IPv4 routes do not get pushed


cwo

Posts: 4
Joined: Sat Jun 11, 2022 12:25 am

Post by cwo » Tue Sep 05, 2023 7:13 pm
Hi.

We are currently switching our VPN server to OPNsense and trying to get "client specific overrides" to work.

When doing a test with Viscosity, I can connect and do get some client specific overrides, but IPv4 routes do not get pushed.

From the OPNsense side, I can see that IPv4 routes do get pushed.

The Viscosity log is:

---

2023-09-05 10:40:46: Viscosity Mac 1.10.7 (1650)
2023-09-05 10:40:46: Viscosity OpenVPN Engine Started
2023-09-05 10:40:46: Running on macOS 13.5.1
2023-09-05 10:40:46: ---------
2023-09-05 10:40:46: State changed to Connecting
2023-09-05 10:40:46: Checking reachability status of connection...
2023-09-05 10:40:48: Connection is reachable. Starting connection attempt.
2023-09-05 10:40:48: OpenVPN 2.5.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 9 2023
2023-09-05 10:40:48: library versions: OpenSSL 1.1.1u 30 May 2023, LZO 2.10
2023-09-05 10:40:54: Resolving address: access01.(__hide__)
2023-09-05 10:40:54: Valid endpoint found: 81.(__hide__):1194:udp
2023-09-05 10:40:54: TCP/UDP: Preserving recently used remote address: [AF_INET]81.(__hide__):1194
2023-09-05 10:40:54: UDP link local (bound): [AF_INET][undef]:0
2023-09-05 10:40:54: UDP link remote: [AF_INET]81.(__hide__):1194
2023-09-05 10:40:54: State changed to Authenticating
2023-09-05 10:40:54: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-09-05 10:40:54: [access01.(__hide__)] Peer Connection Initiated with [AF_INET]81.(__hide__):1194
2023-09-05 10:40:55: GDG6: problem writing to routing socket: No such process (errno=3)
2023-09-05 10:40:55: Opened utun device utun10
2023-09-05 10:40:55: /sbin/ifconfig utun10 delete
2023-09-05 10:40:55: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2023-09-05 10:40:55: /sbin/ifconfig utun10 10.0.9.2 10.0.9.1 mtu 1500 netmask 255.255.255.255 up
2023-09-05 10:40:55: /sbin/ifconfig utun10 inet6 2a02:(__hide__)::2/64 mtu 1500 up
2023-09-05 10:40:55: add_route_ipv6(2a02:(__hide__)::/64 -> 2a02:(__hide__)::2 metric 0) dev utun10
2023-09-05 10:40:55: add_route_ipv6(2a02:(__hide__)::/64 -> 2a02:(__hide__)::1 metric -1) dev utun10
2023-09-05 10:40:55: Initialization Sequence Completed
2023-09-05 10:40:55: DNS mode set to Split
2023-09-05 10:40:55: DNS Server/s: 10.(__hide__), 10.(__hide__), 10.(__hide__)
2023-09-05 10:40:55: DNS Domains/s: (__hide__).local
2023-09-05 10:40:55: WARNING: A .local domain is present in the DNS domain list. The .local domain is reserved for mDNS. Using it as a DNS domain may cause DNS resolution attempts to fail or unexpected DNS behaviour.
2023-09-05 10:40:56: State changed to Connected

----

When running a test on my iPad with OpenVPN app on the same OVPN file, I'll see the routes getting pushed:

----

[Sep 05, 2023, 09:52:43] ----- OpenVPN Start -----
OpenVPN core 3.git::081bfebe ios arm64 64-bit

[Sep 05, 2023, 09:52:43] OpenVPN core 3.git::081bfebe ios arm64 64-bit
[Sep 05, 2023, 09:52:43] Frame=512/2048/512 mssfix-ctrl=1250
[Sep 05, 2023, 09:52:43] UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
3 [data-ciphers-fallback] [AES-256-CBC]
6 [resolv-retry] [infinite]
9 [lport] [0]

[Sep 05, 2023, 09:52:43] EVENT: RESOLVE
[Sep 05, 2023, 09:52:43] Contacting 81.(__hide__):1194 via UDP
[Sep 05, 2023, 09:52:43] EVENT: WAIT
[Sep 05, 2023, 09:52:43] Connecting to [access01.(__hide__)]:1194 (81.(__hide__)) via UDPv4
[Sep 05, 2023, 09:52:43] EVENT: CONNECTING
[Sep 05, 2023, 09:52:43] Tunnel Options:V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client
[Sep 05, 2023, 09:52:43] Creds: Username/Password

[Sep 05, 2023, 09:52:43] Peer Info:
IV_VER=3.git::081bfebe
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_GUI_VER=net.openvpn.connect.ios_3.3.4-5176
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1

[Sep 05, 2023, 09:52:43] VERIFY OK: depth=1, (__hide__)
[Sep 05, 2023, 09:52:43] VERIFY OK: depth=0, (__hide__)

[Sep 05, 2023, 09:52:43] SSL Handshake: peer certificate: CN=access01.(__hide__), 4096 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
[Sep 05, 2023, 09:52:43] Session is ACTIVE
[Sep 05, 2023, 09:52:43] EVENT: GET_CONFIG
[Sep 05, 2023, 09:52:43] Sending PUSH_REQUEST to server...
[Sep 05, 2023, 09:52:44] Sending PUSH_REQUEST to server...
[Sep 05, 2023, 09:52:44] OPTIONS:
0 [route] [172.(__hide__)] [255.255.255.0]
1 [route] [10.0.1.1]
2 [topology] [net30]
3 [ping] [10]
4 [ping-restart] [60]
5 [route] [10.(__hide__)] [255.255.255.0]
6 [route] [10.(__hide__)] [255.255.255.0]
7 [route] [10.(__hide__)] [255.255.255.0]
8 [route] [10.(__hide__)] [255.255.255.0]
9 [route] [10.(__hide__)] [255.255.255.0]
10 [route] [10.(__hide__)] [255.255.255.0]
11 [route] [10.(__hide__)] [255.255.255.0]
12 [route-ipv6] [2a02:(__hide__)::/64]
13 [dhcp-option] [DOMAIN] [(__hide__).local]
14 [dhcp-option] [DNS] [10.(__hide__)]
15 [dhcp-option] [DNS] [10.(__hide__)]
16 [dhcp-option] [DNS] [10.(__hide__)]
17 [dhcp-option] [NTP] [10.(__hide__)]
18 [dhcp-option] [NTP] [10.(__hide__)]
19 [ifconfig-ipv6] [2a02:(__hide__)::2/64] [2a02:(__hide__)::1]
20 [ifconfig] [10.0.9.2] [10.0.9.1]
21 [peer-id] [0]
22 [cipher] [AES-256-GCM]
23 [key-derivation] [tls-ekm]

[Sep 05, 2023, 09:52:44] PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
key-derivation: TLS Keying Material Exporter [RFC5705]
compress: NONE
peer ID: 0
control channel: tls-auth enabled

[Sep 05, 2023, 09:52:44] EVENT: ASSIGN_IP
[Sep 05, 2023, 09:52:44] NIP: preparing TUN network settings
[Sep 05, 2023, 09:52:44] NIP: init TUN network settings with endpoint: 81.(__hide__)
[Sep 05, 2023, 09:52:44] NIP: adding IPv4 address to network settings 10.0.9.2/255.255.255.252
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.0.9.0/30
[Sep 05, 2023, 09:52:44] NIP: adding IPv6 address to network settings 2a02:(__hide__)::2/64
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv6 route 2a02:(__hide__)::/64
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 172.(__hide__)/24
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/32
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/24
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/24
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/24
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/24
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/24
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/24
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/24
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv6 route 2a02:(__hide__)::/64

[Sep 05, 2023, 09:52:44] NIP: adding match domain (__hide__).local
[Sep 05, 2023, 09:52:44] NIP: adding DNS 10.(__hide__)
[Sep 05, 2023, 09:52:44] NIP: adding DNS 10.(__hide__)
[Sep 05, 2023, 09:52:44] NIP: adding DNS 10.(__hide__)
[Sep 05, 2023, 09:52:44] NIP: adding DNS specific routes:
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/32
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/32
[Sep 05, 2023, 09:52:44] NIP: adding (included) IPv4 route 10.(__hide__)/32
[Sep 05, 2023, 09:52:44] Connected via NetworkExtensionTUN
[Sep 05, 2023, 09:52:44] EVENT: CONNECTED (__hide__)@access01.(__hide__):1194 (81.(__hide__)) via /UDPv4 on NetworkExtensionTUN/10.0.9.2/2a02:(__hide__)::2 gw=[/]

....

How can I make sure that Viscosity does get the routes pushed?

Best regards,

Christian

James

Posts: 2282
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Sep 05, 2023 7:35 pm
Hi Christian,

Can you please post a copy of the details listed in the following article? This will allow us to see what options are being pushed by the server for your connection attempt, and whether there are any local settings that could affect them as well.
https://www.sparklabs.com/support/kb/ar ... ort-staff/

If I had to guess at this stage, it would be that the two connections have a different certificate/key (with a different "common name"), and so aren't matching the same CCD config file.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

cwo

Posts: 4
Joined: Sat Jun 11, 2022 12:25 am

Post by cwo » Tue Sep 05, 2023 7:54 pm
Hi James.

Thanks for your quick reply. With

Code:
verb 5

I can see the "PUSH_REPLY" with all routes, and I see all the "/sbin/route add -net" lines I was missing before. So I close this thread, as the routes do get pushed to Viscosity.

I now need to figure out why my OPNsense does not let traffic go through the tunnel.

One last question - I can have OPNsense put a "verb" statement into the client config export file. Do you recommend a specific value to be enabled by default?

Thanks for helping :-)

Best regards,
Christian
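As an added example (not code from the thread, from Viscosity, or from OPNsense), the following Python script automates the check that a verb 5 log makes possible: it collects the route and route-ipv6 options from the PUSH_REPLY control message, collects the /sbin/route add -net and add_route_ipv6 lines that OpenVPN 2.x on macOS logs when it installs routes, and reports any pushed route that was never installed. The log text is constructed for the example; the function names and the SAMPLE_LOG name are assumptions. A route option with no netmask is treated as a host route (255.255.255.255), which is OpenVPN's default and matches the /32 entry in the iPad log above.

```python
"""Cross-check routes pushed by the server against routes the client installed.

Input is a verb 5 (or higher) OpenVPN 2.x client log. The IPv4 route line
format matches what OpenVPN on macOS logs ("/sbin/route add -net <net> <gw> <mask>").
"""
import re
from ipaddress import IPv4Network, IPv6Network

# Constructed sample log (not a real capture). The PUSH_REPLY deliberately
# carries two IPv4 routes for which no corresponding route add line appears.
SAMPLE_LOG = """\
2023-09-05 10:40:54: PUSH: Received control message: 'PUSH_REPLY,route 172.16.10.0 255.255.255.0,route 10.0.1.1,topology net30,ping 10,ping-restart 60,route 10.20.30.0 255.255.255.0,route-ipv6 2001:db8:1::/64,dhcp-option DNS 10.20.30.5,ifconfig 10.0.9.2 10.0.9.1,peer-id 0,cipher AES-256-GCM'
2023-09-05 10:40:55: /sbin/ifconfig utun10 10.0.9.2 10.0.9.1 mtu 1500 netmask 255.255.255.255 up
2023-09-05 10:40:55: /sbin/route add -net 172.16.10.0 10.0.9.1 255.255.255.0
2023-09-05 10:40:55: add_route_ipv6(2001:db8:1::/64 -> 2001:db8:1::2 metric 0) dev utun10
2023-09-05 10:40:55: add_route_ipv6(2001:db8:1::/64 -> 2001:db8:1::1 metric -1) dev utun10
2023-09-05 10:40:55: Initialization Sequence Completed
"""

PUSH_REPLY_RE = re.compile(r"PUSH_REPLY,(.*)'")
ROUTE_ADD_RE = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)")
ROUTE6_ADD_RE = re.compile(r"add_route_ipv6\((\S+) -> ")


def pushed_routes(log):
    """Networks the server pushed via 'route' and 'route-ipv6' options."""
    nets = set()
    for line in log.splitlines():
        m = PUSH_REPLY_RE.search(line)
        if not m:
            continue
        for opt in m.group(1).split(","):
            parts = opt.split()
            if len(parts) >= 2 and parts[0] == "route":
                # "route <net>" without a netmask is a host route in OpenVPN.
                mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
                nets.add(IPv4Network(f"{parts[1]}/{mask}", strict=False))
            elif len(parts) >= 2 and parts[0] == "route-ipv6":
                nets.add(IPv6Network(parts[1], strict=False))
    return nets


def installed_routes(log):
    """Networks the client actually handed to the OS routing table."""
    nets = set()
    for line in log.splitlines():
        m = ROUTE_ADD_RE.search(line)
        if m:
            net, _gateway, mask = m.groups()
            nets.add(IPv4Network(f"{net}/{mask}", strict=False))
            continue
        m = ROUTE6_ADD_RE.search(line)
        if m:
            nets.add(IPv6Network(m.group(1), strict=False))
    return nets


def missing_routes(log):
    """Pushed routes with no matching install line, sorted for stable output."""
    # key=str because IPv4Network and IPv6Network objects do not compare with each other
    return sorted(pushed_routes(log) - installed_routes(log), key=str)


if __name__ == "__main__":
    for net in missing_routes(SAMPLE_LOG):
        print(f"pushed but not installed: {net}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; an empty result means every route the server pushed was also handed to the OS, so any remaining connectivity problem is on the server or firewall side rather than in route installation on the client.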

James

Posts: 2282
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Sep 05, 2023 9:24 pm
Glad to hear.

A verb level of 3 is recommended for production use, and 5+ for debugging. Debug log levels can affect VPN connection performance (especially those higher levels that log every send/receive), so we generally don't recommend their use outside of troubleshooting an issue.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs