
OpenVPN VPN Server on OS X Server with Mavericks, pfctl, and Tunnelblick

Here are notes on how to build an OpenVPN VPN server on OS X Server with Mavericks, pfctl, and Tunnelblick. Previous OpenVPN server configurations on OS X Server rely upon using the now deprecated natd and ipfw to route VPN traffic, and this solution no longer works. This post describes a replacement using the now preferred pfctl OpenBSD packet filter, which comes with its own NAT. This setup will provide a TLS-based VPN server using 4096-bit certificates and UDP port 443, accessible by any OpenVPN client, especially iOS with the OpenVPN app.


Why would you want to build your own VPN server when OS X Server already comes with a VPN service? First, the latest Server.app version 3 breaks VPN to mobile devices. This problem is known and will undoubtedly be fixed soon; however, the VPN technology used by OS X Server is broken and should be avoided altogether (Microsoft’s PPTP: "PPTP traffic should be considered unencrypted"), or is under a cloud (L2TP/IPsec with pre-shared keys and MS-CHAPv2 authentication: "IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector"). So if you’re going to use OS X Server’s native VPN service, make sure that you use a really long *random* PSK. If you want secure certificate-based VPN between OS X Server and iOS, OpenVPN is the only option.


Furthermore, OS X Server has its firewall turned off by default, assuming that the server lives behind the router's firewall and NAT. Integrating OpenVPN access within a working OS X Server firewall provides greater security than OS X Server's default configuration.


Here’s how to build a VPN Server on OS X Mavericks:


Step 1. Get OpenVPN on OSX and configure it.


1A. I like MacPorts, so assuming that you've downloaded and installed Xcode from the App Store and installed MacPorts, run:


sudo port selfupdate

sudo port install openvpn


Step 2. Get Tunnelblick on OS X and configure it.


2A. <http://code.google.com/p/tunnelblick/>


2B. Create your certificates with Easy-RSA


mkdir -p ~/Backups/OpenVPN/easy-rsa-tunnelblick

sudo rsync -va /Applications/Tunnelblick.app/Contents/Resources/easy-rsa-tunnelblick/ ~/Backups/OpenVPN/easy-rsa-tunnelblick

cd ~/Backups/OpenVPN/easy-rsa-tunnelblick

su root

# edit script defaults like KEY_CN == Common Name

vi ./vars


export KEY_SIZE=4096

export KEY_EMAIL="admin@domainname.com"

export KEY_CN=Domainname


mkdir -m go-rwx ./keys

touch ./keys/index.txt

echo 1 > ./keys/serial

. ./vars

./clean-all

./build-ca --pass

./build-key-server server-domainname

# choose a unique Common Name (CN) for each client

./build-key client-domainname

./build-dh

openvpn2 --genkey --secret ./keys/ta.key


# Notes:

# Use the domain name "domainname.com" for the common name

# Contact email "admin@domainname.com" must match name in CA;

# otherwise, there will be some X509 error.


# For the server-domainname cert, use the default common name

# "server-domainname". This must also match the client configuration

# setting:

# tls-remote domainname.com


# Unnecessary if you already signed with ./build-key[-server]

# ./sign-req server-domainname

# ./sign-req client-domainname


cd keys

openssl verify -CAfile ca.crt ca.crt

openssl verify -CAfile ca.crt server-domainname.crt

openssl verify -CAfile ca.crt client-domainname.crt

exit # root


2C. Create a .tblk directory for your VPN server with all the necessary files. I'll demo a tun setup. The LAN here looks like a router on 10.0.1.1 and an OS X Server on 10.0.1.3.


mkdir ~/Desktop/Domainname_tun.tblk

cd ~/Backups/OpenVPN/easy-rsa-tunnelblick/keys

sudo cp -p ca.crt dh4096.pem server-domainname.crt server-domainname.key ta.key ~/Desktop/Domainname_tun.tblk

sudo chown -R username ~/Desktop/Domainname_tun.tblk

cd ~/Desktop/Domainname_tun.tblk

vi config.ovpn


local 10.0.1.3

port 443

proto udp


dev tun

;dev tap


ca ca.crt

cert server-domainname.crt

key server-domainname.key


tls-auth ta.key 0


dh dh4096.pem


server 10.2.0.0 255.255.255.0


;server-bridge 10.0.1.3 255.255.255.0 10.0.1.50 10.0.1.90


;topology subnet


# Push routes to the client to allow it

# to reach other private subnets behind

# the server. Remember that these

# private subnets will also need

# to know to route the OpenVPN client

# address pool (10.2.0.0/255.255.255.0)

# back to the OpenVPN server.

;push "route 10.0.1.0/255.255.255.0"


push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"

;push "dhcp-option DNS 10.0.1.3"

;push "dhcp-option DOMAIN domainname.com."


client-to-client


keepalive 10 120


;cipher BF-CBC


comp-lzo


max-clients 10


user nobody

group nobody


persist-key

persist-tun


ifconfig-pool-persist ipp.txt


verb 3



2D. Forward UDP port 443 from your router to your server at 10.0.1.3. (You may also wish to forward the default OpenVPN port 1194 as well to test other configurations.)


