Second OpenVPN Connection Causes Drops
-
I've been struggling with this for months and finally gave up. I had a hard time setting this up because the documentation was old and, when it comes to multiple users, not clear. I want to have multiple users connect to a Netgate 2100 over VPN. Attached are my configs and logs. Strange that it works great for one user, but as soon as a second successfully authenticates, both connections start to drop and reauth every few minutes. I know I have a DNS config issue, but I don't see how that is creating this issue. I'm fine using a different client than Tunnelblick or using IPsec. I just need this to work.
I've been using pfSense for about a decade. I really like the low cost and features. I'm on my second firewall now. The problem I have is that there are so many options, and the learning curve is huge to do some things with no clear documentation for different use cases.
-
I can't attach so here is a paste of what I have collected.
Configuration
VPN OpenVPN Server Configuration
General Information
Description
A description of this VPN for administrative reference.
Disabled
Disable this server Set this option to disable this server without removing it from the list.
Unique VPN ID
Server 1 (ovpns1)
Mode Configuration
Server mode
DCO
Enable Data Channel Offload (DCO) for this instance When set, OpenVPN will use data channel offload for increased performance. Certain restrictions apply.
Backend for authentication
Device mode
"tun" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms.
"tap" mode is capable of carrying 802.3 (OSI Layer 2.)
Endpoint Configuration
Protocol
Interface
The interface or Virtual IP address where OpenVPN will receive client connections.
Local port
The port used by OpenVPN to receive client connections.
Cryptographic Settings
TLS Configuration
Use a TLS Key A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections.The TLS Key does not have any effect on tunnel data.
TLS Key# 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- 4e2b0f77d0d3df316a62921fe226a936 6bce69f0be2f24fdc95ecd9239e1dbd9 5f67d8e3c9b8bb19268db08cadccb9ed f22c72cb7831332ad880258ed0f6db37 49c772bcc0e89281a9def26fd41bdf3f d7c7e4b567101bc9985487a3fb36c50c cc89a60bb7b7182d9f2641c386aec670 2c1ee603ebd45b99c160336a9b0dfcb5 9a74c0bea3ecadf678ef9e0c90e5d2ad 82328e4bc1b21f0ddb01148981ee5054 bf7489a016487184bdf43eb09d3ef136 82646d9d35729a3c1e9b358299eaf00f f4d2e127835ea6471c428b93b034f842 3329ebacb42faff38e8683efb5e7c79c 33ba855a49da25563efdc8e4eaac9ccb f5afbec14ea1ef53c45b772b04011c7a -----END OpenVPN Static key V1----- Paste the TLS key here.
This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel.
TLS Key Usage Mode
In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections.
Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.
TLS keydir direction
The TLS Key Direction must be set to complementary values on the client and server. For example, if the server is set to 0, the client must be set to 1. Both may be set to omit the direction, in which case the TLS Key will be used bidirectionally.
Peer Certificate Authority
Peer Certificate Revocation list
No Certificate Revocation Lists defined. One may be created here: System > Cert. Manager
OCSP Check
Check client certificates with OCSP
Server certificate
Certificates known to be incompatible with use for OpenVPN are not included in this list, such as certificates using incompatible ECDSA curves or weak digest algorithms.
DH Parameter Length
Diffie-Hellman (DH) parameter set used for key exchange.
ECDH Curve
The Elliptic Curve to use for key exchange.
The curve from the server certificate is used by default when the server uses an ECDSA certificate. Otherwise, secp384r1 is used as a fallback.
Data Encryption Algorithms
Available Data Encryption Algorithms
Click to add or remove an algorithm from the list
Allowed Data Encryption Algorithms. Click an algorithm name to remove it from the list
The order of the selected Data Encryption Algorithms is respected by OpenVPN. This list is ignored in Shared Key mode.
Fallback Data Encryption Algorithm
The Fallback Data Encryption Algorithm used for data channel packets when communicating with clients that do not support data encryption algorithm negotiation (e.g. Shared Key). This algorithm is automatically included in the Data Encryption Algorithms list.
Auth digest algorithm
The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.
When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.
The server and all clients must have the same setting. While SHA1 is the default for OpenVPN, this algorithm is insecure.
Certificate Depth
When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
Strict User-CN Matching
Enforce match When authenticating users, enforce a match between the common name of the client certificate and the username given at login.
Client Certificate Key Usage Validation
Enforce key usage Verify that only hosts with a client certificate can connect (EKU: "TLS Web Client Authentication").
Tunnel Settings
IPv4 Tunnel Network
This is the IPv4 virtual network or network type alias with a single entry used for private communications between this server and client hosts expressed using CIDR notation (e.g. 10.0.8.0/24). The first usable address in the network will be assigned to the server virtual interface. The remaining usable addresses will be assigned to connecting clients. A tunnel network of /30 or smaller puts OpenVPN into a special peer-to-peer mode which cannot push settings to clients. This mode is not compatible with several options, including DCO, Exit Notify, and Inactive.
IPv6 Tunnel Network
This is the IPv6 virtual network or network type alias with a single entry used for private communications between this server and client hosts expressed using CIDR notation (e.g. fe80::/64). The ::1 address in the network will be assigned to the server virtual interface. The remaining addresses will be assigned to connecting clients.
Redirect IPv4 Gateway
Force all client-generated IPv4 traffic through the tunnel.
Redirect IPv6 Gateway
Force all client-generated IPv6 traffic through the tunnel.
IPv4 Local network(s)
IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges or host/network type aliases. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
IPv6 Local network(s)
IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX or host/network type aliases. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
Concurrent connections
Specify the maximum number of clients allowed to concurrently connect to this server.
Allow Compression
Allow compression to be used with this VPN instance.
Compression can potentially increase throughput but may allow an attacker to extract secrets if they can control compressed plaintext traversing the VPN (e.g. HTTP). Before enabling compression, consult information about the VORACLE, CRIME, TIME, and BREACH attacks against TLS to decide if the use case for this specific VPN is vulnerable to attack. Asymmetric compression allows an easier transition when connecting with older peers.
Type-of-Service
Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
Inter-client communication
Allow communication between clients connected to this server
Duplicate Connection
Allow multiple concurrent connections from the same user When set, the same user may connect multiple times. When unset, a new connection from a user will disconnect the previous session. Users are identified by their username or certificate properties, depending on the VPN configuration. This practice is discouraged for security reasons, but may be necessary in some environments.
Client Settings
Dynamic IP
Allow connected clients to retain their connections if their IP address changes.
Topology
Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.
Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
Ping settings
Inactivity Timeout
Causes OpenVPN to close a client connection after n seconds of inactivity on the TUN/TAP device.
Activity is based on the last incoming or outgoing tunnel packet.
A value of 0 disables this feature.
This option is ignored in Peer-to-Peer Shared Key mode and in SSL/TLS mode with a blank or /30 tunnel network as it will cause the server to exit and not restart.
Ping method
keepalive helper uses interval and timeout parameters to define ping and ping-restart values as follows:
ping = interval
ping-restart = timeout*2
push ping = interval
push ping-restart = timeout
Interval
Timeout
Advanced Client Settings
DNS Default Domain
Provide a default domain name to clients
DNS Server enable
Provide a DNS server list to clients. Addresses may be IPv4 or IPv6.
Block Outside DNS
Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers. Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.
Force DNS cache update
Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
NTP Server enable
Provide an NTP server list to clients
NetBIOS enable
Enable NetBIOS over TCP/IP If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.
Advanced Configuration
Custom options
Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.
EXAMPLE: push "route 10.0.0.0 255.255.255.0"
Username as Common Name
Use the authenticated client username instead of the certificate common name (CN). When a user authenticates, if this option is enabled then the username of the client will be used in place of the certificate common name for purposes such as determining Client Specific Overrides.
UDP Fast I/O
Use fast I/O operations with UDP writes to tun/tap. Experimental. Optimizes the packet write event loop, improving CPU efficiency by 5% to 10%. Not compatible with all platforms, and not compatible with OpenVPN bandwidth limiting.
Exit Notify
Send an explicit exit notification to connected clients/peers when restarting or shutting down, so they may immediately disconnect rather than waiting for a timeout. In SSL/TLS Server modes, clients may be directed to reconnect or use the next server. This option is ignored in Peer-to-Peer Shared Key mode and in SSL/TLS mode with a blank or /30 tunnel network as it will cause the server to exit and not restart. This feature is not currently compatible with DCO mode.
Send/Receive Buffer
Configure a Send and Receive Buffer size for OpenVPN. The default buffer size can be too small in many cases, depending on hardware and network uplink speeds. Finding the best buffer size can take some experimentation. To test the best value for a site, start at 512KiB and test higher and lower values.
Gateway creation
Both
IPv4 only
IPv6 only
If you assign a virtual interface to this OpenVPN server, this setting controls which gateway types will be created. The default setting is 'both'.
Verbosity level
Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what's happening without being swamped by output.
None: Only fatal errors
Default through 4: Normal usage range
5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
6-11: Debug info range
Tunnelblick Configuration
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote vpn.mikelemon.com 1194 udp4
lport 0
verify-x509-name "OpenVPN_Server" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
4e2b0f77d0d3df316a62921fe226a9368
6bce69f0be4f24fdc95ecd9239e1dbd9
5f67d8e3c9b8bb19268db08cadccb9ed
f22c72cb7831332ad880558ed0f6db37
49c772bcc0e89281a9def26fd41bdf3f
d7c7e4b567101bc9985487a3fb36c50c
cc89a60bb7b7182d9f2641c386aec670
2c1ee603ebd45b99c150336a9b0dfcb5
9a74c0bea3ecadf678ef9e0c90e5d2ad
82328e4bc1b21f0ddb01148981ee5054
bf7489a016487184bdf43eb09d3ef136
82646d9d35729a3c1e9b358299eaf00f
f4d2e127835ea6471c428b93b034f842
3329ebacb42faff38e8683efb5e7c79c
33ba855a49da25563efdc8e4eaac9ccb
f5afbec14ea1ef53c45b772b04011c4a
-----END OpenVPN Static key V1-----
</tls-crypt>
-
The logs of the server and client would be more helpful than the whole config plus certificates. You should not publish your certificates and keys at all.
Are the clients using the same certificate by any chance?
They need to have unique ones. Also, you can try to disable DCO for troubleshooting.
-
@viragomann
I tried loading the rest of the data and was blocked by spam control. Thank you for the warning about certs and keys. These were sanitized along with all other info. Here are logs, although I think you nailed it with the same cert. Checking...
Tunnelblick Log:
2025-03-30 14:25:36.660939 *Tunnelblick: macOS 15.3.2 (24D81); Tunnelblick 6.0.1 (build 6161)
2025-03-30 14:25:37.284604 *Tunnelblick: Attempting connection with Firewall-UDP4-1194-VPNuser-config using shadow copy; Set nameserver = 0x00000301; monitoring connection
2025-03-30 14:25:37.286407 *Tunnelblick: openvpnstart start Firewall-UDP4-1194-VPNuser-config.tblk 60476 0x00000301 0 1 0 0x0210c130 -ptADGNWradsgnw 2.6.13-openssl-3.0.16 <password>
2025-03-30 14:25:37.324084 *Tunnelblick: openvpnstart starting OpenVPN
2025-03-30 14:25:37.812305 OpenVPN 2.6.13 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
2025-03-30 14:25:37.812701 library versions: OpenSSL 3.0.16 11 Feb 2025, LZO 2.10
2025-03-30 14:25:37.814553 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:60476
2025-03-30 14:25:37.814633 Need hold release from management interface, waiting...
2025-03-30 14:25:38.553591 *Tunnelblick: openvpnstart log:
OpenVPN started successfully.
Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.6.13-openssl-3.0.16/openvpn
--daemon
--log-append /Library/Application Support/Tunnelblick/Logs/-SUsers-Smike-SLibrary-SApplication Support-STunnelblick-SConfigurations-SFirewall--UDP4--1194--VPNuser--config.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_34652464.60476.openvpn.log
--cd /Library/Application Support/Tunnelblick/Users/mike/Firewall-UDP4-1194-VPNuser-config.tblk/Contents/Resources
--machine-readable-output
--setenv IV_GUI_VER "net.tunnelblick.tunnelblick 6161 6.0.1 (build 6161)"
--verb 3
--config /Library/Application Support/Tunnelblick/Users/mike/Firewall-UDP4-1194-VPNuser-config.tblk/Contents/Resources/config.ovpn
--setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/mike/Firewall-UDP4-1194-VPNuser-config.tblk/Contents/Resources
--verb 3
--cd /Library/Application Support/Tunnelblick/Users/mike/Firewall-UDP4-1194-VPNuser-config.tblk/Contents/Resources
--management 127.0.0.1 60476 /Library/Application Support/Tunnelblick/Mips/Firewall-UDP4-1194-VPNuser-config.tblk.mip
--setenv IV_SSO webauth,crtext
--management-query-passwords
--management-hold
--script-security 2
--route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2025-03-30 14:25:38.564195 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63605
2025-03-30 14:25:38.592396 MANAGEMENT: CMD 'pid'
2025-03-30 14:25:38.592495 MANAGEMENT: CMD 'auth-retry interact'
2025-03-30 14:25:38.592576 MANAGEMENT: CMD 'state on'
2025-03-30 14:25:38.592617 MANAGEMENT: CMD 'state'
2025-03-30 14:25:38.592650 MANAGEMENT: CMD 'bytecount 1'
2025-03-30 14:25:38.593274 *Tunnelblick: Established communication with OpenVPN
2025-03-30 14:25:38.594235 *Tunnelblick: >INFO:OpenVPN Management Interface Version 5 -- type 'help' for more info
2025-03-30 14:25:38.595178 MANAGEMENT: CMD 'hold release'
2025-03-30 14:25:51.805004 MANAGEMENT: CMD 'username "Auth" "mike"'
2025-03-30 14:25:51.805100 MANAGEMENT: CMD 'password [...]'
2025-03-30 14:25:51.805233 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-03-30 14:25:51.818571 MANAGEMENT: >STATE:1743359151,RESOLVE,,,,,,
2025-03-30 14:25:52.213809 TCP/UDP: Preserving recently used remote address: [AF_INET]98.62.145.14:1194
2025-03-30 14:25:52.214008 Socket Buffers: R=[786896->786896] S=[9216->9216]
2025-03-30 14:25:52.216183 UDPv4 link local (bound): [AF_INET][undef]:0
2025-03-30 14:25:52.216725 UDPv4 link remote: [AF_INET]98.62.145.14:1194
2025-03-30 14:25:52.216834 MANAGEMENT: >STATE:1743359152,WAIT,,,,,,
2025-03-30 14:25:52.573259 MANAGEMENT: >STATE:1743359152,AUTH,,,,,,
2025-03-30 14:25:52.573381 TLS: Initial packet from [AF_INET]98.62.145.14:1194, sid=78d68927 f3181f22
2025-03-30 14:25:52.573536 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-03-30 14:25:52.991606 VERIFY OK: depth=1, CN=internal-ca
2025-03-30 14:25:52.993239 VERIFY KU OK
2025-03-30 14:25:52.993291 Validating certificate extended key usage
2025-03-30 14:25:52.993308 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-03-30 14:25:52.993320 VERIFY EKU OK
2025-03-30 14:25:52.993332 VERIFY X509NAME OK: CN=OpenVPN_Server
2025-03-30 14:25:52.993341 VERIFY OK: depth=0, CN=OpenVPN_Server
2025-03-30 14:25:54.490473 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-03-30 14:25:54.490562 [OpenVPN_Server] Peer Connection Initiated with [AF_INET]98.62.145.14:1194
2025-03-30 14:25:54.490615 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-03-30 14:25:54.490711 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-03-30 14:25:55.612023 MANAGEMENT: >STATE:1743359155,GET_CONFIG,,,,,,
2025-03-30 14:25:55.613339 SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
2025-03-30 14:25:58.286387 PUSH: Received control message: 'PUSH_REPLY,route vpn.mikelemon.com 255.255.255.0,route-gateway 10.88.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.88.8.2 255.255.255.0,peer-id 2,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2025-03-30 14:25:58.286660 OPTIONS IMPORT: --ifconfig/up options modified
2025-03-30 14:25:58.286707 OPTIONS IMPORT: route options modified
2025-03-30 14:25:58.286726 OPTIONS IMPORT: route-related options modified
2025-03-30 14:25:58.286741 OPTIONS IMPORT: tun-mtu set to 1500
2025-03-30 14:25:58.289663 Opened utun device utun13
2025-03-30 14:25:58.298864 MANAGEMENT: >STATE:1743359158,ASSIGN_IP,,10.88.8.2,,,,
2025-03-30 14:25:58.299027 /sbin/ifconfig utun13 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2025-03-30 14:25:58.316221 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2025-03-30 14:25:58.316266 /sbin/ifconfig utun13 10.88.8.2 10.88.8.2 netmask 255.255.255.0 mtu 1500 up
2025-03-30 14:25:58.335602 /sbin/route add -net 10.88.8.0 10.88.8.2 255.255.255.0
add net 10.88.8.0: gateway 10.88.8.2
2025-03-30 14:25:58.345958 MANAGEMENT: >STATE:1743359158,ADD_ROUTES,,,,,,
2025-03-30 14:25:58.346004 /sbin/route add -net vpn.mikelemon.com 10.88.8.1 255.255.255.0
add net vpn.mikelemon.com: gateway 10.88.8.1
14:25:58 *Tunnelblick: **********************************************
14:25:58 *Tunnelblick: Start of output from client.up.tunnelblick.sh
14:25:58 *Tunnelblick: Primary network service: Wi-Fi
14:26:00 *Tunnelblick: Disabled IPv6 for 'Belkin USB-C LAN'
14:26:00 *Tunnelblick: Disabled IPv6 for 'USB 10/100/1000 LAN 2'
14:26:00 *Tunnelblick: Disabled IPv6 for 'Thunderbolt Bridge'
14:26:00 *Tunnelblick: Disabled IPv6 for 'SC_USviaSw-SE-US-1'
14:26:00 *Tunnelblick: Disabled IPv6 for 'Other VPNVPN'
14:26:00 *Tunnelblick: No changes to DNS servers have been requested
14:26:00 *Tunnelblick: DNS servers '<Other VPN DNS>' will be used for DNS queries when the VPN is active
14:26:00 *Tunnelblick: NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
14:26:00 *Tunnelblick: Will not monitor for network configuration changes.
14:26:00 *Tunnelblick: Have written State:/Network/OpenVPN for no DNS changes and to inhibit network monitoring
14:26:00 *Tunnelblick: Flushed the DNS cache via dscacheutil
14:26:00 *Tunnelblick: /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
14:26:00 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed
14:26:00 *Tunnelblick: Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
14:26:00 *Tunnelblick: End of output from client.up.tunnelblick.sh
14:26:00 *Tunnelblick: **********************************************
2025-03-30 14:26:00.880945 Initialization Sequence Completed
2025-03-30 14:26:00.881012 MANAGEMENT: >STATE:1743359160,CONNECTED,SUCCESS,10.88.8.2,98.62.145.14,1194,,
2025-03-30 14:26:00.881604 Data Channel: cipher 'AES-256-GCM', peer-id: 2
2025-03-30 14:26:00.881629 Timers: ping 10, ping-restart 60
2025-03-30 14:26:00.881635 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-03-30 14:26:02.000801 *Tunnelblick: Warning: DNS server address is not being used.
2025-03-30 14:26:02.010969 *Tunnelblick: Warning: DNS server address <Other VPN DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
2025-03-30 14:26:02.015015 *Tunnelblick: Warning: DNS server address <WiFi DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
2025-03-30 14:26:02.017243 *Tunnelblick: Warning: DNS server address <Laptop DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
2025-03-30 14:26:08.781457 *Tunnelblick: This computer's apparent public IP address (74.63.204.254) was unchanged after the connection was made
2025-03-30 14:27:51.977395 [OpenVPN_Server] Inactivity timeout (--ping-restart), restarting
2025-03-30 14:27:51.978375 SIGUSR1[soft,ping-restart] received, process restarting
2025-03-30 14:27:51.978444 MANAGEMENT: >STATE:1743359271,RECONNECTING,ping-restart,,,,,
2025-03-30 14:27:52.304682 *Tunnelblick: Delaying HOLD release for 1.000 seconds
2025-03-30 14:27:53.307446 MANAGEMENT: CMD 'hold release'
2025-03-30 14:27:53.307700 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-03-30 14:27:53.308443 TCP/UDP: Preserving recently used remote address: [AF_INET]98.62.145.14:1194
2025-03-30 14:27:53.308572 Socket Buffers: R=[786896->786896] S=[9216->9216]
2025-03-30 14:27:53.308767 UDPv4 link local (bound): [AF_INET][undef]:0
2025-03-30 14:27:53.308799 UDPv4 link remote: [AF_INET]98.62.145.14:1194
2025-03-30 14:27:53.308873 MANAGEMENT: >STATE:1743359273,WAIT,,,,,,
2025-03-30 14:27:53.731787 MANAGEMENT: >STATE:1743359273,AUTH,,,,,,
2025-03-30 14:27:53.731969 TLS: Initial packet from [AF_INET]98.62.145.14:1194, sid=65af832e 02628a3d
2025-03-30 14:27:54.185703 VERIFY OK: depth=1, CN=internal-ca
2025-03-30 14:27:54.186489 VERIFY KU OK
2025-03-30 14:27:54.186541 Validating certificate extended key usage
2025-03-30 14:27:54.186559 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-03-30 14:27:54.186577 VERIFY EKU OK
2025-03-30 14:27:54.186588 VERIFY X509NAME OK: CN=OpenVPN_Server
2025-03-30 14:27:54.186599 VERIFY OK: depth=0, CN=OpenVPN_Server
2025-03-30 14:27:55.135952 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-03-30 14:27:55.136163 [OpenVPN_Server] Peer Connection Initiated with [AF_INET]98.62.145.14:1194
2025-03-30 14:27:55.136242 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-03-30 14:27:55.136365 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-03-30 14:27:56.288233 MANAGEMENT: >STATE:1743359276,GET_CONFIG,,,,,,
2025-03-30 14:27:56.288515 SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
2025-03-30 14:27:58.903589 PUSH: Received control message: 'PUSH_REPLY,route vpn.mikelemon.com 255.255.255.0,route-gateway 10.88.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.88.8.2 255.255.255.0,peer-id 1,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2025-03-30 14:27:58.903758 OPTIONS IMPORT: --ifconfig/up options modified
2025-03-30 14:27:58.903788 OPTIONS IMPORT: route options modified
2025-03-30 14:27:58.903798 OPTIONS IMPORT: route-related options modified
2025-03-30 14:27:58.903808 OPTIONS IMPORT: tun-mtu set to 1500
2025-03-30 14:27:58.903819 Preserving previous TUN/TAP instance: utun13
2025-03-30 14:27:58.904018 Initialization Sequence Completed
2025-03-30 14:27:58.904060 MANAGEMENT: >STATE:1743359278,CONNECTED,SUCCESS,10.88.8.2,98.62.145.14,1194,,
2025-03-30 14:27:58.904075 Data Channel: cipher 'AES-256-GCM', peer-id: 1
2025-03-30 14:27:58.904085 Timers: ping 10, ping-restart 60
2025-03-30 14:27:58.904094 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-03-30 14:28:00.015437 *Tunnelblick: Warning: DNS server address is not being used.
2025-03-30 14:28:00.018962 *Tunnelblick: Warning: DNS server address <Other VPN DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
2025-03-30 14:28:00.020339 *Tunnelblick: Warning: DNS server address <WiFi DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
2025-03-30 14:28:00.021425 *Tunnelblick: Warning: DNS server address <Laptop DNS> is being used but should not be used. That may indicate that more than one network interface is active. Tunnelblick does not support multiple active network interfaces.
2025-03-30 14:28:06.832079 *Tunnelblick: This computer's apparent public IP address (74.63.204.254) was unchanged after the connection was made
================================================================================
Installer log:
2025-03-30 14:11:57.109215: Tunnelblick installer getuid() = 501; geteuid() = 0; getgid() = 20; getegid() = 20
currentDirectoryPath = '/'; 1 arguments:
0x0101
2025-03-30 14:11:57.110910: Determined username 'mike' from getuid(): 501
2025-03-30 14:11:57.112625: renamex_np() tests succeeded for /Applications
2025-03-30 14:11:57.114670: renamex_np() tests succeeded for /Library/Application Support/Tunnelblick
2025-03-30 14:11:57.118839: renamex_np() tests succeeded for /Users/mike/Library/Application Support/Tunnelblick/Configurations
2025-03-30 14:11:57.119552: Created directory /Users/mike/Library/Application Support/Tunnelblick/TBLogs with owner 0:80 and permissions 750
2025-03-30 14:11:57.119729: Changed ownership of /Users/mike/Library/Application Support/Tunnelblick/TBLogs from 0:80 to 501:80
2025-03-30 14:11:57.121758: Replaced /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
2025-03-30 14:11:57.336845: Used launchctl to load tunnelblickd
2025-03-30 14:11:57.348239: Tunnelblick installer succeeded
================================================================================
Down log:
14:24:59 *Tunnelblick: **********************************************
14:24:59 *Tunnelblick: Start of output from client.down.tunnelblick.sh
14:24:59 *Tunnelblick: Ignoring change of Network Primary Service from 283FA665-3088-45AF-B83C-62560DC2B505 to A3CC684B-8A3B-4B15-9147-53B0DE6CFF86
14:24:59 *Tunnelblick: INHIBIT_NETWORK_MONITORING is true, so not removing leasewatcher
14:24:59 *Tunnelblick: MADE_DNS_CHANGES is false, so not restoring network_settings
14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "Belkin USB-C LAN"
14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "USB 10/100/1000 LAN 2"
14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "Thunderbolt Bridge"
14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "SC_USviaSw-SE-US-1"
14:24:59 *Tunnelblick: Re-enabled IPv6 (automatic) for "Other VPN"
14:24:59 *Tunnelblick: Flushed the DNS cache with dscacheutil -flushcache
14:24:59 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed
14:24:59 *Tunnelblick: Notified mDNSResponderHelper that the DNS cache was flushed
14:24:59 *Tunnelblick: Up to six 'No such key' messages may appear next and may be ignored.
14:24:59 *Tunnelblick: End of output from client.down.tunnelblick.sh
14:24:59 *Tunnelblick: **********************************************
-
@lao
Can you post the server log, please?
-
@viragomann
I get one reply before I get blocked again. Can you and two others recommend or like or whatever so I can provide what you need and get this fixed? I'm still trying to validate the cert with the other user. I sent a lot of configs and I'm not sure which one he is using. He is trying to sell his house and move to a new house, so he's hard to get a hold of right now.
pfSense OpenVPN Logs:
Mar 30 13:48:36 openvpn 70698 user 'VPNuser' authenticated
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_SSO=webauth,crtext
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_GUI_VER=OCWindows_3.5.1-3946
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_MTU=1600
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PROTO=2974
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_TCPNL=1
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_NCP=2
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PLAT=win
Mar 30 13:48:36 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_VER=3.10.1
Mar 30 12:51:23 openvpn 19393 user 'VPNuser' authenticated
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_SSO=webauth,crtext
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_GUI_VER=OCWindows_3.5.1-3946
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_MTU=1600
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PROTO=2974
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_TCPNL=1
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_NCP=2
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PLAT=win
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_VER=3.10.1
Mar 30 11:54:12 openvpn 19836 openvpn server 'ovpns1' user 'VPNuser' address '67.209.16.165:53107' - connected
Mar 30 11:54:11 openvpn 14750 openvpn server 'ovpns1' user 'VPNuser' address '67.209.16.165:53107' - connecting
Mar 30 11:54:11 openvpn 46538 OpenVPN_User/67.209.16.165:53107 MULTI_sva: pool returned IPv4=10.88.8.2, IPv6=(Not enabled)
Mar 30 11:54:10 openvpn 19393 user 'VPNuser' authenticated
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 [OpenVPN_User] Peer Connection Initiated with [AF_INET]67.209.16.165:53107
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_BS64DL=1
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_SSO=webauth,crtext
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_GUI_VER=OCWindows_3.5.1-3946
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_MTU=1600
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_PROTO=2974
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_TCPNL=1
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_NCP=2
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_PLAT=win
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_VER=3.10.1
Mar 30 04:47:05 openvpn 46538 TLS Error: tls-crypt unwrapping failed from [AF_INET]185.20.116.72:55115
Mar 30 04:47:05 openvpn 46538 tls-crypt unwrap error: packet too short
-
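The following is an added example and not part of any post in this thread: a small POSIX shell check that reads pfSense OpenVPN log lines in the format shown above (`<CN>/<ip>:<port> peer info: IV_PLAT=...`) and reports any client certificate common name that shows up from more than one source address or more than one client platform, which is the symptom viragomann is asking about (one client certificate shared by several clients). The log lines embedded in it are constructed for the demonstration: the Windows client lines mirror the ones above, the macOS client sharing the CN `OpenVPN_User` from the laptop's public address is invented, and `OtherUser` is a made-up control case.

```shell
#!/bin/sh
# Flag client certificate CNs seen from more than one source IP or platform in a
# pfSense OpenVPN log. Added example, not code from the thread or from pfSense.
# The sample lines below are constructed; the mac client sharing the CN is invented.
SAMPLE_LOG=$(cat <<'EOF'
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 peer info: IV_PLAT=win
Mar 30 11:54:10 openvpn 46538 67.209.16.165:53107 [OpenVPN_User] Peer Connection Initiated with [AF_INET]67.209.16.165:53107
Mar 30 11:54:11 openvpn 46538 OpenVPN_User/67.209.16.165:53107 MULTI_sva: pool returned IPv4=10.88.8.2, IPv6=(Not enabled)
Mar 30 12:51:23 openvpn 46538 OpenVPN_User/67.209.16.165:53107 peer info: IV_PLAT=win
Mar 30 14:25:54 openvpn 46538 OpenVPN_User/74.63.204.254:60476 peer info: IV_PLAT=mac
Mar 30 14:25:54 openvpn 46538 OpenVPN_User/74.63.204.254:60476 MULTI_sva: pool returned IPv4=10.88.8.2, IPv6=(Not enabled)
Mar 30 14:27:53 openvpn 46538 OpenVPN_User/74.63.204.254:60476 peer info: IV_PLAT=mac
Mar 30 15:00:00 openvpn 46538 OtherUser/203.0.113.5:1194 peer info: IV_PLAT=linux
EOF
)

# shared_cn_report: read log lines on stdin; print "CN ips=<n> plats=<n>" for
# every CN that was seen from more than one IP or with more than one IV_PLAT.
# Only lines where field 6 is "<CN>/<ip>:<port>" and field 9 is IV_PLAT=... count;
# pre-auth lines (no CN prefix) and pool/route lines are ignored.
shared_cn_report() {
  awk '
    $6 ~ /^[^\/]+\/[0-9.]+:[0-9]+$/ && $7 == "peer" && $9 ~ /^IV_PLAT=/ {
      split($6, a, "/"); cn = a[1]
      split(a[2], b, ":"); ip = b[1]
      plat = substr($9, 9)
      if (!((cn, ip) in seen_ip))     { seen_ip[cn, ip] = 1;     nip[cn]++ }
      if (!((cn, plat) in seen_plat)) { seen_plat[cn, plat] = 1; nplat[cn]++ }
    }
    END {
      for (cn in nip)
        if (nip[cn] > 1 || nplat[cn] > 1)
          printf "%s ips=%d plats=%d\n", cn, nip[cn], nplat[cn]
    }'
}

# Run against the constructed sample (or replace with: shared_cn_report < /var/log/openvpn.log).
printf '%s\n' "$SAMPLE_LOG" | shared_cn_report
```

With "Duplicate Connection" left unset on the server (the help text pasted above spells it out: a new connection from a user disconnects the previous session), two people presenting the same certificate evict each other on every reconnect, which is the drop-and-reauth cycle in the Tunnelblick log. Once every client has its own certificate the report comes back empty.
-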
@viragomann We are using the same cert. Do you know how I create another without breaking the old one? Do I need another Server?
-
@lao said in Second OpenVPN Connection Causes Drops:
We are using the same cert.
This was my very first question, because it's the most probable reason for this behavior.
Client certificates have to be unique, one for each client.
If you're using "TLS + user auth" mode, you can create the certificate in the user manager. There is a certificate checkbox, which lets you create an assigned client cert.
-
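For anyone issuing the client certificates outside the pfSense user manager, the following is an added example and not pfSense's or the thread's own code: a POSIX shell script that issues one certificate per user from an OpenVPN CA, sets the `TLS Web Client Authentication` EKU that the server's "Client Certificate Key Usage Validation" option checks for, and verifies each certificate before it is handed out. The CA name `internal-ca` matches the one in the logs above, but the throwaway CA, the users `alice` and `bob`, and the temporary-directory layout are assumptions for the demonstration; it needs the `openssl` command line tool.

```shell
#!/bin/sh
# Issue one unique client certificate per OpenVPN user and verify it.
# Added example (assumed CA "internal-ca", assumed users alice/bob); in a real
# deployment the CA key stays on the firewall and only the CSR travels.
set -eu

make_ca() {            # make_ca <dir>: create <dir>/ca.key and <dir>/ca.crt
  cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = internal-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_cert() {  # issue_client_cert <dir> <user>: <user>.key + <user>.crt, CN=<user>
  dir=$1; user=$2
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$user" > "$dir/$user.cnf"
  # Client-only extensions: EKU clientAuth is what "Enforce key usage" looks for;
  # CA:FALSE keeps a leaked client key from minting further certificates.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nsubjectKeyIdentifier = hash\n' > "$dir/$user.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$user.cnf" \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$dir/$user.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$user.ext" -out "$dir/$user.crt" 2>/dev/null
}

cert_cn() {            # cert_cn <cert>: print the subject CN
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

cert_fingerprint() {   # cert_fingerprint <cert>: SHA-256 fingerprint (unique per cert)
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

client_cert_ok() {     # client_cert_ok <dir> <cert>: chains to the CA and carries EKU clientAuth
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" >/dev/null 2>&1 &&
  openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Client Authentication'
}

WORK=$(mktemp -d)
make_ca "$WORK"
for u in alice bob; do issue_client_cert "$WORK" "$u"; done
for u in alice bob; do
  printf '%s: CN=%s fp=%s ok=%s\n' "$u" "$(cert_cn "$WORK/$u.crt")" \
    "$(cert_fingerprint "$WORK/$u.crt")" \
    "$(client_cert_ok "$WORK" "$WORK/$u.crt" && echo yes || echo no)"
done
```

Each user then gets their own `<cert>`/`<key>` pair in their .ovpn, and because every CN is different the server's "Strict User-CN Matching" and "Duplicate Connection" settings behave as intended instead of treating two people as one session.
-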
@lao said in Second OpenVPN Connection Causes Drops:
Can you and two others recommend or like or whatever so I can provide what you need and get this fixed?
Best to request upvotes in a separate thread.
-
@viragomann Thank you. This helps. I'll let you know how it works out.
-
@viragomann That worked. You are awesome! Thank you so much.