Connections work flawlessly on Tunnelblick but ignore routes (?) on Viscosity


philippgerard

Posts: 1
Joined: Thu Apr 08, 2021 9:42 pm

Post by philippgerard » Thu Apr 08, 2021 9:55 pm
Hi there,

I have two VPN connections for work with two different endpoints, which work flawlessly in Tunnelblick but don't work in Viscosity. It seems the routes are processed only in Tunnelblick, and I cannot identify the differences and would appreciate some help :)

This is the Tunnelblick log, which I have sanitised (IP, usernames etc.) but which clearly shows routes created:
2021-04-08 13:46:28.295892 *Tunnelblick: macOS 11.3 (20E5224a); Tunnelblick 3.8.5beta06 (build 5660); prior version 3.8.5beta05 (build 5650)
2021-04-08 13:46:28.593859 *Tunnelblick: Attempting connection with Corp - VPN using shadow copy; Set nameserver = 769; monitoring connection
2021-04-08 13:46:28.594153 *Tunnelblick: openvpnstart start Corp\ -\ VPN.tblk 59867 769 0 1 0 34652464 -ptADGNWradsgnw 2.4.10-openssl-1.1.1k
2021-04-08 13:46:28.627921 *Tunnelblick: openvpnstart starting OpenVPN
2021-04-08 13:46:29.093195 OpenVPN 2.4.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Apr  1 2021
2021-04-08 13:46:29.093410 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-04-08 13:46:29.095161 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:59867
2021-04-08 13:46:29.095202 Need hold release from management interface, waiting...
2021-04-08 13:46:29.219521 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully.
     Command used to start OpenVPN (one argument per displayed line):
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.10-openssl-1.1.1k/openvpn
          --daemon
          --log /Library/Application Support/Tunnelblick/Logs/-..
          --cd /Library/Application Support/Tunnelblick/Users/.../Corp - VPN.tblk/Contents/Resources
          --machine-readable-output
          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5660 3.8.5beta06 (build 5660)"
          --verb 3
          --config /Library/Application Support/Tunnelblick/Users/user/Corp - VPN.tblk/Contents/Resources/config.ovpn
          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/user/Corp - VPN.tblk/Contents/Resources
          --verb 3
          --cd /Library/Application Support/Tunnelblick/Users/user/Corp - VPN.tblk/Contents/Resources
          --management 127.0.0.1 59867 /Library/Application Support/Tunnelblick/jbnckfdfnlkpfobhcgcfjohdgddggbfhmckhjdej.mip
          --management-query-passwords
          --management-hold
          --script-security 2
          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2021-04-08 13:46:29.223310 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:59867
2021-04-08 13:46:29.237092 MANAGEMENT: CMD 'pid'
2021-04-08 13:46:29.237172 MANAGEMENT: CMD 'auth-retry interact'
2021-04-08 13:46:29.237196 MANAGEMENT: CMD 'state on'
2021-04-08 13:46:29.237215 MANAGEMENT: CMD 'state'
2021-04-08 13:46:29.237257 MANAGEMENT: CMD 'bytecount 1'
2021-04-08 13:46:29.237942 *Tunnelblick: Established communication with OpenVPN
2021-04-08 13:46:29.239206 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2021-04-08 13:46:29.240636 MANAGEMENT: CMD 'hold release'
2021-04-08 13:46:29.254357 *Tunnelblick: Obtained VPN username and password from the Keychain
2021-04-08 13:46:29.256161 MANAGEMENT: CMD 'username "Auth" "user"'
2021-04-08 13:46:29.256237 MANAGEMENT: CMD 'password [...]'
2021-04-08 13:46:29.257230 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-04-08 13:46:29.262807 MANAGEMENT: >STATE:1617882389,RESOLVE,,,,,,
2021-04-08 13:46:29.503632 TCP/UDP: Preserving recently used remote address: [AF_INET]{IP}:8443
2021-04-08 13:46:29.503797 Socket Buffers: R=[131072->131072] S=[131072->131072]
2021-04-08 13:46:29.503815 Attempting to establish TCP connection with [AF_INET]{IP}:8443 [nonblock]
2021-04-08 13:46:29.503841 MANAGEMENT: >STATE:1617882389,TCP_CONNECT,,,,,,
2021-04-08 13:46:30.546034 TCP connection established with [AF_INET]{IP}:8443
2021-04-08 13:46:30.546161 TCP_CLIENT link local: (not bound)
2021-04-08 13:46:30.546259 TCP_CLIENT link remote: [AF_INET]{IP}:8443
2021-04-08 13:46:30.546349 MANAGEMENT: >STATE:1617882390,WAIT,,,,,,
2021-04-08 13:46:30.576895 MANAGEMENT: >STATE:1617882390,AUTH,,,,,,
2021-04-08 13:46:30.576992 TLS: Initial packet from [AF_INET]{IP}:8443, sid=39ec4b5a 6b623b9b
2021-04-08 13:46:31.962865 VERIFY OK: depth=1, C=DE, ST=BY, L=Place, O=Comp, OU=OU, CN=Sophos_CA_SN, [email protected]
2021-04-08 13:46:31.963519 VERIFY X509NAME OK: C=DE, ST=BY, L=Place, O=Comp, OU=OU, CN=SophosApplianceCertificate_SN, [email protected]
2021-04-08 13:46:31.963548 VERIFY OK: depth=0, C=DE, ST=BY, L=Place, O=Comp, OU=OU, CN=SophosApplianceCertificate_SN, [email protected]
2021-04-08 13:46:32.438668 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2021-04-08 13:46:32.438862 [SophosApplianceCertificate_SN] Peer Connection Initiated with [AF_INET]{IP}:8443
2021-04-08 13:46:33.579386 MANAGEMENT: >STATE:1617882393,GET_CONFIG,,,,,,
2021-04-08 13:46:33.579843 SENT CONTROL [SophosApplianceCertificate_SN]: 'PUSH_REQUEST' (status=1)
2021-04-08 13:46:33.928251 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.60.1,sndbuf 0,rcvbuf 0,sndbuf 0,rcvbuf 0,ping 450,ping-restart 1800,route 212.77.173.22 255.255.255.255,route 172.29.0.0 255.255.0.0,route 212.77.173.23 255.255.255.255,route 10.10.96.0 255.255.240.0,route 10.10.49.0 255.255.255.0,route 10.120.50.0 255.255.255.0,route 10.148.10.0 255.255.255.0,route 10.149.10.0 255.255.255.0,route 10.150.20.0 255.255.255.0,route 10.10.20.128 255.255.255.128,route 10.30.22.0 255.255.255.0,route 10.30.23.0 255.255.255.0,route 192.168.0.0 255.255.0.0,route 10.30.25.0 255.255.255.0,route 10.10.26.0 255.255.255.128,route 10.30.26.0 255.255.255.0,route 10.10.12.0 255.255.254.0,route 10.192.0.0 255.192.0.0,route 10.64.0.0 255.255.0.0,route 10.71.0.0 255.255.128.0,route 10.148.0.0 255.255.0.0,route 10.149.0.0 255.255.0.0,route 10.224.0.0 255.240.0.0,route 10.192.0.0 255.240.0.0,route 10.150.0.0 255.255.0.0,route 10.10.20.0 255.255.255.128,route 10.40.0.0 255.255.0.0,push-continuation 2'
2021-04-08 13:46:34.017000 PUSH: Received control message: 'PUSH_REPLY,route 10.180.6.0 255.255.255.128,route 10.10.245.0 255.255.255.128,route 10.30.33.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,dhcp-option DNS 192.168.168.2,dhcp-option DNS 192.168.168.37,dhcp-option DOMAIN corp.local,ifconfig 192.168.60.9 255.255.255.0,push-continuation 1'
2021-04-08 13:46:34.017254 OPTIONS IMPORT: timers and/or timeouts modified
2021-04-08 13:46:34.017282 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2021-04-08 13:46:34.017312 Socket Buffers: R=[262144->262144] S=[131400->131400]
2021-04-08 13:46:34.017329 OPTIONS IMPORT: --ifconfig/up options modified
2021-04-08 13:46:34.017344 OPTIONS IMPORT: route options modified
2021-04-08 13:46:34.017359 OPTIONS IMPORT: route-related options modified
2021-04-08 13:46:34.017373 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-04-08 13:46:34.017529 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-04-08 13:46:34.017542 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-08 13:46:34.017552 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-04-08 13:46:34.017562 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-08 13:46:34.018688 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2021-04-08 13:46:34.018728 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2021-04-08 13:46:34.019022 Opened utun device utun2
2021-04-08 13:46:34.019611 MANAGEMENT: >STATE:1617882394,ASSIGN_IP,,192.168.60.9,,,,
2021-04-08 13:46:34.019651 /sbin/ifconfig utun2 delete
                           ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2021-04-08 13:46:34.026684 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-04-08 13:46:34.026954 /sbin/ifconfig utun2 192.168.60.9 192.168.60.9 netmask 255.255.255.0 mtu 1500 up
2021-04-08 13:46:34.030663 /sbin/route add -net 192.168.60.0 192.168.60.9 255.255.255.0
                           add net 192.168.60.0: gateway 192.168.60.9
2021-04-08 13:46:38.126261 MANAGEMENT: >STATE:1617882398,ADD_ROUTES,,,,,,
2021-04-08 13:46:38.130206 /sbin/route add -net {IP} 192.168.50.1 255.255.255.255
                           add net {IP}: gateway 192.168.50.1
2021-04-08 13:46:38.137765 /sbin/route add -net 212.77.173.22 192.168.60.1 255.255.255.255
                           add net 212.77.173.22: gateway 192.168.60.1
2021-04-08 13:46:38.142049 /sbin/route add -net 172.29.0.0 192.168.60.1 255.255.0.0
                           add net 172.29.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.144764 /sbin/route add -net 212.77.173.23 192.168.60.1 255.255.255.255
                           add net 212.77.173.23: gateway 192.168.60.1
2021-04-08 13:46:38.147775 /sbin/route add -net 10.10.96.0 192.168.60.1 255.255.240.0
                           add net 10.10.96.0: gateway 192.168.60.1
2021-04-08 13:46:38.150605 /sbin/route add -net 10.10.49.0 192.168.60.1 255.255.255.0
                           add net 10.10.49.0: gateway 192.168.60.1
2021-04-08 13:46:38.153445 /sbin/route add -net 10.120.50.0 192.168.60.1 255.255.255.0
                           add net 10.120.50.0: gateway 192.168.60.1
2021-04-08 13:46:38.158036 /sbin/route add -net 10.148.10.0 192.168.60.1 255.255.255.0
                           add net 10.148.10.0: gateway 192.168.60.1
2021-04-08 13:46:38.161313 /sbin/route add -net 10.149.10.0 192.168.60.1 255.255.255.0
                           add net 10.149.10.0: gateway 192.168.60.1
2021-04-08 13:46:38.164641 /sbin/route add -net 10.150.20.0 192.168.60.1 255.255.255.0
                           add net 10.150.20.0: gateway 192.168.60.1
2021-04-08 13:46:38.167345 /sbin/route add -net 10.10.20.128 192.168.60.1 255.255.255.128
                           add net 10.10.20.128: gateway 192.168.60.1
2021-04-08 13:46:38.169935 /sbin/route add -net 10.30.22.0 192.168.60.1 255.255.255.0
                           add net 10.30.22.0: gateway 192.168.60.1
2021-04-08 13:46:38.171986 /sbin/route add -net 10.30.23.0 192.168.60.1 255.255.255.0
                           add net 10.30.23.0: gateway 192.168.60.1
2021-04-08 13:46:38.174224 /sbin/route add -net 192.168.0.0 192.168.60.1 255.255.0.0
                           add net 192.168.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.176230 /sbin/route add -net 10.30.25.0 192.168.60.1 255.255.255.0
                           add net 10.30.25.0: gateway 192.168.60.1
2021-04-08 13:46:38.177808 /sbin/route add -net 10.10.26.0 192.168.60.1 255.255.255.128
                           add net 10.10.26.0: gateway 192.168.60.1
2021-04-08 13:46:38.179687 /sbin/route add -net 10.30.26.0 192.168.60.1 255.255.255.0
                           add net 10.30.26.0: gateway 192.168.60.1
2021-04-08 13:46:38.181546 /sbin/route add -net 10.10.12.0 192.168.60.1 255.255.254.0
                           add net 10.10.12.0: gateway 192.168.60.1
2021-04-08 13:46:38.183923 /sbin/route add -net 10.192.0.0 192.168.60.1 255.192.0.0
                           add net 10.192.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.185528 /sbin/route add -net 10.64.0.0 192.168.60.1 255.255.0.0
                           add net 10.64.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.187114 /sbin/route add -net 10.71.0.0 192.168.60.1 255.255.128.0
                           add net 10.71.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.188464 /sbin/route add -net 10.148.0.0 192.168.60.1 255.255.0.0
                           add net 10.148.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.190047 /sbin/route add -net 10.149.0.0 192.168.60.1 255.255.0.0
                           add net 10.149.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.191496 /sbin/route add -net 10.224.0.0 192.168.60.1 255.240.0.0
                           add net 10.224.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.192944 /sbin/route add -net 10.192.0.0 192.168.60.1 255.240.0.0
                           add net 10.192.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.195064 /sbin/route add -net 10.150.0.0 192.168.60.1 255.255.0.0
                           add net 10.150.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.197004 /sbin/route add -net 10.10.20.0 192.168.60.1 255.255.255.128
                           add net 10.10.20.0: gateway 192.168.60.1
2021-04-08 13:46:38.198367 /sbin/route add -net 10.40.0.0 192.168.60.1 255.255.0.0
                           add net 10.40.0.0: gateway 192.168.60.1
2021-04-08 13:46:38.199985 /sbin/route add -net 10.180.6.0 192.168.60.1 255.255.255.128
                           add net 10.180.6.0: gateway 192.168.60.1
2021-04-08 13:46:38.201338 /sbin/route add -net 10.10.245.0 192.168.60.1 255.255.255.128
                           add net 10.10.245.0: gateway 192.168.60.1
2021-04-08 13:46:38.202805 /sbin/route add -net 10.30.33.0 192.168.60.1 255.255.255.0
                           add net 10.30.33.0: gateway 192.168.60.1
2021-04-08 13:46:38.204075 /sbin/route add -net {IP} 192.168.50.1 255.255.255.255
                           route: writing to routing socket: File exists
                           add net {IP}: gateway 192.168.50.1: File exists
                           13:46:38 *Tunnelblick:  **********************************************
                           13:46:38 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           13:46:40 *Tunnelblick:  Disabled IPv6 for 'Ethernet'
                           13:46:40 *Tunnelblick:  Disabled IPv6 for 'Ethernet Adaptor (en4)'
                           13:46:40 *Tunnelblick:  Disabled IPv6 for 'Ethernet Adaptor (en5)'
                           13:46:40 *Tunnelblick:  Disabled IPv6 for 'Wi-Fi'
                           13:46:40 *Tunnelblick:  Disabled IPv6 for 'Bluetooth PAN'
                           13:46:40 *Tunnelblick:  Disabled IPv6 for 'Thunderbolt Bridge'
                           13:46:40 *Tunnelblick:  Disabled IPv6 for 'Sweden (#2)'
                           13:46:40 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ 192.168.168.2 192.168.168.37 ], domain name [ corp.local ], search domain(s) [ ], and SMB server(s) [ ]
                           13:46:40 *Tunnelblick:  Not aggregating ServerAddresses because running on macOS 10.6 or higher
                           13:46:40 *Tunnelblick:  Setting search domains to 'corp.local' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                           13:46:41 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                           13:46:41 *Tunnelblick:  Changed DNS ServerAddresses setting from '192.168.50.129 192.168.50.1' to '192.168.168.2 192.168.168.37'
                           13:46:41 *Tunnelblick:  Changed DNS SearchDomains setting from 'zen.wifi' to 'corp.local'
                           13:46:41 *Tunnelblick:  Changed DNS DomainName setting from '' to 'corp.local'
                           13:46:41 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                           13:46:41 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                           13:46:41 *Tunnelblick:  Did not change SMB WINSAddresses setting of '192.168.50.1'
                           13:46:41 *Tunnelblick:  DNS servers '192.168.168.2 192.168.168.37' will be used for DNS queries when the VPN is active
                           13:46:41 *Tunnelblick:  NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                           13:46:42 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           13:46:42 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           13:46:42 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           13:46:42 *Tunnelblick:  Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
                           13:46:42 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                           13:46:42 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           13:46:42 *Tunnelblick:  **********************************************
2021-04-08 13:46:42.330787 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-04-08 13:46:42.330959 Initialization Sequence Completed
2021-04-08 13:46:42.331209 MANAGEMENT: >STATE:1617882402,CONNECTED,SUCCESS,192.168.60.9,{IP},8443,192.168.50.9,56718
2021-04-08 13:46:43.553775 *Tunnelblick: DNS address 192.168.168.2 is being routed through the VPN
2021-04-08 13:46:43.661451 *Tunnelblick: DNS address 192.168.168.37 is being routed through the VPN
This is what Viscosity shows me in Details:
2021-04-08 13:46:00: Viscosity Mac 1.9.2 (1565)
2021-04-08 13:46:00: Viscosity OpenVPN Engine Started
2021-04-08 13:46:00: Running on macOS 11.3.0
2021-04-08 13:46:00: ---------
2021-04-08 13:46:00: State changed to Connecting
2021-04-08 13:46:00: Checking reachability status of connection...
2021-04-08 13:46:00: Connection is reachable. Starting connection attempt.
2021-04-08 13:46:00: OpenVPN 2.4.10 arm-apple-darwin20.0.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 18 2021
2021-04-08 13:46:00: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-04-08 13:46:00: Resolving address: vpn.nkk.de
2021-04-08 13:46:00: Valid endpoint found: {IP}:8443:tcp-client
2021-04-08 13:46:00: TCP/UDP: Preserving recently used remote address: [AF_INET]{IP}:8443
2021-04-08 13:46:00: Attempting to establish TCP connection with [AF_INET]{IP}:8443 [nonblock]
2021-04-08 13:46:01: TCP connection established with [AF_INET]{IP}:8443
2021-04-08 13:46:01: TCP_CLIENT link local: (not bound)
2021-04-08 13:46:01: TCP_CLIENT link remote: [AF_INET]{IP}:8443
2021-04-08 13:46:01: State changed to Authenticating
2021-04-08 13:46:02: [SophosApplianceCertificate_SN] Peer Connection Initiated with [AF_INET]{IP}:8443
2021-04-08 13:46:04: Opened utun device utun10
2021-04-08 13:46:04: /sbin/ifconfig utun10 delete
2021-04-08 13:46:04: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-04-08 13:46:04: /sbin/ifconfig utun10 192.168.60.10 192.168.60.10 netmask 255.255.255.0 mtu 1500 up
2021-04-08 13:46:08: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-04-08 13:46:08: Initialization Sequence Completed
2021-04-08 13:46:08: DNS mode set to Split
2021-04-08 13:46:08: State changed to Connected
Accessing a .local domain in our internal network works with Tunnelblick but does not resolve with Viscosity. The (seemingly) same configuration is used for both clients. Any ideas?

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Apr 09, 2021 1:00 am
Hi philippgerard,
Accessing a .local domain in our internal network works with Tunnelblick but does not resolve with Viscosity. The (seemingly) same configuration is used for both clients. Any ideas?
.local domains cannot be used as DNS search domains. They are reserved for use by mDNS (Bonjour's Multicast Domain Name Service) and should not be used as an internal domain in business or enterprise networks. Please see the official documentation from Apple for more information:
https://support.apple.com/en-us/HT207511

If it appears to be working with Tunnelblick, it's likely not working in the fashion expected (e.g. lookups may be taking place through the wrong network interface and mDNS is likely broken). The issue can be resolved by using a different suffix for your internal network (for example Apple recommend using a valid TLD, or failing that .home or .corp).

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
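An added example (not code from the thread, Viscosity or Tunnelblick) that checks the two things this thread turns on: which routes in the server's PUSH_REPLY were actually installed with /sbin/route, whether the pushed DNS servers are reachable through those routes, and whether a pushed search domain falls under the mDNS-reserved .local TLD. The sample log is a constructed, abridged copy of the Tunnelblick lines quoted above; the function names are my own.

```python
import re
import ipaddress

# Constructed sample: abridged PUSH_REPLY and "/sbin/route add" lines modelled on the
# Tunnelblick log in the thread. The 192.168.0.0/16 route is deliberately left out of
# the route-add lines to show how an uninstalled pushed route is detected.
SAMPLE_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.60.1,ping 450,route 172.29.0.0 255.255.0.0,route 10.10.96.0 255.255.240.0,route 192.168.0.0 255.255.0.0,push-continuation 2'
PUSH: Received control message: 'PUSH_REPLY,route 10.30.33.0 255.255.255.0,topology subnet,dhcp-option DNS 192.168.168.2,dhcp-option DNS 192.168.168.37,dhcp-option DOMAIN corp.local,ifconfig 192.168.60.9 255.255.255.0,push-continuation 1'
/sbin/route add -net 172.29.0.0 192.168.60.1 255.255.0.0
/sbin/route add -net 10.10.96.0 192.168.60.1 255.255.240.0
/sbin/route add -net 10.30.33.0 192.168.60.1 255.255.255.0
"""

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")
ROUTE_ADD_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
MDNS_RESERVED = ("local",)  # RFC 6762 reserves .local for multicast DNS


def parse_push_reply(log_text):
    """Collect the routes, DNS servers and search domains the server pushed."""
    pushed = {"routes": [], "dns": [], "domains": []}
    for line in log_text.splitlines():
        m = PUSH_RE.search(line)
        if not m:
            continue
        for opt in m.group(1).split(","):
            parts = opt.split()
            if not parts:
                continue
            # "route remote_host ... net_gateway" is a placeholder, not a real network
            if parts[0] == "route" and len(parts) >= 3 and parts[1] != "remote_host":
                pushed["routes"].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
            elif parts[0] == "dhcp-option" and len(parts) == 3 and parts[1] == "DNS":
                pushed["dns"].append(parts[2])
            elif parts[0] == "dhcp-option" and len(parts) == 3 and parts[1] == "DOMAIN":
                pushed["domains"].append(parts[2])
    return pushed


def installed_routes(log_text):
    """Networks the client actually handed to /sbin/route during ADD_ROUTES."""
    found = set()
    for net, _gw, mask in ROUTE_ADD_RE.findall(log_text):
        if net.startswith("{"):  # sanitised endpoint address such as {IP}
            continue
        found.add(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return found


def missing_routes(log_text):
    """Pushed routes that never appeared in a route-add line (sorted for stable output)."""
    installed = installed_routes(log_text)
    return sorted((n for n in parse_push_reply(log_text)["routes"] if n not in installed), key=str)


def dns_servers_without_route(log_text):
    """Pushed DNS servers that no installed route covers; queries to them leave the tunnel."""
    routes = installed_routes(log_text)
    return [d for d in parse_push_reply(log_text)["dns"]
            if not any(ipaddress.ip_address(d) in n for n in routes)]


def reserved_search_domains(log_text):
    """Pushed search domains whose TLD is reserved for mDNS (the .local case in the thread)."""
    return [d for d in parse_push_reply(log_text)["domains"]
            if d.rstrip(".").rsplit(".", 1)[-1].lower() in MDNS_RESERVED]
```

Run the three checks over a full client log to see at a glance whether a connection that reports "Initialization Sequence Completed" actually installed every pushed route and whether the pushed resolver configuration can work as intended.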