Connection via cellular only, not otherwise



  • Unable to connect OpenVPN unless using cellular

    Until now I’ve been able to connect without any trouble. Today however, if I try to connect I have a repeated cycle of resets when attempting to connect from my Mac to the Netgate OpenVPN server. If instead of connecting while on either WIFI or Ethernet on my Mac, I switch to using a cellular hotspot, then I can connect to the Netgate OpenVPN server using the same configuration profile that fails when connecting normally. I’m not finding what’s gone wrong! Will appreciate all good advice. Here is the Tunnelblick log segment illustrating where the problem occurs:

    19-05-26 20:02:35.684049 MANAGEMENT: CMD 'hold release'
    2019-05-26 20:02:35.729979 *Tunnelblick: Obtained VPN username and password from the Keychain
    2019-05-26 20:02:35.730279 MANAGEMENT: CMD 'username "Auth" "BxxVPN"'
    2019-05-26 20:02:35.730415 MANAGEMENT: CMD 'password [...]'
    2019-05-26 20:02:35.736310 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    2019-05-26 20:02:35.736395 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    2019-05-26 20:02:35.736923 TCP/UDP: Preserving recently used remote address: [AF_INET]71.xx.153.xxx:443
    2019-05-26 20:02:35.737256 Socket Buffers: R=[131072->131072] S=[131072->131072]
    2019-05-26 20:02:35.737326 Attempting to establish TCP connection with [AF_INET]71.xx.153.xxx:443 [nonblock]
    2019-05-26 20:02:35.737356 MANAGEMENT: >STATE:1558929755,TCP_CONNECT,,,,,,
    2019-05-26 20:02:36.809764 TCP connection established with [AF_INET]71.xx.153.xxx:443
    2019-05-26 20:02:36.810044 TCP_CLIENT link local: (not bound)
    2019-05-26 20:02:36.810110 TCP_CLIENT link remote: [AF_INET]71.xx.153.xxx:443
    2019-05-26 20:02:36.810350 MANAGEMENT: >STATE:1558929756,WAIT,,,,,,
    2019-05-26 20:02:36.957960 Connection reset, restarting [0]
    2019-05-26 20:02:36.958150 SIGUSR1[soft,connection-reset] received, process restarting
    2019-05-26 20:02:36.958184 MANAGEMENT: >STATE:1558929756,RECONNECTING,connection-reset,,,,,
    2019-05-26 20:02:36.960056 MANAGEMENT: CMD 'hold release'
    ….. and, repeat ….

    Tunnelblick is latest stable release
    Netgate pfSense is latest update

    Using this same configuration I can connect to the VPN server if using cellular data, but not otherwise. ?????? Crazy!!!!!!



  • This is the configuration file which was working for every connection, but now works only via cellular to the Netgate SG1100, OpenVPN server:
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote 71.xx.153.xxx 443 tcp-client
    setenv opt block-outside-dns
    verify-x509-name "Bxxx OpenVPN Private Server Cert" name
    auth-user-pass
    remote-cert-tls server
    passtos
    auth-nocache
    <ca>
    -----BEGIN CERTIFICATE-----



  • @AKJim said in Connection via cellular only, not otherwise:

    71.xx.153.xxx

    Don't use 71.xx.153.xxx when you are connecting from LAN = locally to a local service like VPN.
    Use the local RFC 1918 IP.

    Or, do as we all do- don't use IP's in a VPN profile, there is no need to do so.
    Use a host + domain. A DDNS would be fine if not perfect here - when your WAN IP changes, your DDNS will change. Use also a host override (see DNS Resolver page, at the bottom). This way, when using your host + domain from a LAN, the host override will translate directly to the local IP, not the WAN IP.
    Connections from the outside will get resolved by the DDNS supplier, and always point to your WAN IP.



  • This instance is a remote (WAN) connection to the VPN server, not LAN



  • @AKJim I have a static IP



  • @AKJim Server Log: WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
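    An added diagnostic helper, not code from the thread, Tunnelblick or pfSense: it scans a client log for the repeating RECONNECTING/connection-reset cycle shown in the first post and a server log for the "Bad encapsulated packet length" warning quoted above, then reports whether the two together point at a --tun-mtu/--link-mtu mismatch on the TCP link. The sample log lines are constructed, modelled on the ones quoted in the thread.

```python
import re

# Constructed sample lines modelled on the thread's Tunnelblick and pfSense logs.
CLIENT_LOG = """\
2019-05-26 20:02:36.809764 TCP connection established with [AF_INET]71.xx.153.xxx:443
2019-05-26 20:02:36.957960 Connection reset, restarting [0]
2019-05-26 20:02:36.958184 MANAGEMENT: >STATE:1558929756,RECONNECTING,connection-reset,,,,,
2019-05-26 20:02:41.110000 TCP connection established with [AF_INET]71.xx.153.xxx:443
2019-05-26 20:02:41.250000 Connection reset, restarting [0]
2019-05-26 20:02:41.250300 MANAGEMENT: >STATE:1558929761,RECONNECTING,connection-reset,,,,,
"""
SERVER_LOG = """\
WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
"""

# OpenVPN management >STATE lines: unix timestamp, state name, optional detail.
STATE_RE = re.compile(r"^\S+ \S+ MANAGEMENT: >STATE:(\d+),(\w+),([^,]*)")
# Server-side length check failure: observed length and the allowed maximum.
BADLEN_RE = re.compile(r"Bad encapsulated packet length from peer \((\d+)\), "
                       r"which must be > 0 and <= (\d+)")

def reset_events(client_log):
    """Return [(unix_ts, reason)] for every RECONNECTING state in the client log."""
    events = []
    for line in client_log.splitlines():
        m = STATE_RE.match(line)
        if m and m.group(2) == "RECONNECTING":
            events.append((int(m.group(1)), m.group(3)))
    return events

def bad_length_events(server_log):
    """Return [(seen_len, max_len)] for each encapsulated-length warning on the server."""
    return [(int(m.group(1)), int(m.group(2))) for m in BADLEN_RE.finditer(server_log)]

def diagnose(client_log, server_log, max_gap_s=30):
    """Correlate a client reset loop with server MTU warnings into a small verdict dict."""
    resets = reset_events(client_log)
    gaps_ok = all(b - a <= max_gap_s for (a, _), (b, _) in zip(resets, resets[1:]))
    loop = len(resets) >= 2 and gaps_ok and all(r == "connection-reset" for _, r in resets)
    bad = bad_length_events(server_log)
    return {
        "reset_count": len(resets),
        "reset_loop": loop,
        "bad_length_events": bad,
        # Both symptoms together match the server's own hint: check --tun-mtu/--link-mtu.
        "mtu_mismatch_suspected": loop and any(seen > limit for seen, limit in bad),
    }

if __name__ == "__main__":
    print(diagnose(CLIENT_LOG, SERVER_LOG))
```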



  • @AKJim So, I added: mtu-test to the server configuration in order to get a log of the connections and….
    now I’m unable to connect via Anything. Oh well ….. The server is on the other side of the continent and unattended. Will pay it a visit next month. Sigh……



  • For the record: I neglected to include this:

    OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on May 22 2019

    2019-05-26 20:02:35.129809 library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.10

    Tunnelblick: macOS 10.14.5; Tunnelblick 3.7.9 (build 5320)

