Netgate Discussion Forum

Connection via cellular only, not otherwise

Category: OpenVPN
Tags: openvpn, cellular data
8 Posts, 2 Posters, 884 Views
    AKJim (last edited May 27, 2019, 8:39 AM)

    Unable to connect OpenVPN unless using cellular

    Until now I’ve been able to connect without any trouble. Today however, if I try to connect I have a repeated cycle of resets when attempting to connect from my Mac to the Netgate OpenVPN server. If instead of connecting while on either Wi-Fi or Ethernet on my Mac, I switch to using a cellular hotspot, then I can connect to the Netgate OpenVPN server using the same configuration profile that fails when connecting normally. I’m not finding what’s gone wrong! Will appreciate all good advice. Here is the Tunnelblick log segment illustrating where the problem occurs:

    19-05-26 20:02:35.684049 MANAGEMENT: CMD 'hold release'
    2019-05-26 20:02:35.729979 *Tunnelblick: Obtained VPN username and password from the Keychain
    2019-05-26 20:02:35.730279 MANAGEMENT: CMD 'username "Auth" "BxxVPN"'
    2019-05-26 20:02:35.730415 MANAGEMENT: CMD 'password [...]'
    2019-05-26 20:02:35.736310 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    2019-05-26 20:02:35.736395 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    2019-05-26 20:02:35.736923 TCP/UDP: Preserving recently used remote address: [AF_INET]71.xx.153.xxx:443
    2019-05-26 20:02:35.737256 Socket Buffers: R=[131072->131072] S=[131072->131072]
    2019-05-26 20:02:35.737326 Attempting to establish TCP connection with [AF_INET]71.xx.153.xxx:443 [nonblock]
    2019-05-26 20:02:35.737356 MANAGEMENT: >STATE:1558929755,TCP_CONNECT,,,,,,
    2019-05-26 20:02:36.809764 TCP connection established with [AF_INET]71.xx.153.xxx:443
    2019-05-26 20:02:36.810044 TCP_CLIENT link local: (not bound)
    2019-05-26 20:02:36.810110 TCP_CLIENT link remote: [AF_INET]71.xx.153.xxx:443
    2019-05-26 20:02:36.810350 MANAGEMENT: >STATE:1558929756,WAIT,,,,,,
    2019-05-26 20:02:36.957960 Connection reset, restarting [0]
    2019-05-26 20:02:36.958150 SIGUSR1[soft,connection-reset] received, process restarting
    2019-05-26 20:02:36.958184 MANAGEMENT: >STATE:1558929756,RECONNECTING,connection-reset,,,,,
    2019-05-26 20:02:36.960056 MANAGEMENT: CMD 'hold release'
    ….. and, repeat ….

    Tunnelblick is latest stable release
    Netgate pfSense is latest update

    Using this same configuration I can connect to the VPN server if using cellular data, but not otherwise. ?????? Crazy!!!!!!

      AKJim (last edited May 27, 2019, 8:45 AM)

      This is the configuration file which was working for every connection, but now works only via cellular to the Netgate SG1100, OpenVPN server:
      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA256
      tls-client
      client
      resolv-retry infinite
      remote 71.xx.153.xxx 443 tcp-client
      setenv opt block-outside-dns
      verify-x509-name "Bxxx OpenVPN Private Server Cert" name
      auth-user-pass
      remote-cert-tls server
      passtos
      auth-nocache
      <ca>
      -----BEGIN CERTIFICATE-----

        Gertjan @AKJim (last edited May 27, 2019, 8:55 AM)

        @AKJim said in Connection via cellular only, not otherwise:

        71.xx.153.xxx

        Don't use 71.xx.153.xxx when you are connecting from LAN = locally to a local service like VPN.
        Use the local RFC 1918 IP.

        Or, do as we all do: don't use IPs in a VPN profile, there is no need to do so.
        Use a host + domain. A DDNS would be fine if not perfect here: when your WAN IP changes, your DDNS will change. Also use a host override (see DNS Resolver page, at the bottom). This way, when using your host + domain from a LAN, the host override will translate directly to the local IP, not the WAN IP.
        Connections from the outside will get resolved by the DDNS supplier, and always point to your WAN IP.

        No "help me" PMs please. Use the forum, the community will thank you.
        Edit: and where are the logs??

          AKJim (last edited May 27, 2019, 9:43 AM)

          This instance is a remote (WAN) connection to the VPN server, not LAN

            AKJim @AKJim (last edited May 27, 2019, 9:51 AM)

            @AKJim I have a static IP

              AKJim @AKJim (last edited May 27, 2019, 9:51 PM)

              @AKJim Server Log: WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

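An added example (mine, not OpenVPN's or the poster's) of the framing check behind that server warning: OpenVPN over TCP prefixes each packet with a 2-byte big-endian length, and the receiver rejects any prefix outside (0, 1626], the bound quoted above. The rejected value 5635 is 0x1603, the same two bytes that open a raw TLS record (content type 0x16, version major 0x03), which the constructed second sample stream below reproduces.

```python
import struct

MAX_ENCAP_LEN = 1626  # upper bound quoted in the server log above

class BadEncapsulatedLength(ValueError):
    """Raised when a 2-byte length prefix is outside (0, MAX_ENCAP_LEN]."""
    def __init__(self, length: int, prefix: bytes):
        self.length, self.prefix = length, prefix
        super().__init__(f"Bad encapsulated packet length from peer ({length}), "
                         f"which must be > 0 and <= {MAX_ENCAP_LEN}")

def split_openvpn_tcp_stream(data: bytes, max_len: int = MAX_ENCAP_LEN):
    """Split an OpenVPN-over-TCP byte stream into packet payloads.
    Returns (packets, remainder); remainder is an incomplete trailing frame."""
    packets, pos = [], 0
    while pos + 2 <= len(data):
        (length,) = struct.unpack_from("!H", data, pos)  # big-endian 16-bit prefix
        if length == 0 or length > max_len:
            raise BadEncapsulatedLength(length, data[pos:pos + 2])
        if pos + 2 + length > len(data):
            break  # frame not complete yet; caller should read more bytes
        packets.append(data[pos + 2:pos + 2 + length])
        pos += 2 + length
    return packets, data[pos:]

def looks_like_tls_record(prefix: bytes) -> bool:
    """True if the two 'length' bytes are really a TLS record header:
    content type 0x14..0x17 followed by protocol version major 0x03."""
    return len(prefix) == 2 and 0x14 <= prefix[0] <= 0x17 and prefix[1] == 0x03

def diagnose(data: bytes) -> str:
    """Say what the server-side length check would report for this stream."""
    try:
        packets, rest = split_openvpn_tcp_stream(data)
    except BadEncapsulatedLength as e:
        if looks_like_tls_record(e.prefix):
            return f"bad length {e.length}: peer sent a raw TLS record, not OpenVPN framing"
        return f"bad length {e.length}: stream is not OpenVPN TCP framing"
    return f"ok: {len(packets)} packet(s), {len(rest)} byte(s) pending"

# Constructed sample streams (not captured from the thread).
# Well-formed frame: length 14, then a payload whose first byte is
# opcode P_CONTROL_HARD_RESET_CLIENT_V2 (7) << 3 | key id 0 = 0x38.
GOOD_STREAM = struct.pack("!H", 14) + bytes([0x38]) + bytes(13)
# Raw TLS ClientHello start (16 03 01 <len> 01 ...); as a prefix, 0x1603 = 5635 as in the log.
TLS_STREAM = bytes([0x16, 0x03, 0x01, 0x00, 0xF0, 0x01])
if __name__ == "__main__":
    for name, stream in (("good", GOOD_STREAM), ("tls", TLS_STREAM)):
        print(name, "->", diagnose(stream))
```

Seeing a TLS header where a length prefix should be points at something on the Wi-Fi/Ethernet path speaking TLS to port 443 itself rather than at an MTU mismatch, which is consistent with the same profile working over cellular.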
                AKJim @AKJim (last edited May 27, 2019, 10:04 PM)

                @AKJim So, I added: mtu-test to the server configuration in order to get a log of the connections and….
                now I’m unable to connect via Anything. Oh well ….. The server is on the other side of the continent and unattended. Will pay it a visit next month. Sigh……

                  AKJim (last edited May 27, 2019, 10:20 PM)

                  For the record: I neglected to include this:

                  OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on May 22 2019

                  2019-05-26 20:02:35.129809 library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.10

                  Tunnelblick: macOS 10.14.5; Tunnelblick 3.7.9 (build 5320)
