OpenVPN Issue OS X Mavericks

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Nikolay.Zhelev, Oct 14, 2014.

  1. Nikolay.Zhelev macrumors newbie

    Joined:
    Oct 14, 2014
    #1
    Good morning fellows,

    I'm new Mac user and I'm trying to migrate from Windows to Mac, but I'm stuck on my OpenVPN migration.

    First I would like to thank the Tunnelblick team, for doing this great free GUI for OpenVPN connectivity.

    Secondly I would like to ask the more experienced people regarding my issue.

    My OpenVPN configuration is working perfectly fine on every windows PC. I'm running an OpenVPN server on a pfSense platform, configured properly. The configuration is using tap interface, UDP port and everything is in bridged mode, receiving IP addresses form my pfSense DHCP server.

    However when I migrated to Mac OS X (Mavericks) the OpenVPN works randomly. By randomly I mean:

    The initial OpenVPN connection is successful, the whole traffic is routed via the tunnel, no problems whatsoever, but as soon as I disconnect and reconnect again, the second connection is established, but I don't have access to the network at all. I can see that Tunnelblick has taken an IP address from my OpenVPN server, everything looks normal, but I don't have any network access, no ping, can't load any page, even if I try to type the IP address of the page there is no luck.

    The strange thing is, that this happens randomly. I can't identify any pattern. When I leave my Macbook Pro for a while and then try to reconnect - the connection is successful, but as soon as I disconnect and reconnect again - no network access, despite the fact, that I have proper IP address, received via the tunnel.

    I tried several different clients also - Viscosity, OpenVPN Connect Client and etc. All have the same issue. As soon as I disconnect and reconnect - no network access.

    Since I spend about 2 days, trying to troubleshoot my issue I'm looking for help from you guys.

    I'm quite open to any suggestions and looking forward to hearing from you!

    Thank you for your time!

    Regards,
    Nick
     
  2. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #2
    To me sounds like a Kerberos problem so make sure the VPN sever and the client are on the same Time server.
     
  3. Nikolay.Zhelev thread starter macrumors newbie

    Joined:
    Oct 14, 2014
    #3
    Hi satcomer,

    Thank you for your reply!

    Regarding my problem, I set my macbook pro to use the same server as my OpenVPN router uses, but that didn't fix the problem.

    The issue is very strange I'll explain shortly is a few steps:

    1. I'm initiating the OpenVPN connection. Result: the initial connection is established, all of my traffic is routed via the VPN tunnel.
    2. I disconnect my Macbook form the server. Result: All networks settings restored to Pre-VPN configuration. All working satisfactory.
    3. I reconnect my Macbook to the server. Result: The connection is established successfully, but no network access. Can't open any page.
    4. I disconnect my Macbook from the server. Result:everything is OK.
    5. I wait about 10-15 minutes and reconnect to my OpenVPN server. Result: everything is OK, all traffic is routed via the VPN tunnel.

    And so on...

    I have two Windows machines, using the same configuration (different certificates of course) and I have never experienced any problem.

    The question is: Why in step 3. I don't have any network access?

    Thanks for spending time with my issue, I'm looking forward to hearing from you guys!

    Regards,
    Nick
     
  4. BrianBaughn macrumors 601

    BrianBaughn

    Joined:
    Feb 13, 2011
    Location:
    Baltimore, Maryland
    #4
    Do your DNS settings look OK when you're having the issue?
     
  5. Nikolay.Zhelev thread starter macrumors newbie

    Joined:
    Oct 14, 2014
    #5
    Hi fellows,

    After extensive troubleshooting (I spent around 6 hours) I identified the problem.

    OpenVPN for Mac OS X can't use "redirect-gateway def1" and "route-gateway xx.xx.xx.xx." at the same time. It omits one or the other.

