Mac OS OpenVPN issue
-
Good morning fellows,
I'm a new Mac user and I'm trying to migrate from Windows to Mac, but I'm stuck on my OpenVPN migration. On the Mac OS X I'm using Tunnelblick GUI, but I believe my issue is related to the OpenVPN side, therefore I'm writing in this forum.
My OpenVPN configuration is working perfectly fine on every Windows PC. I'm running an OpenVPN server on a pfSense platform, configured properly. The configuration is using a tap interface, UDP port and everything is in bridged mode, receiving IP addresses from my pfSense DHCP server.
However when I migrated to Mac OS X (Mavericks) the OpenVPN works randomly. By randomly I mean:
The initial OpenVPN connection is successful, the whole traffic is routed via the tunnel, no problems whatsoever, but as soon as I disconnect and reconnect again, the second connection is established, but I don't have access to the network at all. I can see that Tunnelblick has taken an IP address from my OpenVPN server, everything looks normal, but I don't have any network access, no ping, can't load any page, even if I try to type the IP address of the page there is no luck.
The strange thing is, that this happens randomly. I can't identify any pattern. When I leave my Macbook Pro for a while and then try to reconnect - the connection is successful, but as soon as I disconnect and reconnect again - no network access, despite the fact, that I have proper IP address, received via the tunnel.
I tried several different clients also - Viscosity, OpenVPN Connect Client and etc. All have the same issue. As soon as I disconnect and reconnect - no network access.
Since I have spent about 2 days trying to troubleshoot my issue, I'm looking for help from you guys.
I'm quite open to any suggestions and looking forward to hearing from you!
Thank you for your time!
Regards,
Nick -
I can recall a similar issue with our Mac users.
Make sure you disable IPv6 on the Mac and the DNS server to the Viscosity and Domain names.
I haven't asked about the connection,
are you on Wi-Fi or Ethernet?
If you are on Wi-Fi, try with a cable and see if it works.
Probably the Wi-Fi is not stable and keeps dropping the connections.
How have you configured the VPN? RADIUS or just Certificate?
-
Hi Jamerson,
Thank you for your reply!
I disabled ipv6, that was a very good suggestion, thank you. Also I'm using only Wi-Fi, no ethernet since I need an adapter in order to use ethernet.
After some extensive troubleshooting I think I identified the problem. The issue occurs when I use, on the client side, --redirect-gateway in combination with --route-gateway in an OpenVPN bridged configuration, where the clients are receiving their IP addresses from a DHCP server behind the OpenVPN server, which is my case.
The problem is still present and I will appreciate any suggestions from you guys.
Thanks for watching the topic.
Regards,
Nick -
When the clients connect to your pfSense,
what IP address are they receiving?
Are you disabling the Block bogon networks and Block private networks from your WAN? -
Dear fellows,
Problem Resolved!
Please be aware, that this solution is valid only for Mac users, trying to connect to OpenVPN server, which is bridged with a DHCP server using tap interface and UDP protocol. Also the final goal is to route all traffic via the VPN tunnel.
Tunnelblick now works. Finally I managed to solve my problem. Just for reference, today I installed security update 2014-005 for OS X Mavericks and disabled ipv6 protocol by typing the following command in Bash:
networksetup -setv6off wi-fi
I’m not sure whether this had any effect on my configuration or not, but it’s good to know what I’ve done.
In Tunnelblick my configuration works only with: Set nameserver (3.0b10)
The problem was that when I was using both redirect-gateway and route-gateway in my client configuration file, my tap adapter was not receiving any IP address from the DHCP server. Because of that OpenVPN was just skipping the fact that my tap adapter doesn’t have any IP address and proceeding to routing table modification, but since there was nothing to route, the client was proceeding to the next command --route-gateway.
Since my tap adapter didn’t have an IP address, the --route-gateway command was assigning the pre-defined gateway IP address to my Wi-Fi adapter.
Result: Complete mess.
When I introduced the --route-delay 10 command, I set a 10 seconds holding time, before the execution of --redirect-gateway and --route-gateway commands. This holding time allowed my tap adapter to receive a proper network configuration from my DHCP server and from that point all other commands make sense.
Please if you see something, which is not right in the text above, feel free to correct me.
Good luck to all of you, trying to resolve similar cases!
Regards,
Nick -
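A post-connect check for the failure described in the post above, as an added example that is not part of the original thread: it parses macOS `ifconfig` and `netstat -rn -f inet` output and reports when the tap adapter has no IPv4 address or the catch-all route leaves through another interface. The function names, the `tap0` interface name and the sample output are assumptions constructed for illustration; handling the `0/1` and `128.0/1` routes that `redirect-gateway def1` creates goes beyond the case in the thread.

```python
import re

# Constructed samples shaped like macOS `ifconfig` and `netstat -rn -f inet`
# output; interface names (en0, tap0) and addresses are made up, not from the thread.
IFCONFIG_NO_LEASE = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 10.0.0.23 netmask 0xffffff00 broadcast 10.0.0.255
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 0a:1b:2c:3d:4e:5f
"""
ROUTES_NO_LEASE = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.50.1       UGSc           10        0     en0
"""
IFCONFIG_LEASED = IFCONFIG_NO_LEASE + "\tinet 192.168.50.77 netmask 0xffffff00 broadcast 192.168.50.255\n"
ROUTES_LEASED = ROUTES_NO_LEASE.replace("     en0", "    tap0")

def ipv4_by_interface(ifconfig_text):
    """Map interface name -> list of IPv4 addresses found in ifconfig output."""
    addrs, current = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+?):\s+flags=", line)
        if head:
            current = head.group(1)
            addrs[current] = []
        elif current and (m := re.match(r"^\s+inet (\d+\.\d+\.\d+\.\d+)", line)):
            addrs[current].append(m.group(1))
    return addrs

def catch_all_interfaces(netstat_text):
    """Interfaces of the effective catch-all routes (0/1 + 128.0/1 override default)."""
    netif_col, routes = None, {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if cols[:1] == ["Destination"] and "Netif" in cols:
            netif_col = cols.index("Netif")
        elif netif_col is not None and len(cols) > netif_col and cols[0] in ("default", "0/1", "128.0/1"):
            routes.setdefault(cols[0], cols[netif_col])
    if "0/1" in routes and "128.0/1" in routes:
        return {routes["0/1"], routes["128.0/1"]}
    return {routes["default"]} if "default" in routes else set()

def check_tunnel(ifconfig_text, netstat_text, tap="tap0"):
    """Return a list of problems; an empty list means routes are consistent with the tap."""
    problems = []
    if not ipv4_by_interface(ifconfig_text).get(tap):
        problems.append(f"{tap} has no IPv4 address (DHCP lease not applied yet)")
    stray = catch_all_interfaces(netstat_text) - {tap}
    if stray:
        problems.append(f"catch-all route leaves via {sorted(stray)}, not {tap}")
    return problems
```
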
good to know your issue is fixed,
didn't know your Mac wasn't patched with the latest security patch (SSL).
disabling IPv6 is really the solution,
had the same issue before with my Mac users.