tomjamescn / tunnelblick

Automatically exported from code.google.com/p/tunnelblick
0 stars 0 forks source link

Repeated disconnection/reconnection attempts on Mountain Lion #206

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
On OS X 10.8.1 or 10.8.2 ("Mountain Lion") some configurations that use "Set 
nameserver" causes Tunnelblick to continuously disconnect and reconnect the 
configuration.

The disconnect/reconnect will appear in the log as something similar to:

2012-03-26 22:17:33 *Tunnelblick process-network-changes: SearchDomains changed 
from
                    *                    
                    *                     to
                    *                    <array> {
                    *                    0 : openvpn
                    *                    }
                    *                    pre-VPN was
                    *                    

To work around this problem while still using "Set nameserver", you can do the 
following:

Click the "Advanced" button on the "Settings" tab for the configuration, then 
select the "While Connected" tab. Change the setting for "Search domain" in the 
right-hand column (the "When changes to anything else" column) from "Restart 
connection" to "Ignore". That will ignore the changes to "Search domain".

Anyone with a similar problem on Mountain Lion but not involving 
"SearchDomains", please post the extract from the log that is similar to the 
above extract, including the name of the item that changed.

Original issue reported on code.google.com by jkbull...@gmail.com on 26 Mar 2012 at 2:33

GoogleCodeExporter commented 9 years ago
Same "SearchDomain" issue for me on 10.7.3 and Tunnelblick 3.2.3 (build 
2891.2932) Unsigned  -  OpenVPN 2.2.1. 

Original comment by schapra...@gmail.com on 26 Apr 2012 at 1:41

GoogleCodeExporter commented 9 years ago
OS X 10.7.3 Tunnelblick 3.2.3 or 3.2.4 keeps reconnect even with disabled 
"Monitor network settings" flag and restart. Is there any other known 
workaround to make it work?

Original comment by Sergi.Vl...@gmail.com on 29 Apr 2012 at 8:15

GoogleCodeExporter commented 9 years ago
3.3beta04 the same issue.

Original comment by Sergi.Vl...@gmail.com on 29 Apr 2012 at 8:29

GoogleCodeExporter commented 9 years ago
I have the same problem on Mountain Lion with the stable version of Tunnelblick.
It's the same with Viscosity. BUT, in the new beta of Viscosity 
(http://www.thesparklabs.com/forum/viewtopic.php?f=7&t=34#p134) it's fixed! So 
if anyone wants OpenVPN to work on Mountain Lion I can recommend the new beta 
of Viscosity meanwhile.

Original comment by nygg...@gmail.com on 28 May 2012 at 9:18

GoogleCodeExporter commented 9 years ago
@nygganh --

The workaround doesn't work for you? If not, it is a different problem (with 
the same symptom) and will probably have a different solution. I would 
encourage you to post the complete Tunnelblick log and your configuration file 
to help solve your problem using Tunnelblick.

Original comment by jkbull...@gmail.com on 28 May 2012 at 10:35

GoogleCodeExporter commented 9 years ago
@Sergei --

You are also having a different problem with the same symptom. Please post the 
complete Tunnelblick log and your configuration file.

Original comment by jkbull...@gmail.com on 28 May 2012 at 10:41

GoogleCodeExporter commented 9 years ago
I have similar problem. But I fixed it by set DNS to "Set nameserver (3.1)".

Original comment by Ranm...@gmail.com on 23 Jun 2012 at 5:08

GoogleCodeExporter commented 9 years ago
I have similar problem. Setting 'Search domains' to 'Ignore' in the 'While 
Connected' tab prevents disconnects. However OS X Mountain Lion DP 4 looses 
Internet connection entirely. Everything worked fine in OS X Lion.

Original comment by nsk...@gmail.com on 27 Jun 2012 at 7:05

GoogleCodeExporter commented 9 years ago
To add a note, by implementing the workaround (either setting name servers to 
ignore or using 3.1 as descibed above) I lost all DNS connectivity.  Only after 
manually adding DNS's to the OS X Network settings (I used Google's 8.8.8.8 and 
8.8.4.4) did things start to work again.

Original comment by mar...@ohsocool.org on 11 Jul 2012 at 11:44

GoogleCodeExporter commented 9 years ago
yes, I have the same problem.  Once I set Advanced->Monitor Network settings-> 
Search Domain in right column to Ignore, it no longer disconnects but I lose 
all network connectivity. I had set the DNS server manually to get accesss to 
the Internet and use IP addresses of the company build servers to ssh into 
them. DNS is no workee!!!! I updated to OSX mountain lion yesterday. Someone 
please escalate a fix for this issue as it will affect a lot of people when the 
mountain lion comes up in one week.

Original comment by a...@arista.com on 11 Jul 2012 at 6:52

GoogleCodeExporter commented 9 years ago
It would help fix the problem faster if people would post their configuration 
files and logs (preferably both from Lion and from Mountain Lion using the same 
configuration file):

To get the Tunnelblick log on the Clipboard so you can paste it into an email:
1. Click the Tunnelblick icon
2. Click "VPN Details…"
3. Select the "Configurations" panel if it is not already selected
4. Select the configuration whose file you want to look at in the list on the 
left
5. Select the "Log" tab if it is not already selected
6. Click "Copy Log to Clipboard"

To put the contents of your configuration file on the Clipboard so you can 
paste it into an email, open it in TextEdit as follows:
1. Click the Tunnelblick icon
2. Click "VPN Details…"
3. Select the "Configurations" panel if it is not already selected
4. Select the configuration whose file you want to look at in the list on the 
left
5. Click the little "gear" icon at the bottom of the list on the left
6. Select "Edit OpenVPN Configuration File…" (or possibly "Examine OpenVPN 
Configuration File…").
7. In TextEdit you can Edit : Select All and then Edit : Copy to get the 
contents of the configuration file put into the clipboard.

Original comment by jkbull...@gmail.com on 11 Jul 2012 at 9:23

GoogleCodeExporter commented 9 years ago
Here's my TunnelBlk logs:

2012-07-11 14:33:26 *Tunnelblick: OS X 10.8.0; Tunnelblick 3.3beta06 (build 
3028)
2012-07-11 14:33:26 *Tunnelblick: Attempting connection with Arista-TCP-Corp; 
Set nameserver = 1; monitoring connection
2012-07-11 14:33:26 *Tunnelblick: 
/Applications/Tunnelblick.app/Contents/Resources/openvpnstart start 
Arista-TCP-Corp.conf 1337 1 0 0 0 49 -atDANGWrdasngw 
2012-07-11 14:33:26 *Tunnelblick: openvpnstart message: Loading tun.kext

2012-07-11 14:33:26 OpenVPN 2.3-alpha1 i386-apple-darwin10.7.1 [SSL (OpenSSL)] 
[LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on 
May  3 2012
2012-07-11 14:33:26 WARNING: No server certificate verification method has been 
enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-07-11 14:33:26 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-11 14:33:26 WARNING: file 'Arista-TCP.p12' is group or others accessible
2012-07-11 14:33:26 Attempting to establish TCP connection with 
[AF_INET]4.53.128.220:1194 [nonblock]
2012-07-11 14:33:26 TCP: connect to [AF_INET]4.53.128.220:1194 failed, will try 
again in 5 seconds: No route to host
2012-07-11 14:33:26 *Tunnelblick: openvpnstart starting OpenVPN:
                    *                    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn --cd /Users/asinha/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1337 --config /Users/asinha/Library/Application Support/Tunnelblick/Configurations/Arista-TCP-Corp.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Sani-SLibrary-SApplication Support-STunnelblick-SConfigurations-SArista--TCP--Corp.conf.1_0_0_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDANGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDANGWrdasngw --up-restart --route-pre-down /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atDANGWrdasngw
2012-07-11 14:33:31 TCP: connect to [AF_INET]4.53.128.220:1194 failed, will try 
again in 5 seconds: No route to host
2012-07-11 14:33:36 TCP: connect to [AF_INET]4.53.128.220:1194 failed, will try 
again in 5 seconds: No route to host
2012-07-11 14:33:42 TCP connection established with [AF_INET]4.53.128.220:1194
2012-07-11 14:33:42 TCPv4_CLIENT link local: [undef]
2012-07-11 14:33:42 TCPv4_CLIENT link remote: [AF_INET]4.53.128.220:1194
2012-07-11 14:33:42 WARNING: this configuration may cache passwords in memory 
-- use the auth-nocache option to prevent this
2012-07-11 14:33:45 [AristanetworksVPN] Peer Connection Initiated with 
[AF_INET]4.53.128.220:1194
2012-07-11 14:33:48 TUN/TAP device /dev/tun0 opened
2012-07-11 14:33:48 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2012-07-11 14:33:48 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-07-11 14:33:48 NOTE: Tried to delete pre-existing tun/tap instance -- No 
Problem if failure
2012-07-11 14:33:48 /sbin/ifconfig tun0 172.22.128.254 172.22.128.253 mtu 1500 
netmask 255.255.255.255 up
2012-07-11 14:33:48 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDANGWrdasngw tun0 1500 1560 172.22.128.254 172.22.128.253 init
                                          No such key
                                        add net 172.16.0.0: gateway 172.22.128.253
                                        add net 10.0.0.0: gateway 172.22.128.253
                                        add net 10.1.0.0: gateway 172.22.128.253
                                        add net 10.60.20.0: gateway 172.22.128.253
                                        add net 10.190.241.0: gateway 172.22.128.253
                                        add net 10.255.252.0: gateway 172.22.128.253
                                        add net 10.255.250.0: gateway 172.22.128.253
                                        add net 172.22.128.0: gateway 172.22.128.253
2012-07-11 14:33:50 Initialization Sequence Completed
2012-07-11 14:40:17 event_wait : Interrupted system call (code=4)
2012-07-11 14:40:17 
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m 
-w -d -atDANGWrdasngw tun0 1500 1560 172.22.128.254 172.22.128.253 restart
2012-07-11 14:40:17 SIGUSR1[hard,] received, process restarting
2012-07-11 14:40:17 WARNING: No server certificate verification method has been 
enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-07-11 14:40:17 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-11 14:40:17 Attempting to establish TCP connection with 
[AF_INET]4.53.128.220:1194 [nonblock]
2012-07-11 14:40:18 TCP connection established with [AF_INET]4.53.128.220:1194
2012-07-11 14:40:18 TCPv4_CLIENT link local: [undef]
2012-07-11 14:40:18 TCPv4_CLIENT link remote: [AF_INET]4.53.128.220:1194
2012-07-11 14:40:20 [AristanetworksVPN] Peer Connection Initiated with 
[AF_INET]4.53.128.220:1194
2012-07-11 14:40:22 Preserving previous TUN/TAP instance: tun0
2012-07-11 14:40:22 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDANGWrdasngw tun0 1500 1560 172.22.128.254 172.22.128.253 restart
                                          No such key
2012-07-11 14:40:24 NOTE: Pulled options changed on restart, will need to close 
and reopen TUN/TAP device.
2012-07-11 14:40:24 
/Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelbli
ck.sh -m -w -d -atDANGWrdasngw tun0 1500 1560 172.22.128.254 172.22.128.253 init
                                        delete net 172.22.128.0: gateway 172.22.128.253
                                        delete net 10.255.250.0: gateway 172.22.128.253
                                        delete net 10.255.252.0: gateway 172.22.128.253
                                        delete net 10.190.241.0: gateway 172.22.128.253
                                        delete net 10.60.20.0: gateway 172.22.128.253
                                        delete net 10.1.0.0: gateway 172.22.128.253
                                        delete net 10.0.0.0: gateway 172.22.128.253
                                        delete net 172.16.0.0: gateway 172.22.128.253
2012-07-11 14:40:24 
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m 
-w -d -atDANGWrdasngw tun0 1500 1560 172.22.128.254 172.22.128.253 init
2012-07-11 14:40:26 TUN/TAP device /dev/tun0 opened
2012-07-11 14:40:26 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2012-07-11 14:40:26 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-07-11 14:40:26 NOTE: Tried to delete pre-existing tun/tap instance -- No 
Problem if failure
2012-07-11 14:40:26 /sbin/ifconfig tun0 172.22.128.62 172.22.128.61 mtu 1500 
netmask 255.255.255.255 up
2012-07-11 14:40:26 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDANGWrdasngw tun0 1500 1560 172.22.128.62 172.22.128.61 init
                                          No such key
                                        add net 172.16.0.0: gateway 172.22.128.61
                                        add net 10.0.0.0: gateway 172.22.128.61
                                        add net 10.1.0.0: gateway 172.22.128.61
                                        add net 10.60.20.0: gateway 172.22.128.61
                                        add net 10.190.241.0: gateway 172.22.128.61
                                        add net 10.255.252.0: gateway 172.22.128.61
                                        add net 10.255.250.0: gateway 172.22.128.61
                                        add net 172.22.128.0: gateway 172.22.128.61
2012-07-11 14:40:28 Initialization Sequence Completed
OpenVPN started successfully. Command used to start OpenVPN (one argument per 
displayed line):

     /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn
     --cd
     /Users/asinha/Library/Application Support/Tunnelblick/Configurations
     --daemon
     --management
     127.0.0.1
     1337
     --config
     /Users/asinha/Library/Application Support/Tunnelblick/Configurations/Arista-TCP-Corp.conf
     --log
     /Library/Application Support/Tunnelblick/Logs/-SUsers-Sani-SLibrary-SApplication Support-STunnelblick-SConfigurations-SArista--TCP--Corp.conf.1_0_0_0_49.1337.openvpn.log
     --management-query-passwords
     --management-hold
     --script-security
     2
     --up
     /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDANGWrdasngw
     --down
     /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDANGWrdasngw
     --up-restart
     --route-pre-down
     /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atDANGWrdasngw
2012-07-11 14:33:26 *Tunnelblick: Established communication with OpenVPN
2012-07-11 14:33:26 *Tunnelblick: Obtained VPN username and password from the 
Keychain
2012-07-11 14:33:50 *Tunnelblick: Flushed the DNS cache
2012-07-11 14:40:28 *Tunnelblick: Flushed the DNS cache

And here's the config file :

dev tun
persist-tun
persist-key
proto tcp-client
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote 4.53.128.220 1194
auth-user-pass
pkcs12 Arista-TCP.p12
comp-lzo

Original comment by a...@arista.com on 11 Jul 2012 at 9:45

GoogleCodeExporter commented 9 years ago
 @ani - Thanks. Two things:

(1) If you are using your IPS's DNS servers (for example, from home) and you 
connect to a VPN, all your DNS queries will go through the VPN, and appear to 
the ISP's DNS servers to be from outside their network. Many ISPs ignore such 
requests, with the result that you appear to have lost all connectivity (but 
pings would still work). In that case, since your VPN server isn't "pushing" 
its own DNS servers to you, you will need to set DNS servers manually in your 
System Preferences Network panel. You can, for example, use Google's public DNS 
servers at 8.8.8.8 and 8.8.4.4, or use OpenDNS's, or whatever else you want.

(2) That said, it also looks possible that Tunnelblick's 
"client.up.tunnelblick.sh" script is crashing. Can you check your console log 
for any relevant messages? Thanks.

Original comment by jkbull...@gmail.com on 11 Jul 2012 at 10:16

GoogleCodeExporter commented 9 years ago
I am pretty sure it used to. I never had to add DNS servers manually in
Lion.

When DNS stopped working, I had to add them manually. I now manually added
Google's DNS servers and our internal DNS server IPs.

Nop! nothing in console log yet!

Ani

Original comment by a...@arista.com on 11 Jul 2012 at 10:35

GoogleCodeExporter commented 9 years ago
I resolved this issue by adding the following on server side and without 
modifying tunnelblick config (as people suggested):

push dhcp-option DOMAIN example.com

and then restart openvpn server

Now I can see that the correct DNS and domain are pushed, but it only does IP 
resolution and not NAME resolution. For example, on terminal I can do "host 
foo.example.com" and it shows the correct IP, and in Chrome/Safari I can go to 
the site by entering the IP of foo.example.com but if I enter foo.example.com 
in URL it does not resolve! I get the following error:

Error 105 (net::ERR_NAME_NOT_RESOLVED): Unable to resolve the server's DNS 
address.

I am using Mountain Lion GM and the same configuration used to work on Lion and 
they are currently working on Ubuntu and Windows (by other dev users for the 
company). I have tried with Tunnelblick 3.2.6 stable. Does anyone have any 
solutions?

Original comment by moksh.kh...@gmail.com on 12 Jul 2012 at 4:27

GoogleCodeExporter commented 9 years ago
I have restored my Mac to Lion and the DNS works as before. Here's the log from 
Tunnelblick ;

2012-07-12 10:33:47 *Tunnelblick: OS X 10.7.4; Tunnelblick 3.2.5 (build 
2891.3004)
2012-07-12 10:33:47 *Tunnelblick: Attempting connection with Arista-TCP-Corp; 
Set nameserver = 1; monitoring connection
2012-07-12 10:33:47 *Tunnelblick: 
/Applications/Tunnelblick.app/Contents/Resources/openvpnstart start 
Arista-TCP-Corp.conf 1337 1 0 0 0 49 -atDASNGWrdasngw 
2012-07-12 10:33:47 *Tunnelblick: openvpnstart message: Loading tun.kext
2012-07-12 10:33:47 *Tunnelblick: Established communication with OpenVPN
2012-07-12 10:33:47 *Tunnelblick: Obtained VPN username and password from the 
Keychain
2012-07-12 10:33:47 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] 
[eurephia] built on Apr 27 2012
2012-07-12 10:33:47 WARNING: No server certificate verification method has been 
enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-07-12 10:33:47 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-12 10:33:47 WARNING: file 'Arista-TCP.p12' is group or others accessible
2012-07-12 10:33:47 LZO compression initialized
2012-07-12 10:33:47 *Tunnelblick: openvpnstart: 
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn 
--cd /Users/asinha/Library/Application Support/Tunnelblick/Configurations 
--daemon --management 127.0.0.1 1337 --config /Users/asinha/Library/Application 
Support/Tunnelblick/Configurations/Arista-TCP-Corp.conf --log 
/Library/Application 
Support/Tunnelblick/Logs/-SUsers-Sani-SLibrary-SApplication 
Support-STunnelblick-SConfigurations-SArista--TCP--Corp.conf.1_0_0_0_49.1337.ope
nvpn.log --management-query-passwords --management-hold --script-security 2 
--up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh 
-m -w -d -atDASNGWrdasngw --down 
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m 
-w -d -atDASNGWrdasngw --up-restart
2012-07-12 10:33:48 Attempting to establish TCP connection with 
4.53.128.220:1194 [nonblock]
2012-07-12 10:33:49 TCP connection established with 4.53.128.220:1194
2012-07-12 10:33:49 TCPv4_CLIENT link local: [undef]
2012-07-12 10:33:49 TCPv4_CLIENT link remote: 4.53.128.220:1194
2012-07-12 10:33:49 WARNING: this configuration may cache passwords in memory 
-- use the auth-nocache option to prevent this
2012-07-12 10:33:51 [AristanetworksVPN] Peer Connection Initiated with 
4.53.128.220:1194
2012-07-12 10:33:54 TUN/TAP device /dev/tun0 opened
2012-07-12 10:33:54 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-07-12 10:33:54 NOTE: Tried to delete pre-existing tun/tap instance -- No 
Problem if failure
2012-07-12 10:33:54 /sbin/ifconfig tun0 172.22.129.10 172.22.129.9 mtu 1500 
netmask 255.255.255.255 up
2012-07-12 10:33:54 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDASNGWrdasngw tun0 1500 1560 172.22.129.10 172.22.129.9 init
                                          No such key
                                        add net 172.16.0.0: gateway 172.22.129.9
                                        add net 10.0.0.0: gateway 172.22.129.9
                                        add net 10.1.0.0: gateway 172.22.129.9
                                        add net 10.60.20.0: gateway 172.22.129.9
                                        add net 10.190.241.0: gateway 172.22.129.9
                                        add net 10.255.252.0: gateway 172.22.129.9
                                        add net 10.255.250.0: gateway 172.22.129.9
                                        add net 172.22.128.0: gateway 172.22.129.9
2012-07-12 10:33:56 *Tunnelblick: Flushed the DNS cache
2012-07-12 10:33:56 Initialization Sequence Completed

Original comment by a...@arista.com on 12 Jul 2012 at 5:40

GoogleCodeExporter commented 9 years ago
Ah. Different version of Tunnelblick, too.

Can you get the log for 3.3beta06 on Lion? (You can just download the .dmg
and drag the Tunnelblick icon to the Desktop and run it from there; that
way you leave your existing 3.2.5 in /Applications uchanged.)

Original comment by jkbull...@gmail.com on 12 Jul 2012 at 5:49

GoogleCodeExporter commented 9 years ago
Here goes :

2012-07-12 10:57:14 *Tunnelblick: OS X 10.7.4; Tunnelblick 3.3beta06 (build 
3028)
2012-07-12 10:57:14 *Tunnelblick: Attempting connection with Arista-TCP-Corp; 
Set nameserver = 1; monitoring connection
2012-07-12 10:57:14 *Tunnelblick: 
/Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/openvpnstart start 
Arista-TCP-Corp.conf 1337 1 0 0 0 49 -atDASNGWrdasngw 
2012-07-12 10:57:14 *Tunnelblick: openvpnstart message: Loading tun.kext

2012-07-12 10:57:14 OpenVPN 2.3-alpha1 i386-apple-darwin10.7.1 [SSL (OpenSSL)] 
[LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on 
May  3 2012
2012-07-12 10:57:14 *Tunnelblick: openvpnstart starting OpenVPN:
                    *                    /Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn --cd /Users/asinha/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1337 --config /Users/asinha/Library/Application Support/Tunnelblick/Configurations/Arista-TCP-Corp.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Sani-SLibrary-SApplication Support-STunnelblick-SConfigurations-SArista--TCP--Corp.conf.1_0_0_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart --route-pre-down /Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atDASNGWrdasngw
2012-07-12 10:57:15 WARNING: No server certificate verification method has been 
enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-07-12 10:57:15 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-12 10:57:15 WARNING: file 'Arista-TCP.p12' is group or others accessible
2012-07-12 10:57:15 Attempting to establish TCP connection with 
[AF_INET]4.53.128.220:1194 [nonblock]
2012-07-12 10:57:16 TCP connection established with [AF_INET]4.53.128.220:1194
2012-07-12 10:57:16 TCPv4_CLIENT link local: [undef]
2012-07-12 10:57:16 TCPv4_CLIENT link remote: [AF_INET]4.53.128.220:1194
2012-07-12 10:57:16 WARNING: this configuration may cache passwords in memory 
-- use the auth-nocache option to prevent this
2012-07-12 10:57:18 [AristanetworksVPN] Peer Connection Initiated with 
[AF_INET]4.53.128.220:1194
2012-07-12 10:57:21 TUN/TAP device /dev/tun0 opened
2012-07-12 10:57:21 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2012-07-12 10:57:21 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-07-12 10:57:21 NOTE: Tried to delete pre-existing tun/tap instance -- No 
Problem if failure
2012-07-12 10:57:21 /sbin/ifconfig tun0 172.22.129.34 172.22.129.33 mtu 1500 
netmask 255.255.255.255 up
2012-07-12 10:57:21 
/Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.s
h -m -w -d -atDASNGWrdasngw tun0 1500 1560 172.22.129.34 172.22.129.33 init
                                          No such key
                                        add net 172.16.0.0: gateway 172.22.129.33
                                        add net 10.0.0.0: gateway 172.22.129.33
                                        add net 10.1.0.0: gateway 172.22.129.33
                                        add net 10.60.20.0: gateway 172.22.129.33
                                        add net 10.190.241.0: gateway 172.22.129.33
                                        add net 10.255.252.0: gateway 172.22.129.33
                                        add net 10.255.250.0: gateway 172.22.129.33
                                        add net 172.22.128.0: gateway 172.22.129.33
2012-07-12 10:57:23 Initialization Sequence Completed
OpenVPN started successfully. Command used to start OpenVPN (one argument per 
displayed line):

     /Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn
     --cd
     /Users/asinha/Library/Application Support/Tunnelblick/Configurations
     --daemon
     --management
     127.0.0.1
     1337
     --config
     /Users/asinha/Library/Application Support/Tunnelblick/Configurations/Arista-TCP-Corp.conf
     --log
     /Library/Application Support/Tunnelblick/Logs/-SUsers-Sani-SLibrary-SApplication Support-STunnelblick-SConfigurations-SArista--TCP--Corp.conf.1_0_0_0_49.1337.openvpn.log
     --management-query-passwords
     --management-hold
     --script-security
     2
     --up
     /Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw
     --down
     /Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw
     --up-restart
     --route-pre-down
     /Users/asinha/Desktop/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atDASNGWrdasngw
2012-07-12 10:57:15 *Tunnelblick: Established communication with OpenVPN
2012-07-12 10:57:15 *Tunnelblick: Obtained VPN username and password from the 
Keychain
2012-07-12 10:57:23 *Tunnelblick: Flushed the DNS cache

DNS works on this beta version too, albeit on mac 10.7.4

Original comment by a...@arista.com on 12 Jul 2012 at 5:59

GoogleCodeExporter commented 9 years ago
Thanks, ani.

The only thing that seem different about 10.8 is that it has trouble
connecting to the VPN server the first time:

2012-07-11 14:33:31 TCP: connect to [AF_INET]4.53.128.220:1194 failed, will

which seems odd, but doesn't really seem relevant to the problem.

I am also puzzled as to why client.up.tunnelblick.sh didn't output any
messages, but since it didn't output any in either log, nor did anything
show up the Console log, I don't know what that means.

So it looks like it may be something in OpenVPN, or possibly Tuntap.

Let me make sure I understand the problem (on 10.8):

   - The VPN connects and stays connected (after setting Advanced->Monitor
   Network settings-> Search Domain in right column to Ignore)
   - You can't browse to anything, either by name (www.google.com) or by IP
   address (173.194.75.104)
   - Nothing shows up in the Console log.

Also, did you try OpenVPN 2.2.1 when on 10.8? (It's on the "Preference" tab
of the "VPN Details…" window.)

Thanks for all your help with this.

BTW, can you dual boot (10.7 and 10.8) or did you just revert to 10.7 on
your (single) setup?

Original comment by jkbull...@gmail.com on 12 Jul 2012 at 6:48

GoogleCodeExporter commented 9 years ago
On your three points regarding 10.8 :
-yes, it does stay connected after that settings change.
- no, I can still browse using IP or if I set my /etc/hosts to resolve the 
names to IPs. So it seems the issue is DNS specific.
- yes, no crash logs on the console log.

Unfortunately I only have my work mac and I have restored it to 10.7.4 from my 
time machine. Don't want to much around with my work mac anymore.

Original comment by a...@arista.com on 12 Jul 2012 at 6:56

GoogleCodeExporter commented 9 years ago
OK, thanks for clarifying, and for all your help.

Original comment by jkbull...@gmail.com on 12 Jul 2012 at 7:00

GoogleCodeExporter commented 9 years ago
Is there a way to verify from TunnelBlick logs that the vpn server is pushing 
the DNS server IPs to the client? In the network settings, I do see that the 
corporate DNS server IPS are populated but in Mountain Lion they were not.

Original comment by a...@arista.com on 12 Jul 2012 at 7:09

GoogleCodeExporter commented 9 years ago
I assume you are talking about when the VPN is connected. If so, it looks
like that's the problem.

I see nothing in either the 10.7 or 10.8 logs that shows *anything* being
pushed.

Usually there would be a pair of log entries similar to the following:

2012-07-12 15:14:41 SENT CONTROL [*server-name*]: 'PUSH_REQUEST' (status=1)

 I have no idea why 10.7 is setting the DNS servers and 10.8 isn't. It
could be that the network settings in 10.7 had the corporate DNS servers
set manually -- I would expect the corporate DHCP to treat 10.7 and 10.8
the same.

I wonder if it could have anything to do with IPv6? Does your Corporate
network use it at all? Maybe that's changed in 10.8.

Original comment by jkbull...@gmail.com on 12 Jul 2012 at 7:31

GoogleCodeExporter commented 9 years ago
I have the exact same problem as above only on OS X 10.8 - I have tried with 
both the beta and the stable versions and can not replicate the problem in OS X 
10.7.  I am not connecting to a corporate VPN.  Setting 8.8.8.8 and 8.8.4.4 
allows me to browse the internet as normal on OS X 10.8 while connected through 
Tunnelblick.

Original comment by mar...@ohsocool.org on 12 Jul 2012 at 7:50

GoogleCodeExporter commented 9 years ago
martin, thanks for your report. Does anything show up in the Console
log<http://code.google.com/p/tunnelblick/wiki/cConsoleLog>?
I'm particularly looking for anything from the program "
client.up.tunnelblick.sh".

Also, please post your configuration file and log on 10.7 and 10.8 if
possible. Do you know if your VPN server should be "pushing" anything to
the client?

Original comment by jkbull...@gmail.com on 12 Jul 2012 at 7:56

GoogleCodeExporter commented 9 years ago
Just heard from a co-worker of mine that the same issue is hitting him too. 
Looks like lot of people are seeing the same problem. 

Original comment by a...@arista.com on 12 Jul 2012 at 8:46

GoogleCodeExporter commented 9 years ago
May be there is a verbose mode that spits out more information?

Original comment by a...@arista.com on 12 Jul 2012 at 8:58

GoogleCodeExporter commented 9 years ago
The default is "verb 3", which should log enough to see what is happening.
What's odd is that even though it is apparently at verb 3, it isn't showing
any "push" request or any "push" info coming back from the server.

Adding "verb 4" to the client's configuration file will log more, so it's
worth a try.

Original comment by jkbull...@gmail.com on 12 Jul 2012 at 9:06

GoogleCodeExporter commented 9 years ago
Got something now :

2012-07-12 14:12:40 us=399672 PUSH: Received control message: 'PUSH_REPLY,route 
172.16.0.0 255.240.0.0,dhcp-option DOMAIN sjc.aristanetworks.com,dhcp-optio\
     n DNS 172.22.22.10,dhcp-option DNS 172.22.22.40,dhcp-option NTP 172.22.22.50,route 10.0.0.0 255.255.255.0,route 10.1.0.0 255.255.255.0,route 10.60.20.0 255\
     .255.255.0,route 10.190.241.0 255.255.255.0,route 10.255.252.0 255.255.254.0,route 10.255.250.0 255.255.255.0,dhcp-option DOMAIN aristanetworks.com,dhcp-op\
     tion DOMAIN sjc.aristanetworks.com,route 172.22.128.0 255.255.252.0,topology net30,ping 10,ping-restart 60,ifconfig 172.22.128.90 172.22.128.89'  

Can't paste all the log without auditing - it might contain some sensitive 
information. I think it's worthwhile to try the same with verb 4 on mountain 
Lion and see what we get. Unfortunately, I am back on Lion.

Original comment by a...@arista.com on 12 Jul 2012 at 9:19

GoogleCodeExporter commented 9 years ago
Thanks. Don't need the rest of the log (although a 10.8 log might help).
Maybe your VPN server sends a "verb 2" or something, and that's why you
didn't get it before. Maybe even if you did "verb 3" it would show up.

The other thing you should see in the log is something like

and

If your co-worker still has Mountain Lion, maybe they could see if their
log contains something similar. Or if their Console log has anything.

And when they check the Console log they should check "All Messages".

I just tried my test setups on Mountain Lion and they worked fine, so it
must have to do with some particular OpenVPN option that's being used.

Original comment by jkbull...@gmail.com on 12 Jul 2012 at 10:09

GoogleCodeExporter commented 9 years ago
Hi I'm ani's coworker. I don't see anything interesting in the console log. 
Here's my log on Mountain Lion using the same config:

2012-07-12 23:42:44 *Tunnelblick: OS X 10.8.0; Tunnelblick 3.3beta06 (build 
3028) Unsigned
2012-07-12 23:42:44 *Tunnelblick: Attempting connection with Arista-TCP-Corp; 
Set nameserver = 1; monitoring connection
2012-07-12 23:42:44 *Tunnelblick: 
/Applications/Tunnelblick.app/Contents/Resources/openvpnstart start 
Arista-TCP-Corp.conf 1338 1 0 0 0 49 -atDASNGWrdasngw 
2012-07-12 23:42:44 *Tunnelblick: openvpnstart message: Loading tun.kext

2012-07-12 23:42:44 OpenVPN 2.3-alpha1 i386-apple-darwin10.7.1 [SSL (OpenSSL)] 
[LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on 
May  3 2012
2012-07-12 23:42:44 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2012-07-12 23:42:44 Need hold release from management interface, waiting...
2012-07-12 23:42:44 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2012-07-12 23:42:44 MANAGEMENT: CMD 'pid'
2012-07-12 23:42:44 MANAGEMENT: CMD 'state on'
2012-07-12 23:42:44 MANAGEMENT: CMD 'state'
2012-07-12 23:42:44 MANAGEMENT: CMD 'bytecount 1'
2012-07-12 23:42:44 MANAGEMENT: CMD 'hold release'
2012-07-12 23:42:44 MANAGEMENT: CMD 'username "Auth" "wei"'
2012-07-12 23:42:44 MANAGEMENT: CMD 'password [...]'
2012-07-12 23:42:44 WARNING: No server certificate verification method has been 
enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-07-12 23:42:44 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-12 23:42:44 Socket Buffers: R=[131072->65536] S=[131072->65536]
2012-07-12 23:42:44 Attempting to establish TCP connection with 
[AF_INET]4.53.128.220:1194 [nonblock]
2012-07-12 23:42:44 MANAGEMENT: >STATE:1342161764,TCP_CONNECT,,,
2012-07-12 23:42:44 *Tunnelblick: openvpnstart starting OpenVPN:
                    *                    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn --cd /Users/wei/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/wei/Library/Application Support/Tunnelblick/Configurations/Arista-TCP-Corp.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Swei-SLibrary-SApplication Support-STunnelblick-SConfigurations-SArista--TCP--Corp.conf.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart --route-pre-down /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atDASNGWrdasngw
2012-07-12 23:42:45 TCP connection established with [AF_INET]4.53.128.220:1194
2012-07-12 23:42:45 TCPv4_CLIENT link local: [undef]
2012-07-12 23:42:45 TCPv4_CLIENT link remote: [AF_INET]4.53.128.220:1194
2012-07-12 23:42:45 MANAGEMENT: >STATE:1342161765,WAIT,,,
2012-07-12 23:42:45 MANAGEMENT: >STATE:1342161765,AUTH,,,
2012-07-12 23:42:45 TLS: Initial packet from [AF_INET]4.53.128.220:1194, 
sid=9e50ad00 9b54912a
2012-07-12 23:42:45 WARNING: this configuration may cache passwords in memory 
-- use the auth-nocache option to prevent this
2012-07-12 23:42:46 VERIFY OK: depth=1, C=US, ST=California, L=Santa Clara, 
O=Aristanetworks, emailAddress=it-support@aristanetworks.com, 
CN=AristaNetworksVPN
2012-07-12 23:42:46 VERIFY OK: depth=0, C=US, ST=California, L=Santa Clara, 
O=Aristanetworks, emailAddress=it-support@aristanetworks.com, 
CN=AristanetworksVPN
2012-07-12 23:42:47 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 
128 bit key
2012-07-12 23:42:47 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-12 23:42:47 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 
128 bit key
2012-07-12 23:42:47 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-12 23:42:47 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 2048 bit RSA
2012-07-12 23:42:47 [AristanetworksVPN] Peer Connection Initiated with 
[AF_INET]4.53.128.220:1194
2012-07-12 23:42:48 MANAGEMENT: >STATE:1342161768,GET_CONFIG,,,
2012-07-12 23:42:49 SENT CONTROL [AristanetworksVPN]: 'PUSH_REQUEST' (status=1)
2012-07-12 23:42:50 PUSH: Received control message: 'PUSH_REPLY,route 
172.16.0.0 255.240.0.0,dhcp-option DOMAIN sjc.aristanetworks.com,dhcp-option 
DNS 172.22.22.10,dhcp-option DNS 172.22.22.40,dhcp-option NTP 
172.22.22.50,route 10.0.0.0 255.255.255.0,route 10.1.0.0 255.255.255.0,route 
10.60.20.0 255.255.255.0,route 10.190.241.0 255.255.255.0,route 10.255.252.0 
255.255.254.0,route 10.255.250.0 255.255.255.0,dhcp-option DOMAIN 
aristanetworks.com,dhcp-option DOMAIN sjc.aristanetworks.com,route 172.22.128.0 
255.255.252.0,topology net30,ping 10,ping-restart 60,ifconfig 172.22.128.54 
172.22.128.53'
2012-07-12 23:42:50 OPTIONS IMPORT: timers and/or timeouts modified
2012-07-12 23:42:50 OPTIONS IMPORT: --ifconfig/up options modified
2012-07-12 23:42:50 OPTIONS IMPORT: route options modified
2012-07-12 23:42:50 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
modified
2012-07-12 23:42:50 ROUTE_GATEWAY 192.168.11.1/255.255.255.0 IFACE=en1 
HWADDR=e0:f8:47:07:ff:26
2012-07-12 23:42:50 TUN/TAP device /dev/tun0 opened
2012-07-12 23:42:50 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2012-07-12 23:42:50 MANAGEMENT: >STATE:1342161770,ASSIGN_IP,,172.22.128.54,
2012-07-12 23:42:50 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-07-12 23:42:50 NOTE: Tried to delete pre-existing tun/tap instance -- No 
Problem if failure
2012-07-12 23:42:50 /sbin/ifconfig tun0 172.22.128.54 172.22.128.53 mtu 1500 
netmask 255.255.255.255 up
2012-07-12 23:42:50 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDASNGWrdasngw tun0 1500 1560 172.22.128.54 172.22.128.53 init
                                          No such key
2012-07-12 23:42:52 MANAGEMENT: >STATE:1342161772,ADD_ROUTES,,,
2012-07-12 23:42:52 /sbin/route add -net 172.16.0.0 172.22.128.53 255.240.0.0
                                        add net 172.16.0.0: gateway 172.22.128.53
2012-07-12 23:42:52 /sbin/route add -net 10.0.0.0 172.22.128.53 255.255.255.0
                                        add net 10.0.0.0: gateway 172.22.128.53
2012-07-12 23:42:52 /sbin/route add -net 10.1.0.0 172.22.128.53 255.255.255.0
                                        add net 10.1.0.0: gateway 172.22.128.53
2012-07-12 23:42:52 /sbin/route add -net 10.60.20.0 172.22.128.53 255.255.255.0
                                        add net 10.60.20.0: gateway 172.22.128.53
2012-07-12 23:42:52 /sbin/route add -net 10.190.241.0 172.22.128.53 
255.255.255.0
                                        add net 10.190.241.0: gateway 172.22.128.53
2012-07-12 23:42:52 /sbin/route add -net 10.255.252.0 172.22.128.53 
255.255.254.0
                                        add net 10.255.252.0: gateway 172.22.128.53
2012-07-12 23:42:52 /sbin/route add -net 10.255.250.0 172.22.128.53 
255.255.255.0
                                        add net 10.255.250.0: gateway 172.22.128.53
2012-07-12 23:42:52 /sbin/route add -net 172.22.128.0 172.22.128.53 
255.255.252.0
                                        add net 172.22.128.0: gateway 172.22.128.53
2012-07-12 23:42:52 Initialization Sequence Completed
2012-07-12 23:42:52 MANAGEMENT: 
>STATE:1342161772,CONNECTED,SUCCESS,172.22.128.54,4.53.128.220
2012-07-12 23:42:52 *Tunnelblick client.up.tunnelblick.sh: Unknown: 
'foreign_option_4' = 'dhcp-option NTP 172.22.22.50'
2012-07-12 23:42:52 *Tunnelblick client.up.tunnelblick.sh: Retrieved name 
server(s) [ 172.22.22.10 172.22.22.40 ], domain name [ sjc.aristanetworks.com 
], and WINS server(s) [ ]
2012-07-12 23:42:52 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such 
key' warnings are normal and may be ignored
2012-07-12 23:42:52 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and 
WINS configurations for later use
2012-07-12 23:42:52 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor 
system configuration with process-network-changes
OpenVPN started successfully. Command used to start OpenVPN (one argument per 
displayed line):

     /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn
     --cd
     /Users/wei/Library/Application Support/Tunnelblick/Configurations
     --daemon
     --management
     127.0.0.1
     1338
     --config
     /Users/wei/Library/Application Support/Tunnelblick/Configurations/Arista-TCP-Corp.conf
     --log
     /Library/Application Support/Tunnelblick/Logs/-SUsers-Swei-SLibrary-SApplication Support-STunnelblick-SConfigurations-SArista--TCP--Corp.conf.1_0_0_0_49.1338.openvpn.log
     --management-query-passwords
     --management-hold
     --script-security
     2
     --up
     /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw
     --down
     /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw
     --up-restart
     --route-pre-down
     /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atDASNGWrdasngw
2012-07-12 23:42:44 *Tunnelblick: Established communication with OpenVPN
2012-07-12 23:42:44 *Tunnelblick: Obtained VPN username and password from the 
Keychain
2012-07-12 23:42:52 *Tunnelblick: Flushed the DNS cache
2012-07-12 23:43:27 *Tunnelblick process-network-changes: SearchDomains changed 
from
                    *                    
                    *                     to
                    *                    <array> {
                    *                    0 : sjc.aristanetworks.com
                    *                    1 : aristanetworks.com
                    *                    }
                    *                    pre-VPN was
                    *                    
2012-07-12 23:43:27 *Tunnelblick process-network-changes: SearchDomains 
changed; sending USR1 to OpenVPN (process ID 17807) to restart the connection.
2012-07-12 23:43:28 event_wait : Interrupted system call (code=4)
2012-07-12 23:43:28 
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m 
-w -d -atDASNGWrdasngw tun0 1500 1560 172.22.128.54 172.22.128.53 restart
2012-07-12 23:43:28 *Tunnelblick client.down.tunnelblick.sh: Cancelled 
monitoring of system configuration changes
2012-07-12 23:43:28 *Tunnelblick client.down.tunnelblick.sh: Restored the DNS 
and WINS configurations
2012-07-12 23:43:28 SIGUSR1[hard,] received, process restarting
2012-07-12 23:43:28 MANAGEMENT: >STATE:1342161808,RECONNECTING,SIGUSR1,,
2012-07-12 23:43:28 MANAGEMENT: CMD 'hold release'
2012-07-12 23:43:28 WARNING: No server certificate verification method has been 
enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-07-12 23:43:28 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-12 23:43:28 Socket Buffers: R=[131072->65536] S=[131072->65536]
2012-07-12 23:43:28 Attempting to establish TCP connection with 
[AF_INET]4.53.128.220:1194 [nonblock]
2012-07-12 23:43:28 MANAGEMENT: >STATE:1342161808,TCP_CONNECT,,,
2012-07-12 23:43:29 TCP connection established with [AF_INET]4.53.128.220:1194
2012-07-12 23:43:29 TCPv4_CLIENT link local: [undef]
2012-07-12 23:43:29 TCPv4_CLIENT link remote: [AF_INET]4.53.128.220:1194
2012-07-12 23:43:29 MANAGEMENT: >STATE:1342161809,WAIT,,,
2012-07-12 23:43:29 MANAGEMENT: >STATE:1342161809,AUTH,,,
2012-07-12 23:43:29 TLS: Initial packet from [AF_INET]4.53.128.220:1194, 
sid=ec30a08f 17475f04
2012-07-12 23:43:30 VERIFY OK: depth=1, C=US, ST=California, L=Santa Clara, 
O=Aristanetworks, emailAddress=it-support@aristanetworks.com, 
CN=AristaNetworksVPN
2012-07-12 23:43:30 VERIFY OK: depth=0, C=US, ST=California, L=Santa Clara, 
O=Aristanetworks, emailAddress=it-support@aristanetworks.com, 
CN=AristanetworksVPN
2012-07-12 23:43:31 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 
128 bit key
2012-07-12 23:43:31 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-12 23:43:31 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 
128 bit key
2012-07-12 23:43:31 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-12 23:43:31 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 2048 bit RSA
2012-07-12 23:43:31 [AristanetworksVPN] Peer Connection Initiated with 
[AF_INET]4.53.128.220:1194
2012-07-12 23:43:32 MANAGEMENT: >STATE:1342161812,GET_CONFIG,,,
2012-07-12 23:43:33 SENT CONTROL [AristanetworksVPN]: 'PUSH_REQUEST' (status=1)
2012-07-12 23:43:33 PUSH: Received control message: 'PUSH_REPLY,route 
172.16.0.0 255.240.0.0,dhcp-option DOMAIN sjc.aristanetworks.com,dhcp-option 
DNS 172.22.22.10,dhcp-option DNS 172.22.22.40,dhcp-option NTP 
172.22.22.50,route 10.0.0.0 255.255.255.0,route 10.1.0.0 255.255.255.0,route 
10.60.20.0 255.255.255.0,route 10.190.241.0 255.255.255.0,route 10.255.252.0 
255.255.254.0,route 10.255.250.0 255.255.255.0,dhcp-option DOMAIN 
aristanetworks.com,dhcp-option DOMAIN sjc.aristanetworks.com,route 172.22.128.0 
255.255.252.0,topology net30,ping 10,ping-restart 60,ifconfig 172.22.128.54 
172.22.128.53'
2012-07-12 23:43:33 OPTIONS IMPORT: timers and/or timeouts modified
2012-07-12 23:43:33 OPTIONS IMPORT: --ifconfig/up options modified
2012-07-12 23:43:33 OPTIONS IMPORT: route options modified
2012-07-12 23:43:33 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
modified
2012-07-12 23:43:33 Preserving previous TUN/TAP instance: tun0
2012-07-12 23:43:33 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDASNGWrdasngw tun0 1500 1560 172.22.128.54 172.22.128.53 restart
                                          No such key
2012-07-12 23:43:35 *Tunnelblick client.up.tunnelblick.sh: Unknown: 
'foreign_option_4' = 'dhcp-option NTP 172.22.22.50'
2012-07-12 23:43:35 *Tunnelblick client.up.tunnelblick.sh: Retrieved name 
server(s) [ 172.22.22.10 172.22.22.40 ], domain name [ sjc.aristanetworks.com 
], and WINS server(s) [ ]
2012-07-12 23:43:35 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such 
key' warnings are normal and may be ignored
2012-07-12 23:43:35 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and 
WINS configurations for later use
2012-07-12 23:43:35 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor 
system configuration with process-network-changes
2012-07-12 23:43:36 *Tunnelblick: Flushed the DNS cache

Original comment by wei....@gmail.com on 13 Jul 2012 at 6:46

GoogleCodeExporter commented 9 years ago
I followed the instructions to ignore the changes to "Search domain". Now it 
doesn't disconnect and reconnect, but as ani pointed out DNS isn't working. But 
I had some interesting findings. The file /etc/resolv.conf is correctly 
populated, and nslookup works fine. Other programs presumably don't get DNS 
servers from that file so are not working. When I looked at the DNS servers in 
the Systems Settings program, the servers were listed but in grey color. As 
soon as I clicked the + button, the servers disappeared and I had to add them 
back manually. After I added them back everything was working fine.

Below is the log after I ignored the changes to "Search Domain":

2012-07-12 23:58:33 *Tunnelblick: OS X 10.8.0; Tunnelblick 3.3beta06 (build 
3028) Unsigned
2012-07-12 23:58:33 *Tunnelblick: Attempting connection with Arista-UDP-Corp; 
Set nameserver = 1; monitoring connection
2012-07-12 23:58:33 *Tunnelblick: 
/Applications/Tunnelblick.app/Contents/Resources/openvpnstart start 
Arista-UDP-Corp.conf 1338 1 0 0 0 49 -atDANGWrdasngw 
2012-07-12 23:58:33 *Tunnelblick: openvpnstart message: Loading tun.kext

2012-07-12 23:58:33 OpenVPN 2.3-alpha1 i386-apple-darwin10.7.1 [SSL (OpenSSL)] 
[LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on 
May  3 2012
2012-07-12 23:58:33 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2012-07-12 23:58:33 Need hold release from management interface, waiting...
2012-07-12 23:58:33 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2012-07-12 23:58:33 MANAGEMENT: CMD 'pid'
2012-07-12 23:58:33 MANAGEMENT: CMD 'state on'
2012-07-12 23:58:33 MANAGEMENT: CMD 'state'
2012-07-12 23:58:33 MANAGEMENT: CMD 'bytecount 1'
2012-07-12 23:58:33 MANAGEMENT: CMD 'hold release'
2012-07-12 23:58:33 MANAGEMENT: CMD 'username "Auth" "wei@aristanetworks.com"'
2012-07-12 23:58:33 MANAGEMENT: CMD 'password [...]'
2012-07-12 23:58:33 WARNING: No server certificate verification method has been 
enabled.  See http://openvpn.net/howto.html#mitm for more info.
2012-07-12 23:58:33 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-12 23:58:33 Socket Buffers: R=[196724->65536] S=[9216->65536]
2012-07-12 23:58:33 UDPv4 link local (bound): [undef]
2012-07-12 23:58:33 UDPv4 link remote: [AF_INET]4.53.128.220:1196
2012-07-12 23:58:33 MANAGEMENT: >STATE:1342162713,WAIT,,,
2012-07-12 23:58:33 MANAGEMENT: >STATE:1342162713,AUTH,,,
2012-07-12 23:58:33 TLS: Initial packet from [AF_INET]4.53.128.220:1196, 
sid=eab6d54e a021d91c
2012-07-12 23:58:33 WARNING: this configuration may cache passwords in memory 
-- use the auth-nocache option to prevent this
2012-07-12 23:58:33 *Tunnelblick: openvpnstart starting OpenVPN:
                    *                    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn --cd /Users/wei/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/wei/Library/Application Support/Tunnelblick/Configurations/Arista-UDP-Corp.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Swei-SLibrary-SApplication Support-STunnelblick-SConfigurations-SArista--UDP--Corp.conf.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDANGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDANGWrdasngw --up-restart --route-pre-down /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atDANGWrdasngw
2012-07-12 23:58:34 VERIFY OK: depth=1, C=US, ST=California, L=Santa Clara, 
O=Aristanetworks, emailAddress=it-support@aristanetworks.com, 
CN=AristaNetworksVPN
2012-07-12 23:58:34 VERIFY OK: depth=0, C=US, ST=California, L=Santa Clara, 
O=Aristanetworks, emailAddress=it-support@aristanetworks.com, 
CN=AristanetworksVPN
2012-07-12 23:58:34 TLS Error: local/remote TLS keys are out of sync: 
[AF_INET]4.53.128.220:1196 [0]
2012-07-12 23:58:34 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 
128 bit key
2012-07-12 23:58:34 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-12 23:58:34 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 
128 bit key
2012-07-12 23:58:34 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-12 23:58:34 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 2048 bit RSA
2012-07-12 23:58:34 [AristanetworksVPN] Peer Connection Initiated with 
[AF_INET]4.53.128.220:1196
2012-07-12 23:58:35 MANAGEMENT: >STATE:1342162715,GET_CONFIG,,,
2012-07-12 23:58:36 SENT CONTROL [AristanetworksVPN]: 'PUSH_REQUEST' (status=1)
2012-07-12 23:58:36 PUSH: Received control message: 'PUSH_REPLY,route 
172.16.0.0 255.240.0.0,dhcp-option DOMAIN sjc.aristanetworks.com,dhcp-option 
DNS 172.22.22.10,dhcp-option DNS 172.22.22.40,dhcp-option NTP 
172.22.22.50,route 10.0.0.0 255.255.255.0,route 10.1.0.0 255.255.255.0,route 
10.60.20.0 255.255.255.0,route 10.190.241.0 255.255.255.0,route 10.255.250.0 
255.255.255.0,route 10.255.252.0 255.255.254.0,dhcp-option DOMAIN 
aristanetworks.com,dhcp-option DOMAIN sjc.aristanetworks.com,route 172.22.132.0 
255.255.252.0,topology net30,ping 10,ping-restart 60,ifconfig 172.22.132.22 
172.22.132.21'
2012-07-12 23:58:36 OPTIONS IMPORT: timers and/or timeouts modified
2012-07-12 23:58:36 OPTIONS IMPORT: --ifconfig/up options modified
2012-07-12 23:58:36 OPTIONS IMPORT: route options modified
2012-07-12 23:58:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
modified
2012-07-12 23:58:36 ROUTE_GATEWAY 192.168.11.1/255.255.255.0 IFACE=en1 
HWADDR=e0:f8:47:07:ff:26
2012-07-12 23:58:36 TUN/TAP device /dev/tun0 opened
2012-07-12 23:58:36 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2012-07-12 23:58:36 MANAGEMENT: >STATE:1342162716,ASSIGN_IP,,172.22.132.22,
2012-07-12 23:58:36 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-07-12 23:58:36 NOTE: Tried to delete pre-existing tun/tap instance -- No 
Problem if failure
2012-07-12 23:58:36 /sbin/ifconfig tun0 172.22.132.22 172.22.132.21 mtu 1500 
netmask 255.255.255.255 up
2012-07-12 23:58:36 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDANGWrdasngw tun0 1500 1558 172.22.132.22 172.22.132.21 init
                                          No such key
2012-07-12 23:58:38 MANAGEMENT: >STATE:1342162718,ADD_ROUTES,,,
2012-07-12 23:58:38 /sbin/route add -net 172.16.0.0 172.22.132.21 255.240.0.0
                                        add net 172.16.0.0: gateway 172.22.132.21
2012-07-12 23:58:38 /sbin/route add -net 10.0.0.0 172.22.132.21 255.255.255.0
                                        add net 10.0.0.0: gateway 172.22.132.21
2012-07-12 23:58:38 /sbin/route add -net 10.1.0.0 172.22.132.21 255.255.255.0
                                        add net 10.1.0.0: gateway 172.22.132.21
2012-07-12 23:58:38 /sbin/route add -net 10.60.20.0 172.22.132.21 255.255.255.0
                                        add net 10.60.20.0: gateway 172.22.132.21
2012-07-12 23:58:38 /sbin/route add -net 10.190.241.0 172.22.132.21 
255.255.255.0
                                        add net 10.190.241.0: gateway 172.22.132.21
2012-07-12 23:58:38 /sbin/route add -net 10.255.250.0 172.22.132.21 
255.255.255.0
                                        add net 10.255.250.0: gateway 172.22.132.21
2012-07-12 23:58:38 /sbin/route add -net 10.255.252.0 172.22.132.21 
255.255.254.0
                                        add net 10.255.252.0: gateway 172.22.132.21
2012-07-12 23:58:38 /sbin/route add -net 172.22.132.0 172.22.132.21 
255.255.252.0
                                        add net 172.22.132.0: gateway 172.22.132.21
2012-07-12 23:58:38 Initialization Sequence Completed
2012-07-12 23:58:38 MANAGEMENT: 
>STATE:1342162718,CONNECTED,SUCCESS,172.22.132.22,4.53.128.220
2012-07-12 23:58:38 *Tunnelblick client.up.tunnelblick.sh: Unknown: 
'foreign_option_4' = 'dhcp-option NTP 172.22.22.50'
2012-07-12 23:58:38 *Tunnelblick client.up.tunnelblick.sh: Retrieved name 
server(s) [ 172.22.22.10 172.22.22.40 ], domain name [ sjc.aristanetworks.com 
], and WINS server(s) [ ]
2012-07-12 23:58:38 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such 
key' warnings are normal and may be ignored
2012-07-12 23:58:38 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and 
WINS configurations for later use
2012-07-12 23:58:38 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor 
system configuration with process-network-changes
OpenVPN started successfully. Command used to start OpenVPN (one argument per 
displayed line):

     /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn
     --cd
     /Users/wei/Library/Application Support/Tunnelblick/Configurations
     --daemon
     --management
     127.0.0.1
     1338
     --config
     /Users/wei/Library/Application Support/Tunnelblick/Configurations/Arista-UDP-Corp.conf
     --log
     /Library/Application Support/Tunnelblick/Logs/-SUsers-Swei-SLibrary-SApplication Support-STunnelblick-SConfigurations-SArista--UDP--Corp.conf.1_0_0_0_49.1338.openvpn.log
     --management-query-passwords
     --management-hold
     --script-security
     2
     --up
     /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDANGWrdasngw
     --down
     /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDANGWrdasngw
     --up-restart
     --route-pre-down
     /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atDANGWrdasngw
2012-07-12 23:58:33 *Tunnelblick: Established communication with OpenVPN
2012-07-12 23:58:33 *Tunnelblick: Obtained VPN username and password from the 
Keychain
2012-07-12 23:58:38 *Tunnelblick: Flushed the DNS cache
2012-07-12 23:59:13 *Tunnelblick process-network-changes: SearchDomains changed 
from
                    *                    
                    *                     to
                    *                    <array> {
                    *                    0 : sjc.aristanetworks.com
                    *                    1 : aristanetworks.com
                    *                    }
                    *                    pre-VPN was
                    *                    
2012-07-12 23:59:13 *Tunnelblick process-network-changes: A system 
configuration change was ignored because it was not relevant
2012-07-13 00:02:25 *Tunnelblick process-network-changes: SearchDomains changed 
from
                    *                    
                    *                     to
                    *                    <array> {
                    *                    0 : sjc.aristanetworks.com
                    *                    1 : aristanetworks.com
                    *                    }
                    *                    pre-VPN was
                    *                    
2012-07-13 00:02:25 *Tunnelblick process-network-changes: A system 
configuration change was ignored because it was not relevant
2012-07-13 00:02:35 *Tunnelblick process-network-changes: SearchDomains changed 
from
                    *                    
                    *                     to
                    *                    <array> {
                    *                    0 : sjc.aristanetworks.com
                    *                    1 : aristanetworks.com
                    *                    }
                    *                    pre-VPN was
                    *                    
2012-07-13 00:02:35 *Tunnelblick process-network-changes: A system 
configuration change was ignored because it was not relevant

