Viscosity VPN using existing Tunnelblick OpenVPN config cannot authenticate/connect


john.dalsgaard

Posts: 9
Joined: Wed Aug 25, 2021 11:47 pm

Post by john.dalsgaard » Wed Aug 25, 2021 11:59 pm
I have been using Tunnelblick for a couple of years to connect to our company VPN (using MikroTik - configured with an OpenVPN server).

Now, there is an issue with macOS Big Sur and VMware Fusion 12 where the (Windows) VMs cannot use the VPN of the Mac any more. But according to this discussion https://communities.vmware.com/t5/VMwar ... ue#M172119 Viscosity should work ;)

Therefore, I have installed a trial and it suggests to import my connection from Tunnelblick. Fine!

However, it does not connect. I have tried to edit the connection and re-select the certificates but still no luck. If I edit it again it just shows "ca.crt", "cert.crt" and "key.key" - but I guess this is Viscosity's way of hiding what I have selected?

When I try to connect I get this in the log:
Code:
2021-08-25 12:39:35: Viscosity Mac 1.9.3 (1571)
2021-08-25 12:39:35: Viscosity OpenVPN Engine Started
2021-08-25 12:39:35: Running on macOS 11.5.2
2021-08-25 12:39:35: ---------
2021-08-25 12:39:35: State changed to Connecting
2021-08-25 12:39:35: Checking reachability status of connection...
2021-08-25 12:39:35: Connection is reachable. Starting connection attempt.
2021-08-25 12:39:35: Current Parameter Settings:
2021-08-25 12:39:35:   config = 'config.conf'
2021-08-25 12:39:35:   mode = 0
2021-08-25 12:39:35:   show_ciphers = DISABLED
2021-08-25 12:39:35:   show_digests = DISABLED
2021-08-25 12:39:35:   show_engines = DISABLED
2021-08-25 12:39:35:   genkey = DISABLED
2021-08-25 12:39:35:   key_pass_file = '[UNDEF]'
2021-08-25 12:39:35:   show_tls_ciphers = DISABLED
2021-08-25 12:39:35:   connect_retry_max = 0
2021-08-25 12:39:35: Connection profiles [0]:
2021-08-25 12:39:35:   proto = tcp-client
2021-08-25 12:39:35:   local = '[UNDEF]'
2021-08-25 12:39:35:   local_port = '[UNDEF]'
2021-08-25 12:39:35:   remote = 'myvpn.domain.com'
2021-08-25 12:39:35:   remote_port = '1194'
2021-08-25 12:39:35:   remote_float = DISABLED
2021-08-25 12:39:35:   bind_defined = DISABLED
2021-08-25 12:39:35:   bind_local = DISABLED
2021-08-25 12:39:35:   bind_ipv6_only = DISABLED
2021-08-25 12:39:35:   connect_retry_seconds = 5
2021-08-25 12:39:35:   connect_timeout = 120
2021-08-25 12:39:35:   socks_proxy_server = '[UNDEF]'
2021-08-25 12:39:35:   socks_proxy_port = '[UNDEF]'
2021-08-25 12:39:35:   tun_mtu = 1500
2021-08-25 12:39:35:   tun_mtu_defined = ENABLED
2021-08-25 12:39:35:   link_mtu = 1500
2021-08-25 12:39:35:   link_mtu_defined = DISABLED
2021-08-25 12:39:35:   tun_mtu_extra = 0
2021-08-25 12:39:35:   tun_mtu_extra_defined = DISABLED
2021-08-25 12:39:35:   mtu_discover_type = -1
2021-08-25 12:39:35:   fragment = 0
2021-08-25 12:39:35:   mssfix = 1450
2021-08-25 12:39:35:   explicit_exit_notification = 0
2021-08-25 12:39:35: Connection profiles END
2021-08-25 12:39:35:   remote_random = DISABLED
2021-08-25 12:39:35:   ipchange = '[UNDEF]'
2021-08-25 12:39:35:   dev = 'tun'
2021-08-25 12:39:35:   dev_type = '[UNDEF]'
2021-08-25 12:39:35:   dev_node = 'utun'
2021-08-25 12:39:35:   lladdr = '[UNDEF]'
2021-08-25 12:39:35:   topology = 1
2021-08-25 12:39:35:   ifconfig_local = '[UNDEF]'
2021-08-25 12:39:35:   ifconfig_remote_netmask = '[UNDEF]'
2021-08-25 12:39:35:   ifconfig_noexec = DISABLED
2021-08-25 12:39:35:   ifconfig_nowarn = DISABLED
2021-08-25 12:39:35:   ifconfig_ipv6_local = '[UNDEF]'
2021-08-25 12:39:35:   ifconfig_ipv6_netbits = 0
2021-08-25 12:39:35:   ifconfig_ipv6_remote = '[UNDEF]'
2021-08-25 12:39:35:   shaper = 0
2021-08-25 12:39:35:   mtu_test = 0
2021-08-25 12:39:35:   mlock = DISABLED
2021-08-25 12:39:35:   keepalive_ping = 0
2021-08-25 12:39:35:   keepalive_timeout = 0
2021-08-25 12:39:35:   inactivity_timeout = 0
2021-08-25 12:39:35:   ping_send_timeout = 10
2021-08-25 12:39:35:   ping_rec_timeout = 45
2021-08-25 12:39:35:   ping_rec_timeout_action = 2
2021-08-25 12:39:35:   ping_timer_remote = DISABLED
2021-08-25 12:39:35:   remap_sigusr1 = 0
2021-08-25 12:39:35:   persist_tun = DISABLED
2021-08-25 12:39:35:   persist_local_ip = DISABLED
2021-08-25 12:39:35:   persist_remote_ip = DISABLED
2021-08-25 12:39:35:   persist_key = ENABLED
2021-08-25 12:39:35:   passtos = DISABLED
2021-08-25 12:39:35:   resolve_retry_seconds = 1000000000
2021-08-25 12:39:35:   resolve_in_advance = DISABLED
2021-08-25 12:39:35:   username = '[UNDEF]'
2021-08-25 12:39:35:   groupname = '[UNDEF]'
2021-08-25 12:39:35:   chroot_dir = '[UNDEF]'
2021-08-25 12:39:35:   cd_dir = '[UNDEF]'
2021-08-25 12:39:35:   writepid = '[UNDEF]'
2021-08-25 12:39:35:   up_script = '[UNDEF]'
2021-08-25 12:39:35:   down_script = '[UNDEF]'
2021-08-25 12:39:35:   down_pre = DISABLED
2021-08-25 12:39:35:   up_restart = DISABLED
2021-08-25 12:39:35:   up_delay = DISABLED
2021-08-25 12:39:35:   daemon = DISABLED
2021-08-25 12:39:35:   inetd = 0
2021-08-25 12:39:35:   log = DISABLED
2021-08-25 12:39:35:   suppress_timestamps = DISABLED
2021-08-25 12:39:35:   machine_readable_output = DISABLED
2021-08-25 12:39:35:   nice = 0
2021-08-25 12:39:35:   verbosity = 4
2021-08-25 12:39:35:   mute = 100
2021-08-25 12:39:35:   status_file = '[UNDEF]'
2021-08-25 12:39:35:   status_file_version = 1
2021-08-25 12:39:35:   status_file_update_freq = 60
2021-08-25 12:39:35:   occ = ENABLED
2021-08-25 12:39:35:   rcvbuf = 0
2021-08-25 12:39:35:   sndbuf = 0
2021-08-25 12:39:35:   sockflags = 0
2021-08-25 12:39:35:   fast_io = DISABLED
2021-08-25 12:39:35:   comp.alg = 0
2021-08-25 12:39:35:   comp.flags = 0
2021-08-25 12:39:35:   route_script = '[UNDEF]'
2021-08-25 12:39:35:   route_default_gateway = '[UNDEF]'
2021-08-25 12:39:35:   route_default_metric = 0
2021-08-25 12:39:35:   route_noexec = DISABLED
2021-08-25 12:39:35:   route_delay = 2
2021-08-25 12:39:35: NOTE: --mute triggered...
2021-08-25 12:39:35: 181 variation(s) on previous 100 message(s) suppressed by --mute
2021-08-25 12:39:35: OpenVPN 2.4.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Apr 21 2021
2021-08-25 12:39:35: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-08-25 12:39:40: Resolving address: myvpn.domain.com
2021-08-25 12:39:40: Valid endpoint found: 9111.222.333.444:1194:tcp-client
2021-08-25 12:39:40: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-08-25 12:39:57: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-08-25 12:39:57: Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2021-08-25 12:39:57: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2021-08-25 12:39:57: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-25 12:39:57: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-25 12:39:57: TCP/UDP: Preserving recently used remote address: [AF_INET]9111.222.333.444:1194
2021-08-25 12:39:57: Socket Buffers: R=[131072->131072] S=[131072->131072]
2021-08-25 12:39:57: Attempting to establish TCP connection with [AF_INET]9111.222.333.444:1194 [nonblock]
2021-08-25 12:39:58: TCP connection established with [AF_INET]9111.222.333.444:1194
2021-08-25 12:39:58: TCP_CLIENT link local: (not bound)
2021-08-25 12:39:58: TCP_CLIENT link remote: [AF_INET]9111.222.333.444:1194
2021-08-25 12:39:58: TLS: Initial packet from [AF_INET]9111.222.333.444:1194, sid=491643f1 448a22cb
2021-08-25 12:39:58: State changed to Authenticating
2021-08-25 12:40:04: VERIFY OK: depth=1, CN=ca
2021-08-25 12:40:04: VERIFY OK: depth=0, CN=server
2021-08-25 12:40:05: Connection reset, restarting [0]
2021-08-25 12:40:05: TCP/UDP: Closing socket
2021-08-25 12:40:05: SIGUSR1[soft,connection-reset] received, process restarting
2021-08-25 12:40:05: Viscosity Mac 1.9.3 (1571)
2021-08-25 12:40:05: Viscosity OpenVPN Engine Started
2021-08-25 12:40:05: Running on macOS 11.5.2
2021-08-25 12:40:05: ---------
2021-08-25 12:40:05: State changed to Connecting
2021-08-25 12:40:05: Resolving address: myvpn.domain.com
2021-08-25 12:40:05: Resolving address: myvpn.domain.com
2021-08-25 12:40:05: Valid endpoint found: 9111.222.333.444:1194:tcp-client
2021-08-25 12:40:05: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-08-25 12:40:05: Re-using SSL/TLS context
2021-08-25 12:40:05: Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2021-08-25 12:40:05: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2021-08-25 12:40:05: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-25 12:40:05: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-25 12:40:05: TCP/UDP: Preserving recently used remote address: [AF_INET]9111.222.333.444:1194
2021-08-25 12:40:05: Socket Buffers: R=[131072->131072] S=[131072->131072]
2021-08-25 12:40:05: Attempting to establish TCP connection with [AF_INET]9111.222.333.444:1194 [nonblock]
2021-08-25 12:40:06: TCP connection established with [AF_INET]9111.222.333.444:1194
2021-08-25 12:40:06: TCP_CLIENT link local: (not bound)
2021-08-25 12:40:06: TCP_CLIENT link remote: [AF_INET]9111.222.333.444:1194
2021-08-25 12:40:06: TLS: Initial packet from [AF_INET]9111.222.333.444:1194, sid=4ed299ad 83e8947e
2021-08-25 12:40:06: State changed to Authenticating
2021-08-25 12:40:08: VERIFY OK: depth=1, CN=ca
2021-08-25 12:40:08: VERIFY OK: depth=0, CN=server
2021-08-25 12:40:08: Connection reset, restarting [0]
2021-08-25 12:40:08: TCP/UDP: Closing socket
2021-08-25 12:40:08: SIGUSR1[soft,connection-reset] received, process restarting
I use MikroTik (v.6.47.7) and I have set up the certificates for the Ovpn server like this:
Code:
/certificate 
 add name=ca-template common-name=ca days-valid=3065 key-usage=key-cert-sign,crl-sign 
 add name=server-template common-name=server days-valid=3065 
 add name=client-template common-name=vpnclient days-valid=3065 
 sign ca-template name=ca
 sign ca=ca server-template name=server
 sign ca=ca client-template name=vpnclient
 set ca trusted=yes
 set server trusted=yes
 export-certificate ca
 export-certificate vpnclient export-passphrase=yyyyyyyyyyyyy


/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name="user1" password="xxxxxxxxx" routes="" service=ovpn
And this works fine with this Tunnelblick config (ovpn):
Code:
remote myvpn.domain.com 1194
proto tcp-client
#client
tls-client
port 1194
ca cert_export_ca.crt
cert cert_export_vpnclient.crt
key cert_export_vpnclient.key
cipher AES-256-CBC
auth SHA1
dev tun
resolv-retry infinite
nobind
persist-key
ping 10
ping-restart 45
verb 4
auth-user-pass
#auth-nocache
route-method exe
route-delay 2
pull
#redirect-gateway def
route 192.168.42.0 255.255.255.0
When Viscosity imports the ovpn file it adds these extra commands under "Advanced":
Code:
resolv-retry infinite
cipher AES-256-CBC
verb 4
route-delay 2
auth SHA1
What could I be missing here? I really would like to test if Viscosity can solve the VMs' problems of using the VPN connection.

Thanks in advance!

/John
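Every attempt in the client log above follows the same pattern: the TCP link comes up, the server certificate verifies against the CA, and then the peer resets the connection before the session is established. The script below is an added example, not part of this post and not Viscosity's code: it splits a Viscosity/OpenVPN client log into connection attempts, records which milestone each one reached, and classifies where it died, which is the first thing to settle before looking at certificates or the server. It also lists the hardening directives the log's own WARNING lines ask for. The embedded log is a constructed, abbreviated copy in the shape of the one above, with the documentation address 203.0.113.10 standing in for the real endpoint.

```python
import re

# Constructed, abbreviated sample in the shape of the Viscosity/OpenVPN 2.4 log above
# (documentation IP 203.0.113.10 stands in for the real endpoint).
SAMPLE_LOG = """\
2021-08-25 12:39:35: Viscosity Mac 1.9.3 (1571)
2021-08-25 12:39:35: State changed to Connecting
2021-08-25 12:39:40: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-08-25 12:39:57: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-08-25 12:39:58: TCP connection established with [AF_INET]203.0.113.10:1194
2021-08-25 12:39:58: State changed to Authenticating
2021-08-25 12:40:04: VERIFY OK: depth=1, CN=ca
2021-08-25 12:40:04: VERIFY OK: depth=0, CN=server
2021-08-25 12:40:05: Connection reset, restarting [0]
2021-08-25 12:40:05: SIGUSR1[soft,connection-reset] received, process restarting
2021-08-25 12:40:05: State changed to Connecting
2021-08-25 12:40:06: TCP connection established with [AF_INET]203.0.113.10:1194
2021-08-25 12:40:06: State changed to Authenticating
2021-08-25 12:40:08: VERIFY OK: depth=1, CN=ca
2021-08-25 12:40:08: VERIFY OK: depth=0, CN=server
2021-08-25 12:40:08: Connection reset, restarting [0]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (.*)$")

# What each failure class means for the person reading the log.
ADVICE = {
    "connected": "session came up",
    "transport": "no TCP/UDP link: DNS, firewall or wrong port/proto",
    "tls": "server certificate never verified: wrong CA file or TLS handshake failure",
    "post-tls": "server dropped the session after a good TLS handshake: check server-side "
                "user/password auth, duplicate sessions or option mismatch in the server log",
    "incomplete": "attempt still in progress when the log ended",
}


def parse_lines(text):
    """Yield (timestamp, message) for every line that carries the log's timestamp prefix."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1), m.group(2)


def split_attempts(text):
    """Cut the log into connection attempts and record which milestones each one reached."""
    attempts, current = [], None
    for ts, msg in parse_lines(text):
        if msg == "State changed to Connecting":
            current = {"start": ts, "link": False, "tls_ok": False, "reset": False, "connected": False}
            attempts.append(current)
        elif current is None:
            continue
        elif msg.startswith(("TCP connection established", "UDP link remote")):
            current["link"] = True
        elif msg.startswith("VERIFY OK: depth=0"):
            current["tls_ok"] = True          # the server's own certificate chained to our CA
        elif msg.startswith("Connection reset") or "connection-reset" in msg:
            current["reset"] = True
        elif msg == "State changed to Connected" or msg.startswith("Initialization Sequence Completed"):
            current["connected"] = True
    return attempts


def classify(attempt):
    """Map the milestones of one attempt to a failure class (a key of ADVICE)."""
    if attempt["connected"]:
        return "connected"
    if not attempt["link"]:
        return "transport"
    if not attempt["tls_ok"]:
        return "tls"
    if attempt["reset"]:
        return "post-tls"
    return "incomplete"


def hardening_hints(text):
    """Config directives the client's own WARNING lines ask for."""
    hints = set()
    for _, msg in parse_lines(text):
        if "No server certificate verification method has been enabled" in msg:
            hints.add("remote-cert-tls server")
        if "use the auth-nocache option" in msg:
            hints.add("auth-nocache")
    return sorted(hints)


def triage(text):
    classes = [classify(a) for a in split_attempts(text)]
    return {"attempts": classes, "hardening": hardening_hints(text)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for i, cls in enumerate(report["attempts"], 1):
        print(f"attempt {i}: {cls} - {ADVICE[cls]}")
    print("missing hardening directives:", ", ".join(report["hardening"]))
```

On the sample both attempts classify as "post-tls": the client has already accepted the server's certificate, so the CA file is not the problem and the reason has to come from the server side, which is where this thread eventually found it.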

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Aug 27, 2021 8:37 am
Hi John,
> but I guess this is Viscosity's way of hiding what I have selected?
Viscosity will rename the files to prevent potential clashes - they'll still be your selected files, just with a generic name.
> 2021-08-25 12:40:08: Connection reset, restarting [0]
It appears the server (or something in-between Viscosity and the server) is terminating the connection. More information should be available in the log on the server as to the exact reason (assuming it was the server itself). MikroTik do use their own custom OpenVPN protocol implementation, so I'm afraid it's difficult to speculate what may be the cause.

A possible difference is that you're likely using OpenVPN 2.5 with Tunnelblick, while Viscosity 1.9.x uses OpenVPN 2.4. If the server is configured to rely on a feature only in 2.5 it may be rejecting the connection attempt. You can try updating to the latest beta version of Viscosity which ships with OpenVPN 2.5:
https://www.sparklabs.com/support/kb/ar ... -versions/

If you're still stuck, I recommend also trying some of the tips listed at:
https://www.sparklabs.com/support/kb/ar ... -providers

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

john.dalsgaard

Posts: 9
Joined: Wed Aug 25, 2021 11:47 pm

Post by john.dalsgaard » Fri Aug 27, 2021 4:03 pm
Hi James

Thanks for replying.

On the server I get these messages:
Code:
aug/25/2021 19:47:28 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
aug/25/2021 19:47:30 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
aug/25/2021 19:47:32 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
aug/25/2021 19:47:34 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
I had already checked these messages - and they seem to appear for many reasons - so there wasn't anything directly related to VPN connections. But I see these as a direct consequence of the connection attempts...

I'll try the beta client.

john.dalsgaard

Posts: 9
Joined: Wed Aug 25, 2021 11:47 pm

Post by john.dalsgaard » Fri Aug 27, 2021 4:12 pm
Hmmm.... the beta seems to make no difference... No connection and the same messages on the server...

This is my OVPN configuration on the MikroTik box:
[Screenshot: OVPN server config]
Does that give any clues to you?

john.dalsgaard

Posts: 9
Joined: Wed Aug 25, 2021 11:47 pm

Post by john.dalsgaard » Fri Aug 27, 2021 5:20 pm
Log messages from the beta client are slightly different:
Code:
2021-08-27 09:16:53: Viscosity Mac 1.10b4 (1580)
2021-08-27 09:16:53: Viscosity OpenVPN Engine Started
2021-08-27 09:16:53: Running on macOS 11.5.2
2021-08-27 09:16:53: ---------
2021-08-27 09:16:53: State changed to Connecting
2021-08-27 09:16:53: Checking reachability status of connection...
2021-08-27 09:16:53: Connection is reachable. Starting connection attempt.
2021-08-27 09:16:53: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-08-27 09:16:53: Current Parameter Settings:
2021-08-27 09:16:53:   config = 'config.conf'
2021-08-27 09:16:53:   mode = 0
2021-08-27 09:16:53:   show_ciphers = DISABLED
2021-08-27 09:16:53:   show_digests = DISABLED
2021-08-27 09:16:53:   show_engines = DISABLED
2021-08-27 09:16:53:   genkey = DISABLED
2021-08-27 09:16:53:   genkey_filename = '[UNDEF]'
2021-08-27 09:16:53:   key_pass_file = '[UNDEF]'
2021-08-27 09:16:53:   show_tls_ciphers = DISABLED
2021-08-27 09:16:53:   connect_retry_max = 0
2021-08-27 09:16:53: Connection profiles [0]:
2021-08-27 09:16:53:   proto = tcp-client
2021-08-27 09:16:53:   local = '[UNDEF]'
2021-08-27 09:16:53:   local_port = '[UNDEF]'
2021-08-27 09:16:53:   remote = 'myvpn.domain.com'
2021-08-27 09:16:53:   remote_port = '1194'
2021-08-27 09:16:53:   remote_float = DISABLED
2021-08-27 09:16:53:   bind_defined = DISABLED
2021-08-27 09:16:53:   bind_local = DISABLED
2021-08-27 09:16:53:   bind_ipv6_only = DISABLED
2021-08-27 09:16:53:   connect_retry_seconds = 5
2021-08-27 09:16:53:   connect_timeout = 120
2021-08-27 09:16:53:   socks_proxy_server = '[UNDEF]'
2021-08-27 09:16:53:   socks_proxy_port = '[UNDEF]'
2021-08-27 09:16:53:   tun_mtu = 1500
2021-08-27 09:16:53:   tun_mtu_defined = ENABLED
2021-08-27 09:16:53:   link_mtu = 1500
2021-08-27 09:16:53:   link_mtu_defined = DISABLED
2021-08-27 09:16:53:   tun_mtu_extra = 0
2021-08-27 09:16:53:   tun_mtu_extra_defined = DISABLED
2021-08-27 09:16:53:   mtu_discover_type = -1
2021-08-27 09:16:53:   fragment = 0
2021-08-27 09:16:53:   mssfix = 1450
2021-08-27 09:16:53:   explicit_exit_notification = 0
2021-08-27 09:16:53:   tls_auth_file = '[UNDEF]'
2021-08-27 09:16:53:   key_direction = not set
2021-08-27 09:16:53:   tls_crypt_file = '[UNDEF]'
2021-08-27 09:16:53:   tls_crypt_v2_file = '[UNDEF]'
2021-08-27 09:16:53: Connection profiles END
2021-08-27 09:16:53:   remote_random = DISABLED
2021-08-27 09:16:53:   ipchange = '[UNDEF]'
2021-08-27 09:16:53:   dev = 'tun'
2021-08-27 09:16:53:   dev_type = '[UNDEF]'
2021-08-27 09:16:53:   dev_node = 'utun'
2021-08-27 09:16:53:   lladdr = '[UNDEF]'
2021-08-27 09:16:53:   topology = 1
2021-08-27 09:16:53:   ifconfig_local = '[UNDEF]'
2021-08-27 09:16:53:   ifconfig_remote_netmask = '[UNDEF]'
2021-08-27 09:16:53:   ifconfig_noexec = DISABLED
2021-08-27 09:16:53:   ifconfig_nowarn = DISABLED
2021-08-27 09:16:53:   ifconfig_ipv6_local = '[UNDEF]'
2021-08-27 09:16:53:   ifconfig_ipv6_netbits = 0
2021-08-27 09:16:53:   ifconfig_ipv6_remote = '[UNDEF]'
2021-08-27 09:16:53:   shaper = 0
2021-08-27 09:16:53:   mtu_test = 0
2021-08-27 09:16:53:   mlock = DISABLED
2021-08-27 09:16:53:   keepalive_ping = 0
2021-08-27 09:16:53:   keepalive_timeout = 0
2021-08-27 09:16:53:   inactivity_timeout = 0
2021-08-27 09:16:53:   ping_send_timeout = 10
2021-08-27 09:16:53:   ping_rec_timeout = 45
2021-08-27 09:16:53:   ping_rec_timeout_action = 2
2021-08-27 09:16:53:   ping_timer_remote = DISABLED
2021-08-27 09:16:53:   remap_sigusr1 = 0
2021-08-27 09:16:53:   persist_tun = DISABLED
2021-08-27 09:16:53:   persist_local_ip = DISABLED
2021-08-27 09:16:53:   persist_remote_ip = DISABLED
2021-08-27 09:16:53:   persist_key = ENABLED
2021-08-27 09:16:53:   passtos = DISABLED
2021-08-27 09:16:53:   resolve_retry_seconds = 1000000000
2021-08-27 09:16:53:   resolve_in_advance = DISABLED
2021-08-27 09:16:53:   username = '[UNDEF]'
2021-08-27 09:16:53:   groupname = '[UNDEF]'
2021-08-27 09:16:53:   chroot_dir = '[UNDEF]'
2021-08-27 09:16:53:   cd_dir = '[UNDEF]'
2021-08-27 09:16:53:   writepid = '[UNDEF]'
2021-08-27 09:16:53:   up_script = '[UNDEF]'
2021-08-27 09:16:53:   down_script = '[UNDEF]'
2021-08-27 09:16:53:   down_pre = DISABLED
2021-08-27 09:16:53:   up_restart = DISABLED
2021-08-27 09:16:53:   up_delay = DISABLED
2021-08-27 09:16:53:   daemon = DISABLED
2021-08-27 09:16:53:   inetd = 0
2021-08-27 09:16:53:   log = DISABLED
2021-08-27 09:16:53:   suppress_timestamps = DISABLED
2021-08-27 09:16:53:   machine_readable_output = ENABLED
2021-08-27 09:16:53:   nice = 0
2021-08-27 09:16:53:   verbosity = 4
2021-08-27 09:16:53:   mute = 100
2021-08-27 09:16:53:   status_file = '[UNDEF]'
2021-08-27 09:16:53:   status_file_version = 1
2021-08-27 09:16:53:   status_file_update_freq = 60
2021-08-27 09:16:53:   occ = ENABLED
2021-08-27 09:16:53:   rcvbuf = 0
2021-08-27 09:16:53:   sndbuf = 0
2021-08-27 09:16:53:   sockflags = 0
2021-08-27 09:16:53:   fast_io = DISABLED
2021-08-27 09:16:53:   comp.alg = 0
2021-08-27 09:16:53:   comp.flags = 0
2021-08-27 09:16:53: NOTE: --mute triggered...
2021-08-27 09:16:53: 187 variation(s) on previous 100 message(s) suppressed by --mute
2021-08-27 09:16:53: OpenVPN 2.5.3 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Aug 26 2021
2021-08-27 09:16:53: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-08-27 09:16:53: Resolving address: myvpn.domain.com
2021-08-27 09:16:53: Valid endpoint found: 111.222.333.444:1194:tcp-client
2021-08-27 09:16:53: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-08-27 09:16:53: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-08-27 09:16:53: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-27 09:16:53: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-27 09:16:53: TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:53: Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2021-08-27 09:16:53: TCP connection established with [AF_INET]111.222.333.444:1194
2021-08-27 09:16:53: TCP_CLIENT link local: (not bound)
2021-08-27 09:16:53: TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:53: State changed to Authenticating
2021-08-27 09:16:53: TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=c1c66253 00fde63e
2021-08-27 09:16:56: VERIFY OK: depth=1, CN=ca
2021-08-27 09:16:56: VERIFY OK: depth=0, CN=server
2021-08-27 09:16:57: Connection reset, restarting [0]
2021-08-27 09:16:57: TCP/UDP: Closing socket
2021-08-27 09:16:57: SIGUSR1[soft,connection-reset] received, process restarting
2021-08-27 09:16:57: Viscosity Mac 1.10b4 (1580)
2021-08-27 09:16:57: Viscosity OpenVPN Engine Started
2021-08-27 09:16:57: Running on macOS 11.5.2
2021-08-27 09:16:57: ---------
2021-08-27 09:16:57: State changed to Connecting
2021-08-27 09:16:57: Resolving address: myvpn.domain.com
2021-08-27 09:16:57: Resolving address: myvpn.domain.com
2021-08-27 09:16:57: Valid endpoint found: 111.222.333.444:1194:tcp-client
2021-08-27 09:16:57: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-08-27 09:16:57: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-27 09:16:57: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-27 09:16:57: TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:57: Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2021-08-27 09:16:57: TCP connection established with [AF_INET]111.222.333.444:1194
2021-08-27 09:16:57: TCP_CLIENT link local: (not bound)
2021-08-27 09:16:57: TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:57: State changed to Authenticating
2021-08-27 09:16:57: TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=3fa42b08 7bd9de73
2021-08-27 09:16:58: VERIFY OK: depth=1, CN=ca
2021-08-27 09:16:58: VERIFY OK: depth=0, CN=server
2021-08-27 09:16:58: Connection reset, restarting [0]
2021-08-27 09:16:58: TCP/UDP: Closing socket
2021-08-27 09:16:58: SIGUSR1[soft,connection-reset] received, process restarting
2021-08-27 09:16:58: Viscosity Mac 1.10b4 (1580)
2021-08-27 09:16:58: Viscosity OpenVPN Engine Started
2021-08-27 09:16:58: Running on macOS 11.5.2
2021-08-27 09:16:58: ---------
2021-08-27 09:16:58: State changed to Connecting
2021-08-27 09:16:58: Resolving address: myvpn.domain.com
2021-08-27 09:16:59: Resolving address: myvpn.domain.com
2021-08-27 09:16:59: Valid endpoint found: 111.222.333.444:1194:tcp-client
2021-08-27 09:16:59: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-08-27 09:16:59: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-08-27 09:16:59: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-08-27 09:16:59: TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:59: Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2021-08-27 09:16:59: TCP connection established with [AF_INET]111.222.333.444:1194
2021-08-27 09:16:59: TCP_CLIENT link local: (not bound)
2021-08-27 09:16:59: TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2021-08-27 09:16:59: State changed to Authenticating
2021-08-27 09:16:59: TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=8fc919b9 163f76c5
2021-08-27 09:17:00: VERIFY OK: depth=1, CN=ca
2021-08-27 09:17:00: VERIFY OK: depth=0, CN=server
2021-08-27 09:17:01: State changed to Disconnecting (Manual)
2021-08-27 09:17:01: Connection reset, restarting [0]
2021-08-27 09:17:01: TCP/UDP: Closing socket
2021-08-27 09:17:01: SIGTERM[hard,connection-reset] received, process exiting
2021-08-27 09:17:01: State changed to Disconnected (Process Terminated)
I have also updated the MikroTik RouterOS to version 6.48.4, which is the latest version from a week ago - still no luck.

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Sep 01, 2021 4:47 pm
Hi John,

I'm afraid I can't offer any firm suggestions here: MikroTik's implementation isn't behaving anything like the official implementation would in this situation. It appears to lack the output to indicate what is going on, and is instead just closing the underlying connection.

If your configuration is working in Tunnelblick, but not Viscosity, all I can suggest is checking the underlying configuration data for any differences. You can find information on how to view Viscosity's raw configuration data for your connection at:
https://www.sparklabs.com/support/kb/ar ... ation-data

Besides that, all I can suggest is getting in touch with MikroTik's support staff: they may be able to offer more useful information on why their server implementation is terminating the connection attempt.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

john.dalsgaard

Posts: 9
Joined: Wed Aug 25, 2021 11:47 pm

Post by john.dalsgaard » Thu Sep 09, 2021 11:33 pm
Thanks, James

I have already written to the MikroTik support/forum - but so far no response :roll:

I tried to compare the two configurations, and there are some minor differences, but I cannot tell whether they are important...

I have sorted the lines to make it easier to look at :)

Tunnelblick:
Code:
#-- Tunnelblick Configuration --#
#auth-nocache
#client
#redirect-gateway def
auth SHA1
auth-user-pass
ca cert_export_ca.crt
cert cert_export_vpnclient.crt
cipher AES-256-CBC
dev tun
key cert_export_vpnclient.key
nobind
persist-key
ping 10
ping-restart 45
port 1194
proto tcp-client
pull
remote router.mydomain.dk 1194
resolv-retry infinite
route 192.168.42.0 255.255.255.0
route-delay 2
route-method exe
tls-client
verb 4
Viscosity:
Code:
#-- Configuration Generated By Viscosity --#
#viscosity autoreconnect true
#viscosity dhcp true
#viscosity dns automatic
#viscosity name vpn-solbjerg
#viscosity protocol openvpn
#viscosity startonopen false
#viscosity usepeerdns true
auth SHA1
auth-user-pass 
ca ca.crt
cert cert.crt
cipher AES-256-CBC
dev tun
key key.key
nobind 
persist-key 
ping 10
ping-restart 45
pull 
remote router.mydomain.dk 1194 tcp-client
resolv-retry infinite
route 192.168.42.0 255.255.255.0
route-delay 2
tls-client 
verb 4
I would guess that proto, port and remote more or less end up with the same meaning. However, there is a difference in the route-method parameter.

Could this be the source of the problems? And can I configure it similarly in Viscosity?

Thanks for any light you can shed on this.

/John
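For the side-by-side comparison in this post, and for the Tunnelblick configuration in the first post, here is an added Python example (not the poster's or Viscosity's code) that normalizes two OpenVPN client configs before diffing them: comments are dropped, `client` is expanded to `tls-client` plus `pull`, separate `port` and `proto` lines are folded into the `remote` line, certificate and key file names are compared only by presence (Viscosity renames the files on import), and Windows-only directives such as `route-method` are ignored because they do nothing on a macOS client. It also lints for the three settings the client logs warned about. The two configurations embedded in it are abbreviated, constructed copies of the ones above with the placeholder hostname used earlier in the thread; `HARDENED` is a constructed variant with the missing directives added.

```python
# Constructed, abbreviated copies of the two sorted configurations above (placeholder hostname).
TUNNELBLICK = """\
#-- Tunnelblick Configuration --#
#auth-nocache
#client
auth SHA1
auth-user-pass
ca cert_export_ca.crt
cert cert_export_vpnclient.crt
cipher AES-256-CBC
key cert_export_vpnclient.key
port 1194
proto tcp-client
pull
remote myvpn.domain.com 1194
route 192.168.42.0 255.255.255.0
route-delay 2
route-method exe
tls-client
"""

VISCOSITY = """\
#-- Configuration Generated By Viscosity --#
#viscosity autoreconnect true
auth SHA1
auth-user-pass 
ca ca.crt
cert cert.crt
cipher AES-256-CBC
key key.key
pull 
remote myvpn.domain.com 1194 tcp-client
route 192.168.42.0 255.255.255.0
route-delay 2
tls-client 
"""

# Constructed variant carrying the three directives the lint below asks for.
HARDENED = VISCOSITY + "remote-cert-tls server\nauth-nocache\ndata-ciphers-fallback AES-256-CBC\n"

FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "tls-crypt", "tls-crypt-v2", "pkcs12"}
WINDOWS_ONLY = {"route-method", "ip-win32", "register-dns", "block-outside-dns"}


def parse(text):
    """Directive -> list of argument lists; '#' and ';' comments and blank lines are ignored."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives


def normalize(text):
    """Fold the spellings that differ between clients into one comparable form."""
    d = parse(text)
    if "client" in d:                      # 'client' is shorthand for tls-client + pull
        d.pop("client")
        d.setdefault("tls-client", [[]])
        d.setdefault("pull", [[]])
    default_port = d.pop("port", [["1194"]])[0][0]
    default_proto = d.pop("proto", [["udp"]])[0][0]
    norm = {}
    for name, arg_lists in d.items():
        if name in WINDOWS_ONLY:           # no effect on a macOS client
            continue
        for args in arg_lists:
            if name == "remote":           # remote <host> [port] [proto]
                port = args[1] if len(args) > 1 else default_port
                proto = args[2] if len(args) > 2 else default_proto
                value = (args[0], port, proto)
            elif name in FILE_DIRECTIVES:  # names differ after import; compare presence only
                value = ("<file>",)
            else:
                value = tuple(args)
            norm.setdefault(name, set()).add(value)
    return norm


def diff(text_a, text_b):
    """Directives whose normalized values differ: name -> (a_values, b_values)."""
    a, b = normalize(text_a), normalize(text_b)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}


def lint(text):
    """The settings the client log's WARNING / DEPRECATED lines point at."""
    d = parse(text)
    findings = []
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("remote-cert-tls server: without it any certificate the CA signed, "
                        "including another client's, is accepted as the server")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("auth-nocache: stop the client from keeping the password in memory")
    if "cipher" in d and "data-ciphers" not in d and "data-ciphers-fallback" not in d:
        c = d["cipher"][0][0]
        findings.append(f"OpenVPN 2.5 deprecates a bare 'cipher {c}': add it to data-ciphers "
                        f"or use 'data-ciphers-fallback {c}'")
    return findings


if __name__ == "__main__":
    print("differences:", diff(TUNNELBLICK, VISCOSITY) or "none")
    for finding in lint(VISCOSITY):
        print("lint:", finding)
```

On the two configs above `diff` comes back empty, which is the "identical from a macOS OpenVPN client standpoint" conclusion expressed as code, while `lint` reports the three gaps. One caveat on the first finding: `remote-cert-tls server` needs the server certificate to carry the TLS server key usage, so if the MikroTik server template shown earlier was created without one, `verify-x509-name server name` (pinning the CN the template uses) is the alternative that still closes the hole.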

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Sep 10, 2021 10:24 pm
Hi John,

Those configurations are identical from a macOS OpenVPN client standpoint.

I can only conclude either your CA/Cert files are mixed up or the wrong files, or the server is rejecting the connection for another reason (for example, there is already an active connection - or it thinks there is already an active connection - using those PKI credentials).

The official OpenVPN server would add a message to the log about why the client is being rejected. However I'm afraid the MikroTik implementation doesn't appear to have any such logging. I can only again suggest reaching out to their support staff.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

john.dalsgaard

Posts: 9
Joined: Wed Aug 25, 2021 11:47 pm

Post by john.dalsgaard » Wed Sep 15, 2021 9:25 pm
Hi James

Ok, this turned out to be an (embarrassing) issue as our documentation wasn't entirely up to date so one password was incorrect :? Finding the magic steps to turn on logging for the OVPN server got me on the track.

Anyway, we do now have a connection!

However, I have one minor issue that I'm not sure where to solve. When I connect I do get an IP from the range specified by the OVPN server - but it does not see any of our internal servers.

So when I connect from Tunnelblick I get the following doing an nslookup:
Code:
nslookup router.dalsgaard-data.dk
Server:		192.168.42.251
Address:	192.168.42.251#53

Non-authoritative answer:
Name:	router.dalsgaard-data.dk
Address: 192.168.42.251
However, when doing the same when connected via Viscosity I get:
Code:
nslookup router.dalsgaard-data.dk
Server:		172.20.10.1
Address:	172.20.10.1#53

Non-authoritative answer:
router.dalsgaard-data.dk	canonical name = dalsgaard-data.dk.
Name:	dalsgaard-data.dk
Address: 95.209.155.214
I have tried manually to set the default gateway on the connection to 192.168.42.251 - but it seems to change nothing.

Do you have any ideas as to what I am missing?

Thanks in advance!
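An added check (not from this post) for the resolver difference shown above: it parses the two nslookup outputs and reports whether the answering resolver and the returned address fall inside the VPN network named by the config's `route 192.168.42.0 255.255.255.0` line, and whether the answer arrived via a CNAME from the public zone, which is the signature of a query that never reached the VPN's internal DNS. The outputs embedded here are constructed copies of the ones above with a placeholder internal name and a documentation address.

```python
import ipaddress

# The internal network the config's 'route 192.168.42.0 255.255.255.0' line carries.
VPN_NETS = [ipaddress.ip_network("192.168.42.0/24")]

# Constructed copies of the two nslookup outputs above (placeholder name, documentation address).
VIA_TUNNELBLICK = """\
Server:\t\t192.168.42.251
Address:\t192.168.42.251#53

Non-authoritative answer:
Name:\trouter.example.internal
Address: 192.168.42.251
"""

VIA_VISCOSITY = """\
Server:\t\t172.20.10.1
Address:\t172.20.10.1#53

Non-authoritative answer:
router.example.internal\tcanonical name = example.internal.
Name:\texample.internal
Address: 203.0.113.25
"""


def parse_nslookup(output):
    """Pull the answering resolver, any CNAME, and the answer addresses out of nslookup output."""
    result = {"server": None, "cname": None, "answers": []}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Server:"):
            result["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Address:"):
            value = line.split(":", 1)[1].strip()
            if "#" not in value:           # 'Address: x#53' repeats the resolver, skip it
                result["answers"].append(value)
        elif "canonical name =" in line:
            result["cname"] = line.split("canonical name =", 1)[1].strip().rstrip(".")
    return result


def inside(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def check(output, vpn_nets):
    """Problems that mean the query did not go through the VPN's split-horizon DNS."""
    r = parse_nslookup(output)
    problems = []
    if r["server"] is None or not inside(r["server"], vpn_nets):
        problems.append(f"resolver {r['server']} is outside the VPN networks")
    for a in r["answers"]:
        if not inside(a, vpn_nets):
            problems.append(f"internal name answered with {a}, outside the VPN networks")
    if r["cname"]:
        problems.append(f"answer came via CNAME {r['cname']}: the public zone answered, not the internal one")
    return problems


if __name__ == "__main__":
    for label, out in (("tunnelblick", VIA_TUNNELBLICK), ("viscosity", VIA_VISCOSITY)):
        print(label, "->", check(out, VPN_NETS) or "ok")
```

The Tunnelblick output passes cleanly; the Viscosity output trips all three checks, which is why the internal hostnames are not reachable even though the tunnel itself is up: the query is being answered by the local network's resolver rather than the one the VPN pushes.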

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Sep 16, 2021 10:16 am
Glad to hear you got it working.

I recommend running through the troubleshooting steps at:
https://www.sparklabs.com/support/kb/ar ... -problems/

My instinct is the article linked below is probably the cause, however run through the steps in the above article first to be sure:
https://www.sparklabs.com/support/kb/ar ... e-present/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs