Mac viscosity client won't connect to working ovpn instance

  • Systems in question:

    Ovpn server: pfsense 2.4-beta on SG-1000 hardware with a static IP on WAN. Openvpn configured using the wizard. Tun type, TLS-auth on, local user auth; very stock VPN setup I've done a thousand times.

    Clients: Win7 x64 openvpn gui 2.3.4; Win10 x64 openvpn gui 2.3ish; MacOS El Capitan Viscosity <latest>As expected, the connection works fine with openvpn on windows 7 and 10. It actually connects faster than some of my other ovpn links.

    Viscosity runs its reachability check which obviously works because we know the server is functional. When it attempts to connect however it times out at 60 seconds with the standard "TLS handshake" error that it would give if it couldn't see the server at all.

    Packet capture from the perspective of my local pfsense only shows outbound attempts from the mac with:


    This seems like an odd way to start the conversation, but I've not packet sniffed ovpn before.

    Does anyone have a) an answer  ;D or b) some idea what to check next?

    I'm thinking I will probably make a second vpn instance on that system to experiment with but for the moment I have to leave, so I figured it couldn't hurt to ask.

    Thanks in advance for any help.</latest>

  • Not 100% sure what worked here, but it's currently connected. Here's what has happened…

    1. Static IP on the server end is from ATT, using one of their router/modem trainwreck devices (NVG510). I changed the configuration of the available static IPs from a "private" network to "public". port 1194 was already being explicitly allowed at that modem, and pfsense believed it had a legit static IP, so I'm not sure if this helped since windows was already working.

    2. When I pasted the packet capture results in my previous post, I noticed that there were ovpn packets still going to my windows machine on the same network. They appeared to be part of a different conversation prior to the mac's attempt, so I didn't note them until now.

    So now I have a working connection, but more questions if anyone feels like answering....

    I have a limit of 5 concurrent connections set on the server end. I'm getting the impression that they can't come from the same source IP, is that correct?

    In the packet capture it almost appeared that the mac was requesting and windows was getting answers, although the timing of the packets didn't necessarily support that conclusion. Windows was disconnected at this point though, so there's no reason it should've been receiving packets from the server. Any explanation on this? Does pfsense (my local router in addition to the one I'm connecting to) do anything special with outbound openvpn? I don't imagine so, but this packet capture made no sense.

  • 00goat,

    What does the Viscosity log say?

  • It was doing things like (not actual viscosity log, but example)

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, process restarting

    Usually that's an "unreachable" type error, like there's a missing firewall rule or whatnot but that couldn't have been the case since windows was working. If you've not used an ATT router it's entirely conceivable that it could allow one connection and not another, which is why I can't be confident exactly what fixed it.

    It is working at this time however.

  • 00goat,

    I was getting the exact symptom this morning when I first set my MacBook up with Viscosity.

    In Viscosity turn on the Details and then open the log, third tab. I will give you pretty good clues
    as to what's FUBAR. In my case it was a cipher setting I had to comment out and I also had
    to turn on username/password prompting. But your server settings could be different so have
    a go at the Viscosity logs first.


Log in to reply