-select the certificates but still no luck. If I edit it again it just shows "ca.crt", "cert.crt" and "key.key" - but I guess this is Viscosity's way of hiding what I have selected?
When I try to connect I get this in the log:
2021-08-25 12:39:35: Viscosity Mac 1.9.3 (1571)
2021-08-25 12:39:35: Viscosity OpenVPN Engine Started
2021-08-25 12:39:35: Running on macOS 11.5.2
2021-08-25 12:39:35: ---------
2021-08-25 12:39:35: State changed to Connecting
2021-08-25 12:39:35: Checking reachability status of connection...
2021-08-25 12:39:35: Connection is reachable. Starting connection attempt.
2021-08-25 12:39:35: Current Parameter Settings:
2021-08-25 12:39:35: config = 'config.conf'
2021-08-25 12:39:35: mode = 0
2021-08-25 12:39:35: show_ciphers = DISABLED
2021-08-25 12:39:35: show_digests = DISABLED
2021-08-25 12:39:35: show_engines = DISABLED
2021-08-25 12:39:35: genkey = DISABLED
2021-08-25 12:39:35: key_pass_file = '[UNDEF]'
2021-08-25 12:39:35: show_tls_ciphers = DISABLED
2021-08-25 12:39:35: connect_retry_max = 0
2021-08-25 12:39:35: Connection profiles [0]:
2021-08-25 12:39:35: proto = tcp-client
2021-08-25 12:39:35: local = '[UNDEF]'
2021-08-25 12:39:35: local_port = '[UNDEF]'
2021-08-25 12:39:35: remote = 'myvpn.domain.com'
2021-08-25 12:39:35: remote_port = '1194'
2021-08-25 12:39:35: remote_float = DISABLED
2021-08-25 12:39:35: bind_defined = DISABLED
2021-08-25 12:39:35: bind_local = DISABLED
2021-08-25 12:39:35: bind_ipv6_only = DISABLED
2021-08-25 12:39:35: connect_retry_seconds = 5
2021-08-25 12:39:35: connect_timeout = 120
2021-08-25 12:39:35: socks_proxy_server = '[UNDEF]'
2021-08-25 12:39:35: socks_proxy_port = '[UNDEF]'
2021-08-25 12:39:35: tun_mtu = 1500
2021-08-25 12:39:35: tun_mtu_defined = ENABLED
2021-08-25 12:39:35: link_mtu = 1500
2021-08-25 12:39:35: link_mtu_defined = DISABLED
2021-08-25 12:39:35: tun_mtu_extra = 0
2021-08-25 12:39:35: tun_mtu_extra_defined = DISABLED
2021-08-25 12:39:35: mtu_discover_type = -1
2021-08-25 12:39:35: fragment = 0
2021-08-25 12:39:35: mssfix = 1450
2021-08-25 12:39:35: explicit_exit_notification = 0
2021-08-25 12:39:35: Connection profiles END
2021-08-25 12:39:35: remote_random = DISABLED
2021-08-25 12:39:35: ipchange = '[UNDEF]'
2021-08-25 12:39:35: dev = 'tun'
2021-08-25 12:39:35: dev_type = '[UNDEF]'
2021-08-25 12:39:35: dev_node = 'utun'
2021-08-25 12:39:35: lladdr = '[UNDEF]'
2021-08-25 12:39:35: topology = 1
2021-08-25 12:39:35: ifconfig_local = '[UNDEF]'
2021-08-25 12:39:35: ifconfig_remote_netmask = '[UNDEF]'
2021-08-25 12:39:35: ifconfig_noexec = DISABLED
2021-08-25 12:39:35: ifconfig_nowarn = DISABLED
2021-08-25 12:39:35: ifconfig_ipv6_local = '[UNDEF]'
2021-08-25 12:39:35: ifconfig_ipv6_netbits = 0
2021-08-25 12:39:35: ifconfig_ipv6_remote = '[UNDEF]'
2021-08-25 12:39:35: shaper = 0
2021-08-25 12:39:35: mtu_test = 0
2021-08-25 12:39:35: mlock = DISABLED
2021-08-25 12:39:35: keepalive_ping = 0
2021-08-25 12:39:35: keepalive_timeout = 0
2021-08-25 12:39:35: inactivity_timeout = 0
2021-08-25 12:39:35: ping_send_timeout = 10
2021-08-25 12:39:35: ping_rec_timeout = 45
2021-08-25 12:39:35: ping_rec_timeout_action = 2
2021-08-25 12:39:35: ping_timer_remote = DISABLED
2021-08-25 12:39:35: remap_sigusr1 = 0
2021-08-25 12:39:35: persist_tun = DISABLED
2021-08-25 12:39:35: persist_local_ip = DISABLED
2021-08-25 12:39:35: persist_remote_ip = DISABLED
2021-08-25 12:39:35: persist_key = ENABLED
2021-08-25 12:39:35: passtos = DISABLED
2021-08-25 12:39:35: resolve_retry_seconds = 1000000000
2021-08-25 12:39:35: resolve_in_advance = DISABLED
2021-08-25 12:39:35: username = '[UNDEF]'
2021-08-25 12:39:35: groupname = '[UNDEF]'
2021-08-25 12:39:35: chroot_dir = '[UNDEF]'
2021-08-25 12:39:35: cd_dir = '[UNDEF]'
2021-08-25 12:39:35: writepid = '[UNDEF]'
2021-08-25 12:39:35: up_script = '[UNDEF]'
2021-08-25 12:39:35: down_script = '[UNDEF]'
2021-08-25 12:39:35: down_pre = DISABLED
2021-08-25 12:39:35: up_restart = DISABLED
2021-08-25 12:39:35: up_delay = DISABLED
2021-08-25 12:39:35: daemon = DISABLED
2021-08-25 12:39:35: inetd = 0
2021-08-25 12:39:35: log = DISABLED
2021-08-25 12:39:35: suppress_timestamps = DISABLED
2021-08-25 12:39:35: machine_readable_output = DISABLED
2021-08-25 12:39:35: nice = 0
2021-08-25 12:39:35: verbosity = 4
2021-08-25 12:39:35: mute = 100
2021-08-25 12:39:35: status_file = '[UNDEF]'
2021-08-25 12:39:35: status_file_version = 1
2021-08-25 12:39:35: status_file_update_freq = 60
2021-08-25 12:39:35: occ = ENABLED
2021-08-25 12:39:35: rcvbuf = 0
2021-08-25 12:39:35: sndbuf = 0
2021-08-25 12:39:35: sockflags = 0
2021-08-25 12:39:35: fast_io = DISABLED
2021-08-25 12:39:35: comp.alg = 0
2021-08-25 12:39:35: comp.flags = 0
2021-08-25 12:39:35: route_script = '[UNDEF]'
2021-08-25 12:39:35: route_default_gateway = '[UNDEF]'
2021-08-25 12:39:35: route_default_metric = 0
2021-08-25 12:39:35: route_noexec = DISABLED
2021-08-25 12:39:35: route_delay = 2
2021-08-25 12:39:35: NOTE: --mute triggered...
2021-08-25 12:39:35: 181 variation(s) on previous 100 message(s) suppressed by --mute
2021-08-25 12:39:35: OpenVPN 2.4.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Apr 21 2021
2021-08-25 12:39:35: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-08-25 12:39:40: Resolving address: myvpn.domain.com
2021-08-25 12:39:40: Valid endpoint found: 9111.222.333.444:1194:tcp-client
2021-08-25 12:39:40: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-08-25 12:39:57: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-08-25 12:39:57: Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2021-08-25 12:39:57: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2021-08-25 12:39:57: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-25 12:39:57: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-25 12:39:57: TCP/UDP: Preserving recently used remote address: [AF_INET]9111.222.333.444:1194
2021-08-25 12:39:57: Socket Buffers: R=[131072->131072] S=[131072->131072]
2021-08-25 12:39:57: Attempting to establish TCP connection with [AF_INET]9111.222.333.444:1194 [nonblock]
2021-08-25 12:39:58: TCP connection established with [AF_INET]9111.222.333.444:1194
2021-08-25 12:39:58: TCP_CLIENT link local: (not bound)
2021-08-25 12:39:58: TCP_CLIENT link remote: [AF_INET]9111.222.333.444:1194
2021-08-25 12:39:58: TLS: Initial packet from [AF_INET]9111.222.333.444:1194, sid=491643f1 448a22cb
2021-08-25 12:39:58: State changed to Authenticating
2021-08-25 12:40:04: VERIFY OK: depth=1, CN=ca
2021-08-25 12:40:04: VERIFY OK: depth=0, CN=server
2021-08-25 12:40:05: Connection reset, restarting [0]
2021-08-25 12:40:05: TCP/UDP: Closing socket
2021-08-25 12:40:05: SIGUSR1[soft,connection-reset] received, process restarting
2021-08-25 12:40:05: Viscosity Mac 1.9.3 (1571)
2021-08-25 12:40:05: Viscosity OpenVPN Engine Started
2021-08-25 12:40:05: Running on macOS 11.5.2
2021-08-25 12:40:05: ---------
2021-08-25 12:40:05: State changed to Connecting
2021-08-25 12:40:05: Resolving address: myvpn.domain.com
2021-08-25 12:40:05: Resolving address: myvpn.domain.com
2021-08-25 12:40:05: Valid endpoint found: 9111.222.333.444:1194:tcp-client
2021-08-25 12:40:05: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-08-25 12:40:05: Re-using SSL/TLS context
2021-08-25 12:40:05: Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2021-08-25 12:40:05: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2021-08-25 12:40:05: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-25 12:40:05: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-25 12:40:05: TCP/UDP: Preserving recently used remote address: [AF_INET]9111.222.333.444:1194
2021-08-25 12:40:05: Socket Buffers: R=[131072->131072] S=[131072->131072]
2021-08-25 12:40:05: Attempting to establish TCP connection with [AF_INET]9111.222.333.444:1194 [nonblock]
2021-08-25 12:40:06: TCP connection established with [AF_INET]9111.222.333.444:1194
2021-08-25 12:40:06: TCP_CLIENT link local: (not bound)
2021-08-25 12:40:06: TCP_CLIENT link remote: [AF_INET]9111.222.333.444:1194
2021-08-25 12:40:06: TLS: Initial packet from [AF_INET]9111.222.333.444:1194, sid=4ed299ad 83e8947e
2021-08-25 12:40:06: State changed to Authenticating
2021-08-25 12:40:08: VERIFY OK: depth=1, CN=ca
2021-08-25 12:40:08: VERIFY OK: depth=0, CN=server
2021-08-25 12:40:08: Connection reset, restarting [0]
2021-08-25 12:40:08: TCP/UDP: Closing socket
2021-08-25 12:40:08: SIGUSR1[soft,connection-reset] received, process restarting
I use MikroTik (v.6.47.7) and I have set up the certificates for the Ovpn server like this:
/certificate
add name=ca-template common-name=ca days-valid=3065 key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server days-valid=3065
add name=client-template common-name=vpnclient days-valid=3065
sign ca-template name=ca
sign ca=ca server-template name=server
sign ca=ca client-template name=vpnclient
set ca trusted=yes
set server trusted=yes
export-certificate ca
export-certificate vpnclient export-passphrase=yyyyyyyyyyyyy
/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name="user1" password="xxxxxxxxx" routes="" service=ovpn
And this works fine with this Tunnelblick config (ovpn):
remote myvpn.domain.com 1194
proto tcp-client
#client
tls-client
port 1194
ca cert_export_ca.crt
cert cert_export_vpnclient.crt
key cert_export_vpnclient.key
cipher AES-256-CBC
auth SHA1
dev tun
resolv-retry infinite
nobind
persist-key
ping 10
ping-restart 45
verb 4
auth-user-pass
#auth-nocache
route-method exe
route-delay 2
pull
#redirect-gateway def
route 192.168.42.0 255.255.255.0
When Viscosity imports the ovpn file it adds these extra commands under "Advanced":
resolv-retry infinite
cipher AES-256-CBC
verb 4
route-delay 2
auth SHA1
What could I be missing here? I really would like to test if Viscosity can solve the VMs' problems of using the VPN connection.
Thanks in advance!
/John
Hi John,
> but I guess this is Viscosity's way of hiding what I have selected?
Viscosity will rename the files to prevent potential clashes - they'll still be your selected files, just with a generic name.
> 2021-08-25 12:40:08: Connection reset, restarting [0]
It appears the server (or something in-between Viscosity and the server) is terminating the connection. More information should be available in the log on the server as to the exact reason (assuming it was the server itself). MikroTik do use their own custom OpenVPN protocol implementation, so I'm afraid it's difficult to speculate what may be the cause.
A possible difference is that you're likely using OpenVPN 2.5 with Tunnelblick, while Viscosity 1.9.x uses OpenVPN 2.4. If the server is configured to rely on a feature only in 2.5 it may be rejecting the connection attempt. You can try updating to the latest beta version of Viscosity which ships with OpenVPN 2.5:
https://www.sparklabs.com/support/kb/ar ... -versions/
If you're still stuck, I recommend also trying some of the tips listed at:
https://www.sparklabs.com/support/kb/ar ... -providers
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
- Posts: 9
- Joined: Wed Aug 25, 2021 11:47 pm
Hi James
Thanks for replying.
On the server I get these messages:
aug/25/2021 19:47:28 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
aug/25/2021 19:47:30 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
aug/25/2021 19:47:32 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
aug/25/2021 19:47:34 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
I had already checked these messages - and they seem to appear for many reasons - so there wasn't anything directly related to VPN connections. But I see these as a direct consequence of the connection attempts...
I'll try the beta client.
- Posts: 9
- Joined: Wed Aug 25, 2021 11:47 pm
Hmmm.... the beta seems to make no difference... No connection and the same messages on the server...
This is my OVPN configuration on the MikroTik box: Does that give any clues to you?
- Posts: 9
- Joined: Wed Aug 25, 2021 11:47 pm
I have also updated the MikroTik RouterOS to version 6.48.4 that is the latest version from a week ago - still no luck
Log messages from the beta client are slightly different:
2021-08-27 09:16:53: Viscosity Mac 1.10b4 (1580)
2021-08-27 09:16:53: Viscosity OpenVPN Engine Started
2021-08-27 09:16:53: Running on macOS 11.5.2
2021-08-27 09:16:53: ---------
2021-08-27 09:16:53: State changed to Connecting
2021-08-27 09:16:53: Checking reachability status of connection...
2021-08-27 09:16:53: Connection is reachable. Starting connection attempt.
2021-08-27 09:16:53: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-08-27 09:16:53: Current Parameter Settings:
2021-08-27 09:16:53: config = 'config.conf'
2021-08-27 09:16:53: mode = 0
2021-08-27 09:16:53: show_ciphers = DISABLED
2021-08-27 09:16:53: show_digests = DISABLED
2021-08-27 09:16:53: show_engines = DISABLED
2021-08-27 09:16:53: genkey = DISABLED
2021-08-27 09:16:53: genkey_filename = '[UNDEF]'
2021-08-27 09:16:53: key_pass_file = '[UNDEF]'
2021-08-27 09:16:53: show_tls_ciphers = DISABLED
2021-08-27 09:16:53: connect_retry_max = 0
2021-08-27 09:16:53: Connection profiles [0]:
2021-08-27 09:16:53: proto = tcp-client
2021-08-27 09:16:53: local = '[UNDEF]'
2021-08-27 09:16:53: local_port = '[UNDEF]'
2021-08-27 09:16:53: remote = 'myvpn.domain.com'
2021-08-27 09:16:53: remote_port = '1194'
2021-08-27 09:16:53: remote_float = DISABLED
2021-08-27 09:16:53: bind_defined = DISABLED
2021-08-27 09:16:53: bind_local = DISABLED
2021-08-27 09:16:53: bind_ipv6_only = DISABLED
2021-08-27 09:16:53: connect_retry_seconds = 5
2021-08-27 09:16:53: connect_timeout = 120
2021-08-27 09:16:53: socks_proxy_server = '[UNDEF]'
2021-08-27 09:16:53: socks_proxy_port = '[UNDEF]'
2021-08-27 09:16:53: tun_mtu = 1500
2021-08-27 09:16:53: tun_mtu_defined = ENABLED
2021-08-27 09:16:53: link_mtu = 1500
2021-08-27 09:16:53: link_mtu_defined = DISABLED
2021-08-27 09:16:53: tun_mtu_extra = 0
2021-08-27 09:16:53: tun_mtu_extra_defined = DISABLED
2021-08-27 09:16:53: mtu_discover_type = -1
2021-08-27 09:16:53: fragment = 0
2021-08-27 09:16:53: mssfix = 1450
2021-08-27 09:16:53: explicit_exit_notification = 0
2021-08-27 09:16:53: tls_auth_file = '[UNDEF]'
2021-08-27 09:16:53: key_direction = not set
2021-08-27 09:16:53: tls_crypt_file = '[UNDEF]'
2021-08-27 09:16:53: tls_crypt_v2_file = '[UNDEF]'
2021-08-27 09:16:53: Connection profiles END
2021-08-27 09:16:53: remote_random = DISABLED
2021-08-27 09:16:53: ipchange = '[UNDEF]'
2021-08-27 09:16:53: dev = 'tun'
2021-08-27 09:16:53: dev_type = '[UNDEF]'
2021-08-27 09:16:53: dev_node = 'utun'
2021-08-27 09:16:53: lladdr = '[UNDEF]'
2021-08-27 09:16:53: topology = 1
2021-08-27 09:16:53: ifconfig_local = '[UNDEF]'
2021-08-27 09:16:53: ifconfig_remote_netmask = '[UNDEF]'
2021-08-27 09:16:53: ifconfig_noexec = DISABLED
2021-08-27 09:16:53: ifconfig_nowarn = DISABLED
2021-08-27 09:16:53: ifconfig_ipv6_local = '[UNDEF]'
2021-08-27 09:16:53: ifconfig_ipv6_netbits = 0
2021-08-27 09:16:53: ifconfig_ipv6_remote = '[UNDEF]'
2021-08-27 09:16:53: shaper = 0
2021-08-27 09:16:53: mtu_test = 0
2021-08-27 09:16:53: mlock = DISABLED
2021-08-27 09:16:53: keepalive_ping = 0
2021-08-27 09:16:53: keepalive_timeout = 0
2021-08-27 09:16:53: inactivity_timeout = 0
2021-08-27 09:16:53: ping_send_timeout = 10
2021-08-27 09:16:53: ping_rec_timeout = 45
2021-08-27 09:16:53: ping_rec_timeout_action = 2
2021-08-27 09:16:53: ping_timer_remote = DISABLED
2021-08-27 09:16:53: remap_sigusr1 = 0
2021-08-27 09:16:53: persist_tun = DISABLED
2021-08-27 09:16:53: persist_local_ip = DISABLED
2021-08-27 09:16:53: persist_remote_ip = DISABLED
2021-08-27 09:16:53: persist_key = ENABLED
2021-08-27 09:16:53: passtos = DISABLED
2021-08-27 09:16:53: resolve_retry_seconds = 1000000000
2021-08-27 09:16:53: resolve_in_advance = DISABLED
2021-08-27 09:16:53: username = '[UNDEF]'
2021-08-27 09:16:53: groupname = '[UNDEF]'
2021-08-27 09:16:53: chroot_dir = '[UNDEF]'
2021-08-27 09:16:53: cd_dir = '[UNDEF]'
2021-08-27 09:16:53: writepid = '[UNDEF]'
2021-08-27 09:16:53: up_script = '[UNDEF]'
2021-08-27 09:16:53: down_script = '[UNDEF]'
2021-08-27 09:16:53: down_pre = DISABLED
2021-08-27 09:16:53: up_restart = DISABLED
2021-08-27 09:16:53: up_delay = DISABLED
2021-08-27 09:16:53: daemon = DISABLED
2021-08-27 09:16:53: inetd = 0
2021-08-27 09:16:53: log = DISABLED
2021-08-27 09:16:53: suppress_timestamps = DISABLED
2021-08-27 09:16:53: machine_readable_output = ENABLED
2021-08-27 09:16:53: nice = 0
2021-08-27 09:16:53: verbosity = 4
2021-08-27 09:16:53: mute = 100
2021-08-27 09:16:53: status_file = '[UNDEF]'
2021-08-27 09:16:53: status_file_version = 1
2021-08-27 09:16:53: status_file_update_freq = 60
2021-08-27 09:16:53: occ = ENABLED
2021-08-27 09:16:53: rcvbuf = 0
2021-08-27 09:16:53: sndbuf = 0
2021-08-27 09:16:53: sockflags = 0
2021-08-27 09:16:53: fast_io = DISABLED
2021-08-27 09:16:53: comp.alg = 0
2021-08-27 09:16:53: comp.flags = 0
2021-08-27 09:16:53: NOTE: --mute triggered...
2021-08-27 09:16:53: 187 variation(s) on previous 100 message(s) suppressed by --mute
2021-08-27 09:16:53: OpenVPN 2.5.3 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Aug 26 2021
2021-08-27 09:16:53: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2021-08-27 09:16:53: Resolving address: myvpn.domain.com
2021-08-27 09:16:53: Valid endpoint found: 111.222.333.444:1194:tcp-client
2021-08-27 09:16:53: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-08-27 09:16:53: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-08-27 09:16:53: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-27 09:16:53: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-27 09:16:53: TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:53: Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2021-08-27 09:16:53: TCP connection established with [AF_INET]111.222.333.444:1194
2021-08-27 09:16:53: TCP_CLIENT link local: (not bound)
2021-08-27 09:16:53: TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:53: State changed to Authenticating
2021-08-27 09:16:53: TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=c1c66253 00fde63e
2021-08-27 09:16:56: VERIFY OK: depth=1, CN=ca
2021-08-27 09:16:56: VERIFY OK: depth=0, CN=server
2021-08-27 09:16:57: Connection reset, restarting [0]
2021-08-27 09:16:57: TCP/UDP: Closing socket
2021-08-27 09:16:57: SIGUSR1[soft,connection-reset] received, process restarting
2021-08-27 09:16:57: Viscosity Mac 1.10b4 (1580)
2021-08-27 09:16:57: Viscosity OpenVPN Engine Started
2021-08-27 09:16:57: Running on macOS 11.5.2
2021-08-27 09:16:57: ---------
2021-08-27 09:16:57: State changed to Connecting
2021-08-27 09:16:57: Resolving address: myvpn.domain.com
2021-08-27 09:16:57: Resolving address: myvpn.domain.com
2021-08-27 09:16:57: Valid endpoint found: 111.222.333.444:1194:tcp-client
2021-08-27 09:16:57: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-08-27 09:16:57: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-27 09:16:57: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-27 09:16:57: TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:57: Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2021-08-27 09:16:57: TCP connection established with [AF_INET]111.222.333.444:1194
2021-08-27 09:16:57: TCP_CLIENT link local: (not bound)
2021-08-27 09:16:57: TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:57: State changed to Authenticating
2021-08-27 09:16:57: TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=3fa42b08 7bd9de73
2021-08-27 09:16:58: VERIFY OK: depth=1, CN=ca
2021-08-27 09:16:58: VERIFY OK: depth=0, CN=server
2021-08-27 09:16:58: Connection reset, restarting [0]
2021-08-27 09:16:58: TCP/UDP: Closing socket
2021-08-27 09:16:58: SIGUSR1[soft,connection-reset] received, process restarting
2021-08-27 09:16:58: Viscosity Mac 1.10b4 (1580)
2021-08-27 09:16:58: Viscosity OpenVPN Engine Started
2021-08-27 09:16:58: Running on macOS 11.5.2
2021-08-27 09:16:58: ---------
2021-08-27 09:16:58: State changed to Connecting
2021-08-27 09:16:58: Resolving address: myvpn.domain.com
2021-08-27 09:16:59: Resolving address: myvpn.domain.com
2021-08-27 09:16:59: Valid endpoint found: 111.222.333.444:1194:tcp-client
2021-08-27 09:16:59: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-08-27 09:16:59: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-27 09:16:59: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-27 09:16:59: TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:59: Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2021-08-27 09:16:59: TCP connection established with [AF_INET]111.222.333.444:1194
2021-08-27 09:16:59: TCP_CLIENT link local: (not bound)
2021-08-27 09:16:59: TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:59: State changed to Authenticating
2021-08-27 09:16:59: TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=8fc919b9 163f76c5
2021-08-27 09:17:00: VERIFY OK: depth=1, CN=ca
2021-08-27 09:17:00: VERIFY OK: depth=0, CN=server
2021-08-27 09:17:01: State changed to Disconnecting (Manual)
2021-08-27 09:17:01: Connection reset, restarting [0]
2021-08-27 09:17:01: TCP/UDP: Closing socket
2021-08-27 09:17:01: SIGTERM[hard,connection-reset] received, process exiting
2021-08-27 09:17:01: State changed to Disconnected (Process Terminated)
Hi John,
I'm afraid I can't offer any firm suggestions here: MikroTik's implementation isn't behaving anything like the official implementation would in this situation. It appears to lack the output to indicate what is going on, and is instead just closing the underlying connection.
If your configuration is working in Tunnelblick, but not Viscosity, all I can suggest is checking the underlying configuration data for any differences. You can find information on how to view Viscosity's raw configuration data for your connection at:
https://www.sparklabs.com/support/kb/ar ... ation-data
Besides that, all I can suggest is getting in touch with MikroTik's support staff: they may be able to offer more useful information on why their server implementation is terminating the connection attempt.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
- Posts: 9
- Joined: Wed Aug 25, 2021 11:47 pm
Thanks, James
I have already written to the MikroTik support/forum - but so far no response
I tried to compare the two configurations and there are some minor differences that I cannot tell if are important...
I have sorted the lines to make it easier to look at
Tunnelblick:
#-- Tunnelblick Configuration --#
#auth-nocache
#client
#redirect-gateway def
auth SHA1
auth-user-pass
ca cert_export_ca.crt
cert cert_export_vpnclient.crt
cipher AES-256-CBC
dev tun
key cert_export_vpnclient.key
nobind
persist-key
ping 10
ping-restart 45
port 1194
proto tcp-client
pull
remote router.mydomain.dk 1194
resolv-retry infinite
route 192.168.42.0 255.255.255.0
route-delay 2
route-method exe
tls-client
verb 4
Viscosity:
#-- Configuration Generated By Viscosity --#
#viscosity autoreconnect true
#viscosity dhcp true
#viscosity dns automatic
#viscosity name vpn-solbjerg
#viscosity protocol openvpn
#viscosity startonopen false
#viscosity usepeerdns true
auth SHA1
auth-user-pass
ca ca.crt
cert cert.crt
cipher AES-256-CBC
dev tun
key key.key
nobind
persist-key
ping 10
ping-restart 45
pull
remote router.mydomain.dk 1194 tcp-client
resolv-retry infinite
route 192.168.42.0 255.255.255.0
route-delay 2
tls-client
verb 4
I would guess that proto, port and remote more or less end up with the same meaning. However, there is a difference in the route-method parameter.
Could this be the source of the problems? And can I configure it similarly in Viscosity?
Thanks for any light you can shed on this.
/John
Hi John,
Those configurations are identical from a macOS OpenVPN client standpoint.
I can only conclude either your CA/Cert files are mixed up or the wrong files, or the server is rejecting the connection for another reason (for example, there is already an active connection - or it thinks there is already an active connection - using those PKI credentials).
The official OpenVPN server would add a message to the log about why the client is being rejected. However I'm afraid the MikroTik implementation doesn't appear to have any such logging. I can only again suggest reaching out to their support staff.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
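An added example (not part of the original thread, and not Viscosity or Tunnelblick code) of the by-hand comparison above: it normalizes the two posted configurations so that `proto`/`port` fold into `remote` and renamed certificate files compare equal, then checks for the two conditions the client log warns about. The function names are hypothetical, and the sample configs are rebuilt from the posts with comment lines abridged.

```python
import shlex

# Constructed sample input: the active directives of the two configs posted in
# the thread (comment lines abridged).
TUNNELBLICK = """\
#auth-nocache
auth SHA1
auth-user-pass
ca cert_export_ca.crt
cert cert_export_vpnclient.crt
cipher AES-256-CBC
dev tun
key cert_export_vpnclient.key
nobind
persist-key
ping 10
ping-restart 45
port 1194
proto tcp-client
pull
remote router.mydomain.dk 1194
resolv-retry infinite
route 192.168.42.0 255.255.255.0
route-delay 2
route-method exe
tls-client
verb 4
"""
VISCOSITY = """\
auth SHA1
auth-user-pass
ca ca.crt
cert cert.crt
cipher AES-256-CBC
dev tun
key key.key
nobind
persist-key
ping 10
ping-restart 45
pull
remote router.mydomain.dk 1194 tcp-client
resolv-retry infinite
route 192.168.42.0 255.255.255.0
route-delay 2
tls-client
verb 4
"""

FILE_OPTS = {"ca", "cert", "key"}      # value is a file name the client may rename
WINDOWS_ONLY = {"route-method"}        # listed as a Windows option in the OpenVPN manual
# Common directives that enable server certificate verification on the client.
SERVER_VERIFY = {"remote-cert-tls", "verify-x509-name", "tls-verify"}

def parse(text):
    """Map each active directive to the list of its argument lists."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # '#' and ';' start comments
            continue
        name, *args = shlex.split(line)
        opts.setdefault(name, []).append(args)
    return opts

def normalize(opts):
    """Fold equivalent spellings together so only real differences remain."""
    out = dict(opts)
    # Global proto/port are only defaults for `remote host [port] [proto]`.
    proto = out.pop("proto", [["udp"]])[-1][0]
    port = out.pop("port", [["1194"]])[-1][0]
    out["remote"] = [[a[0], a[1] if len(a) > 1 else port,
                      a[2] if len(a) > 2 else proto]
                     for a in out.get("remote", [])]
    for name in FILE_OPTS & out.keys():      # compare presence, not file name
        out[name] = [["<file>"]]
    return out

def diff(a, b, ignore=frozenset()):
    """Return {directive: (value_in_a, value_in_b)} for directives that differ."""
    na, nb = normalize(parse(a)), normalize(parse(b))
    return {k: (na.get(k), nb.get(k))
            for k in sorted((na.keys() | nb.keys()) - ignore)
            if na.get(k) != nb.get(k)}

def hardening_gaps(text):
    """Report the two conditions the client log in the thread warns about."""
    opts = parse(text)
    gaps = []
    if not SERVER_VERIFY & opts.keys():
        gaps.append("no server certificate verification method")
    if "auth-user-pass" in opts and "auth-nocache" not in opts:
        gaps.append("auth-user-pass without auth-nocache")
    return gaps

if __name__ == "__main__":
    print("all differences:  ", diff(TUNNELBLICK, VISCOSITY))
    print("relevant on macOS:", diff(TUNNELBLICK, VISCOSITY, WINDOWS_ONLY))
    print("hardening gaps:   ", hardening_gaps(VISCOSITY))
```

Run over the two configs from the thread, the only remaining difference is `route-method`, and both configs trigger the same two hardening findings that appear as WARNING lines in the client log.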
- Posts: 9
- Joined: Wed Aug 25, 2021 11:47 pm
Hi James
Ok, this turned out to be an (embarrassing) issue as our documentation wasn't entirely up to date so one password was incorrect. Finding the magic steps to turn on logging for the OVPN server got me on the track.
Anyway, we do now have a connection!
However, I have one minor issue that I'm not sure where to solve. When I connect I do get an IP from the range specified by the OVPN server - but it does not see any of our internal servers.
So when I connect from Tunnelblick I get the following doing an nslookup:
nslookup router.dalsgaard-data.dk
Server: 192.168.42.251
Address: 192.168.42.251#53
Non-authoritative answer:
Name: router.dalsgaard-data.dk
Address: 192.168.42.251
However, when doing the same when connected via Viscosity I get:
nslookup router.dalsgaard-data.dk
Server: 172.20.10.1
Address: 172.20.10.1#53
Non-authoritative answer:
router.dalsgaard-data.dk canonical name = dalsgaard-data.dk.
Name: dalsgaard-data.dk
Address: 95.209.155.214
I have tried manually to set the default gateway on the connection to 192.168.42.251 - but it seems to change nothing.
Do you have any ideas as to what I am missing?
Thanks in advance!
Glad to hear you got it working.
I recommend running through the troubleshooting steps at:
https://www.sparklabs.com/support/kb/ar ... -problems/
My instinct is the article linked below is probably the cause, however run through the steps in the above article first to be sure:
https://www.sparklabs.com/support/kb/ar ... e-present/
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs