How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

vodka1983

Dabbler
Joined
Jul 4, 2014
Messages
11
Since I got a little mixed up on my jail with fail2ban (I didn't realize it's really meant for the actual server with actual PF), I re-did my jail and my configs and everything works with a correct TLS handshake.

First disable ALL TLS-related stuff and make sure you can get a connection. It has to be MATCHING in server/client configs (commented out in both places); after basic authorization works, add the TLS-related stuff (auth/tls/cipher/remote lines).

Additional routing was NEEDED in this install. Some things have to absolutely match or the handshake would not happen; I tested things yesterday. When I didn't, I connected but could not route or ping to my servers on the network.

server:

port myport
proto udp
dev tun
ca /mnt/keys/ca.crt
cert /mnt/keys/openvpn-server.crt
key /mnt/keys/openvpn-server.key
dh /mnt/keys/dh1024.pem
server 172.16.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
status /var/log/openvpn/openvpn-status.log /var/log/openvpn
push "route 192.168.1.0 255.255.255.0"
route 192.168.168.1 255.255.255.0 192.168.4.1
tls-auth /mnt/openvpn/keys/ta.key 0
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


firewall:
# /usr/local/etc/ipfw.rules
ipfw -q -f flush
ipfw -q nat 1 config if epair3b
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via epair3b
ipfw -q add nat 1 all from any to any in via epair3b


rc.conf:
# /etc/rc.conf
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/keys/openvpn.conf"
openvpn_dir="/mnt/keys"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

client:

dev tun
proto udp
remote my.net myport
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert yourmom.crt
key yourmom.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 1
comp-lzo
verb 3

finally:
sysctl net.inet.ip.forwarding=1
service ipfw start
service openvpn start
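A consistency check for the points this post makes: the TLS-related settings have to agree on both sides, the tls-auth key direction is 0 on the server and 1 on the client, and every route has to be a real network address. This is an added example in Python, not code from the post or from the guide; the two configs embedded in it are constructed sample input (hostname vpn.example.invalid, port 1195) and deliberately contain one mismatch of each kind so the checker has something to report.

```python
"""Cross-check an OpenVPN server config against a client config.

Added example (not from the post or the guide). The two configs below are
constructed sample input: they deliberately disagree on 'auth', use the
same tls-auth key direction on both sides, and carry a 'route' whose
network address has host bits set.
"""
import ipaddress
import shlex

SERVER_CONF = """\
port 1195
proto udp
dev tun
server 172.16.8.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
route 192.168.168.1 255.255.255.0 172.16.8.2
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1195
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA512
comp-lzo
"""


def parse(text):
    """Map each directive to the list of argument lists it appears with.

    '#' and ';' start comments; quoted arguments (push "route ...") stay whole.
    """
    conf = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):
            continue
        parts = shlex.split(raw, comments=True)
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, key, default=None):
    """Arguments of the first occurrence of a directive, or the default."""
    return conf[key][0] if key in conf else default


def network_findings(server):
    """Flag network/mask pairs with host bits set, and LAN routes that
    collide with the VPN address pool given by the 'server' directive."""
    findings, pool, pairs = [], None, []
    for args in server.get("server", []):
        pairs.append(("server", args))
    for args in server.get("route", []):
        pairs.append(("route", args))
    for args in server.get("push", []):
        inner = args[0].split() if args else []
        if inner[:1] == ["route"]:
            pairs.append(("push route", inner[1:]))
    for label, args in pairs:
        if len(args) < 2:
            continue
        net, mask = args[0], args[1]
        try:
            loose = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        except ValueError:
            findings.append(f"{label} {net} {mask}: not a valid IPv4 network")
            continue
        if str(loose.network_address) != net:
            findings.append(f"{label} {net} {mask}: host bits set, "
                            f"network address is {loose.network_address}")
        if label == "server":
            pool = loose
        elif pool is not None and loose.overlaps(pool):
            findings.append(f"{label} {net} {mask} overlaps the VPN pool {pool}")
    return findings


def check_configs(server_text, client_text):
    """Return human-readable mismatches; an empty list means consistent."""
    s, c = parse(server_text), parse(client_text)
    findings = []
    for key, default in (("proto", "udp"), ("dev", "tun")):
        sv, cv = first(s, key, [default])[0], first(c, key, [default])[0]
        if sv != cv:
            findings.append(f"{key}: server {sv} vs client {cv}")
    sport = first(s, "port", ["1194"])[0]
    remote = first(c, "remote", [])
    cport = remote[1] if len(remote) > 1 else "1194"
    if sport != cport:
        findings.append(f"port: server listens on {sport}, client dials {cport}")
    # OpenVPN 2.3-era defaults apply when the directive is absent
    for key, default in (("cipher", "BF-CBC"), ("auth", "SHA1")):
        sv, cv = first(s, key, [default])[0], first(c, key, [default])[0]
        if sv.upper() != cv.upper():
            findings.append(f"{key}: server {sv} vs client {cv}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo: enabled on one side only")
    st, ct = first(s, "tls-auth"), first(c, "tls-auth")
    if (st is None) != (ct is None):
        findings.append("tls-auth: configured on one side only")
    elif st is not None:
        sdir = st[1] if len(st) > 1 else None
        cdir = ct[1] if len(ct) > 1 else None
        if (sdir, cdir) not in (("0", "1"), (None, None)):
            findings.append("tls-auth: key direction must be 0 on the server "
                            f"and 1 on the client (got {sdir} / {cdir})")
    findings.extend(network_findings(s))
    return findings


if __name__ == "__main__":
    for finding in check_configs(SERVER_CONF, CLIENT_CONF):
        print("MISMATCH:", finding)
```

Feed it the real files with `check_configs(open("openvpn.conf").read(), open("client.ovpn").read())`; only an empty result means the settings this post says must agree actually do.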
 

Lucas Rey

Contributor
Joined
Jul 25, 2011
Messages
180
Hello community,
I already installed the OpenVPN/Jail in a standalone FreeNAS server and all is working fine (thank you again for this great guide). Now I have to install OpenVPN in a virtual environment, so this is what I have:
Code:
192.168.10.10 => Windows Server (where the VMWare is installed)
192.168.10.11 => FreeNAS em0 interface
192.168.10.12 => OpenVPN/Jail
172.16.8.0 => VPN subnet

I followed the same procedure (twice!!) and now I'm able to connect to the VPN (via 192.168.10.12) and get an IP like 172.16.8.6. The problem is that I cannot ping the GW 172.16.8.1 and I cannot reach the server 192.168.10.10 (or other machines in the 192.168.10.0 subnet).
Maybe I'm missing some additional routing?? Please help, here is some info:

Server config:
Code:
port 1195
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh.pem
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3

Client config:
Code:
client
dev tun
proto udp
remote mysite 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
auth SHA256
comp-lzo
verb 3

Firewall Rules:
Code:
root@OpenVPN:/ # ipfw list
00100 nat 1 ip from 172.16.8.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I've had this running perfectly for several months, having decided not to update FreeNAS from 9.3.1. Last night I updated to 9.10.1-U4 as I was having some issues with other jails, and my very quick test late last night made me think this was still working (which made me very happy).

Whilst out and about today and trying to connect back to my network, I found that whilst it does connect I don't have access to the network or pass through to internet. Checked the firewall rules when I got home as I'd guessed this would be the problem, and updated the epair(n) but it's still not working. Did others have problems with a 9.3 jail when updating to 9.10? Some configuration below:

Server:

Code:
port 444
proto udp
dev tun
ca /mnt/keys/ca.crt
cert /mnt/keys/openvpn-server.crt
key /mnt/keys/openvpn-server.key
dh /mnt/keys/dh1024.pem
server 192.168.4.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.168.0 255.255.255.0"
route 192.168.168.22 255.255.255.0 192.168.4.1
#tls-auth /mnt/keys/auth.key 0
#crl-verify #/mnt/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun


Client:

Code:
client
dev tun
proto udp
remote domain.co.uk 444
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert adrian.w.crt
key adrian.w.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3
dhcp-option DNS 192.168.168.1
redirect-gateway def1


Thanks!

UPDATE

Given my jail was pretty old and running an older version of openvpn with somewhat outdated security, I thought it might be easier to just have a crack at creating a new jail and following the latest instructions. As with previous attempts, it was a little hit and miss, with problems getting the openvpn service to run (this was resolved by stopping the old jail) and then fiddling with configuration which just wasn't quite right, but after a couple of hours I have an openvpn jail up and running using the 10.3 template rather than the old 9.3 version.

Again, thanks for creating the guide and for all the helpful advice throughout the thread ;)
 

Krist8

Dabbler
Joined
Mar 27, 2017
Messages
26
Thanks for the tutorial. Although I have installed openvpn on my regular desktop, I am having big problems installing it in my FreeNAS jail. I am running FreeNAS-9.10.2-U3 (e1497f269).
I need help to understand how to create the yellow network. My purple network is 192.168.0.20 (the FN server IP), but I am not clear on how to create the yellow network. In the absence of this knowledge, I went ahead and created the jail and openvpn as follows:
Code:
Jail root:  /mnt/NAS/jails
storage source :  /mnt/NAS/keys
destination: /mnt/keys
create directory: checked
mounted ? :


After this, openvpn shows it is running, but storage /mnt/keys mounted is false.


Code:
Jail name : openvpn
Type : Standard
IPv4 dhcp : checked
IPv4 address:  DHCP
IPv4 netmask: /24 (255.255.255.0)
IPv4 alias :
IPv4 bridge address : 10.0.0.0
IPv6 autoconfig :  checked
IPv6 address: autoconf
.....
......
Sysctl: allow.raw_sockets=true
Auto start: checked
Vimage: checked


View Jail shows I have openvpn at 10.0.0.14, set to auto start, and running.

I went ahead and created ca, crt, keys, etc. and here is my openvpn.conf
Code:
port 443
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 192.168.0.20 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.0.14 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3



Here is the client on a Windows 10 laptop:

Code:
client
dev tun
proto udp
remote mypath.duckdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca "c://my path.....//ca.crt"
cert "c://my path//shum.vaiott.crt"
key "c://my path//shum.vaiott.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth "c://mypath//ta.key 1
dhcp-option DNS 8.8.8.8
redirect-gateway def1
comp-lzo
verb 3

I also set up ipfw, etc., following the instructions.
However, when I run ps aux, it does not show that openvpn is running, but in the jail it shows it is running (I restarted it many times).
On my laptop, trying to connect to openvpn, it stalls at:
Code:
tls error:TLS key negotiation failed to occur...60 sec
tls error handshake failed


As I mentioned, I am not familiar with creating networks, so if you could give me some more detailed instructions, please.
TIA
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
This thread is over three years old and is no longer contributed to by @robles. And since I no longer have the patience to repeat myself over and over again, it's recommended to post on the OpenVPN forum.

For what it's worth, every problem users have posted about can be easily answered by reading the OpenVPN HowTo & Man page... which I've stated repeatedly.
 

Krist8

Dabbler
Joined
Mar 27, 2017
Messages
26
This thread is over three years old and is no longer contributed to by @robles. And since I no longer have the patience to repeat myself over and over again, it's recommended to post on the OpenVPN forum.

For what it's worth, every problem users have posted about can be easily answered by reading the OpenVPN HowTo & Man page... which I've stated repeatedly.
Yes, I realize this thread is 3 years old, but I also see others asking questions as late as April/May 2017. As I mentioned at the start of my post, I did install OpenVPN on my debian desktop, but I do have trouble with Jails. If you feel support is no longer available, why not shut it down, remove it so that newbies like me would not stumble upon it and waste their time.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Again, @robles hasn't been active in this thread since Dec 2016... only a moderator can lock a thread.

I spent hours helping users in this thread back in April and lost patience after users, like yourself, couldn't be bothered to read through the last page or two of this thread. You can find help by doing what I suggested in my prior post, but no one is going to help users in this thread, as I was the only one doing so in recent months.

If users setting up an OpenVPN server don't believe it's important to read the OpenVPN HowTo (~15min) and Man page (~45min), something I've suggested north of 10x in the past several months, the users shouldn't be setting up an OpenVPN server or clients for that VPN.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I think it's more basic than that. If the dataset you created to store the keys isn't mounted, then how is openvpn going to find them?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I think it's more basic than that. If the dataset you created to store the keys isn't mounted, then how is openvpn going to find them?
Which we would know for sure if instead of blindly posting, users took the time to read the last few pages to see log files have been repeatedly requested, with the verbosity being server 4 client 5. Users refuse to take 5 - 10 min to read, with the result being continually repeating the same information over and over again to different users for their failure to simply read. So yeah, my patience has long since expired for users in this thread.
 

Krist8

Dabbler
Joined
Mar 27, 2017
Messages
26
Which we would know for sure if instead of blindly posting, users took the time to read the last few pages to see log files have been repeatedly requested, with the verbosity being server 4 client 5. Users refuse to take 5 - 10 min to read, with the result being continually repeating the same information over and over again to different users for their failure to simply read. So yeah, my patience has long since expired for users in this thread.
I have read the OpenVPN HowTo and Man page many times when I installed it on my debian desktop (and also while trying to make it work in a jail). So, please do not assume that I did not. As for reading this thread, I started from page one up to page 4..6 (yes, I do not have the patience to read it all). Then I started to read from the last page back through a few previous ones. If you get tired of helping, why bother to reply and make me feel bad?
Adrian is correct that if my dataset is not mounted, then OpenVPN will never run. But I followed the instructions here, so where did I fall apart? Reading the OpenVPN HowTo is not relevant, and certainly the OpenVPN forum users will never touch FreeNAS jail questions.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
The certificate files don't need to be stored on a dataset outside the jail, but the tutorial suggests this and provided the instructions.

You should have created a dataset from the storage tab (e.g. /mnt/pool/vpn) and then in the jails - storage tab mounted this dataset to a folder inside the jail. Mine looks like this:

[screenshot of the jail storage tab not available]


Where my openvpn jail is simply called 'vpn' and the pool is called 'pool'. Whether or not you choose to create a folder called 'keys' inside that is up to you, but you need to make sure the ca, cert and key lines of the openvpn.conf file are pointing to the correct location (e.g. cert /mnt/openvpn-server.crt #Server public key) and the name is the same as the file you created.

And once it's all done, I've found openvpn won't work correctly until freenas is rebooted as the network interfaces don't update by just restarting the jail. You might be able to connect, but the routing won't work until you've rebooted.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
As for reading this thread, I started from page one up to page 4..6 (yes, I do not have the patience to read it all).
On a thread with more than 5 pages that's several months to years old, I always recommend simply reading the last 2 -3 pages, as very little in the beginning is going to be relevant, other than the first post.
If you get tired of helping, why bother to reply and make me feel bad.
Purpose wasn't to make anyone feel bad, but to simply inform yourself and the other few posters before you that this thread is not a good place to get help since @robles has been inactive since Dec. With myself being the only other major troubleshooting contributor in the past several months, would you rather I simply have continued to ignore the new posts, or inform the new posters they would be better served by posting on the OpenVPN forum?
Adrian is correct that if my dataset is not mounted, then OpenVPN will never run
@robles used /mnt/keys as an example, and is not something I would recommend doing, as it's pointless unless one is planning on using the same configs and keys on other OpenVPN servers, something that shouldn't be done. I think I understand why @robles did so, but it's not the recommended way to save OpenVPN configs and certs as it provides no additional security, and actually makes the VPN less secure. OpenVPN servers should be chrooted in /var/chroot-openvpn, unless one is utilizing a router where the onboard storage doesn't provide enough storage space to operate an OpenVPN chroot (usually ~11MBytes in size).
But I followed the instructions here, so where did I fall apart?
You state you read the last few pages...or the last post I made, to which you're replying... clearly you did not. The fact that you even quoted the post you're replying to and still do not perform what needs to be done is beyond baffling... and that exact behavior is why I will no longer help you or anyone else in this thread because I'm sick of repeating myself when users refuse to read.
Reading the OpenVPN how to is not relevent, and certainly the OpenVPN forum users will never touch FreeNAS Jail questions.
I'm not sure how this idea was formulated, but it's factually inaccurate, which should be apparent considering OpenVPN is not an OS, it's a program... a program that runs on almost every OS.
  • The only thing that differs in setting up an OpenVPN server on FreeNAS versus OpenWrt, or DD-WRT, or Ubuntu, etc. is the network interface and firewall configurations - everything else is the exact same (minus a few config file quirks, such as OpenWrt utilizes option in front of config parameters).
 

Krist8

Dabbler
Joined
Mar 27, 2017
Messages
26
@Adrian, thanks, I'll start over again and see what happens
@zoomzoom, Thanks, I'll read them again.
I currently have a bit of a problem with my debian desktop, and lost/recovered my photo album server (Piwigo). So, I will be busy on that for a while before coming back to tackle openvpn. But thanks for your help.
 

ispybadguys

Dabbler
Joined
Jul 5, 2015
Messages
10
First thanks for a great post. I didn't have any issues until I got to the client part. I downloaded the OpenVPN Client 2.1.3.110 for Mac from https://ironsocket.com/setup/mac-osx/openvpn.

When I go to import home-vpn.ovpn I get an error message "Profile Import Error". My home-vpn.ovpn looks like:
Code:
client
dev tun
proto udp
remote 75.161.53.205 10010
resolv-retry infinite
nobind
persist-key
persist-tun
ca /Users/Kurt/Desktop/OpenVPN/ca.crt
cert /Users/Kurt/Desktop/OpenVPN/kurt.lanes.crt
key /Users/Kurt/Desktop/OpenVPN/kurt.lanes.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 192.168.1.1
#redirect-gateway def1
comp-lzo
verb 3


I initially tried it without the path to the desktop but it makes no difference. The only thing I did differently from the help guide was to change my name in "Robles NAS CA" to "Kurt NAS CA" and change the IP address. My router is at 192.168.1.1. OpenVPN is running and has the IP address 192.168.1.10.

I also noted that if I select connect it has a username and password. What would these be?

Thanks

Kurt
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I've just looked at mine, and I remember having some issues with the tls-auth settings so that line on mine is #'d out. Don't think you need the path to the certs either, just for them to be in the same folder as the .ovpn file.

I also prefer Tunnelblick.
 

ispybadguys

Dabbler
Joined
Jul 5, 2015
Messages
10
That was great advice Adrian. Tunnelblick pointed me right to the error and gave the line number. I had forgotten to copy the ca.crt file to the directory. I haven't been able to connect yet. It says waiting for server response; however, I am connected to my local LAN and I don't know if it is possible to go out and come back in on the WAN-side IP address. Do you know if I change the home-vpn.ovpn whether Tunnelblick will re-read that when it starts?
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
You can edit the ovpn file in Tunnelblick - from the configuration tab, click the small cog icon at the bottom and then Edit in the drop-down. Not sure if it will pick up any new certs though, so I'd just delete it and then add it again.
 

ispybadguys

Dabbler
Joined
Jul 5, 2015
Messages
10
I tried connecting from my phone hotspot and it just sits waiting. Tunnelblick log shows
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). The whole log is:
Code:
*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812); Admin user
git commit e70dc14d7a954d6fe0040b3b8c9007feb98ee29d


Configuration home-vpn

"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/home-vpn.tblk:

client
dev tun
proto udp
remote 75.161.53.205 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kurt.lanes.crt
key kurt.lanes.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address			Size	   Wired	  Name (Version) UUID <Linked Against>
  137	0 0xffffff7f81213000 0x4000	 0x4000	 com.jft.driver.PdaNetDrv (1.0.64) 652751CC-7E2D-DBD8-469F-8EEA02AE9296 <47 5 4 3 1>
  145	0 0xffffff7f833a3000 0x7000	 0x7000	 com.parallels.virtualsound (1.0.36 36) E9131806-D073-8482-AC46-B4AAE55EA6FE <122 5 4 3 1>
  152	0 0xffffff7f833aa000 0x5000	 0x5000	 com.parallels.virtualhid (1.0.3 3) B0C355DF-4268-359B-9654-0A67F4305F7B <34 5 4 3 1>
  154	0 0xffffff7f833af000 0x6000	 0x6000	 com.parallels.kext.usbconnect (11.2.3 32663) 6996036D-00B1-367C-8702-95DDF4182433 <41 7 5 4 3 1>
  155	1 0xffffff7f833b5000 0x4b000	0x4b000	com.parallels.kext.hypervisor (11.2.3 32663) 725515BB-380B-3516-B934-88FCBB16636B <12 11 7 5 4 3 1>
  156	0 0xffffff7f83400000 0xf000	 0xf000	 com.parallels.kext.netbridge (11.2.3 32663) 994B6CC2-8A2F-3400-B247-C1D094CDE243 <155 5 4 3 1>
  157	0 0xffffff7f8340f000 0x4000	 0x4000	 com.parallels.kext.vnic (11.2.3 32663) D3590543-77E3-3DB4-999B-26773E4F3389 <5 4 3 1>
  171	0 0xffffff7f83485000 0x5000	 0x5000	 com.wch.usbserial (1) 2A7CE003-3526-32C8-BC4E-62C90DF85FB5 <111 41 4 3>

================================================================================

There are no unusual files in home-vpn.tblk

================================================================================

Configuration preferences:

-lastConnectionSucceeded = 0

================================================================================

Wildcard preferences:


================================================================================

Program preferences:

launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
	"3.7.1a (build 4812)"
)
lastLaunchTime = 519532064.005171
showConnectedDurations = 1
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame ConnectingWindow = 445 443 389 187 0 0 1280 777 
detailsWindowViewIndex = 0
leftNavSelectedDisplayName = home-vpn
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SULastCheckTime = 2017-06-19 02:27:24 +0000
SULastProfileSubmissionDate = 2017-06-19 02:27:23 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

2017-06-19 05:35:44 OpenVPN 2.3.16 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on May 19 2017
2017-06-19 05:35:44 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
2017-06-19 05:35:44 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-06-19 05:35:44 Need hold release from management interface, waiting...
*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.1a (build 4812)
2017-06-19 05:35:44 *Tunnelblick: Attempting connection with home-vpn; Set nameserver = 769; monitoring connection
2017-06-19 05:35:44 *Tunnelblick: openvpnstart start home-vpn.tblk 1337 769 0 3 0 1065264 -ptADGNWradsgnw 2.3.16-openssl-1.0.2k
2017-06-19 05:35:45 *Tunnelblick: openvpnstart log:
	 OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
	 
		  /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.16-openssl-1.0.2k/openvpn
		  --daemon
		  --log
		  /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Shome--vpn.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065264.1337.openvpn.log
		  --cd
		  /Library/Application Support/Tunnelblick/Shared/home-vpn.tblk/Contents/Resources
		  --verb
		  3
		  --config
		  /Library/Application Support/Tunnelblick/Shared/home-vpn.tblk/Contents/Resources/config.ovpn
		  --verb
		  3
		  --cd
		  /Library/Application Support/Tunnelblick/Shared/home-vpn.tblk/Contents/Resources
		  --management
		  127.0.0.1
		  1337
		  --management-query-passwords
		  --management-hold
		  --script-security
		  2
		  --up
		  /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
		  --down
		  /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2017-06-19 05:35:44 *Tunnelblick: openvpnstart starting OpenVPN
2017-06-19 05:35:45 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-06-19 05:35:45 *Tunnelblick: Established communication with OpenVPN
2017-06-19 05:35:45 MANAGEMENT: CMD 'pid'
2017-06-19 05:35:45 MANAGEMENT: CMD 'state on'
2017-06-19 05:35:45 MANAGEMENT: CMD 'state'
2017-06-19 05:35:45 MANAGEMENT: CMD 'bytecount 1'
2017-06-19 05:35:45 MANAGEMENT: CMD 'hold release'
2017-06-19 05:35:45 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-19 05:35:45 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-06-19 05:35:45 UDPv4 link local: [undef]
2017-06-19 05:35:45 UDPv4 link remote: [AF_INET]75.161.53.205:10011
2017-06-19 05:35:45 MANAGEMENT: >STATE:1497872145,WAIT,,,
2017-06-19 05:36:45 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-06-19 05:36:45 TLS Error: TLS handshake failed
2017-06-19 05:36:45 SIGUSR1[soft,tls-error] received, process restarting
2017-06-19 05:36:45 MANAGEMENT: >STATE:1497872205,RECONNECTING,tls-error,,
2017-06-19 05:36:45 MANAGEMENT: CMD 'hold release'
2017-06-19 05:36:45 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-19 05:36:45 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-06-19 05:36:45 UDPv4 link local: [undef]
2017-06-19 05:36:45 UDPv4 link remote: [AF_INET]75.161.53.205:10011
2017-06-19 05:36:45 MANAGEMENT: >STATE:1497872205,WAIT,,,
2017-06-19 05:37:45 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-06-19 05:37:45 TLS Error: TLS handshake failed
2017-06-19 05:37:45 SIGUSR1[soft,tls-error] received, process restarting
2017-06-19 05:37:45 MANAGEMENT: >STATE:1497872265,RECONNECTING,tls-error,,
2017-06-19 05:37:45 MANAGEMENT: CMD 'hold release'
2017-06-19 05:37:45 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-19 05:37:45 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-06-19 05:37:45 UDPv4 link local: [undef]
2017-06-19 05:37:45 UDPv4 link remote: [AF_INET]75.161.53.205:10011
2017-06-19 05:37:45 MANAGEMENT: >STATE:1497872265,WAIT,,,
2017-06-19 05:38:45 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-06-19 05:38:45 TLS Error: TLS handshake failed
2017-06-19 05:38:45 SIGUSR1[soft,tls-error] received, process restarting
2017-06-19 05:38:45 MANAGEMENT: >STATE:1497872325,RECONNECTING,tls-error,,
2017-06-19 05:38:45 MANAGEMENT: CMD 'hold release'
2017-06-19 05:38:45 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-19 05:38:45 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-06-19 05:38:45 UDPv4 link local: [undef]
2017-06-19 05:38:45 UDPv4 link remote: [AF_INET]75.161.53.205:10011
2017-06-19 05:38:45 MANAGEMENT: >STATE:1497872325,WAIT,,,
2017-06-19 05:39:45 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-06-19 05:39:45 TLS Error: TLS handshake failed
2017-06-19 05:39:45 SIGUSR1[soft,tls-error] received, process restarting
2017-06-19 05:39:45 MANAGEMENT: >STATE:1497872385,RECONNECTING,tls-error,,
2017-06-19 05:39:46 MANAGEMENT: CMD 'hold release'
2017-06-19 05:39:46 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-06-19 05:39:46 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-06-19 05:39:46 UDPv4 link local: [undef]
2017-06-19 05:39:46 UDPv4 link remote: [AF_INET]75.161.53.205:10011
2017-06-19 05:39:46 MANAGEMENT: >STATE:1497872386,WAIT,,,

================================================================================

"Sanitized" full configuration file

client
dev tun
proto udp
remote 75.161.53.205 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kurt.lanes.crt
key kurt.lanes.key
remote-cert-tls server
cipher AES-256-CBC
#tls-auth ta.key 1
#dhcp-option DNS 192.168.1.1
#redirect-gateway def1
comp-lzo
verb 3



================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet 127.94.0.1 netmask 0xff000000 
	nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether b8:e8:56:31:df:fe 
	inet6 fe80::cdf:7ab9:e00b:4dad%en0 prefixlen 64 secured scopeid 0x4 
	inet 192.168.43.217 netmask 0xffffff00 broadcast 192.168.43.255
	inet6 2600:1011:b02f:880e:1001:e48e:9075:2351 prefixlen 64 autoconf secured 
	inet6 2600:1011:b02f:880e:c9a3:fb5f:6406:9867 prefixlen 64 autoconf temporary 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
	options=60<TSO4,TSO6>
	ether 72:00:00:56:b0:e0 
	media: autoselect <full-duplex>
	status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
	options=60<TSO4,TSO6>
	ether 72:00:00:56:b0:e1 
	media: autoselect <full-duplex>
	status: inactive
en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 0b:0b:0b:0b:0b:0b 
	inet6 fe80::2e:64d8:c2c9:fb1a%en5 prefixlen 64 secured scopeid 0x7 
	inet 169.254.23.237 netmask 0xffff0000 broadcast 169.254.255.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (10baseT/UTP <full-duplex>)
	status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
	ether 0a:e8:56:31:df:fe 
	media: autoselect
	status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
	ether de:25:f9:87:48:d0 
	inet6 fe80::dc25:f9ff:fe87:48d0%awdl0 prefixlen 64 scopeid 0x9 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
	ether 72:00:00:56:b0:e0 
	Configuration:
		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
		ipfilter disabled flags 0x2
	member: en1 flags=3<LEARNING,DISCOVER>
			ifmaxaddr 0 port 5 priority 0 path cost 0
	member: en2 flags=3<LEARNING,DISCOVER>
			ifmaxaddr 0 port 6 priority 0 path cost 0
	nd6 options=201<PERFORMNUD,DAD>
	media: <unknown type>
	status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
	inet6 fe80::ed01:dc49:9908:144b%utun0 prefixlen 64 scopeid 0xb 
	nd6 options=201<PERFORMNUD,DAD>
vnic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:1c:42:00:00:08 
	inet 10.211.55.2 netmask 0xffffff00 broadcast 10.211.55.255
	media: autoselect
	status: active
vnic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:1c:42:00:00:09 
	inet 10.37.129.2 netmask 0xffffff00 broadcast 10.37.129.255
	media: autoselect
	status: active
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::cf94:6173:8b3b:844a%utun1 prefixlen 64 scopeid 0xe 
	nd6 options=201<PERFORMNUD,DAD>

================================================================================

Console Log:

2017-06-19 05:34:50 Tunnelblick[66386] BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked

 
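The log above shows the one symptom that gets misread most often in this thread: repeated "TLS key negotiation failed to occur within 60 seconds" with no "TLS: Initial packet from" line in between, which means the client never received any reply at all. The triage function below is an added example (not Tunnelblick's or OpenVPN's code) that reads an OpenVPN client log and separates "the server never answered" (port/NAT/firewall, or a tls-auth key the server requires and the client does not send) from "the server answered but rejected the session" (CA, certificate or cipher problems) and from a completed tunnel whose LAN is still unreachable (a routing or NAT problem). The three log excerpts embedded in it are constructed in the OpenVPN 2.3 verb 3 format; 198.51.100.10 is a documentation address, not a real server.

```python
"""Triage an OpenVPN client log for TLS handshake failures.

Added example, not Tunnelblick's or OpenVPN's code. The log excerpts are
constructed in the format OpenVPN 2.3 prints at verb 3; 198.51.100.10 is a
documentation address, not a real server.
"""
import re

NO_REPLY_LOG = """\
2017-06-19 05:35:45 UDPv4 link local: [undef]
2017-06-19 05:35:45 UDPv4 link remote: [AF_INET]198.51.100.10:10011
2017-06-19 05:35:45 MANAGEMENT: >STATE:1497872145,WAIT,,,
2017-06-19 05:36:45 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-06-19 05:36:45 TLS Error: TLS handshake failed
2017-06-19 05:36:45 SIGUSR1[soft,tls-error] received, process restarting
2017-06-19 05:36:45 UDPv4 link remote: [AF_INET]198.51.100.10:10011
2017-06-19 05:37:45 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-06-19 05:37:45 TLS Error: TLS handshake failed
"""

REJECTED_LOG = """\
2017-06-19 06:00:01 UDPv4 link remote: [AF_INET]198.51.100.10:1195
2017-06-19 06:00:01 TLS: Initial packet from [AF_INET]198.51.100.10:1195, sid=0a1b2c3d 4e5f6071
2017-06-19 06:00:02 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
2017-06-19 06:00:02 TLS Error: TLS handshake failed
"""

CONNECTED_LOG = """\
2017-06-19 06:10:01 UDPv4 link remote: [AF_INET]198.51.100.10:1195
2017-06-19 06:10:01 TLS: Initial packet from [AF_INET]198.51.100.10:1195, sid=0a1b2c3d 4e5f6071
2017-06-19 06:10:03 Initialization Sequence Completed
"""

RE_REMOTE = re.compile(r"link remote: \[AF_INET6?\](\S+)")
RE_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within \d+ seconds")
RE_REPLY = re.compile(r"TLS: Initial packet from")   # first packet back from the server
RE_VERIFY = re.compile(r"VERIFY ERROR")
RE_FAILED = re.compile(r"TLS Error: TLS handshake failed")
RE_DONE = re.compile(r"Initialization Sequence Completed")

HINTS = {
    "no_reply": ("Server never answered (no 'TLS: Initial packet from' line). "
                 "Check that the client's remote host/port/proto match the server, "
                 "that the router forwards that UDP port to the jail and ipfw allows it, "
                 "and that tls-auth is set on both sides: a server running tls-auth "
                 "silently drops packets that lack the expected HMAC."),
    "handshake_rejected": ("Server replied but rejected the session. Check that the "
                           "client certificate was issued by the CA the server trusts "
                           "(and vice versa), that remote-cert-tls/ns-cert-type match "
                           "the server certificate, and that cipher and auth agree."),
    "connected": ("Tunnel established. If LAN hosts are unreachable, look at routing, "
                  "NAT and net.inet.ip.forwarding, not at TLS."),
    "unknown": "No TLS verdict in this log; collect it at verb 4 (server) / verb 5 (client).",
}


def triage(log_text):
    """Classify a client log; returns state, last remote endpoint, timeout count, hint."""
    remote, timeouts = None, 0
    saw_reply = verify_error = handshake_failed = connected = False
    for line in log_text.splitlines():
        m = RE_REMOTE.search(line)
        if m:
            remote = m.group(1)
        if RE_TIMEOUT.search(line):
            timeouts += 1
        saw_reply |= bool(RE_REPLY.search(line))
        verify_error |= bool(RE_VERIFY.search(line))
        handshake_failed |= bool(RE_FAILED.search(line))
        connected |= bool(RE_DONE.search(line))
    if connected:
        state = "connected"
    elif timeouts and not saw_reply:
        state = "no_reply"
    elif saw_reply and (verify_error or handshake_failed or timeouts):
        state = "handshake_rejected"
    else:
        state = "unknown"
    return {"state": state, "remote": remote, "attempts": timeouts, "hint": HINTS[state]}


if __name__ == "__main__":
    for name, log in (("no reply", NO_REPLY_LOG), ("rejected", REJECTED_LOG),
                      ("connected", CONNECTED_LOG)):
        result = triage(log)
        print(f"{name}: {result['state']} via {result['remote']} -> {result['hint']}")
```

Point it at the Tunnelblick log file named in the "openvpnstart" lines (`triage(open(path).read())`); the `remote` field also makes it obvious which port the client actually dialled, which is worth comparing against the `port` line in the server config before touching anything else.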

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I've just looked at mine, and I remember having some issues with the tls-auth settings so that line on mine is #'d out. Don't think you need the path to the certs either, just for them to be in the same folder as the .ovpn file.
Not entirely sure why one would run a VPN and then purposefully make it exploitable. tls-auth DOES need to be in there... It sure is exhausting typing 8 characters into a search engine or taking 15min to read the OpenVPN HowTo.

But hey, I'm just a broken record, so please ignore the repeating of the same information.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Could a moderator please lock this thread?

  1. OP hasn't been online since 12/3/16 and the last 5 pages are filled with similar posts due to members refusing to read the last 10 - 20 posts prior to posting
    • This is unnecessarily extending the thread, thereby almost ensuring users will continue to refuse to read prior posts in a thread of 600 posts at this point in time.

  2. The blind leading the blind is never a good solution, which is what's being done at this point.
    • Every issue over the past 6 months would have been more effectively handled if it had been asked on the OpenVPN forum or in its own thread on this forum.
 