Routes not being added to correct interface


Zach

Posts: 3
Joined: Thu Aug 08, 2024 11:44 pm

Post by Zach » Thu Aug 08, 2024 11:57 pm
I'm attempting to set up a connection to my corporate OpenVPN server, running on OPNSense. When connecting with Viscosity, additional routes to reach my server's LAN are not added to the correct interface on my client.

Viscosity adds the route to my OpenVPN Server LAN (192.168.100.0/24) under my WiFi interface en0. The OpenVPN client adds the route correctly under the utun10 interface.

I tried adding route-delay auto to the client config, but it made no difference.

Any ideas?

Viscosity Connection Log
2024-08-08 09:42:50: Viscosity Mac 1.11.2 (1691)
2024-08-08 09:42:50: Viscosity OpenVPN Engine Started
2024-08-08 09:42:50: Running on macOS 14.1
2024-08-08 09:42:50: ---------
2024-08-08 09:42:50: State changed to Connecting
2024-08-08 09:42:50: Checking reachability status of connection...
2024-08-08 09:42:50: Connection is reachable. Starting connection attempt.
2024-08-08 09:42:50: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-08-08 09:42:50: OpenVPN 2.6.10 aarch64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2024-08-08 09:42:50: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
2024-08-08 09:42:50: Valid endpoint found: xxx.xxx.xxx.xxx:1194:udp4
2024-08-08 09:42:50: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2024-08-08 09:42:50: UDPv4 link local (bound): [AF_INET][undef]:0
2024-08-08 09:42:50: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
2024-08-08 09:42:50: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-08-08 09:42:50: State changed to Authenticating
2024-08-08 09:42:50: [xxxVPNServer] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
2024-08-08 09:42:53: Opened utun device utun10
2024-08-08 09:42:53: /sbin/ifconfig utun10 delete
2024-08-08 09:42:53: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2024-08-08 09:42:53: /sbin/ifconfig utun10 192.168.2.77 192.168.2.77 netmask 255.255.255.255 mtu 1500 up
2024-08-08 09:42:53: Initialization Sequence Completed
2024-08-08 09:42:53: DNS mode set to Split
2024-08-08 09:42:53: DNS Server/s: 192.168.100.11, 192.168.100.8
2024-08-08 09:42:53: DNS Domains/s: xxx.com
2024-08-08 09:42:53: WARNING: The DNS server 192.168.100.11 is not routed through the VPN connection. DNS lookups to this server may travel over a different network interface (en0).
2024-08-08 09:42:53: WARNING: The DNS server 192.168.100.8 is not routed through the VPN connection. DNS lookups to this server may travel over a different network interface (en0).
2024-08-08 09:42:53: State changed to Connected
2024-08-08 09:43:05: State changed to Disconnecting (Manual)
2024-08-08 09:43:05: SIGTERM[hard,] received, process exiting
2024-08-08 09:43:05: State changed to Disconnected (Process Terminated)
Viscosity Client
zach@MacBook-Pro ~ % netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags               Netif Expire
default            172.xxx.xxx.1        UGScg                 en0
default            192.168.2.1        UGScIg             utun10
127                127.0.0.1          UCS                   lo0
127.0.0.1          127.0.0.1          UH                    lo0
169.254            link#15            UCS                   en0      !
172.xxx.xxx/28       link#15            UCS                   en0      !
172.xxx.xxx.1/32     link#15            UCS                   en0      !
172.xxx.xxx.1        9a:60:ca:95:10:64  UHLWIir               en0   1155
172.xxx.xxx.2/32     link#15            UCS                   en0      !
192.168.2.1/32     link#29            UCS                utun10
192.168.2.1        link#29            UHWIir             utun10
192.168.2.77       192.168.2.77       UH                 utun10
192.168.100        192.168.2.1        UGSc                  en0
224.0.0/4          link#15            UmCS                  en0      !
224.0.0/4          link#29            UmCSI              utun10
224.0.0.251        1:0:5e:0:0:fb      UHmLWI                en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI                en0
239.255.255.250    link#29            UHmW3I             utun10     10
255.255.255.255/32 link#15            UCS                   en0      !
255.255.255.255/32 link#29            UCSI               utun10
OpenVPN Client
zach@MacBook-Pro ~ % netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags               Netif Expire
default            172.xxx.xxx.1        UGScg                 en0
127                127.0.0.1          UCS                   lo0
127.0.0.1          127.0.0.1          UH                    lo0
169.254            link#15            UCS                   en0      !
172.xxx.xxx/28       link#15            UCS                   en0      !
172.xxx.xxx.1/32     link#15            UCS                   en0      !
172.xxx.xxx.1        9a:60:ca:95:10:64  UHLWIir               en0   1186
172.xxx.xxx.2/32     link#15            UCS                   en0      !
172.xxx.xxx.2        f4:d4:88:74:1e:9f  UHLWIi                lo0
192.168.2.1        192.168.2.77       UH                 utun10
192.168.100        192.168.2.1        UGSc               utun10
224.0.0/4          link#15            UmCS                  en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI                en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI                en0
255.255.255.255/32 link#15            UCS                   en0      !

James

Posts: 2361
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Aug 09, 2024 1:29 am
Hi Zach,

Please post (or email) the details listed in the following article and we can take a closer look for you:
https://www.sparklabs.com/support/kb/ar ... ort-staff/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Zach

Posts: 3
Joined: Thu Aug 08, 2024 11:44 pm

Post by Zach » Fri Aug 09, 2024 1:44 am
Raw Configuration Data
#-- Configuration Generated By Viscosity --#

#viscosity name "VPN Users"
#viscosity protocol openvpn
#viscosity startonopen false
#viscosity usepeerdns true
#viscosity dns automatic
#viscosity ipv6 false
#viscosity autoreconnect true
#viscosity dhcp true
#viscosity dnssupport true
route-gateway dhcp
remote 70.xxx.xxx.xxx 1194 udp4
dev tun
persist-tun
persist-key
pull
auth-user-pass
tls-client
pkcs12 pkcs.p12
remote-cert-tls server
lport 0
resolv-retry infinite
route-delay auto
verify-x509-name "C=US, ST=xx, L=xxx, O=xxx, [email protected], CN=xxxVPNServer" subject
Connection Log (With Increased Logging)
2024-08-08 11:39:09: Viscosity Mac 1.11.2 (1691)
2024-08-08 11:39:09: Viscosity OpenVPN Engine Started
2024-08-08 11:39:09: Running on macOS 14.1
2024-08-08 11:39:09: ---------
2024-08-08 11:39:09: State changed to Connecting
2024-08-08 11:39:09: Checking reachability status of connection...
2024-08-08 11:39:09: Connection is reachable. Starting connection attempt.
2024-08-08 11:39:09: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-08-08 11:39:09: Current Parameter Settings:
2024-08-08 11:39:09:   config = 'config.conf'
2024-08-08 11:39:09:   mode = 0
2024-08-08 11:39:09:   show_ciphers = DISABLED
2024-08-08 11:39:09:   show_digests = DISABLED
2024-08-08 11:39:09:   show_engines = DISABLED
2024-08-08 11:39:09:   genkey = DISABLED
2024-08-08 11:39:09:   genkey_filename = '[UNDEF]'
2024-08-08 11:39:09:   key_pass_file = '[UNDEF]'
2024-08-08 11:39:09:   show_tls_ciphers = DISABLED
2024-08-08 11:39:09:   connect_retry_max = 0
2024-08-08 11:39:09: Connection profiles [0]:
2024-08-08 11:39:09:   proto = udp4
2024-08-08 11:39:09:   local = '[UNDEF]'
2024-08-08 11:39:09:   local_port = '0'
2024-08-08 11:39:09:   remote = '70.xxx.xxx.xxx'
2024-08-08 11:39:09:   remote_port = '1194'
2024-08-08 11:39:09:   remote_float = DISABLED
2024-08-08 11:39:09:   bind_defined = DISABLED
2024-08-08 11:39:09:   bind_local = ENABLED
2024-08-08 11:39:09:   bind_ipv6_only = DISABLED
2024-08-08 11:39:09:   connect_retry_seconds = 1
2024-08-08 11:39:09:   connect_timeout = 120
2024-08-08 11:39:09:   socks_proxy_server = '[UNDEF]'
2024-08-08 11:39:09:   socks_proxy_port = '[UNDEF]'
2024-08-08 11:39:09:   tun_mtu = 1500
2024-08-08 11:39:09:   tun_mtu_defined = ENABLED
2024-08-08 11:39:09:   link_mtu = 1500
2024-08-08 11:39:09:   link_mtu_defined = DISABLED
2024-08-08 11:39:09:   tun_mtu_extra = 0
2024-08-08 11:39:09:   tun_mtu_extra_defined = DISABLED
2024-08-08 11:39:09:   tls_mtu = 1250
2024-08-08 11:39:09:   mtu_discover_type = -1
2024-08-08 11:39:09: NOTE: --mute triggered...
2024-08-08 11:39:09: 257 variation(s) on previous 100 message(s) suppressed by --mute
2024-08-08 11:39:09: OpenVPN 2.6.10 aarch64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2024-08-08 11:39:09: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
2024-08-08 11:39:10: Valid endpoint found: 70.xxx.xxx.xxx:1194:udp4
2024-08-08 11:39:10: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2024-08-08 11:39:10: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2024-08-08 11:39:10: TCP/UDP: Preserving recently used remote address: [AF_INET]70.xxx.xxx.xxx:1194
2024-08-08 11:39:10: Socket Buffers: R=[786896->786896] S=[9216->9216]
2024-08-08 11:39:10: UDPv4 link local (bound): [AF_INET][undef]:0
2024-08-08 11:39:10: UDPv4 link remote: [AF_INET]70.xxx.xxx.xxx:1194
2024-08-08 11:39:10: TLS: Initial packet from [AF_INET]70.xxx.xxx.xxx:1194, sid=196f1e2c 0d860791
2024-08-08 11:39:10: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-08-08 11:39:10: State changed to Authenticating
2024-08-08 11:39:10: VERIFY OK: depth=1, C=US, ST=xx, L=xxx, O=xxx, [email protected], CN=xxxVPNCA
2024-08-08 11:39:10: VERIFY KU OK
2024-08-08 11:39:10: Validating certificate extended key usage
2024-08-08 11:39:10: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-08-08 11:39:10: VERIFY EKU OK
2024-08-08 11:39:10: VERIFY X509NAME OK: C=US, ST=xx, L=xxx, O=xxx, [email protected], CN=xxxVPNServer
2024-08-08 11:39:10: VERIFY OK: depth=0, C=US, ST=xx, L=xxx, O=xxx, [email protected], CN=xxxVPNServer
2024-08-08 11:39:10: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2024-08-08 11:39:10: [xxxVPNServer] Peer Connection Initiated with [AF_INET]70.xxx.xxx.xxx:1194
2024-08-08 11:39:10: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-08-08 11:39:10: TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-08-08 11:39:10: SENT CONTROL [xxxVPNServer]: 'PUSH_REQUEST' (status=1)
2024-08-08 11:39:11: SENT CONTROL [xxxVPNServer]: 'PUSH_REQUEST' (status=1)
2024-08-08 11:39:11: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN xxx.com,dhcp-option DNS 192.168.100.11,dhcp-option DNS 192.168.100.8,route 192.168.100.0 255.255.255.0,route-gateway 192.168.2.1,topology subnet,ifconfig 192.168.2.77 255.255.255.255,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2024-08-08 11:39:11: OPTIONS IMPORT: --ifconfig/up options modified
2024-08-08 11:39:11: OPTIONS IMPORT: route options modified
2024-08-08 11:39:11: OPTIONS IMPORT: route-related options modified
2024-08-08 11:39:11: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-08-08 11:39:11: OPTIONS IMPORT: tun-mtu set to 1500
2024-08-08 11:39:11: Opened utun device utun10
2024-08-08 11:39:11: do_ifconfig, ipv4=1, ipv6=0
2024-08-08 11:39:11: /sbin/ifconfig utun10 delete
2024-08-08 11:39:11: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2024-08-08 11:39:11: /sbin/ifconfig utun10 192.168.2.77 192.168.2.77 netmask 255.255.255.255 mtu 1500 up
2024-08-08 11:39:11: /sbin/route add -net 192.168.2.77 192.168.2.77 255.255.255.255
2024-08-08 11:39:11: /sbin/route add -net 192.168.100.0 192.168.2.1 255.255.255.0
2024-08-08 11:39:11: Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2024-08-08 11:39:11: Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
2024-08-08 11:39:11: Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-08-08 11:39:11: Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
2024-08-08 11:39:11: Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-08-08 11:39:11: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-08-08 11:39:11: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-08-08 11:39:11: Initialization Sequence Completed
2024-08-08 11:39:11: Data Channel: cipher 'AES-256-GCM', peer-id: 0
2024-08-08 11:39:11: Timers: ping-restart 120
2024-08-08 11:39:11: Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2024-08-08 11:39:11: DNS mode set to Split
2024-08-08 11:39:11: DNS Server/s: 192.168.100.11, 192.168.100.8
2024-08-08 11:39:11: DNS Domains/s: xxx.com
2024-08-08 11:39:11: WARNING: The DNS server 192.168.100.11 is not routed through the VPN connection. DNS lookups to this server may travel over a different network interface (en0).
2024-08-08 11:39:11: WARNING: The DNS server 192.168.100.8 is not routed through the VPN connection. DNS lookups to this server may travel over a different network interface (en0).
2024-08-08 11:39:12: State changed to Connected

James

Posts: 2361
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Aug 09, 2024 2:15 pm
Hi Zach,

The OpenVPN server is pushing out an invalid route configuration, which is the cause of the problem.

It's pushing out the route 192.168.100.0/24 with a gateway of 192.168.2.1, but 192.168.2.1 isn't routed into the VPN connection. Only 192.168.2.77/32 is routed into the VPN connection.

There are two ways you can solve this:

1. Have the OpenVPN server also push out the route 192.168.2.0/24 (i.e. push the command "route 192.168.2.0 255.255.255.0"). You can also set this route in Viscosity if you don't have control of the OpenVPN server.

2. Have the OpenVPN server use a larger subnet when assigning the IP address (using the "ifconfig" command) instead of a single IP address. /24 (aka 255.255.255.0) is a more common netmask to use, and would enable access to the whole 192.168.2.0/24 subnet without needing to push an additional route.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
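The check James describes above, as an added example (not Viscosity's or OpenVPN's own code): it parses a PUSH_REPLY like the one in the log and reports whether each pushed route's gateway falls inside the prefix that 'ifconfig' routes into the tunnel. The sample messages are constructed from the thread; the "fixed" variant models option 2 (a /24 tunnel netmask).

```python
import ipaddress

# Constructed sample based on the PUSH_REPLY quoted in the thread's log.
BROKEN_PUSH = ("PUSH_REPLY,dhcp-option DNS 192.168.100.11,"
               "route 192.168.100.0 255.255.255.0,route-gateway 192.168.2.1,"
               "topology subnet,ifconfig 192.168.2.77 255.255.255.255,peer-id 0")
# Same push with the server handing out a /24 tunnel network (James's option 2).
FIXED_PUSH = BROKEN_PUSH.replace("ifconfig 192.168.2.77 255.255.255.255",
                                 "ifconfig 192.168.2.77 255.255.255.0")


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into (option, [args]) pairs."""
    return [(p.split()[0], p.split()[1:]) for p in msg.split(",")[1:]]


def check_pushed_routes(msg):
    """For each pushed 'route', report whether its gateway lies inside a prefix
    that is already routed into the tunnel. The tunnel prefix comes from
    'ifconfig <addr> <netmask>'; a /32 netmask covers the client address only,
    so a gateway such as 192.168.2.1 falls outside it and the kernel installs
    the route on whatever interface its existing table resolves the gateway to
    (en0 in the thread). Returns a list of (destination, gateway, via_tunnel)."""
    opts = parse_push_reply(msg)
    route_gw = next((a[0] for n, a in opts if n == "route-gateway"), None)
    tunnel = [ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
              for n, a in opts if n == "ifconfig"]
    report = []
    for name, args in opts:
        if name != "route":
            continue
        mask = args[1] if len(args) > 1 else "255.255.255.255"
        gw_str = args[2] if len(args) > 2 else route_gw
        if gw_str == "vpn_gateway":      # OpenVPN keyword for the pushed route-gateway
            gw_str = route_gw
        dest = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
        gw = ipaddress.ip_address(gw_str)
        via_tunnel = any(gw in net for net in tunnel)
        report.append((str(dest), str(gw), via_tunnel))
        if via_tunnel:
            tunnel.append(dest)  # hosts behind a good route become reachable too
    return report


if __name__ == "__main__":
    for label, push in (("as pushed", BROKEN_PUSH), ("with /24 ifconfig", FIXED_PUSH)):
        for dest, gw, ok in check_pushed_routes(push):
            print(f"{label}: {dest} via {gw} -> {'via tunnel' if ok else 'NOT via tunnel'}")
```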

Zach

Posts: 3
Joined: Thu Aug 08, 2024 11:44 pm

Post by Zach » Fri Aug 09, 2024 10:53 pm
Thank you, James.

After changing the client-specific override on my OpenVPN server to include 192.168.2.77/24 as the "IPV4 Tunnel Network", the client now routes all traffic for the 192.168.2 subnet to the correct interface.

The official OpenVPN client functions with either configuration. It seems the difference is that, when setting up the interface, the OpenVPN client includes the (server-specified) gateway address of 192.168.2.1, whereas Viscosity omits it from the ifconfig command. The interface still ends up misconfigured either way, as with either client the netmask is still set to 255.255.255.255.

Regardless, the issue is now resolved, and I'm able to connect with Viscosity again.