Netgate Discussion Forum

Second OpenVPN Connection Causes Drops

OpenVPN
11 Posts 2 Posters 344 Views
    lao
    last edited by Mar 30, 2025, 7:47 PM

    I've been struggling with this for months and finally gave up. I had a hard time setting this up because the documentation was old and, when it comes to multiple users, not clear. I want to have multiple users connect to a Netgate 2100 over VPN. Attached are my configs and logs. Strange that it works great for one user, but as soon as a second successfully authenticates, both connections start to drop and reauth every few minutes. I know I have a DNS config issue, but I don't see how that is creating this issue. I'm fine using a different client than Tunnelblick or using IPsec. I just need this to work.

    I've been using PFSense for about a decade. I really like the low cost and features. I'm on my second firewall now. The problem I have is so many options and the learning curve is huge to do some things with no clear documentation for different use cases.

      lao @lao
      last edited by Mar 30, 2025, 7:50 PM

      I can't attach so here is a paste of what I have collected.

      Configuration
      VPN OpenVPN Server Configuration
      General Information
      Description
      A description of this VPN for administrative reference.
      Disabled
      Disable this server Set this option to disable this server without removing it from the list.
      Unique VPN ID
      Server 1 (ovpns1)
      Mode Configuration
      Server mode
      DCO
      Enable Data Channel Offload (DCO) for this instance When set, OpenVPN will use data channel offload for increased performance. Certain restrictions apply.
      Backend for authentication
      Device mode
      "tun" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms.
      "tap" mode is capable of carrying 802.3 (OSI Layer 2.)
      Endpoint Configuration
      Protocol
      Interface
      The interface or Virtual IP address where OpenVPN will receive client connections.
      Local port
      The port used by OpenVPN to receive client connections.
      Cryptographic Settings
      TLS Configuration
      Use a TLS Key A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections.The TLS Key does not have any effect on tunnel data.
      TLS Key

      # 2048 bit OpenVPN static key
      -----BEGIN OpenVPN Static key V1-----
      4e2b0f77d0d3df316a62921fe226a936
      6bce69f0be2f24fdc95ecd9239e1dbd9
      5f67d8e3c9b8bb19268db08cadccb9ed
      f22c72cb7831332ad880258ed0f6db37
      49c772bcc0e89281a9def26fd41bdf3f
      d7c7e4b567101bc9985487a3fb36c50c
      cc89a60bb7b7182d9f2641c386aec670
      2c1ee603ebd45b99c160336a9b0dfcb5
      9a74c0bea3ecadf678ef9e0c90e5d2ad
      82328e4bc1b21f0ddb01148981ee5054
      bf7489a016487184bdf43eb09d3ef136
      82646d9d35729a3c1e9b358299eaf00f
      f4d2e127835ea6471c428b93b034f842
      3329ebacb42faff38e8683efb5e7c79c
      33ba855a49da25563efdc8e4eaac9ccb
      f5afbec14ea1ef53c45b772b04011c7a
      -----END OpenVPN Static key V1-----
      Paste the TLS key here.

      This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel.
      TLS Key Usage Mode
      In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections.
      Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.
      TLS keydir direction
      The TLS Key Direction must be set to complementary values on the client and server. For example, if the server is set to 0, the client must be set to 1. Both may be set to omit the direction, in which case the TLS Key will be used bidirectionally.
      Peer Certificate Authority
      Peer Certificate Revocation list
      No Certificate Revocation Lists defined. One may be created here: System > Cert. Manager
      OCSP Check
      Check client certificates with OCSP
      Server certificate
      Certificates known to be incompatible with use for OpenVPN are not included in this list, such as certificates using incompatible ECDSA curves or weak digest algorithms.
      DH Parameter Length
      Diffie-Hellman (DH) parameter set used for key exchange.
      ECDH Curve
      The Elliptic Curve to use for key exchange.
      The curve from the server certificate is used by default when the server uses an ECDSA certificate. Otherwise, secp384r1 is used as a fallback.
      Data Encryption Algorithms
      Available Data Encryption Algorithms
      Click to add or remove an algorithm from the list
      Allowed Data Encryption Algorithms. Click an algorithm name to remove it from the list
      The order of the selected Data Encryption Algorithms is respected by OpenVPN. This list is ignored in Shared Key mode.
      Fallback Data Encryption Algorithm
      The Fallback Data Encryption Algorithm used for data channel packets when communicating with clients that do not support data encryption algorithm negotiation (e.g. Shared Key). This algorithm is automatically included in the Data Encryption Algorithms list.
      Auth digest algorithm
      The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.
      When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.
      The server and all clients must have the same setting. While SHA1 is the default for OpenVPN, this algorithm is insecure.
      Certificate Depth
      When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
      Strict User-CN Matching
      Enforce match When authenticating users, enforce a match between the common name of the client certificate and the username given at login.
      Client Certificate Key Usage Validation
      Enforce key usage Verify that only hosts with a client certificate can connect (EKU: "TLS Web Client Authentication").
      Tunnel Settings
      IPv4 Tunnel Network
      This is the IPv4 virtual network or network type alias with a single entry used for private communications between this server and client hosts expressed using CIDR notation (e.g. 10.0.8.0/24). The first usable address in the network will be assigned to the server virtual interface. The remaining usable addresses will be assigned to connecting clients.

      A tunnel network of /30 or smaller puts OpenVPN into a special peer-to-peer mode which cannot push settings to clients. This mode is not compatible with several options, including DCO, Exit Notify, and Inactive.
      IPv6 Tunnel Network
      This is the IPv6 virtual network or network type alias with a single entry used for private communications between this server and client hosts expressed using CIDR notation (e.g. fe80::/64). The ::1 address in the network will be assigned to the server virtual interface. The remaining addresses will be assigned to connecting clients.
      Redirect IPv4 Gateway
      Force all client-generated IPv4 traffic through the tunnel.
      Redirect IPv6 Gateway
      Force all client-generated IPv6 traffic through the tunnel.
      IPv4 Local network(s)
      IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges or host/network type aliases. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
      IPv6 Local network(s)
      IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX or host/network type aliases. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
      Concurrent connections
      Specify the maximum number of clients allowed to concurrently connect to this server.
      Allow Compression
      Allow compression to be used with this VPN instance.
      Compression can potentially increase throughput but may allow an attacker to extract secrets if they can control compressed plaintext traversing the VPN (e.g. HTTP). Before enabling compression, consult information about the VORACLE, CRIME, TIME, and BREACH attacks against TLS to decide if the use case for this specific VPN is vulnerable to attack.

      Asymmetric compression allows an easier transition when connecting with older peers.
      Type-of-Service
      Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
      Inter-client communication
      Allow communication between clients connected to this server
      Duplicate Connection
      Allow multiple concurrent connections from the same user When set, the same user may connect multiple times. When unset, a new connection from a user will disconnect the previous session.

      Users are identified by their username or certificate properties, depending on the VPN configuration. This practice is discouraged for security reasons, but may be necessary in some environments.
      Client Settings
      Dynamic IP
      Allow connected clients to retain their connections if their IP address changes.
      Topology
      Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.
      Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
      Ping settings
      Inactivity Timeout
      Causes OpenVPN to close a client connection after n seconds of inactivity on the TUN/TAP device.
      Activity is based on the last incoming or outgoing tunnel packet.
      A value of 0 disables this feature.
      This option is ignored in Peer-to-Peer Shared Key mode and in SSL/TLS mode with a blank or /30 tunnel network as it will cause the server to exit and not restart.
      Ping method
      keepalive helper uses interval and timeout parameters to define ping and ping-restart values as follows:
      ping = interval
      ping-restart = timeout*2
      push ping = interval
      push ping-restart = timeout
      Interval
      Timeout
      Advanced Client Settings
      DNS Default Domain
      Provide a default domain name to clients
      DNS Server enable
      Provide a DNS server list to clients. Addresses may be IPv4 or IPv6.
      Block Outside DNS
      Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers. Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.
      Force DNS cache update
      Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
      NTP Server enable
      Provide an NTP server list to clients
      NetBIOS enable
      Enable NetBIOS over TCP/IP If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.
      Advanced Configuration
      Custom options
      Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.
      EXAMPLE: push "route 10.0.0.0 255.255.255.0"
      Username as Common Name
      Use the authenticated client username instead of the certificate common name (CN). When a user authenticates, if this option is enabled then the username of the client will be used in place of the certificate common name for purposes such as determining Client Specific Overrides.
      UDP Fast I/O
      Use fast I/O operations with UDP writes to tun/tap. Experimental. Optimizes the packet write event loop, improving CPU efficiency by 5% to 10%. Not compatible with all platforms, and not compatible with OpenVPN bandwidth limiting.
      Exit Notify
      Send an explicit exit notification to connected clients/peers when restarting or shutting down, so they may immediately disconnect rather than waiting for a timeout. In SSL/TLS Server modes, clients may be directed to reconnect or use the next server. This option is ignored in Peer-to-Peer Shared Key mode and in SSL/TLS mode with a blank or /30 tunnel network as it will cause the server to exit and not restart. This feature is not currently compatible with DCO mode.
      Send/Receive Buffer
      Configure a Send and Receive Buffer size for OpenVPN. The default buffer size can be too small in many cases, depending on hardware and network uplink speeds. Finding the best buffer size can take some experimentation. To test the best value for a site, start at 512KiB and test higher and lower values.
      Gateway creation
      Both
      IPv4 only
      IPv6 only
      If you assign a virtual interface to this OpenVPN server, this setting controls which gateway types will be created. The default setting is 'both'.
      Verbosity level
      Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.

      None: Only fatal errors
      Default through 4: Normal usage range
      5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
      6-11: Debug info range

      Tunnelblick Configuration
      dev tun
      persist-tun
      persist-key
      data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      auth SHA512
      tls-client
      client
      resolv-retry infinite
      remote vpn.mikelemon.com 1194 udp4
      lport 0
      verify-x509-name "OpenVPN_Server" name
      auth-user-pass
      remote-cert-tls server
      explicit-exit-notify

      <ca>
      -----BEGIN CERTIFICATE-----
      MIIFNTCCAx2gAwIBAgIIcwa4+bgi27YwDQYJKoZIhvcNAQENBQAwFjEUMBIGA1UE
      AxMLaW50ZXJuYWwtY2EwIBcNMjQxMDI0MTQyOTQxWhgPMjA1NzA5MDExNDI5NDFa
      MBYxFDASBgNVBAMTC2ludGVybmFsLWNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
      MIICCgKCAgEArIv0dNnv8a2T4vYasvCHpxjKpXKSq8cU25vMqdWn+IlBFA+wOgv4
      3vfx3Vwg8No7iC8yLgnJH1UA5mi9Qq08sPC87MSrZn3NRMDSSybsIa+nfXG5E6L4
      tYX8nd8DA+wMJDx+EVHa5HxnNFt3SoEWZTvLq7voNzz4LIuU3L4J+Jml5TdTNDpC
      YjM1nh3pGMPsCvd8+WUZ+EKf7qGXZZ303+xQFHjadQltKg/Xl4TKEtn85ND/Vvwo
      2vli/8HOxhaNtaBxidDp5B5y9KQWkVirqV/XvF8SM9hLRPzvaqg/dig/OycW0OuO
      eoTdoDumDr44MSxcj3sReSzLKBzyXA10AHc6vXNAV501Cgil5vC+Swwkpn1ym5oy
      R7dx2Pfl9erqo71som2Wta3eXJMjMR7uyJWjJ/EStvw8dduXXR2gPezgyVpH9oPX
      yCR05B0CSZLQEjGL3P8NWQV22ZLrGo5lzzDzsRxKWIIG94mgUrijIvezsVtGD7cw
      INVC/tNuuZOV/SH9HipInOaVcvQWTpt8r+Mrl6WFPwD8dxYv5mvr9pctOGxZTAND
      c76V1b6enHmZLD8vz95UcOkiFpbKtli9yBjCPz24CXCF5R8dVxjqopPtVQvCVW4H
      k2U7u/7CzwQ0QjiHw+KZnTlh/RDIwjNlktnL6Edis54gly8D8luJuMECAwEAAaOB
      hDCBgTAdBgNVHQ4EFgQUgYLIp37Nrab1VHvazWu2SR47lnswRQYDVR0jBD4wPIAU
      gYLIp37Nrab1VHvazWu2SR47lnuhGqQYMBYxFDASBgNVBAMTC2ludGVybmFsLWNh
      gghzBrj5uCLbtjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
      AQ0FAAOCAgEADmNc7nuR4JalYt5Fqq8lMTSMHhI1fLJ7ghLK6sSrzOXdfreEJ0i/
      P0zlafrs+fXckjuKH4TWZWotL7JvGCKFOWOFN54pdKFJ+KMWKeRN/IBagYWmyjOs
      VO7Vlpcne/J+kVtWjg8nFzgHvD/S28FZsHKYFavSZMFqFXlbFTpF/DQBz9lrJ5vr
      JWUM5MRbmU0TFZ4eekeeSmvYn0B8LyCHbo9URSd9RA3TwA9V9veGcezZN4ZKHNK2
      6bwr9gauh5gLNnkJh2h3SH4DjLcXfAMv52mS3rYZRsAlEmV/PCtw2IbJSyYV8flG
      52ZSj0IJ1NLZ55+fDvY5CQJXm6gBmt7sDsfu4u4TO2NANnsSsICnz+RKj/7zXn7n
      rMN/q+vQuznzI6ZxOgmqig6dgYTZNw88v0mrHS7jmM2tWOcg+nU9BlCLyKKS7yjX
      U5dckjbNJUA7lS8TdFmDJ0ONe1acvyTfS7jvZUsXfhNT3IpxjAsuVbo5PYpMw1L7
      bp1JJjOQEi9/vKBM6UO85uxq6w0anXkJBanY8ai7pR2sSeKJZe7+jk8YWV/eB6/c
      Y/7wxBuPRDcIW47wLA5N6/QgWrIYjXprDldQJkcpjxY/EMG92lDL/d9/hm03n8Tm
      zdMINz9T68nK4y8Osm2Gfylf/iE6oh16X3vi7YB/5PTqadmwoXVUDY0=
      -----END CERTIFICATE-----
      </ca>
      <cert>
      -----BEGIN CERTIFICATE-----
      MIIF3TCCA8WgAwIBAgIBAjANBgkqhkiG9w0BAQ0FADAyMRYwFAYDVQQDEw1JbnRl
      cm5hbC1DQS0zMQswCQYDVQQGEwJVUzELMAkGA1UECxMCRFMwHhcNMjQxMDI0MTQ0
      MDAxWhcNMzQxMDIyMTQ0MDAxWjAxMRUwEwYDVQQDFAxPcGVuVlBOX1VzZXIxCzAJ
      BgNVBAYTAlVTMQswCQYDVQQLEwJEUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
      AgoCggIBAJQCDwFEiGJRNpRBDWq3jpoOjJeAKVYfYwTUmP4eEp+N6VHxAwlHrNxi
      pePgDKcjEI5hlbm9eq0FAWdhswHqxrulgQTd6zHjEOqwZagU2IHjvRbvW81uS5Op
      RFFnKNDrnQBV340t8kq1TM25hIXOqtRXNrDRpQ+/QqK14sHmdAAhzB+Ko6NDk8H+
      +WpBkB2zN3YU1uFQv+po30TxKjJgQ/vB8zTiuQA1gGbEiFXMAy17F0FztVysS6U
      wSCtpgCS+0r8ByIlaTihVCiD7O4l/bSnEMqm8MOO4Y3ArzC9E21PK3ybcrpnzGf/
      OgNMCUJlTJ4aS7zjLl68I9uXh4iwE6al/Z25FdfF/5ViGMHBM0lnx4WxEmC5SspB
      EKpBPpDHHx3OjxKSI5BB+j+pjZSfVS55r6e9d6XcPhUICarow0lMftcPXROIOYRG
      mkNSHvYzAm/QrzpxYx8qFzkleoQoiXhTHFn8MocH7lnOWdEKAXFWxNEa1rB3sWGw
      H1Koxc5Zlm7tcT5aYRy3EZlu++GVlcBZiRZNwhsKvjHnnhi9wRxQARKMsLXY4m65
      PF76AivOqGMMMQT4AWtMN8ea8PjkV90kwO6eMNU16IlYkm23CHHiBFRarEEBzN4P
      XRUqE4VyPKj4FfweG8i6cuffywQ6EBV2ks6S/fIWa5eCrt58Bjq1AgMBAAGjgf4w
      gfswCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwMQYJYIZIAYb4QgENBCQWIk9wZW5T
      U0wgR2VuZXJhdGVkIFVzZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAKqG0PwyjRM
      UIBvma7rPbt0OVX5MGEGA1UdIwRaMFiAFEy3wPKj/Q2rNPyGqxkZuy2KiUPkoTak
      NDAyMRYwFAYDVQQDEw1JbnRlcm5hbC1DQS0zMQswCQYDVQQGEwJVUzELMAkGA1UE
      CxMCRFOCCC2B0qY1BWoxMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBcGA1UdEQQQMA6C
      DE9wZW5WUE5fVXNlcjANBgkqhkiG9w0BAQ0FAAOCAgEAGlKgqSTCwaNhnhgLADDB
      +oYMF9TxAUAsn6z5q0S7FhPmzogox5CKCBg5OvrUGjHBzfL1roQ2NLkkjK+m44oK
      g8Lma3+AaCskG2S9PGK6Yw89+lsiGE80ZQdWyPTUqvpZ2uwtByIXvIv781Uc888u
      9o76JF1AsUZcZdQTdVQ9Mec23Jx6J478RYmUcaaWqumjqq1+7bYx9Q6OTra4xrw4
      Bcs2/c3/Y6srdUYYNxuwyUDgZWKYZpzqu1tm/NS3jzFCd1tAo8FtkI90yxRLUAfE
      Rb7bX3c3p8VvTGPRYg4vkIY5daYeUgQp/s8zZsIKS6GNDp3rYv7m8OmFr99ydHI8
      8+yYphRn7DVTq3yOlsbWUcHurlmWIgrBsZBzAv9cioXYgYE4leNTlm+6/Vi5/1t+
      FiDpaSV6/etOIfQ/Ms7HLexGm4I6JzeBVHLcs6uoocn5Rp4dEiGY8PcqFNWLvyR
      QKx2YgohPsrJsfh/RkqXCwAkQhurodySFu8ujiROhvQ6SzPsufhbUwEaTFMn2hfb
      rN25OVOE+G40IexUi7bD4UR+U6QuzUq06WIauAyDZSh/1OfisDONf6Y2Gjl3rdtb
      AFQugZBBwUqBlGFnERRDKDcchbvefUtfUlUjByq4qWEml3l2BcRkAF7tBaRZdH2
      kO//DMDrk2xDT0vSRK6+Lsc=
      -----END CERTIFICATE-----
      </cert>
      <key>
      -----BEGIN PRIVATE KEY-----
      MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAEAAoICAQCUAg8BRIhiUTaU
      QQ1qt46aDoyXgClWH2ME1Jj+HhKfjelR8QMJR6zcYqXj4AynIxCOYZW5vXqtBQFn
      YbMB6sa7pYEE3esx4xDqsGWoFNiB470W71vNbkuTqURRZyjQ650AVd+NLfJKtUzN
      uYSFzqrUVzaw0aUPv0KiteLB5nQAIcwfiqOjQ5PB/vlqQZAdszd2FNbhUL/qaN9E
      8SoyYEP7wfM04rkANYBm4hIhVzAMtexdBc7VcrEulMEgraYAkvtK/AciJWk4oVQo
      g+zuJf20pxDKpvDDjuGNwK8wvRNtTyt8m3K6Z8xn/zoDTAlCZUyeGku84y5evCPb
      l4eIsBOmpf2duRXXxf+VYhjBwTNJZ8eFsRJguUrKQRCqQT6Qxx8dzo8SkiOQQfo/
      qY2Un1Uuea+nvXel3D4VCAmq6MNJTH7XD10TiDmERppDUh72MwJv0K86cWMfKhc5
      JXqEKIl4UxxZ/DKHB+5ZzlnRCgFxVsTRGtawd7FhsB9SqMXOWZZu7XE+WmEctxGZ
      bvvhlZXAWYkWTcIbCr4x554YvcEcUAESjLC12OJuuTxe+gIrzqhjDDEE+AFrTDfH
      mvD45FfdJMDunjDVNeiJWJJttwhx4gRUWqxBAczeD10VKhOFcjyo+BX8HhvIunLn
      38sEOhAVdpLOkv3yFmuXgq7efAY6tQIDAQABAoICACCLQFXgxhVKMrRQBn113Xjx
      5IeGcnBhp+HexkIwBhvHtisika6XcEKoPT45HEce3mvUOLoV1/TV0ixzbssn3qlR
      d6hEjIvUV/qmrT+TT9TlqMTzfg3SZ/NQp3k3s+GWQRgbCbPvC6TSLxBYL7PFUMou
      YBPqkP8AqMwCrtjATbbet5Wi5B7Iw+NG53wt7Nye9L210NbLrNtD0n4EAimAAcrI
      Z2v0Q0XwvapBoMdsdqAA23dLyOIlnSB3LGz9SbA8IV2oQ4BGVhfR32GmOnFV8K5p
      grdwlCWH1AAZg1v14yDopND6FDS5EJi4Zb7mV+3dvMZR1V/z2xURDNhivfY38yXe
      mnXoCJrJkyu4ItcFf41nUEtPYLN8p5Nr6haURCDxk3ecD11v2zE/27RDi7iS/6Hm
      pkH1X/1jcLPpKOuExPMJ8YSt9l7CuJ7Iguo6aqIvg+wybZ/Fv+vZi55p1KZIqtAz
      9Snyyaqsje9fCXPil6XET1Nj82gvlpkuUoR/OK0S33aeh6gazbw1sYtBdRlQJzs
      uvt5xMX5nSRRi/wTBVpRQgBJBm+B1W4rpzPbCzzW/aoe+vYW0uODFcTdrkyZfS+S
      0KOlj/fDD22DzAfwqfQmAkkWgUDRgjvnTerwy78B408gP4EGG7Oi18lxQ7UqD4t4
      FK2znMzOt4kuOIEELwA5AoIBAQDI0mxQKDCTr7WsHU/A0FAMaHZuCyClxiMUKiUi
      KzRv3ArAGt2wPKldwrQp1PQU5H27qKEKECNoYKiCyzsbqv2bcUAgx4dasU3TUxgB
      /XljtYP5qQA66E+c2GpFhsf14jUzl0/hG1jEREgf37xVDpZgkHq874i15bUBKlGL
      6saRkX1ywT4J5+PmTvfVGr52Og/QVBvDSOeLNV1lj9HediHBTI8wuLPczLXaz+8V
      bmOj5t5YSaoMZxVWYhCNp7obhbzjDiSDOax0x2b6yV6/RJ+TYGwLwHR2WlOjK96J
      0CUMhO4aTzoBOuG9iyjiIE0DFTMgvbEZJTJY12+z6wr8mHntAoIBAQC8rMRrv5P2
      bAtNEbToamtc0xYAKiOUP2YUZdIT/a3X+faS84Cvz5VTj44/gUTR59jtLFy0MiAH
      0x0oPfMPVlN3PEYvcr8D/rAziH8HnbHxUHhy/NN5j9alIrRTYmWFRdhPVRxehmL9
      4qlFnMgyMBS2Zjoo5TiN1PzRo9NJqkFjaiop2Mh70sMtFkooLZT+21DLJxv8+obp
      c9wM6DejdzU5jj3n77O07X9TevSaWTQU6eM8wYcLOabnNGZOSk0+ncepcorktpF7
      2vlVcsKXkZE5rJReCH0HHA1/XlGzY3NXamOiUZH2fjHjrPp2k//x5GN0WI3pJ3IM
      gxJbLWHi7ArpAoIBAQC2bWBzWG74Wi/AkEf4scNl4idjQ7x+mwUWtkpRRco2qz8g
      z8b+57w7LjoXnhm0OPR22nKf/5UKpnOtjQy+z4/d+vz0Sg0NN++ovt0aQbZZ+3RO
      AVXyLULVCktPqWZQWRNXMGch6IO0lwql2crtwXidc+Hra/VWt7q7ukOlxLppVi8N
      ZboDqaF/f9Dmx4qpP4lKCH3H4pxj+zBCqGlPmySCwhd5fO/27gdtJGLdpw/gvkLR
      FOnipmndtOuwouMPSWgTIq/MfUHKO7Gys+bb/WywpnDAJC4nrVo46gsYSfq96quZ
      PstEfsa+NoIHGKyc1k9BuM/+NaoMxnf0itnKKIDpAoIBAQCe4NFKdnnPcW4WyQlR
      CYQ9F1eYbeOmC7kXBiLgSKdijpAPcNN1uNTjF6jOWzmrlJO8LLYn22nTjPgpkfki
      eiww5OWpQPQPFiIkUxW9QRK9xWiYU8R0wiYayt2UtfANSSJ8s4v/ISUs6/hksUB3
      2rsmWXEyTMvRy3/VvSHID4GeiKDWukEg2/sU9YcezDuCXQZs/BL6dbCz16d+ivGH
      SnPccqY4sEXg3nlwv8JIU0OjNMzwtXrVfgfI+/wGg1UGnHCshNLnA8IAzQVW6hto
      7OCg823AvV8jZIENN0yPRfizrNgXsJ68NconEdubjMdjV1JUf9mIc3n7hUgo1U9v
      ehs5AoIBACje5dq2JvxdzAhWF/wpIW5gvIVJKV8JMPZ/dzT/4KpaeZX3ewqrHOw
      XGmgk4UvRzyBQfZS2RAZY7lTXk+YXDR+iicW/lyn+Kq4uG6RHYy/ZFvp7iXIFE7b
      lLepKl7taODsDySmZ2qL1YaA8TFIJaF3ECg1pzfFvjXJcMeCxnLZZu7xztLHme33
      7iBR9fAVLxP/lG4K7y3tmIA+Drk+2zu+9XnFNOId5qkAf2eg0toWgncDmtmr4gSC
      2RBhLv2IZtRvMO/BS8XsTDOZAKHgU6kaW3xTPHn88RK1FIVVBTRRyEEzqhkCtHu
      hcsuZaweh/AmGfNYXDkIpAYJlXZHshE=
      -----END PRIVATE KEY-----
      </key>
      <tls-crypt>
      #
      # 2048 bit OpenVPN static key
      #
      -----BEGIN OpenVPN Static key V1-----
      4e2b0f77d0d3df316a62921fe226a9368
      6bce69f0be4f24fdc95ecd9239e1dbd9
      5f67d8e3c9b8bb19268db08cadccb9ed
      f22c72cb7831332ad880558ed0f6db37
      49c772bcc0e89281a9def26fd41bdf3f
      d7c7e4b567101bc9985487a3fb36c50c
      cc89a60bb7b7182d9f2641c386aec670
      2c1ee603ebd45b99c150336a9b0dfcb5
      9a74c0bea3ecadf678ef9e0c90e5d2ad
      82328e4bc1b21f0ddb01148981ee5054
      bf7489a016487184bdf43eb09d3ef136
      82646d9d35729a3c1e9b358299eaf00f
      f4d2e127835ea6471c428b93b034f842
      3329ebacb42faff38e8683efb5e7c79c
      33ba855a49da25563efdc8e4eaac9ccb
      f5afbec14ea1ef53c45b772b04011c4a
      -----END OpenVPN Static key V1-----
      </tls-crypt>

        viragomann
        last edited by Mar 30, 2025, 8:39 PM

        The logs of the server and client would be more helpful than the whole config plus certificates. You should not publish your certificates and keys at all.

        Are the clients using the same certificate by any chance?
        They need to have unique ones.

        Also you can try to disable DCO for troubleshooting.

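The symptom in this thread ("works for one user, both drop and re-auth once a second user connects") is exactly what the server's "Duplicate Connection" help text describes: with that option unset, a new connection by the same identity disconnects the previous session, so two clients sharing one certificate evict each other in turn. The script below is an added example, not code from this thread, from pfSense or from Netgate. It scans OpenVPN server log lines (the logs viragomann asked for) and reports every client identity (certificate CN, or the username when "Username as Common Name" is on) that connects from more than one source address, together with the "previous active sessions ... will be dropped" notice OpenVPN logs on each eviction. It also encodes the keepalive rule from the server's "Ping method" help text (ping = interval, ping-restart = timeout*2, pushed ping-restart = timeout) so pushed timer values seen in a client log can be mapped back to the Interval and Timeout fields. The log lines, client names and addresses are constructed for the example; the message wording assumed is OpenVPN 2.6's.

```python
"""Spot OpenVPN sessions being knocked offline because two clients share one identity.

Added example for this thread; not code from the post, pfSense or Netgate.
Assumptions: OpenVPN 2.6 server log wording; the sample log below is
constructed (made-up names, RFC 5737 documentation addresses).
"""
import re
from collections import defaultdict

# Constructed sample of a server log. Two laptops present the same
# certificate (CN=OpenVPN_User); a third client ("alice") has its own.
SAMPLE_SERVER_LOG = """\
Mar 30 14:25:54 openvpn[12345]: 203.0.113.10:51234 [OpenVPN_User] Peer Connection Initiated with [AF_INET]203.0.113.10:51234
Mar 30 14:27:12 openvpn[12345]: 198.51.100.7:40022 [OpenVPN_User] Peer Connection Initiated with [AF_INET]198.51.100.7:40022
Mar 30 14:27:12 openvpn[12345]: MULTI: new connection by client 'OpenVPN_User' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Mar 30 14:29:40 openvpn[12345]: 203.0.113.10:51235 [OpenVPN_User] Peer Connection Initiated with [AF_INET]203.0.113.10:51235
Mar 30 14:29:40 openvpn[12345]: MULTI: new connection by client 'OpenVPN_User' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Mar 30 14:31:02 openvpn[12345]: 192.0.2.44:60001 [alice] Peer Connection Initiated with [AF_INET]192.0.2.44:60001
"""

# "[<identity>] Peer Connection Initiated with [AF_INET]<ip>:<port>"
CONNECT_RE = re.compile(
    r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with \[AF_INET6?\](?P<addr>\S+)"
)
# Logged when a second session for the same identity pre-empts the first.
DROP_RE = re.compile(
    r"MULTI: new connection by client '(?P<cn>[^']+)' will cause previous active sessions"
)


def source_ip(addr):
    """Strip the port from '203.0.113.10:51234' (or '[2001:db8::1]:1194')."""
    host = addr.rsplit(":", 1)[0]
    return host.strip("[]")


def analyze_server_log(text):
    """Return per-identity source addresses, drop counts and the shared identities."""
    sources = defaultdict(set)
    drops = defaultdict(int)
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            sources[m.group("cn")].add(source_ip(m.group("addr")))
            continue
        m = DROP_RE.search(line)
        if m:
            drops[m.group("cn")] += 1
    return {
        "sources": {cn: sorted(ips) for cn, ips in sources.items()},
        "drops": dict(drops),
        # One identity behind several source addresses is the shared-certificate
        # pattern: each later connect evicts the earlier session, which the users
        # experience as both connections dropping and re-authenticating.
        "shared_identities": sorted(cn for cn, ips in sources.items() if len(ips) > 1),
    }


def keepalive_from_fields(interval, timeout):
    """pfSense 'Ping method: keepalive' fields -> values OpenVPN uses and pushes."""
    return {
        "ping": interval,
        "ping-restart": timeout * 2,   # the server itself waits twice the timeout
        "push ping": interval,
        "push ping-restart": timeout,  # what a client log shows as "Timers: ..."
    }


def report(result):
    """Human-readable lines, one per identity seen from more than one address."""
    lines = []
    for cn in result["shared_identities"]:
        lines.append(
            f"{cn}: seen from {', '.join(result['sources'][cn])}; "
            f"{result['drops'].get(cn, 0)} session(s) dropped by a duplicate connect"
        )
    return lines or ["no identity seen from more than one address"]


if __name__ == "__main__":
    for line in report(analyze_server_log(SAMPLE_SERVER_LOG)):
        print(line)
    print(keepalive_from_fields(10, 60))
```

Feed it the contents of the pfSense OpenVPN log instead of the constructed sample to check a real server. A non-empty `shared_identities` list points at the fix viragomann gives: issue each user a unique certificate, rather than enabling "Duplicate Connection", which the server settings themselves describe as discouraged.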
          lao @viragomann
          last edited by Mar 30, 2025, 10:43 PM

          @viragomann
          I tried loading the rest of the data and was blocked by spam control. Thank you for the warning about certs and keys. These were sanitized along with all other info. Here are logs although I think you nailed it with the same cert. Checking...

          Tunnelblick Log:

          2025-03-30 14:25:36.660939 *Tunnelblick: macOS 15.3.2 (24D81); Tunnelblick 6.0.1 (build 6161)
          2025-03-30 14:25:37.284604 *Tunnelblick: Attempting connection with Firewall-UDP4-1194-VPNuser-config using shadow copy; Set nameserver = 0x00000301; monitoring connection
          2025-03-30 14:25:37.286407 *Tunnelblick: openvpnstart start Firewall-UDP4-1194-VPNuser-config.tblk 60476 0x00000301 0 1 0 0x0210c130 -ptADGNWradsgnw 2.6.13-openssl-3.0.16 <password>
          2025-03-30 14:25:37.324084 *Tunnelblick: openvpnstart starting OpenVPN
          2025-03-30 14:25:37.812305 OpenVPN 2.6.13 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
          2025-03-30 14:25:37.812701 library versions: OpenSSL 3.0.16 11 Feb 2025, LZO 2.10
          2025-03-30 14:25:37.814553 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:60476
          2025-03-30 14:25:37.814633 Need hold release from management interface, waiting...
          2025-03-30 14:25:38.553591 *Tunnelblick: openvpnstart log:
          OpenVPN started successfully.
          Command used to start OpenVPN (one argument per displayed line):
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.6.13-openssl-3.0.16/openvpn
          --daemon
          --log-append /Library/Application Support/Tunnelblick/Logs/-SUsers-Smike-SLibrary-SApplication Support-STunnelblick-SConfigurations-SFirewall--UDP4--1194--VPNuser--config.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_34652464.60476.openvpn.log
          --cd /Library/Application Support/Tunnelblick/Users/mike/Firewall-UDP4-1194-VPNuser-config.tblk/Contents/Resources
          --machine-readable-output
          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 6161 6.0.1 (build 6161)"
          --verb 3
          --config /Library/Application Support/Tunnelblick/Users/mike/Firewall-UDP4-1194-VPNuser-config.tblk/Contents/Resources/config.ovpn
          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/mike/Firewall-UDP4-1194-VPNuser-config.tblk/Contents/Resources
          --verb 3
          --cd /Library/Application Support/Tunnelblick/Users/mike/Firewall-UDP4-1194-VPNuser-config.tblk/Contents/Resources
          --management 127.0.0.1 60476 /Library/Application Support/Tunnelblick/Mips/Firewall-UDP4-1194-VPNuser-config.tblk.mip
          --setenv IV_SSO webauth,crtext
          --management-query-passwords
          --management-hold
          --script-security 2
          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          2025-03-30 14:25:38.564195 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63605
          2025-03-30 14:25:38.592396 MANAGEMENT: CMD 'pid'
          2025-03-30 14:25:38.592495 MANAGEMENT: CMD 'auth-retry interact'
          2025-03-30 14:25:38.592576 MANAGEMENT: CMD 'state on'
          2025-03-30 14:25:38.592617 MANAGEMENT: CMD 'state'
          2025-03-30 14:25:38.592650 MANAGEMENT: CMD 'bytecount 1'
          2025-03-30 14:25:38.593274 *Tunnelblick: Established communication with OpenVPN
          2025-03-30 14:25:38.594235 *Tunnelblick: >INFO:OpenVPN Management Interface Version 5 -- type 'help' for more info
          2025-03-30 14:25:38.595178 MANAGEMENT: CMD 'hold release'
          2025-03-30 14:25:51.805004 MANAGEMENT: CMD 'username "Auth" "mike"'
          2025-03-30 14:25:51.805100 MANAGEMENT: CMD 'password [...]'
          2025-03-30 14:25:51.805233 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
          2025-03-30 14:25:51.818571 MANAGEMENT: >STATE:1743359151,RESOLVE,,,,,,
          2025-03-30 14:25:52.213809 TCP/UDP: Preserving recently used remote address: [AF_INET]98.62.145.14:1194
          2025-03-30 14:25:52.214008 Socket Buffers: R=[786896->786896] S=[9216->9216]
          2025-03-30 14:25:52.216183 UDPv4 link local (bound): [AF_INET][undef]:0
          2025-03-30 14:25:52.216725 UDPv4 link remote: [AF_INET]98.62.145.14:1194
          2025-03-30 14:25:52.216834 MANAGEMENT: >STATE:1743359152,WAIT,,,,,,
          2025-03-30 14:25:52.573259 MANAGEMENT: >STATE:1743359152,AUTH,,,,,,
          2025-03-30 14:25:52.573381 TLS: Initial packet from [AF_INET]98.62.145.14:1194, sid=78d68927 f3181f22
          2025-03-30 14:25:52.573536 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
          2025-03-30 14:25:52.991606 VERIFY OK: depth=1, CN=internal-ca
          2025-03-30 14:25:52.993239 VERIFY KU OK
          2025-03-30 14:25:52.993291 Validating certificate extended key usage
          2025-03-30 14:25:52.993308 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
          2025-03-30 14:25:52.993320 VERIFY EKU OK
          2025-03-30 14:25:52.993332 VERIFY X509NAME OK: CN=OpenVPN_Server
          2025-03-30 14:25:52.993341 VERIFY OK: depth=0, CN=OpenVPN_Server
          2025-03-30 14:25:54.490473 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
          2025-03-30 14:25:54.490562 [OpenVPN_Server] Peer Connection Initiated with [AF_INET]98.62.145.14:1194
          2025-03-30 14:25:54.490615 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
          2025-03-30 14:25:54.490711 TLS: tls_multi_process: initial untrusted session promoted to trusted
          2025-03-30 14:25:55.612023 MANAGEMENT: >STATE:1743359155,GET_CONFIG,,,,,,
          2025-03-30 14:25:55.613339 SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
          2025-03-30 14:25:58.286387 PUSH: Received control message: 'PUSH_REPLY,route vpn.mikelemon.com 255.255.255.0,route-gateway 10.88.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.88.8.2 255.255.255.0,peer-id 2,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
          2025-03-30 14:25:58.286660 OPTIONS IMPORT: --ifconfig/up options modified
          2025-03-30 14:25:58.286707 OPTIONS IMPORT: route options modified
          2025-03-30 14:25:58.286726 OPTIONS IMPORT: route-related options modified
          2025-03-30 14:25:58.286741 OPTIONS IMPORT: tun-mtu set to 1500
          2025-03-30 14:25:58.289663 Opened utun device utun13
          2025-03-30 14:25:58.298864 MANAGEMENT: >STATE:1743359158,ASSIGN_IP,,10.88.8.2,,,,
          2025-03-30 14:25:58.299027 /sbin/ifconfig utun13 delete
          ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
          2025-03-30 14:25:58.316221 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
          2025-03-30 14:25:58.316266 /sbin/ifconfig utun13 10.88.8.2 10.88.8.2 netmask 255.255.255.0 mtu 1500 up
          2025-03-30 14:25:58.335602 /sbin/route add -net 10.88.8.0 10.88.8.2 255.255.255.0
          add net 10.88.8.0: gateway 10.88.8.2
          2025-03-30 14:25:58.345958 MANAGEMENT: >STATE:1743359158,ADD_ROUTES,,,,,,
          2025-03-30 14:25:58.346004 /sbin/route add -net vpn.mikelemon.com 10.88.8.1 255.255.255.0
          add net vpn.mikelemon.com: gateway 10.88.8.1
          14:25:58 *Tunnelblick: **********************************************
          14:25:58 *Tunnelblick: Start of output from client.up.tunnelblick.sh
          14:25:58 *Tunnelblick: Primary network service: Wi-Fi
          14:26:00 *Tunnelblick: Disabled IPv6 for 'Belkin USB-C LAN'
          14:26:00 *Tunnelblick: Disabled IPv6 for 'USB 10/100/1000 LAN 2'
          14:26:00 *Tunnelblick: Disabled IPv6 for 'Thunderbolt Bridge'
          14:26:00 *Tunnelblick: Disabled IPv6 for 'SC_USviaSw-SE-US-1'
          14:26:00 *Tunnelblick: Disabled IPv6 for 'Other VPNVPN'
          14:26:00 *Tunnelblick: No changes to DNS servers have been requested
          14:26:00 *Tunnelblick: DNS servers '<Other VPN DNS>' will be used for DNS queries when the VPN is active
          14:26:00 *Tunnelblick: NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
          14:26:00 *Tunnelblick: Will not monitor for network configuration changes.
          14:26:00 *Tunnelblick: Have written State:/Network/OpenVPN for no DNS changes and to inhibit network monitoring
          14:26:00 *Tunnelblick: Flushed the DNS cache via dscacheutil
          14:26:00 *Tunnelblick: /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
          14:26:00 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed
          14:26:00 *Tunnelblick: Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
          14:26:00 *Tunnelblick: End of output from client.up.tunnelblick.sh
          14:26:00 *Tunnelblick: **********************************************
          2025-03-30 14:26:00.880945 Initialization Sequence Completed
          2025-03-30 14:26:00.881012 MANAGEMENT: >STATE:1743359160,CONNECTED,SUCCESS,10.88.8.2,98.62.145.14,1194,,
          2025-03-30 14:26:00.881604 Data Channel: cipher 'AES-256-GCM', peer-id: 2
          2025-03-30 14:26:00.881629 Timers: ping 10, ping-restart 60
          2025-03-30 14:26:00.881635 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
          2025-03-30 14:26:02.000801 *Tunnelblick: Warning: DNS server address is not being used.

          2025-03-30 14:26:02.010969 *Tunnelblick: Warning: DNS server address <Other VPN DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.

          2025-03-30 14:26:02.015015 *Tunnelblick: Warning: DNS server address <WiFi DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.

          2025-03-30 14:26:02.017243 *Tunnelblick: Warning: DNS server address <Laptop DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.

          2025-03-30 14:26:08.781457 *Tunnelblick: This computer's apparent public IP address (74.63.204.254) was unchanged after the connection was made
          2025-03-30 14:27:51.977395 [OpenVPN_Server] Inactivity timeout (--ping-restart), restarting
          2025-03-30 14:27:51.978375 SIGUSR1[soft,ping-restart] received, process restarting
          2025-03-30 14:27:51.978444 MANAGEMENT: >STATE:1743359271,RECONNECTING,ping-restart,,,,,
          2025-03-30 14:27:52.304682 *Tunnelblick: Delaying HOLD release for 1.000 seconds
          2025-03-30 14:27:53.307446 MANAGEMENT: CMD 'hold release'
          2025-03-30 14:27:53.307700 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
          2025-03-30 14:27:53.308443 TCP/UDP: Preserving recently used remote address: [AF_INET]98.62.145.14:1194
          2025-03-30 14:27:53.308572 Socket Buffers: R=[786896->786896] S=[9216->9216]
          2025-03-30 14:27:53.308767 UDPv4 link local (bound): [AF_INET][undef]:0
          2025-03-30 14:27:53.308799 UDPv4 link remote: [AF_INET]98.62.145.14:1194
          2025-03-30 14:27:53.308873 MANAGEMENT: >STATE:1743359273,WAIT,,,,,,
          2025-03-30 14:27:53.731787 MANAGEMENT: >STATE:1743359273,AUTH,,,,,,
          2025-03-30 14:27:53.731969 TLS: Initial packet from [AF_INET]98.62.145.14:1194, sid=65af832e 02628a3d
          2025-03-30 14:27:54.185703 VERIFY OK: depth=1, CN=internal-ca
          2025-03-30 14:27:54.186489 VERIFY KU OK
          2025-03-30 14:27:54.186541 Validating certificate extended key usage
          2025-03-30 14:27:54.186559 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
          2025-03-30 14:27:54.186577 VERIFY EKU OK
          2025-03-30 14:27:54.186588 VERIFY X509NAME OK: CN=OpenVPN_Server
          2025-03-30 14:27:54.186599 VERIFY OK: depth=0, CN=OpenVPN_Server
          2025-03-30 14:27:55.135952 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
          2025-03-30 14:27:55.136163 [OpenVPN_Server] Peer Connection Initiated with [AF_INET]98.62.145.14:1194
          2025-03-30 14:27:55.136242 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
          2025-03-30 14:27:55.136365 TLS: tls_multi_process: initial untrusted session promoted to trusted
          2025-03-30 14:27:56.288233 MANAGEMENT: >STATE:1743359276,GET_CONFIG,,,,,,
          2025-03-30 14:27:56.288515 SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
          2025-03-30 14:27:58.903589 PUSH: Received control message: 'PUSH_REPLY,route vpn.mikelemon.com 255.255.255.0,route-gateway 10.88.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.88.8.2 255.255.255.0,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
          2025-03-30 14:27:58.903758 OPTIONS IMPORT: --ifconfig/up options modified
          2025-03-30 14:27:58.903788 OPTIONS IMPORT: route options modified
          2025-03-30 14:27:58.903798 OPTIONS IMPORT: route-related options modified
          2025-03-30 14:27:58.903808 OPTIONS IMPORT: tun-mtu set to 1500
          2025-03-30 14:27:58.903819 Preserving previous TUN/TAP instance: utun13
          2025-03-30 14:27:58.904018 Initialization Sequence Completed
          2025-03-30 14:27:58.904060 MANAGEMENT: >STATE:1743359278,CONNECTED,SUCCESS,10.88.8.2,98.62.145.14,1194,,
          2025-03-30 14:27:58.904075 Data Channel: cipher 'AES-256-GCM', peer-id: 1
          2025-03-30 14:27:58.904085 Timers: ping 10, ping-restart 60
          2025-03-30 14:27:58.904094 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
          2025-03-30 14:28:00.015437 *Tunnelblick: Warning: DNS server address is not being used.

          2025-03-30 14:28:00.018962 *Tunnelblick: Warning: DNS server address <Other VPN DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.

          2025-03-30 14:28:00.020339 *Tunnelblick: Warning: DNS server address <WiFi DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.

          2025-03-30 14:28:00.021425 *Tunnelblick: Warning: DNS server address <Laptop DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.

          2025-03-30 14:28:06.832079 *Tunnelblick: This computer's apparent public IP address (74.63.204.254) was unchanged after the connection was made

          ================================================================================

          Installer log:

          2025-03-30 14:11:57.109215: Tunnelblick installer getuid() = 501; geteuid() = 0; getgid() = 20; getegid() = 20
          currentDirectoryPath = '/'; 1 arguments:
          0x0101
          2025-03-30 14:11:57.110910: Determined username 'mike' from getuid(): 501
          2025-03-30 14:11:57.112625: renamex_np() tests succeeded for /Applications
          2025-03-30 14:11:57.114670: renamex_np() tests succeeded for /Library/Application Support/Tunnelblick
          2025-03-30 14:11:57.118839: renamex_np() tests succeeded for /Users/mike/Library/Application Support/Tunnelblick/Configurations
          2025-03-30 14:11:57.119552: Created directory /Users/mike/Library/Application Support/Tunnelblick/TBLogs with owner 0:80 and permissions 750
          2025-03-30 14:11:57.119729: Changed ownership of /Users/mike/Library/Application Support/Tunnelblick/TBLogs from 0:80 to 501:80
          2025-03-30 14:11:57.121758: Replaced /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
          2025-03-30 14:11:57.336845: Used launchctl to load tunnelblickd
          2025-03-30 14:11:57.348239: Tunnelblick installer succeeded

          ================================================================================

          Down log:

          14:24:59 *Tunnelblick: **********************************************
          14:24:59 *Tunnelblick: Start of output from client.down.tunnelblick.sh
          14:24:59 *Tunnelblick: Ignoring change of Network Primary Service from 283FA665-3088-45AF-B83C-62560DC2B505 to A3CC684B-8A3B-4B15-9147-53B0DE6CFF86
          14:24:59 *Tunnelblick: INHIBIT_NETWORK_MONITORING is true, so not removing leasewatcher
          14:24:59 *Tunnelblick: MADE_DNS_CHANGES is false, so not restoring network_settings
          14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "Belkin USB-C LAN"
          14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "USB 10/100/1000 LAN 2"
          14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "Thunderbolt Bridge"
          14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "SC_USviaSw-SE-US-1"
          14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "Other VPN"
          14:24:59 *Tunnelblick: Flushed the DNS cache with dscacheutil -flushcache
          14:24:59 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed
          14:24:59 *Tunnelblick: Notified mDNSResponderHelper that the DNS cache was flushed
          14:24:59 *Tunnelblick: Up to six 'No such key' messages may appear next and may be ignored.
          14:24:59 *Tunnelblick: End of output from client.down.tunnelblick.sh
          14:24:59 *Tunnelblick: **********************************************

          • V
            viragomann @lao
            last edited by Mar 31, 2025, 4:58 PM

            @lao
            Can you post the server log, please?

            • L
              lao @viragomann
              last edited by Mar 31, 2025, 6:44 PM

              @viragomann
              I get one reply before I get blocked again. Can you and two others recommend or like or whatever so I can provide what you need and get this fixed? I'm still trying to validate the cert with the other user. I sent a lot of configs and not sure which one he is using. He is trying to sell his house and move to a new house so hard to get a hold of right now.

              PFSense OpenVPN Logs:

              Mar 30 13:48:36 openvpn 70698 user 'VPNuser' authenticated
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_SSO=webauth,crtext
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_GUI_VER=OCWindows_3.5.1-3946
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_MTU=1600
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PROTO=2974
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_TCPNL=1
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_NCP=2
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PLAT=win
              Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_VER=3.10.1
              Mar 30 12:51:23 openvpn 19393 user 'VPNuser' authenticated
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_SSO=webauth,crtext
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_GUI_VER=OCWindows_3.5.1-3946
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_MTU=1600
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PROTO=2974
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_TCPNL=1
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_NCP=2
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PLAT=win
              Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_VER=3.10.1
              Mar 30 11:54:12 openvpn 19836 openvpn server 'ovpns1' user 'VPNuser' address '67.209.16.165:53107' - connected
              Mar 30 11:54:11 openvpn 14750 openvpn server 'ovpns1' user 'VPNuser' address '67.209.16.165:53107' - connecting
              Mar 30 11:54:11 openvpn 46538 OpenVPN_User/67.209.16.165:53107 MULTI_sva: pool returned IPv4=10.88.8.2, IPv6=(Not enabled)
              Mar 30 11:54:10 openvpn 19393 user 'VPNuser' authenticated
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 [OpenVPN_User] Peer Connection Initiated with [AF_INET]67.209.16.165:53107
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_BS64DL=1
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_SSO=webauth,crtext
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_GUI_VER=OCWindows_3.5.1-3946
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_MTU=1600
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_PROTO=2974
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_TCPNL=1
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_NCP=2
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_PLAT=win
              Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_VER=3.10.1
              Mar 30 04:47:05 openvpn 46538 TLS Error: tls-crypt unwrapping failed from [AF_INET]185.20.116.72:55115
              Mar 30 04:47:05 openvpn 46538 tls-crypt unwrap error: packet too short

              • L
                lao @viragomann
                last edited by Mar 31, 2025, 7:06 PM

                @viragomann We are using the same cert. Do you know how I create another without breaking the old one? Do I need another Server?

                • V
                  viragomann @lao
                  last edited by Mar 31, 2025, 7:11 PM

                  @lao said in Second OpenVPN Connection Causes Drops:

                  We are using the same cert.

This was my very first question, because it's the most probable reason for this behavior.

                  Client certificates have to be unique, one for each client.

If you're using "TLS + user auth" mode, you can create the certificate in the user manager. There is a certificate checkbox, which lets you create an assigned client cert.

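A server-side check for the shared-certificate condition viragomann describes, added here as an example (it is not from the thread, from pfSense or from Tunnelblick): it parses the pfSense OpenVPN server log format posted above and flags any certificate common name that completes handshakes from more than one source address within a short window, which is what two clients bumping each other off a shared cert looks like. The log line format and the 67.209.16.165 client come from the posted log; the second client address 198.51.100.7, the extra common name and the year 2025 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# pfSense server log line that carries the client cert CN (in brackets) next
# to the client's source address, e.g.
# "Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 [OpenVPN_User] Peer Connection Initiated with ..."
PEER_INIT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn \d+ "
    r"(?P<addr>[\d.]+:\d+) \[(?P<cn>[^\]]+)\] Peer Connection Initiated"
)

# Constructed sample: the real 67.209.16.165 handshake from the thread plus an
# assumed second client (198.51.100.7) presenting the same cert, so the two
# keep replacing each other; "Laptop-Bob" is an assumed unique cert for contrast.
SAMPLE_LOG = """\
Mar 30 04:47:05 openvpn 46538 TLS Error: tls-crypt unwrapping failed from [AF_INET]185.20.116.72:55115
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 [OpenVPN_User] Peer Connection Initiated with [AF_INET]67.209.16.165:53107
Mar 30 11:54:11 openvpn 46538 OpenVPN_User/67.209.16.165:53107 MULTI_sva: pool returned IPv4=10.88.8.2, IPv6=(Not enabled)
Mar 30 11:56:40 openvpn 46538 198.51.100.7:41022 [OpenVPN_User] Peer Connection Initiated with [AF_INET]198.51.100.7:41022
Mar 30 11:58:30 openvpn 46538 67.209.16.165:53107 [OpenVPN_User] Peer Connection Initiated with [AF_INET]67.209.16.165:53107
Mar 30 12:00:05 openvpn 46538 198.51.100.7:41022 [OpenVPN_User] Peer Connection Initiated with [AF_INET]198.51.100.7:41022
Mar 30 12:03:00 openvpn 46538 203.0.113.9:50001 [Laptop-Bob] Peer Connection Initiated with [AF_INET]203.0.113.9:50001
"""

def parse_peer_inits(lines, year=2025):
    """Yield (timestamp, common_name, source_ip) for every completed handshake.
    The syslog stamp has no year, so one is supplied (assumed 2025 here)."""
    for line in lines:
        m = PEER_INIT.match(line.strip())
        if not m:
            continue  # peer info, pool, tls-crypt noise etc. carry no CN/address pair
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip = m.group("addr").rsplit(":", 1)[0]
        yield ts, m.group("cn"), ip

def find_shared_certs(lines, window_seconds=900):
    """Return {cn: sorted source IPs} for every CN whose consecutive handshakes
    come from different source IPs within window_seconds of each other.
    Without duplicate-cn on the server, each such handshake evicts the other
    client, which is the reconnect loop both users saw."""
    events = sorted(parse_peer_inits(lines))   # sort by timestamp
    last = {}                                   # cn -> (ts, ip) of previous handshake
    flagged = defaultdict(set)
    for ts, cn, ip in events:
        prev = last.get(cn)
        if prev and prev[1] != ip and (ts - prev[0]).total_seconds() <= window_seconds:
            flagged[cn].update((prev[1], ip))
        last[cn] = (ts, ip)
    return {cn: sorted(ips) for cn, ips in flagged.items()}

if __name__ == "__main__":
    for cn, ips in find_shared_certs(SAMPLE_LOG.splitlines()).items():
        print(f"cert CN {cn!r} used from {len(ips)} addresses: {', '.join(ips)}")
```

On a real box the same check can be pointed at the OpenVPN log exported from Status > System Logs, and a CN listed with two or more addresses is the one that needs a per-client certificate.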
                  • V
                    viragomann @lao
                    last edited by Mar 31, 2025, 7:13 PM

                    @lao said in Second OpenVPN Connection Causes Drops:

                    Can you and two others recommend or like or whatever so I can provide what you need and get this fixed?

                    Best to request for upvotes in a separate thread.

                    • L
                      lao @viragomann
                      last edited by Mar 31, 2025, 8:04 PM

                      @viragomann Thank you. This helps. I'll let you know how it works out.

                      • L
                        lao @viragomann
                        last edited by Apr 1, 2025, 1:20 PM

                        @viragomann That worked. You are awesome! Thank you so much.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.