Upgraded to 1.7.16, connection stuck in connecting mode

connie_xdotai

Posts: 3
Joined: Sat Dec 09, 2017 5:14 am

Post by connie_xdotai » Thu May 30, 2019 2:52 am
Hi,

After upgrading to 1.7.16, when doing a connect, the client seems to go into this connection loop, but never ends up connecting to the server. (Just to be certain it isn't my account or the server: using Tunnelblick with the same client profile works.)

On the server side, there was no log of authentication at all, no evidence that the client managed to send any packets to the server in order to start the authentication process.

According to the logs, it seems like the client attempts to establish a connection over IPv6. While our server does have an IPv6 address, OpenVPNAS currently does not support incoming IPv6 connections. I don't see an option that forces Viscosity to only connect via the server's IPv4 address.

Here are the sanitized logs from the client:

2019-05-29 12:19:45: Viscosity Mac 1.7.16 (1491)
2019-05-29 12:19:45: Viscosity OpenVPN Engine Started
2019-05-29 12:19:45: Running on macOS 10.13.6
2019-05-29 12:19:45: ---------
2019-05-29 12:19:45: State changed to Connecting
2019-05-29 12:19:45: Checking reachability status of connection...
2019-05-29 12:19:46: Connection is reachable. Starting connection attempt.
2019-05-29 12:19:46: OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on May 29 2019
2019-05-29 12:19:46: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
2019-05-29 12:19:58: Resolving address: vpn.example.com
2019-05-29 12:19:59: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194:udp
2019-05-29 12:19:59: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:19:59: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:19:59: UDP link local: (not bound)
2019-05-29 12:19:59: UDP link remote: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:20:03: Server poll timeout, restarting
2019-05-29 12:20:03: SIGUSR1[soft,server_poll] received, process restarting
2019-05-29 12:20:03: Resolving address: vpn.example.com
2019-05-29 12:20:04: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443:tcp-client
2019-05-29 12:20:04: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:20:04: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443
2019-05-29 12:20:04: Attempting to establish TCP connection with [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443 [nonblock]
2019-05-29 12:20:05: TCP: connect to [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443 failed: Connection refused
2019-05-29 12:20:05: SIGUSR1[connection failed(soft),init_instance] received, process restarting
2019-05-29 12:20:05: Resolving address: vpn.example.com
2019-05-29 12:20:06: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194:udp
2019-05-29 12:20:06: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:20:06: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:20:06: UDP link local: (not bound)
2019-05-29 12:20:06: UDP link remote: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:20:10: Server poll timeout, restarting
2019-05-29 12:20:10: SIGUSR1[soft,server_poll] received, process restarting
2019-05-29 12:20:10: Resolving address: vpn.example.com
2019-05-29 12:20:11: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443:tcp-client
2019-05-29 12:20:11: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:20:11: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443
2019-05-29 12:20:11: Attempting to establish TCP connection with [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443 [nonblock]
2019-05-29 12:20:12: TCP: connect to [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443 failed: Connection refused
2019-05-29 12:20:12: SIGUSR1[connection failed(soft),init_instance] received, process restarting
2019-05-29 12:20:12: Resolving address: vpn.example.com
2019-05-29 12:20:13: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194:udp
2019-05-29 12:20:13: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:20:13: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:20:13: UDP link local: (not bound)
2019-05-29 12:20:13: UDP link remote: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:20:17: Server poll timeout, restarting
2019-05-29 12:20:17: SIGUSR1[soft,server_poll] received, process restarting
2019-05-29 12:20:17: Resolving address: vpn.example.com
2019-05-29 12:20:18: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443:tcp-client
2019-05-29 12:20:18: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:20:18: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443
2019-05-29 12:20:18: Attempting to establish TCP connection with [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443 [nonblock]
2019-05-29 12:20:19: TCP: connect to [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443 failed: Connection refused
2019-05-29 12:20:19: SIGUSR1[connection failed(soft),init_instance] received, process restarting
2019-05-29 12:20:19: Resolving address: vpn.example.com
2019-05-29 12:20:20: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194:udp
2019-05-29 12:20:20: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:20:20: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:20:20: UDP link local: (not bound)
2019-05-29 12:20:20: UDP link remote: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:20:24: Server poll timeout, restarting
2019-05-29 12:20:24: SIGUSR1[soft,server_poll] received, process restarting
2019-05-29 12:20:24: Resolving address: vpn.example.com
2019-05-29 12:20:25: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443:tcp-client
2019-05-29 12:20:25: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:20:25: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443
2019-05-29 12:20:25: Attempting to establish TCP connection with [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443 [nonblock]
2019-05-29 12:20:26: TCP: connect to [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:443 failed: Connection refused
2019-05-29 12:20:26: SIGUSR1[connection failed(soft),init_instance] received, process restarting
2019-05-29 12:20:26: Resolving address: vpn.example.com
2019-05-29 12:20:27: Valid endpoint found: xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194:udp
2019-05-29 12:20:27: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2019-05-29 12:20:27: TCP/UDP: Preserving recently used remote address: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194
2019-05-29 12:20:27: UDP link local: (not bound)
2019-05-29 12:20:27: UDP link remote: [AF_INET6]xxxx:xxxx:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:1194

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu May 30, 2019 3:12 am
Hi connie_xdotai,

You can fix your connection issue by editing your connection in Viscosity, and under the General tab change the Protocol option from "UDP" to "UDP v4". This will force connections to use IPv4.

As the connection appears to support a fallback TCP server (which should be listed as an additional entry in the Remote Servers field), I'd also recommend changing its protocol from "tcp" to "tcp4".

Version 1.7.15 and later of Viscosity switch to letting macOS handle the IP address resolution order for resolved domains. This is so dual-stack connections are handled correctly, and it also makes the address resolution standards compliant. In your case macOS is preferring IPv6 connections over IPv4, and so IPv6 addresses have priority. It's very unusual for a server to have an IPv6 address and associated DNS record, but not IPv6 connectivity, so I'd recommend removing the IPv6 DNS record (e.g. AAAA) for the server until IPv6 connectivity has been resolved.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
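
The failure pattern in this thread can be recognised from the client log alone. The following is an added example, not part of the original posts and not Viscosity's own code: it splits a log into connection attempts and flags the case where every attempt went to an AF_INET6 endpoint and none connected. The sample log is constructed (documentation addresses), and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the client log quoted above
# (2001:db8::/32 is a documentation prefix, not an address from the thread).
SAMPLE_LOG = """\
2019-05-29 12:19:59: Valid endpoint found: 2001:db8::10:1194:udp
2019-05-29 12:19:59: UDP link remote: [AF_INET6]2001:db8::10:1194
2019-05-29 12:20:03: Server poll timeout, restarting
2019-05-29 12:20:04: Valid endpoint found: 2001:db8::10:443:tcp-client
2019-05-29 12:20:04: Attempting to establish TCP connection with [AF_INET6]2001:db8::10:443 [nonblock]
2019-05-29 12:20:05: TCP: connect to [AF_INET6]2001:db8::10:443 failed: Connection refused
2019-05-29 12:20:06: Valid endpoint found: 2001:db8::10:1194:udp
2019-05-29 12:20:06: UDP link remote: [AF_INET6]2001:db8::10:1194
2019-05-29 12:20:10: Server poll timeout, restarting
"""

# Greedy address match so the last two colon fields are port and protocol.
ENDPOINT = re.compile(r"Valid endpoint found: (?P<addr>.+):(?P<port>\d+):(?P<proto>[\w-]+)$")
FAMILY = re.compile(r"\[(AF_INET6?)\]")
FAILURE = re.compile(r"Server poll timeout|failed: Connection refused")
SUCCESS = "Initialization Sequence Completed"  # OpenVPN's line for an established tunnel


def summarize(log_text):
    """Split the log into connection attempts; record family and outcome of each."""
    attempts = []
    for line in log_text.splitlines():
        m = ENDPOINT.search(line)
        if m:  # each "Valid endpoint found" line starts a new attempt
            attempts.append({"port": int(m["port"]), "proto": m["proto"],
                             "family": None, "outcome": "pending"})
            continue
        if not attempts:
            continue
        cur = attempts[-1]
        fam = FAMILY.search(line)
        if fam and cur["family"] is None:
            cur["family"] = fam.group(1)
        if FAILURE.search(line):
            cur["outcome"] = "failed"
        elif SUCCESS in line:
            cur["outcome"] = "connected"
    return attempts


def ipv6_only_loop(attempts, min_failures=2):
    """True when every attempt used IPv6 and none connected (the loop in the thread)."""
    outcomes = [a["outcome"] for a in attempts]
    return ({a["family"] for a in attempts} == {"AF_INET6"}
            and outcomes.count("failed") >= min_failures
            and "connected" not in outcomes)
```

A positive result points at the two remedies given in the reply above: forcing the IPv4 protocol variants on the client, or removing the AAAA record until the server accepts IPv6 connections.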