    A more detailed explanation regarding my case:

    My OpenVPN configuration is bridged using tap interface. My clients are receiving their IP addresses, DNS servers and Gateway via my DHCP server located on my OpenVPN server platform. Since that's my case, when I try to use any OpenVPN client for Mac OS X (I tried the official OpenVPN Connect Client, Viscosity and Tunnelblick) it requires both "redirect-gateway def1" and "route-gateway xx.xx.xx.xx" in order to receive full network configuration from my DHCP server. There were some suggestions to try to use "route-delay 10" or more, but that didn't helped. The problem is still present.

    I tried to perform the same thing on Windows - my configuration works great. Not a single issue. Apparantley the OpenVPN version for windows can execute both "redirect-gateway def1" and "route-gateway xx.xx.xx.xx." at the same time.

    Please, can you advise me, how can I overcome the problem in Mac OS X?

    I'm looking forward to hearing from you!

    ---
    Regards,
    Nick
     
  6. benjalamelami macrumors member

    Joined:
    Jul 30, 2012
    #6
    You probably knew way much more than any of these guys around.



     
  7. Nikolay.Zhelev thread starter macrumors newbie

    Joined:
    Oct 14, 2014
    #7
    Good morning fellows,

    Thank you for your interest in my topic.

    Regarding my case I think I identified the problem. Since my OpenVPN configuration is in bridged mode (bridging my OpenVPN server with my DHCP server on the server platform) all my clients receive their IP addresses from the DHCP server.

    OpenVPN Client has two very nice functions

    --redirect-gateway and --route-gateway.

    The first one is doing all the routing table modification and the second function is setting the default gateway to OpenVPN gateway.

    By the way my goal is to route all of my traffic via the VPN tunnel.

    Under Windows my configuration works flawlessly, but the problems appear under Mac OS X.

    When I use both --redirect-gateway and --route-gateway in my Mac OS X OpenVPN client configuration file, the --route-gateway function can't set the main default gateway of the system to my OpenVPN gateway apparently. As a result not all of my traffic is routed via the VPN tunnel, which is my problem.

    At the moment I managed to run a working configuration with Viscosity client, but still I can't manage to configure correctly Tunnelblick.

    I'll be happy if you suggest some ideas regarding my case.

    Have a nice day!

    Regards,
    Nick
     
  8. Nikolay.Zhelev thread starter macrumors newbie

    Joined:
    Oct 14, 2014
    #8
    Dear fellows,

    Problem Resolved!

    Please be aware, that this solution is valid only for Mac users, trying to connect to OpenVPN server, which is bridged with a DHCP server using tap interface and UDP protocol. Also the final goal is to route all traffic via the VPN tunnel.

    Tunnelblick now works. Finally I managed to solve my problem. Just for reference, today I installed security update 2014-005 for OS X Mavericks and disabled ipv6 protocol by typing the following command in Bash:

    networksetup -setv6off wi-fi

    I’m not sure whether this had any effect on my configuration or not, but it’s good to know what I’ve done.

    In Tunnelblick my configuration works only with: Set nameserver (3.0b10)

    The problem was that when I was using both redirect-gateway and route-gateway in my client configuration file, my tap adapter was not receiving any IP address from the DHCP server. Because of that OpenVPN was just skipping the fact that my tap adapter doesn’t have any IP address and proceeding to routing table modification, but since there was nothing to route, the client was proceeding to the next command –route-gateway.

    Since my tap adapter didn’t have an IP address, the --route-gateway command was assigning the pre-defined gateway IP address to my Wi-Fi adapter.

    Result: Complete mess.

    When I introduced the –route-delay 10 command, I set a 10 seconds holding time, before the execution of –redirect-gateway and route-gateway commands. This holding time allowed my tap adapter to receive a proper network configuration from my DHCP server and from that point all other commands make sense.

    Please if you see something, which is not right in the text above, feel free to correct me.

    Good luck to all of you, trying to resolve similar cases!

    Regards,
    Nick
     

Share This Page