OpenVPN with separate DHCP server


vanesp

Posts: 2
Joined: Mon May 10, 2021 8:56 pm

Post by vanesp » Mon May 10, 2021 9:09 pm
I have been running Viscosity on my Mac with an OpenVPN installation for the last two years. It has always worked correctly. Only now, without changing anything in the OpenVPN install or my Viscosity configuration, it is assigning a self-generated IP address (169.254.62.xxx) instead of an IP address in the correct range. Therefore I cannot access any of our internal systems or shared drives.

Colleagues using Windows are still being assigned a correct IP address.

My OpenVPN config is using TAP with the
server-bridge nogw
configuration. After a lot of Googling I found the following: "Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode".

However, I am sure it has worked in the past. Has anything changed in Viscosity recently? My log file contains:
2021-05-10 13:04:52: Viscosity Mac 1.9.3 (1571)
2021-05-10 13:04:52: Viscosity OpenVPN Engine Started
2021-05-10 13:04:52: Running on macOS 11.2.3
2021-05-10 13:04:52: ---------
2021-05-10 13:04:52: State changed to Connecting
2021-05-10 13:04:52: Checking reachability status of connection...
2021-05-10 13:04:52: Connection is reachable. Starting connection attempt.
2021-05-10 13:04:52: OpenVPN 2.4.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Apr 21 2021
2021-05-10 13:04:52: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-05-10 13:04:52: Valid endpoint found: 46.144.203.46:4911:tcp-client
2021-05-10 13:04:52: TCP/UDP: Preserving recently used remote address: [AF_INET]46.144.203.46:4911
2021-05-10 13:04:52: Attempting to establish TCP connection with [AF_INET]46.144.203.46:4911 [nonblock]
2021-05-10 13:04:53: TCP connection established with [AF_INET]46.144.203.46:4911
2021-05-10 13:04:53: TCP_CLIENT link local: (not bound)
2021-05-10 13:04:53: TCP_CLIENT link remote: [AF_INET]46.144.203.46:4911
2021-05-10 13:04:53: State changed to Authenticating
2021-05-10 13:04:53: [vpn.easylogic.nl] Peer Connection Initiated with [AF_INET]46.144.203.46:4911
2021-05-10 13:04:54: TUN/TAP device en4 opened
2021-05-10 13:04:54: DHCP enabled on tap interface en4
2021-05-10 13:05:03: Extracted DHCP router address: 172.16.10.2
2021-05-10 13:05:14: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-05-10 13:05:14: Initialization Sequence Completed
2021-05-10 13:05:14: DNS mode set to Split
2021-05-10 13:05:14: DNS Server/s: 172.16.10.11
2021-05-10 13:05:14: WARNING: The DNS server 172.16.10.11 is not routed through the VPN connection. DNS lookups to this server may travel over a different network interface (en0).
2021-05-10 13:05:14: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
2021-05-10 13:05:14: State changed to Connected

James

Posts: 2124
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue May 11, 2021 2:54 am
Hi vanesp,

An IP in the 169.254.x.x range is called a self-assigned IP address. macOS will automatically assign a self-assigned IP address to the interface if it doesn't receive one from a DHCP server. Typically this means that the DHCP server on the remote network isn't responding, or there is a problem with the TAP bridge on the OpenVPN server.

Please keep in mind that OpenVPN itself doesn't perform any server bridging: the server itself needs to be configured to bridge the TAP adapter on the server to the network interface you want to make accessible.

I recommend first you try adding "route-delay auto" (without the quotes) to your configuration. This will ensure that OpenVPN waits until DHCP setup is complete before continuing with the VPN connection setup. Information on how to add advanced commands can be found at:
https://www.sparklabs.com/support/kb/ar ... n-commands

If that still doesn't work, check the DHCP server logs to make sure it is assigning an IP address to the connecting client.

A problem could also occur if the DHCP is slow, in which case macOS may initially assign a 169.254.x.x, which will be updated later when the DHCP server responds. Viscosity may not necessarily update the IP address listed in the Details window in such a situation. So I recommend using the Terminal to see whether the IP address is still incorrect.

I also recommend addressing the DNS warning you're seeing: it's possible you may be getting a correctly assigned IP address, but your DNS is not working correctly making the VPN connection appear inaccessible.
https://www.sparklabs.com/support/kb/ar ... e-present/

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

vanesp

Posts: 2
Joined: Mon May 10, 2021 8:56 pm

Post by vanesp » Tue May 11, 2021 6:43 am
Tue May 11, 2021 2:54 am, James wrote:
> An IP in the 169.254.x.x range is called a self-assigned IP address. macOS will automatically assign a self-assigned IP address to the interface if it doesn't receive one from a DHCP server.

I realise this.

Tue May 11, 2021 2:54 am, James wrote:
> I recommend first you try adding "route-delay auto" (without the quotes) to your configuration.

I had a route-delay 20, which I just changed to route-delay auto.

Tue May 11, 2021 2:54 am, James wrote:
> If that still doesn't work, check the DHCP server logs to make sure it is assigning an IP address to the connecting client.

I have access to the OpenVPN server on a CentOS system. The DHCP server and DNS server run on a Windows Server, to which I have no access. I'll ask its system admin to see if it is assigning an IP address. The admin told me there is a DHCP reservation for my MAC address on my WiFi adapter. But the tap device generated by Viscosity surely uses a different MAC address?

Tue May 11, 2021 2:54 am, James wrote:
> I also recommend addressing the DNS warning you're seeing: it's possible you may be getting a correctly assigned IP address, but your DNS is not working correctly making the VPN connection appear inaccessible.

I did not get a new IP address. And if I get a self-assigned IP address it will never be able to reach the DNS server at 172.16.10.11.

However, inexplicably, when I tried connecting again just now from home, it connected with a correctly assigned IP address in the right range, and I did not get a split DNS warning on the DNS above. Now I'm wondering if the sys admin on the Windows DHCP server and DNS server changed something after my bunch of questions...

Thanks,

Peter

James

Posts: 2124
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue May 11, 2021 1:38 pm
> The admin told me there is a DHCP reservation for my MAC address on my WiFi adapter. But the tap device generated by Viscosity surely uses a different MAC address?
Yes, by default your VPN adapter will be assigned a random MAC address. You can manually specify one using the "lladdr" OpenVPN command if needed (however it can't clash with any other MAC address on the system or local or VPN networks). If your system administrator was disallowing unknown or different MAC addresses, it may explain why you were not being assigned an IP address by the DHCP server.

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
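
The Terminal check suggested in the thread, as an added example that is not part of the original posts: it reads `ifconfig` output for the TAP interface, reports the interface's MAC address (the value a DHCP reservation would need) and flags a 169.254.x.x address as self-assigned. The function names are hypothetical and the sample `ifconfig` text is constructed; only `en4` and the address ranges come from the posts.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Sample texts are constructed: en4 and the
# 169.254.62.x / 172.16.10.x ranges come from the posts; the MAC address and
# host parts are made up.
SAMPLE_SELF_ASSIGNED='en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 02:00:5e:10:00:01
    inet 169.254.62.17 netmask 0xffff0000 broadcast 169.254.255.255
    status: active'
SAMPLE_DHCP='en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 02:00:5e:10:00:01
    inet 172.16.10.57 netmask 0xffffff00 broadcast 172.16.10.255
    status: active'

# First IPv4 address / link-layer (MAC) address in ifconfig text on stdin.
iface_ipv4() { awk '$1 == "inet"  { print $2; exit }'; }
iface_mac()  { awk '$1 == "ether" { print $2; exit }'; }

# 169.254.0.0/16 is the self-assigned (link-local) range: no DHCP reply arrived.
classify_ipv4() {
  case "$1" in
    "")        echo none ;;
    169.254.*) echo self-assigned ;;
    *)         echo assigned ;;
  esac
}

# Read ifconfig text on stdin, print "mac=... ip=... state=...".
tap_report() (
  text=$(cat)
  ip=$(printf '%s\n' "$text" | iface_ipv4)
  mac=$(printf '%s\n' "$text" | iface_mac)
  printf 'mac=%s ip=%s state=%s\n' "${mac:-unknown}" "${ip:-none}" "$(classify_ipv4 "$ip")"
)

# wait_for_lease TRIES DELAY CMD...: re-run CMD (prints ifconfig text) until the
# address is DHCP-assigned, covering a slow DHCP server. Returns 1 if it never is.
wait_for_lease() {
  _tries=$1; _delay=$2; shift 2
  while :; do
    _report=$("$@" | tap_report)
    _tries=$((_tries - 1))
    case "$_report" in *state=assigned) echo "$_report"; return 0 ;; esac
    if [ "$_tries" -le 0 ]; then echo "$_report"; return 1; fi
    sleep "$_delay"
  done
}

printf '%s\n' "$SAMPLE_SELF_ASSIGNED" | tap_report
printf '%s\n' "$SAMPLE_DHCP" | tap_report
# On the Mac itself: wait_for_lease 6 5 ifconfig en4
```

If the report still shows `state=self-assigned` after the retries, the `mac=` value is what to look for in the DHCP server's logs or reservation list.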