Open VPN mitm, DNS, auth-nocache Error

Post by feiercrack » Fri Jun 22, 2018 1:58 pm

Hi, got some problems using VPN Gate via Tunnelblick.

Log shows me some "mitm" problem, DNS problem and something with auth-nocache.

Dunno how to fix that...

And the connection often disconnects...

Any help please?

Thanks, cheers

Log:
*Tunnelblick: OS X 10.13.5; Tunnelblick 3.7.6 (build 5060); prior version 3.7.5a (build 5011)
2018-06-19 19:17:57 *Tunnelblick: Attempting connection with vpngate_vpn286957072.opengw.net_tcp_1253 using shadow copy; Set nameserver = 769; monitoring connection
2018-06-19 19:17:57 *Tunnelblick: openvpnstart start vpngate_vpn286957072.opengw.net_tcp_1253.tblk 52104 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2o
2018-06-19 19:17:58 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2o/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-Schech-SLibrary-SApplication Support-STunnelblick-SConfigurations-Svpngate_vpn286957072.opengw.net_tcp_1253.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.52104.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Users/chech/vpngate_vpn286957072.opengw.net_tcp_1253.tblk/Contents/Resources
--setenv
IV_GUI_VER
"net.tunnelblick.tunnelblick 5060 3.7.6 (build 5060)"
--verb
3
--config
/Library/Application Support/Tunnelblick/Users/chech/vpngate_vpn286957072.opengw.net_tcp_1253.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Users/chech/vpngate_vpn286957072.opengw.net_tcp_1253.tblk/Contents/Resources
--management
127.0.0.1
52104
/Library/Application Support/Tunnelblick/nkbdnfccagienbimdnmgojgpdeeinkemmadbmmfj.mip
--management-query-passwords
--management-hold
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2018-06-19 19:17:57 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 9 2018
2018-06-19 19:17:57 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
2018-06-19 19:17:57 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:52104
2018-06-19 19:17:57 Need hold release from management interface, waiting...
2018-06-19 19:17:57 *Tunnelblick: openvpnstart starting OpenVPN
2018-06-19 19:17:58 *Tunnelblick: Established communication with OpenVPN
2018-06-19 19:17:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52104
2018-06-19 19:17:58 MANAGEMENT: CMD 'pid'
2018-06-19 19:17:58 MANAGEMENT: CMD 'state on'
2018-06-19 19:17:58 MANAGEMENT: CMD 'state'
2018-06-19 19:17:58 MANAGEMENT: CMD 'bytecount 1'
2018-06-19 19:17:58 MANAGEMENT: CMD 'hold release'
2018-06-19 19:17:58 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2018-06-19 19:17:58 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-06-19 19:17:58 MANAGEMENT: >STATE:1529428678,RESOLVE,,,,,,
2018-06-19 19:17:58 TCP/UDP: Preserving recently used remote address: [AF_INET]113.148.130.195:1253
2018-06-19 19:17:58 Socket Buffers: R=[131072->131072] S=[131072->131072]
2018-06-19 19:17:58 Attempting to establish TCP connection with [AF_INET]113.148.130.195:1253 [nonblock]
2018-06-19 19:17:58 MANAGEMENT: >STATE:1529428678,TCP_CONNECT,,,,,,
2018-06-19 19:17:59 TCP connection established with [AF_INET]113.148.130.195:1253
2018-06-19 19:17:59 TCP_CLIENT link local: (not bound)
2018-06-19 19:17:59 TCP_CLIENT link remote: [AF_INET]113.148.130.195:1253
2018-06-19 19:17:59 MANAGEMENT: >STATE:1529428679,WAIT,,,,,,
2018-06-19 19:17:59 MANAGEMENT: >STATE:1529428679,AUTH,,,,,,
2018-06-19 19:17:59 TLS: Initial packet from [AF_INET]113.148.130.195:1253, sid=766d4530 e223ef39
2018-06-19 19:18:00 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
2018-06-19 19:18:00 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
2018-06-19 19:18:00 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.opengw.net
2018-06-19 19:18:02 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2018-06-19 19:18:02 [*.opengw.net] Peer Connection Initiated with [AF_INET]113.148.130.195:1253
2018-06-19 19:18:03 MANAGEMENT: >STATE:1529428683,GET_CONFIG,,,,,,
2018-06-19 19:18:03 SENT CONTROL [*.opengw.net]: 'PUSH_REQUEST' (status=1)
2018-06-19 19:18:05 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.45 10.211.1.46,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.46,redirect-gateway def1'
2018-06-19 19:18:05 OPTIONS IMPORT: timers and/or timeouts modified
2018-06-19 19:18:05 OPTIONS IMPORT: --ifconfig/up options modified
2018-06-19 19:18:05 OPTIONS IMPORT: route options modified
2018-06-19 19:18:05 OPTIONS IMPORT: route-related options modified
2018-06-19 19:18:05 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-06-19 19:18:05 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-06-19 19:18:05 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-06-19 19:18:05 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2018-06-19 19:18:05 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-06-19 19:18:05 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2018-06-19 19:18:05 Opened utun device utun1
2018-06-19 19:18:05 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-06-19 19:18:05 MANAGEMENT: >STATE:1529428685,ASSIGN_IP,,10.211.1.45,,,,
2018-06-19 19:18:05 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-06-19 19:18:05 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-06-19 19:18:05 /sbin/ifconfig utun1 10.211.1.45 10.211.1.46 mtu 1500 netmask 255.255.255.255 up
2018-06-19 19:18:05 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1559 10.211.1.45 10.211.1.46 init
**********************************************
Start of output from client.up.tunnelblick.sh
Disabled IPv6 for 'VPN (L2TP)'
Retrieved from OpenVPN: name server(s) [ 10.211.254.254 8.8.8.8 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '192.168.178.10' to '10.211.254.254 8.8.8.8'
Changed DNS SearchDomains setting from '' to 'openvpn'
Changed DNS DomainName setting from 'router to 'openvpn'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers '10.211.254.254 8.8.8.8' will be used for DNS queries when the VPN is active
NOTE: The DNS servers include one or more free public DNS servers known to Tunnelblick and one or more DNS servers not known to Tunnelblick. If used, the DNS servers not known to Tunnelblick may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2018-06-19 19:18:09 *Tunnelblick: No 'connected.sh' script to execute
2018-06-19 19:18:09 /sbin/route add -net 113.148.130.195 192.168.178.1 255.255.255.255
add net 113.148.130.195: gateway 192.168.178.10
2018-06-19 19:18:09 /sbin/route add -net 0.0.0.0 10.211.1.46 128.0.0.0
add net 0.0.0.0: gateway 10.211.1.46
2018-06-19 19:18:09 /sbin/route add -net 128.0.0.0 10.211.1.46 128.0.0.0
add net 128.0.0.0: gateway 10.211.1.46
2018-06-19 19:18:09 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-06-19 19:18:09 Initialization Sequence Completed
2018-06-19 19:18:09 MANAGEMENT: >STATE:1529428689,CONNECTED,SUCCESS,10.211.1.45,113.148.130.195,1253,192.168.178.23,50359
2018-06-19 19:18:14 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-06-19 19:18:19 *Tunnelblick: This computer's apparent public IP address changed from 12.34.56.78 before connection to 113.148.130.195 after connection
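
Added example (not part of the original post, and not Tunnelblick or OpenVPN code): a small Python audit that picks the three items the post asks about out of an OpenVPN client log and reports, for the two warnings, the client-config directive that addresses each. The rule table and function names are this example's own assumptions; `remote-cert-tls server` and `auth-nocache` are OpenVPN 2.4 options, and the sample lines are excerpted from the log above.

```python
import ipaddress
import re

# Lines excerpted from the log posted above; the last one is a benign control line.
SAMPLE_LOG = """\
2018-06-19 19:17:58 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2018-06-19 19:18:05 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.45 10.211.1.46,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.46,redirect-gateway def1'
2018-06-19 19:18:09 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-06-19 19:18:09 Initialization Sequence Completed
"""

# Warning text -> (finding id, client-config directive that addresses it).
# The mapping is this example's assumption, based on OpenVPN 2.4 option names.
RULES = {
    "No server certificate verification method": ("no-server-cert-check", "remote-cert-tls server"),
    "may cache passwords in memory": ("password-cached", "auth-nocache"),
}

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")


def pushed_dns(line):
    """Return the DNS servers the VPN server pushed in a PUSH_REPLY line."""
    match = PUSH_RE.search(line)
    if not match:
        return []
    servers = []
    for option in match.group(1).split(","):
        parts = option.split()
        if len(parts) == 3 and parts[:2] == ["dhcp-option", "DNS"]:
            servers.append(ipaddress.ip_address(parts[2]))
    return servers


def audit(log_text):
    """Return (finding id, detail) tuples in the order they appear in the log."""
    findings = []
    for line in log_text.splitlines():
        for needle, (finding_id, directive) in RULES.items():
            if needle in line:
                findings.append((finding_id, directive))
        for ip in pushed_dns(line):
            scope = "private" if ip.is_private else "public"
            findings.append(("pushed-dns", f"{ip} ({scope})"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The `pushed-dns` entries are the resolvers that Tunnelblick's NOTE in the log refers to; the private one is the server it reports as not known to Tunnelblick.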