Original comment by wei....@gmail.com on 13 Jul 2012 at 7:07

GoogleCodeExporter commented 9 years ago
yes, I reinstalled Mountain lion gold master on a different mac and I get the 
same DNS push messages in the log. In the network advanced settings, I see the 
DNS servers populated. Yet DNS does not seem to work. I have to manually add 
google's DNS servers to browse the internet. Local company servers can't be 
reached through their names. Only through IPs.

Original comment by a...@arista.com on 16 Jul 2012 at 1:08

GoogleCodeExporter commented 9 years ago
yes, /etc/resolv.conf is correctly populated with the DNS server IPs. So I did 
a tcpdump and I see lots of bad checksums on outgoing DNS queries :

18:31:10.707470 IP (tos 0x0, ttl 255, id 23459, offset 0, flags [none], proto 
UDP (17), length 65, bad cksum 0 (->dcb5)!)
    192.168.0.108.65105 > 172.22.22.40.domain: [bad udp cksum 7b4b!] 20474+ A? calendar.google.com. (37)

18:30:54.799146 IP (tos 0x0, ttl 255, id 33201, offset 0, flags [none], proto 
UDP (17), length 71, bad cksum 0 (->b6a1)!)
    192.168.0.108.65420 > 172.22.22.40.domain: [bad udp cksum 20de!] 60609+ A? caldav.calendar.yahoo.com. (43)
18:30:55.799332 IP (tos 0x0, ttl 255, id 36235, offset 0, flags [none], proto 
UDP (17), length 74, bad cksum 0 (->aac4)!)
    192.168.0.108.50339 > 172.22.22.40.domain: [bad udp cksum 6aeb!] 17985+ A? bs222.sjc.aristanetworks.com. (46)
18:30:56.978000 IP (tos 0x0, ttl 255, id 18687, offset 0, flags [none], proto 
UDP (17), length 72, bad cksum 0 (->ef70)!)
    192.168.0.108.57720 > 172.22.22.10.domain: [bad udp cksum ccb1!] 42665+ PTR? 108.0.168.192.in-addr.arpa. (44)
18:30:57.678893 IP (tos 0x0, ttl 255, id 8914, offset 0, flags [none], proto 
UDP (17), length 65, bad cksum 0 (->15a5)!)
    192.168.0.108.65105 > 172.22.22.10.domain: [bad udp cksum b74b!] 20474+ A? calendar.google.com. (37)
18:30:57.805769 IP (tos 0x0, ttl 255, id 39347, offset 0, flags [none], proto 
UDP (17), length 71, bad cksum 0 (->9ebd)!)
    192.168.0.108.65420 > 172.22.22.10.domain: [bad udp cksum 5cde!] 60609+ A? caldav.calendar.yahoo.com. (43)
18:30:57.981204 IP (tos 0x0, ttl 255, id 9902, offset 0, flags [none], proto 
UDP (17), length 72, bad cksum 0 (->11c2)!)
    192.168.0.108.57720 > 172.22.22.10.domain: [bad udp cksum ccb1!] 42665+ PTR? 108.0.168.192.in-addr.arpa. (44)
18:30:58.682282 IP (tos 0x0, ttl 255, id 44945, offset 0, flags [none], proto 
UDP (17), length 65, bad cksum 0 (->88e5)!)
    192.168.0.108.65105 > 172.22.22.10.domain: [bad udp cksum b74b!] 20474+ A? calendar.google.com. (37)

Original comment by a...@arista.com on 16 Jul 2012 at 1:41

GoogleCodeExporter commented 9 years ago
any updates on this?

Original comment by a...@arista.com on 16 Jul 2012 at 6:57

GoogleCodeExporter commented 9 years ago
No, when there's news I'll post it here.

I thought the DNS problems may be related to specific options in the
configuration file or pushed from the server. But the bad checksums points
to OpenVPN or the tun/tap kexts.

Has everyone tried using OpenVPN 2.2.1? (It's on the Preferences panel of
the VPN Details… window.)

Original comment by jkbull...@gmail.com on 16 Jul 2012 at 7:46

GoogleCodeExporter commented 9 years ago
does the tun/tap kos maintained by Apple or buy tunnelblick?

Original comment by a...@arista.com on 16 Jul 2012 at 9:06

GoogleCodeExporter commented 9 years ago
Neither one. It is maintained by the TunTap
Project<http://tuntaposx.sourceforge.net/>
.

Original comment by jkbull...@gmail.com on 16 Jul 2012 at 9:11

GoogleCodeExporter commented 9 years ago
I tried OpenVPN 2.2.1 and same result.

Original comment by a...@arista.com on 17 Jul 2012 at 3:05

GoogleCodeExporter commented 9 years ago
Seems like tun/tap project does not even have a supported download for Lion!

Original comment by a...@arista.com on 17 Jul 2012 at 3:13

GoogleCodeExporter commented 9 years ago
One another update. I am observing the same issue with viscocity as well. This 
confirms that this issue is not related to TunnelBlick alone. What is a good 
forum to discuss this problem?

Original comment by a...@arista.com on 17 Jul 2012 at 3:33

GoogleCodeExporter commented 9 years ago
Tunnelblick uses the 2011-11-01 version, but creates a custom build for
PPC/Intel with 32/64-bit kernels. That build works on Lion without any
problem.

The major change from Snow Leopard to Lion was that the 64-bit kernel
became the default on most Macs. So the 64-bit Tuntap for Snow Leopard
works in Lion.

Original comment by jkbull...@gmail.com on 17 Jul 2012 at 3:33

GoogleCodeExporter commented 9 years ago
Sorry, spoke too soon. Viscocity has a beta version for Mountain Lion (1.4b11 
released 14 July 2012) that works perfectly for Mountain Lion.

Original comment by a...@arista.com on 17 Jul 2012 at 3:44

GoogleCodeExporter commented 9 years ago
So what broke between Lion and Mountain Lion?

Original comment by a...@arista.com on 17 Jul 2012 at 3:45

GoogleCodeExporter commented 9 years ago
An observation: I noticed the traffic towards the DNS server doesn't look like 
it's going through the tunnel, even though the routing table tells it to. This 
only applies when using ping/telnet etc., not dig.

Original comment by fred...@skolmli.no on 25 Jul 2012 at 4:31

GoogleCodeExporter commented 9 years ago
now that mountain lion has been released officially, lot more people will start 
to see this issue.

Original comment by a...@arista.com on 25 Jul 2012 at 6:26

GoogleCodeExporter commented 9 years ago
I can confirm that when I chose "Set Nameserver (3.0b10)" from vpn details 
menu, my DNS is working.  My tunnelblick version is Tunnelblick 3.3beta10 
(build 3048)

Original comment by a...@arista.com on 26 Jul 2012 at 3:44

GoogleCodeExporter commented 9 years ago
Same issue here :/

Original comment by fprete...@gmail.com on 26 Jul 2012 at 6:14

GoogleCodeExporter commented 9 years ago
I can also confirm that it is working after I chose and applied "Set Nameserver 
(3.0b10)" via the VPN details menu. DNS seems to resolve just fine now.
Running Tunnelblick 3.2.5 (build 2891.3004)  -  OpenVPN 2.2.1

Original comment by bjo...@gmail.com on 26 Jul 2012 at 3:27

GoogleCodeExporter commented 9 years ago
This was working fine under Lion, just upgraded to ML and now it 
connects/disconnects.

