gco / tunnelblick

Automatically exported from code.google.com/p/tunnelblick

Connection to Bridge VPN won't work if server is in same subnet as client #134

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I use the following config: Mac OS X 10.6.2, Intel.

I can use OpenVPN in Linux (Debian) and Windows without problems.
I can also use OpenVPN in Mac OS X with Viscosity.
When I connect via Tunnelblick, I can't route traffic over the VPN link.

Network Setup as Bridge:
   VPN Network 129.27.152.209 - 129.27.152.223, Mask 255.255.255.224
   VPN Server 129.27.152.209
   Client IP: 129.27.152.211 <- same subnet

While connecting I get this warning, which is perfectly justified.

Tue Dec 22 13:48:01 2009: WARNING: --remote address [129.27.152.209]
conflicts with --ifconfig subnet [129.27.152.211, 255.255.255.224] --
local and remote addresses cannot be inside of the --ifconfig subnet.
(silence this warning with --ifconfig-nowarn)

But I also get this warning under Linux and with Viscosity on the Mac, and it works.

With Tunnelblick I can't route traffic into the VPN link:

traceroute 129.27.152.32
traceroute to 129.27.152.32 (129.27.152.32), 64 hops max, 52 byte packets
traceroute: sendto: No route to host
 1 traceroute: wrote 129.27.152.32 52 chars, ret=-1

So this must be a routing problem.

I attached the routing tables of an active OpenVPN connection via Tunnelblick
and with Viscosity.

They differ in this entry:
default            link#5             UCSI            0        0    tap0

Could this be the problem?

best regards,
philip

ROUTING TABLE AND LOG FOR VISCOSITY
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            129.27.142.129     UGSc           21      109     en0
default            link#5             UCSI            0        0    tap0
10.27.152/24       129.27.152.209     UGSc            0        0    tap0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2    74541     lo0
129.27.142.128/25  link#4             UCS             7        0     en0
129.27.142.129     0:15:17:76:7f:a4   UHLWI          24        0     en0   1150
129.27.142.137     0:c:29:40:6c:58    UHLWI           0       16     en0   1191
129.27.142.140     0:4:75:bd:7:8b     UHLWI           2     2880     en0   1162
129.27.142.186     0:16:36:4e:4b:5c   UHLWI           2     3200     en0   1142
129.27.142.187     0:21:86:a1:3e:1    UHLWI           0     2208     en0    180
129.27.142.197     0:1c:25:9e:f7:5c   UHLWI           0     1260     en0   1106
129.27.142.202     127.0.0.1          UHS             0        0     lo0
129.27.142.255     ff:ff:ff:ff:ff:ff  UHLWbI          0        7     en0
129.27.152/25      129.27.152.209     UGSc            0        0    tap0
129.27.152.192/27  link#5             UC              3        0    tap0
129.27.152.198     0:e0:29:88:bb:7    UHLWI           0        7    tap0   1179
129.27.152.209/32  129.27.142.129     UGSc            1        0     en0
129.27.152.223     ff:ff:ff:ff:ff:ff  UHLWbI          0        3    tap0
169.254            link#4             UCS             0        0     en0
169.254.193.187    127.0.0.1          UHS             0        0     lo0

Tue Dec 22 13:47:58 2009: WARNING: No server certificate verification
method has been enabled.  See http://openvpn.net/howto.html#mitm for
more info.
Tue Dec 22 13:47:58 2009: NOTE: the current --script-security setting
may allow this configuration to call user-defined scripts
Tue Dec 22 13:47:59 2009: WARNING: this configuration may cache
passwords in memory -- use the auth-nocache option to prevent this
Tue Dec 22 13:47:59 2009: LZO compression initialized
Tue Dec 22 13:47:59 2009: UDPv4 link local: [undef]
Tue Dec 22 13:47:59 2009: UDPv4 link remote: 129.27.152.209:80
Tue Dec 22 13:47:59 2009: WARNING: this configuration may cache
passwords in memory -- use the auth-nocache option to prevent this
Tue Dec 22 13:47:59 2009: [openvpn.iaik.tugraz.at] Peer Connection
Initiated with 129.27.152.209:80
Tue Dec 22 13:48:01 2009: WARNING: --remote address [129.27.152.209]
conflicts with --ifconfig subnet [129.27.152.211, 255.255.255.224] --
local and remote addresses cannot be inside of the --ifconfig subnet.
(silence this warning with --ifconfig-nowarn)
Tue Dec 22 13:48:01 2009: TUN/TAP device /dev/tap0 opened
Tue Dec 22 13:48:01 2009: /sbin/ifconfig tap0 delete
Tue Dec 22 13:48:01 2009: NOTE: Tried to delete pre-existing tun/tap
instance -- No Problem if failure
Tue Dec 22 13:48:01 2009: /sbin/ifconfig tap0 129.27.152.211 netmask
255.255.255.224 mtu 1500 up
Tue Dec 22 13:48:01 2009:
/Applications/Viscosity.app/Contents/Resources/dnsup.py tap0 1500 1590
129.27.152.211 255.255.255.224 init
Tue Dec 22 13:48:02 2009: Initialization Sequence Completed

ROUTING TABLE AND LOG FOR TUNNELBLICK:
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            129.27.142.129     UGSc           21      109     en0
10.27.152/24       129.27.152.209     UGSc            0        0    tap0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2    79046     lo0
129.27.142.128/25  link#4             UCS             7        0     en0
129.27.142.129     0:15:17:76:7f:a4   UHLWI          24        0     en0    865
129.27.142.137     0:c:29:40:6c:58    UHLWI           0       16     en0   1199
129.27.142.140     0:4:75:bd:7:8b     UHLWI           3     3072     en0   1177
129.27.142.186     0:16:36:4e:4b:5c   UHLWI           3     3360     en0   1132
129.27.142.187     0:21:86:a1:3e:1    UHLWI           0     2208     en0
129.27.142.197     0:1c:25:9e:f7:5c   UHLWI           0     1335     en0   1132
129.27.142.202     127.0.0.1          UHS             0        0     lo0
129.27.142.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       32     en0
129.27.152/25      129.27.152.209     UGSc            0        0    tap0
129.27.152.192/27  link#5             UC              3        0    tap0
129.27.152.198     0:e0:29:88:bb:7    UHLWI           0        6    tap0   1169
129.27.152.209/32  129.27.142.129     UGSc            1        0     en0
129.27.152.223     ff:ff:ff:ff:ff:ff  UHLWbI          0        3    tap0
169.254            link#4             UCS             0        0     en0

2009-12-22 13:37:59 *Tunnelblick: OS X 10.6.2; Tunnelblick 3 (3.0b24
build 1301); OpenVPN 2 (2.1_rc20)
2009-12-22 13:38:09 *Tunnelblick: Attempting connection with
openvpn.conf; Set nameserver = 0; monitoring connection
2009-12-22 13:38:09 SUCCESS: pid=2451
2009-12-22 13:38:09 SUCCESS: real-time state notification set to ON
2009-12-22 13:38:09 SUCCESS: real-time log notification set to ON
2009-12-22 13:38:09 OpenVPN 2.1_rc20 i386-apple-darwin10.2.0 [SSL]
[LZO2] [PKCS11] built on Dec 12 2009
2009-12-22 13:38:09 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2009-12-22 13:38:09  waiting...
2009-12-22 13:38:09 MANAGEMENT: Client connected from 127.0.0.1:1337
2009-12-22 13:38:09 MANAGEMENT: CMD 'pid'
2009-12-22 13:38:09 MANAGEMENT: CMD 'state on'
2009-12-22 13:38:09 MANAGEMENT: CMD 'log on all'
2009-12-22 13:38:09 END
2009-12-22 13:38:09 MANAGEMENT: CMD 'hold release'
2009-12-22 13:38:09 SUCCESS: hold release succeeded
2009-12-22 13:38:09 MANAGEMENT: CMD 'username "Auth" "pweber"'
2009-12-22 13:38:09  but not yet verified
2009-12-22 13:38:09 MANAGEMENT: CMD 'password [...]'
2009-12-22 13:38:09  but not yet verified
2009-12-22 13:38:09 WARNING: No server certificate verification method
has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2009-12-22 13:38:09 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2009-12-22 13:38:09 MANAGEMENT: CMD 'password [...]'
2009-12-22 13:38:09  but not yet verified
2009-12-22 13:38:09 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
2009-12-22 13:38:09 LZO compression initialized
2009-12-22 13:38:09 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0
ET:0 EL:0 ]
2009-12-22 13:38:09
2009-12-22 13:38:09 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135
ET:32 EL:0 AF:3/1 ]
2009-12-22 13:38:09 Local Options hash (VER=V4): 'b498be7c'
2009-12-22 13:38:09 Expected Remote Options hash (VER=V4): '26e19fc0'
2009-12-22 13:38:09 Socket Buffers: R=[42080->65536] S=[9216->65536]
2009-12-22 13:38:09 UDPv4 link local: [undef]
2009-12-22 13:38:09 UDPv4 link remote: 129.27.152.209:80
2009-12-22 13:38:09
2009-12-22 13:38:09
2009-12-22 13:38:09  sid=650b54d2 9ad14ebc
2009-12-22 13:38:09 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
2009-12-22 13:38:09  /O=EuroPKI/CN=EuroPKI_Root_Certification_Authority
2009-12-22 13:38:09
/C=AT/O=EuroPKI/CN=EuroPKI_Austrian_Certification_Authority
2009-12-22 13:38:09
/CN=EuroPKI_IAIK_Certification_Authority/O=Graz_University_of_Technology/OU=Inst
itute_for_Applied_Information_Processing_and_Communications/L=Graz/C=AT
2009-12-22 13:38:09
/CN=EuroPKI_IAIK_SSL_CA/O=Graz_University_of_Technology/OU=Institute_for_Applied
_Information_Processing_and_Communications/L=Graz/C=AT
2009-12-22 13:38:09
/CN=openvpn.iaik.tugraz.at/O=Graz_University_of_Technology/OU=Institute_for_Appl
ied_Information_Processing_and_Communications/L=Graz/C=AT
2009-12-22 13:38:09 Data Channel Encrypt: Cipher 'AES-128-CBC'
initialized with 128 bit key
2009-12-22 13:38:09 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
2009-12-22 13:38:09 Data Channel Decrypt: Cipher 'AES-128-CBC'
initialized with 128 bit key
2009-12-22 13:38:09 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
2009-12-22 13:38:09  1024 bit RSA
2009-12-22 13:38:09 [openvpn.iaik.tugraz.at] Peer Connection Initiated
with 129.27.152.209:80
2009-12-22 13:38:10
2009-12-22 13:38:12 SENT CONTROL [openvpn.iaik.tugraz.at]:
'PUSH_REQUEST' (status=1)
2009-12-22 13:38:12 ifconfig 129.27.152.211 255.255.255.224'
2009-12-22 13:38:12 OPTIONS IMPORT: timers and/or timeouts modified
2009-12-22 13:38:12 OPTIONS IMPORT: --ifconfig/up options modified
2009-12-22 13:38:12 OPTIONS IMPORT: route options modified
2009-12-22 13:38:12 OPTIONS IMPORT: route-related options modified
2009-12-22 13:38:12 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
2009-12-22 13:38:12  255.255.255.224] -- local and remote addresses
cannot be inside of the --ifconfig subnet. (silence this warning with
--ifconfig-nowarn)
2009-12-22 13:38:12 ROUTE default_gateway=129.27.142.129
2009-12-22 13:38:12 TUN/TAP device /dev/tap0 opened
2009-12-22 13:38:12
2009-12-22 13:38:12 /sbin/ifconfig tap0 delete
2009-12-22 13:38:12 NOTE: Tried to delete pre-existing tun/tap instance
-- No Problem if failure
2009-12-22 13:38:12 /sbin/ifconfig tap0 129.27.152.211 netmask
255.255.255.224 mtu 1500 up
2009-12-22 13:38:12
2009-12-22 13:38:12 /sbin/route add -net 129.27.152.0 129.27.152.209
255.255.255.128
2009-12-22 13:38:12 /sbin/route add -net 10.27.152.0 129.27.152.209
255.255.255.0
2009-12-22 13:38:12 /sbin/route add -net 129.27.152.209 129.27.142.129
255.255.255.255
2009-12-22 13:38:12 Initialization Sequence Completed
2009-12-22 13:38:12 129.27.152.209
2009-12-22 13:41:23 event_wait : Interrupted system call (code=4)
2009-12-22 13:41:23 TCP/UDP: Closing socket
2009-12-22 13:41:23 /sbin/route delete -net 129.27.152.209
129.27.142.129 255.255.255.255
2009-12-22 13:41:23 /sbin/route delete -net 10.27.152.0 129.27.152.209
255.255.255.0
2009-12-22 13:41:23 /sbin/route delete -net 129.27.152.0 129.27.152.209
255.255.255.128
2009-12-22 13:41:23 Closing TUN/TAP interface
2009-12-22 13:41:23  process exiting
2009-12-22 13:41:23
2009-12-22 13:46:34 *Tunnelblick: Attempting connection with
openvpn.conf; Set nameserver = 0; monitoring connection
2009-12-22 13:46:34 SUCCESS: pid=2536
2009-12-22 13:46:34 SUCCESS: real-time state notification set to ON
2009-12-22 13:46:34 SUCCESS: real-time log notification set to ON
2009-12-22 13:46:34 OpenVPN 2.1_rc20 i386-apple-darwin10.2.0 [SSL]
[LZO2] [PKCS11] built on Dec 12 2009
2009-12-22 13:46:34 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2009-12-22 13:46:34  waiting...
2009-12-22 13:46:34 MANAGEMENT: Client connected from 127.0.0.1:1337
2009-12-22 13:46:34 MANAGEMENT: CMD 'pid'
2009-12-22 13:46:34 MANAGEMENT: CMD 'state on'
2009-12-22 13:46:34 MANAGEMENT: CMD 'log on all'
2009-12-22 13:46:34 END
2009-12-22 13:46:34 MANAGEMENT: CMD 'hold release'
2009-12-22 13:46:34 SUCCESS: hold release succeeded
2009-12-22 13:46:34 MANAGEMENT: CMD 'username "Auth" "pweber"'
2009-12-22 13:46:34  but not yet verified
2009-12-22 13:46:34 MANAGEMENT: CMD 'password [...]'
2009-12-22 13:46:34  but not yet verified
2009-12-22 13:46:34 WARNING: No server certificate verification method
has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2009-12-22 13:46:34 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2009-12-22 13:46:34 MANAGEMENT: CMD 'password [...]'
2009-12-22 13:46:34  but not yet verified
2009-12-22 13:46:34 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
2009-12-22 13:46:34 LZO compression initialized
2009-12-22 13:46:34 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0
ET:0 EL:0 ]
2009-12-22 13:46:34
2009-12-22 13:46:34 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135
ET:32 EL:0 AF:3/1 ]
2009-12-22 13:46:34 Local Options hash (VER=V4): 'b498be7c'
2009-12-22 13:46:34 Expected Remote Options hash (VER=V4): '26e19fc0'
2009-12-22 13:46:34 Socket Buffers: R=[42080->65536] S=[9216->65536]
2009-12-22 13:46:34 UDPv4 link local: [undef]
2009-12-22 13:46:34 UDPv4 link remote: 129.27.152.209:80
2009-12-22 13:46:34
2009-12-22 13:46:34
2009-12-22 13:46:34  sid=c281c982 f7072ec2
2009-12-22 13:46:34 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
2009-12-22 13:46:35  /O=EuroPKI/CN=EuroPKI_Root_Certification_Authority
2009-12-22 13:46:35
/C=AT/O=EuroPKI/CN=EuroPKI_Austrian_Certification_Authority
2009-12-22 13:46:35
/CN=EuroPKI_IAIK_Certification_Authority/O=Graz_University_of_Technology/OU=Inst
itute_for_Applied_Information_Processing_and_Communications/L=Graz/C=AT
2009-12-22 13:46:35
/CN=EuroPKI_IAIK_SSL_CA/O=Graz_University_of_Technology/OU=Institute_for_Applied
_Information_Processing_and_Communications/L=Graz/C=AT
2009-12-22 13:46:35
/CN=openvpn.iaik.tugraz.at/O=Graz_University_of_Technology/OU=Institute_for_Appl
ied_Information_Processing_and_Communications/L=Graz/C=AT
2009-12-22 13:46:35 Data Channel Encrypt: Cipher 'AES-128-CBC'
initialized with 128 bit key
2009-12-22 13:46:35 Data Channel Encrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
2009-12-22 13:46:35 Data Channel Decrypt: Cipher 'AES-128-CBC'
initialized with 128 bit key
2009-12-22 13:46:35 Data Channel Decrypt: Using 160 bit message hash
'SHA1' for HMAC authentication
2009-12-22 13:46:35  1024 bit RSA
2009-12-22 13:46:35 [openvpn.iaik.tugraz.at] Peer Connection Initiated
with 129.27.152.209:80
2009-12-22 13:46:36
2009-12-22 13:46:38 SENT CONTROL [openvpn.iaik.tugraz.at]:
'PUSH_REQUEST' (status=1)
2009-12-22 13:46:38 ifconfig 129.27.152.211 255.255.255.224'
2009-12-22 13:46:38 OPTIONS IMPORT: timers and/or timeouts modified
2009-12-22 13:46:38 OPTIONS IMPORT: --ifconfig/up options modified
2009-12-22 13:46:38 OPTIONS IMPORT: route options modified
2009-12-22 13:46:38 OPTIONS IMPORT: route-related options modified
2009-12-22 13:46:38 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
2009-12-22 13:46:38  255.255.255.224] -- local and remote addresses
cannot be inside of the --ifconfig subnet. (silence this warning with
--ifconfig-nowarn)
2009-12-22 13:46:38 ROUTE default_gateway=129.27.142.129
2009-12-22 13:46:38 TUN/TAP device /dev/tap0 opened
2009-12-22 13:46:38
2009-12-22 13:46:38 /sbin/ifconfig tap0 delete
2009-12-22 13:46:38 NOTE: Tried to delete pre-existing tun/tap instance
-- No Problem if failure
2009-12-22 13:46:38 /sbin/ifconfig tap0 129.27.152.211 netmask
255.255.255.224 mtu 1500 up
2009-12-22 13:46:38
2009-12-22 13:46:38 /sbin/route add -net 129.27.152.0 129.27.152.209
255.255.255.128
2009-12-22 13:46:38 /sbin/route add -net 10.27.152.0 129.27.152.209
255.255.255.0
2009-12-22 13:46:38 /sbin/route add -net 129.27.152.209 129.27.142.129
255.255.255.255
2009-12-22 13:46:38 Initialization Sequence Completed
2009-12-22 13:46:38 129.27.152.209

Original issue reported on code.google.com by philip.w...@student.tugraz.at on 22 Dec 2009 at 12:58
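
The comparison made in the report above can be reproduced mechanically. The following is an added example, not part of the original report or of Tunnelblick's code: it diffs two `netstat -rn` style tables and evaluates the condition named in the OpenVPN `--ifconfig` warning. The function names are hypothetical and the table rows are excerpts of the ones posted above.

```python
import ipaddress

# Excerpts of the two routing tables from the report (not the full tables).
VISCOSITY = """\
default            129.27.142.129     UGSc           21      109     en0
default            link#5             UCSI            0        0    tap0
129.27.142.129     0:15:17:76:7f:a4   UHLWI          24        0     en0
  1150
129.27.152/25      129.27.152.209     UGSc            0        0    tap0
129.27.152.192/27  link#5             UC              3        0    tap0
129.27.152.209/32  129.27.142.129     UGSc            1        0     en0
"""
TUNNELBLICK = """\
default            129.27.142.129     UGSc           21      109     en0
129.27.142.129     0:15:17:76:7f:a4   UHLWI          24        0     en0
   865
129.27.152/25      129.27.152.209     UGSc            0        0    tap0
129.27.152.192/27  link#5             UC              3        0    tap0
129.27.152.209/32  129.27.142.129     UGSc            1        0     en0
"""

def parse_routes(text):
    """Return {(destination, gateway, flags, netif)}; headers and stray Expire values are skipped."""
    routes = set()
    for line in text.splitlines():
        cols = line.split()
        # A route row has numeric Refs and Use columns followed by the interface.
        if len(cols) >= 6 and cols[3].isdigit() and cols[4].isdigit():
            routes.add((cols[0], cols[1], cols[2], cols[5]))
    return routes

def route_diff(a, b):
    """Routes present only in table a, and only in table b (Refs/Use/Expire ignored)."""
    ra, rb = parse_routes(a), parse_routes(b)
    return sorted(ra - rb), sorted(rb - ra)

def remote_inside_ifconfig_subnet(remote, local, netmask):
    """Condition named in the warning text: --remote lies inside the --ifconfig subnet."""
    subnet = ipaddress.ip_network(f"{local}/{netmask}", strict=False)
    return ipaddress.ip_address(remote) in subnet

if __name__ == "__main__":
    only_v, only_t = route_diff(VISCOSITY, TUNNELBLICK)
    print("only in Viscosity table:", only_v)
    print("only in Tunnelblick table:", only_t)
    print("remote inside ifconfig subnet:",
          remote_inside_ifconfig_subnet("129.27.152.209", "129.27.152.211", "255.255.255.224"))
```

Comparing on destination, gateway, flags and interface only keeps ARP-cache churn (Refs, Use, Expire) from showing up as differences.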

GoogleCodeExporter commented 9 years ago
Please try "Set nameserver (alternate 1)" using Tunnelblick 3.1beta18.

Original comment by jkbull...@gmail.com on 18 Oct 2010 at 11:00

GoogleCodeExporter commented 9 years ago

Original comment by jkbull...@gmail.com on 31 Oct 2010 at 12:45