2012-07-26 13:37:47 OpenVPN 2.2.1 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] 
[eurephia] built on May  2 2012
2012-07-26 13:37:47 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2012-07-26 13:37:47 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-26 13:37:47 WARNING: file 'user.key' is group or others accessible
2012-07-26 13:37:47 LZO compression initialized
2012-07-26 13:37:47 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 
EL:0 ]
2012-07-26 13:37:47 Socket Buffers: R=[196724->65536] S=[9216->65536]
2012-07-26 13:37:47 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 
EL:0 AF:3/1 ]
2012-07-26 13:37:47 Local Options hash (VER=V4): '22188c5b'
2012-07-26 13:37:47 Expected Remote Options hash (VER=V4): 'a8f55717'
2012-07-26 13:37:47 UDPv4 link local: [undef]
2012-07-26 13:37:47 UDPv4 link remote: 178.248.29.132:443
2012-07-26 13:37:47 write UDPv4: No route to host (code=65)
2012-07-26 13:37:47 *Tunnelblick: openvpnstart: 
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn 
--cd /Library/Application 
Support/Tunnelblick/Shared/AirVPN.tblk/Contents/Resources --daemon --management 
127.0.0.1 1337 --config /Library/Application 
Support/Tunnelblick/Shared/AirVPN.tblk/Contents/Resources/config.ovpn --log 
/Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication 
Support-STunnelblick-SShared-SAirVPN.tblk-SContents-SResources-Sconfig.ovpn.1_0_
3_0_49.1337.openvpn.log --script-security 2 --up 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDASNGWrdasngw --down 
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m 
-w -d -atDASNGWrdasngw --up-restart
2012-07-26 13:37:49 write UDPv4: No route to host (code=65)
2012-07-26 13:37:54 TLS: Initial packet from 178.248.29.132:443, sid=763c0569 
e191ec80
2012-07-26 13:37:55 VERIFY OK: depth=1, 
/C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
2012-07-26 13:37:55 VERIFY OK: nsCertType=SERVER
2012-07-26 13:37:55 VERIFY OK: depth=0, 
/C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
2012-07-26 13:37:58 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 
256 bit key
2012-07-26 13:37:58 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-26 13:37:58 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 
256 bit key
2012-07-26 13:37:58 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-26 13:37:58 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 2048 bit RSA
2012-07-26 13:37:58 [server] Peer Connection Initiated with 178.248.29.132:443
2012-07-26 13:38:00 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2012-07-26 13:38:05 *Tunnelblick: OS X 10.8.0; Tunnelblick 3.2.6 (build 
2891.3007) Unsigned
2012-07-26 13:38:05 MANAGEMENT: Client connected from 127.0.0.1:1337
2012-07-26 13:38:05 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2012-07-26 13:38:06 *Tunnelblick: Established communication with OpenVPN
2012-07-26 13:38:06 MANAGEMENT: CMD 'pid'
2012-07-26 13:38:06 MANAGEMENT: CMD 'state on'
2012-07-26 13:38:06 MANAGEMENT: CMD 'state'
2012-07-26 13:38:06 MANAGEMENT: CMD 'hold release'
2012-07-26 13:38:06 PUSH: Received control message: 
'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 
10.4.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.4.13.190 
10.4.13.189'
2012-07-26 13:38:06 OPTIONS IMPORT: timers and/or timeouts modified
2012-07-26 13:38:06 OPTIONS IMPORT: LZO parms modified
2012-07-26 13:38:06 OPTIONS IMPORT: --ifconfig/up options modified
2012-07-26 13:38:06 OPTIONS IMPORT: route options modified
2012-07-26 13:38:06 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
modified
2012-07-26 13:38:06 ROUTE default_gateway=192.168.15.1
2012-07-26 13:38:06 TUN/TAP device /dev/tun0 opened
2012-07-26 13:38:06 MANAGEMENT: >STATE:1343324286,ASSIGN_IP,,10.4.13.190,
2012-07-26 13:38:06 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-07-26 13:38:06 NOTE: Tried to delete pre-existing tun/tap instance -- No 
Problem if failure
2012-07-26 13:38:06 /sbin/ifconfig tun0 10.4.13.190 10.4.13.189 mtu 1500 
netmask 255.255.255.255 up
2012-07-26 13:38:06 
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w 
-d -atDASNGWrdasngw tun0 1500 1558 10.4.13.190 10.4.13.189 init
                                          No such key
2012-07-26 13:38:08 *Tunnelblick: Flushed the DNS cache
2012-07-26 13:38:08 /sbin/route add -net 178.248.29.132 192.168.15.1 
255.255.255.255
                                        add net 178.248.29.132: gateway 192.168.15.1
2012-07-26 13:38:08 /sbin/route add -net 0.0.0.0 10.4.13.189 128.0.0.0
                                        add net 0.0.0.0: gateway 10.4.13.189
2012-07-26 13:38:08 /sbin/route add -net 128.0.0.0 10.4.13.189 128.0.0.0
                                        add net 128.0.0.0: gateway 10.4.13.189
2012-07-26 13:38:08 MANAGEMENT: >STATE:1343324288,ADD_ROUTES,,,
2012-07-26 13:38:08 /sbin/route add -net 10.4.0.1 10.4.13.189 255.255.255.255
                                        add net 10.4.0.1: gateway 10.4.13.189
2012-07-26 13:38:08 Initialization Sequence Completed
2012-07-26 13:38:08 MANAGEMENT: 
>STATE:1343324288,CONNECTED,SUCCESS,10.4.13.190,178.248.29.132
2012-07-26 13:38:08 *Tunnelblick client.up.tunnelblick.sh: Retrieved name 
server(s) [ 10.4.0.1 ] and WINS server(s) [ ] and using default domain name [ 
openvpn ]
2012-07-26 13:38:08 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such 
key' warnings are normal and may be ignored
2012-07-26 13:38:08 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and 
WINS configurations for later use
2012-07-26 13:38:08 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor 
system configuration with process-network-changes
2012-07-26 13:38:22 PUSH: Received control message: 
'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 
10.4.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.4.13.190 
10.4.13.189'
2012-07-26 13:39:12 *Tunnelblick process-network-changes: SearchDomains changed 
from
                    *                    
                    *                     to
                    *                    <array> {
                    *                    0 : openvpn
                    *                    }
                    *                    pre-VPN was
                    *                    
2012-07-26 13:39:12 *Tunnelblick process-network-changes: SearchDomains 
changed; sending USR1 to OpenVPN (process ID 120) to restart the connection.
2012-07-26 13:39:13 event_wait : Interrupted system call (code=4)
2012-07-26 13:39:13 TCP/UDP: Closing socket
2012-07-26 13:39:13 /sbin/route delete -net 10.4.0.1 10.4.13.189 255.255.255.255
                                        delete net 10.4.0.1: gateway 10.4.13.189
2012-07-26 13:39:13 /sbin/route delete -net 178.248.29.132 192.168.15.1 
255.255.255.255
                                        delete net 178.248.29.132: gateway 192.168.15.1
2012-07-26 13:39:13 /sbin/route delete -net 0.0.0.0 10.4.13.189 128.0.0.0
                                        delete net 0.0.0.0: gateway 10.4.13.189
2012-07-26 13:39:13 /sbin/route delete -net 128.0.0.0 10.4.13.189 128.0.0.0
                                        delete net 128.0.0.0: gateway 10.4.13.189
2012-07-26 13:39:13 Closing TUN/TAP interface
2012-07-26 13:39:13 
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m 
-w -d -atDASNGWrdasngw tun0 1500 1558 10.4.13.190 10.4.13.189 init
2012-07-26 13:39:13 SIGUSR1[hard,] received, process restarting
2012-07-26 13:39:13 MANAGEMENT: >STATE:1343324353,RECONNECTING,SIGUSR1,,
2012-07-26 13:39:13 Restart pause, 2 second(s)
2012-07-26 13:39:13 MANAGEMENT: CMD 'hold release'
2012-07-26 13:39:13 *Tunnelblick client.down.tunnelblick.sh: Cancelled 
monitoring of system configuration changes
2012-07-26 13:39:13 *Tunnelblick client.down.tunnelblick.sh: Restored the DNS 
and WINS configurations
2012-07-26 13:39:15 NOTE: the current --script-security setting may allow this 
configuration to call user-defined scripts
2012-07-26 13:39:15 WARNING: file 'user.key' is group or others accessible
2012-07-26 13:39:15 LZO compression initialized
2012-07-26 13:39:15 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 
EL:0 ]
2012-07-26 13:39:15 Socket Buffers: R=[196724->65536] S=[9216->65536]
2012-07-26 13:39:15 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 
EL:0 AF:3/1 ]
2012-07-26 13:39:15 Local Options hash (VER=V4): '22188c5b'
2012-07-26 13:39:15 Expected Remote Options hash (VER=V4): 'a8f55717'
2012-07-26 13:39:15 UDPv4 link local: [undef]
2012-07-26 13:39:15 UDPv4 link remote: 178.248.29.132:443
2012-07-26 13:39:15 MANAGEMENT: >STATE:1343324355,WAIT,,,
2012-07-26 13:39:15 MANAGEMENT: >STATE:1343324355,AUTH,,,
2012-07-26 13:39:15 TLS: Initial packet from 178.248.29.132:443, sid=13d69e89 
29dd3e25
2012-07-26 13:39:16 VERIFY OK: depth=1, 
/C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
2012-07-26 13:39:16 VERIFY OK: nsCertType=SERVER
2012-07-26 13:39:16 VERIFY OK: depth=0, 
/C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
2012-07-26 13:39:23 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 
256 bit key
2012-07-26 13:39:23 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-26 13:39:23 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 
256 bit key
2012-07-26 13:39:23 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for 
HMAC authentication
2012-07-26 13:39:23 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 2048 bit RSA
2012-07-26 13:39:23 [server] Peer Connection Initiated with 178.248.29.132:443
2012-07-26 13:39:24 MANAGEMENT: >STATE:1343324364,GET_CONFIG,,,
2012-07-26 13:39:26 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2012-07-26 13:39:26 AUTH: Received AUTH_FAILED control message
2012-07-26 13:39:26 SIGTERM received, sending exit notification to peer
2012-07-26 13:39:27 *Tunnelblick: Disconnecting; user cancelled authorization 
or there was an error obtaining authorization
2012-07-26 13:39:27 event_wait : Interrupted system call (code=4)
2012-07-26 13:39:27 TCP/UDP: Closing socket
2012-07-26 13:39:27 SIGTERM[hard,] received, process exiting
2012-07-26 13:39:27 MANAGEMENT: >STATE:1343324367,EXITING,SIGTERM,,
2012-07-26 13:39:28 *Tunnelblick: Flushed the DNS cache

Original comment by trhud...@gmail.com on 26 Jul 2012 at 5:45