2E. Double-click on ~/Desktop/Domainname_tun.tblk within Finder, which should start Tunnelblick and import your configuration. Then,


Tunnelblick>VPN Details ... >Configuration>Settings>Set Nameserver (3.1)


You may also wish to launch this service at boot.


Hit connect and Tunnelblick should launch your OpenVPN server on UDP port 443.


2F. Get OpenVPN from the iOS App store and securely transfer a client.ovpn file to it:


client.ovpn:


####

## Domain Mac UDP client configuration version 2.0

####

client

dev tun

proto udp

remote server.domainname.com 443

redirect-gateway def1

resolv-retry infinite

nobind

;user nobody

;group nobody

persist-key

persist-tun

;ca ca.crt

;cert iPad-domainname.crt

;key iPad-domainname.key

<ca>

-----BEGIN CERTIFICATE-----

MY CERT from ca.crt

-----END CERTIFICATE-----

</ca>

ns-cert-type server

;tls-auth ta.key 1

key-direction 1

<tls-auth>

#

# 4096 bit OpenVPN static key

#

-----BEGIN OpenVPN Static key V1-----

MY CERT from ta.key

-----END OpenVPN Static key V1-----

</tls-auth>

;auth-user-pass

;tls-remote server-domainname

tls-cipher DHE-RSA-AES256-SHA

;cipher BF-CBC

;client-http-proxy 10.0.1.3 3128

comp-lzo

verb 3



Step 3. Configure pfctl on OS X to route your VPN packets correctly.


3A. Set up sysctl variables at boot:


sudo mkdir -p /Library/Application\ Support/vpn

sudo vi /Library/Application\ Support/vpn/enable-vpn-forward-nat.sh


#!/bin/bash

#

# References: The Book of PF, p. 21; https://forums.openvpn.net/topic11401.html

#

# Sleep is necessary because the network has to be up when the following commands run;

# otherwise the network will not work at all

#

sleep 15

#

/usr/sbin/sysctl -w net.inet.ip.fw.enable=1

/usr/sbin/sysctl -w net.inet.ip.forwarding=1

/usr/sbin/sysctl -w net.inet6.ip6.forwarding=1


# natd and ipfw are DEPRECATED. Use pfctl(8) instead with nat, e.g.

# nat on en0 from 10.0.0.0/8 to any -> (en0)

###/usr/sbin/natd -interface en0

###/sbin/ipfw add divert natd ip from any to any via en0


sudo vi /Library/LaunchDaemons/net.openvpn.enable-vpn-forward-nat.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.openvpn.enable-vpn-forward-nat</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/vpn/enable-vpn-forward-nat.sh</string>

</array>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>


sudo launchctl load -w /Library/LaunchDaemons/net.openvpn.enable-vpn-forward-nat.plist


3B. Integrate a NAT within the existing OS X Server pfctl rules in /etc/pf.conf and set up a launch daemon for pf. The essential pfctl NAT and filter rules are


nat on en0 from 10.0.0.0/8 to any -> (en0)

pass from { lo0, 10.0.0.0/8 } to any keep state


sudo vi /etc/pf.conf


# References for modifications:

# The Book of PF by Peter N.M. Hansteen

# http://hints.macworld.com/article.php?story=20121011004626997

# http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/

# http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/


# Options

set block-policy drop

set fingerprints "/etc/pf.os"

set ruleset-optimization basic

set skip on lo0


# Normalization

# Scrub incoming packets

scrub in all no-df


#

# com.apple anchor point

#

scrub-anchor "com.apple/*"


# Queueing


# Translation


# OpenVPN Server NAT

#

# The Book of PF, p. 21

int_if = "en0" # macro for internal interface

localnet = "10.0.0.0/8"

nat on $int_if from $localnet to any -> ($int_if)


nat-anchor "com.apple/*"

rdr-anchor "com.apple/*"

dummynet-anchor "com.apple/*"

anchor "com.apple/*"

load anchor "com.apple" from "/etc/pf.anchors/com.apple"


# Filtering

lan_server = 10.0.1.3


# Antispoof

antispoof log quick for { lo0 en0 }


# Block by default

block in log


# Allow outgoing traffic from NAT'd { lo0, $localnet }

# The Book of PF, p. 21

pass from { lo0, $localnet } to any keep state


# Block to/from illegal destinations or sources

block in log quick from no-route to any


# Allow critical system traffic

pass in quick inet proto udp from any port 67 to any port 68


# Allow ICMP from home LAN

pass in log proto icmp from $lan_server:network


# Allow outgoing traffic

pass out inet proto tcp from any to any keep state

pass out inet proto udp from any to any keep state


# Internet services

internet_udp_services = "{ https, 500, 1194, 1701, 4500, 5060, 5190, 5297, 5298, 5678, 16384 }"

internet_tcp_services = "{ ssh, smtp, https, 143, 587, 993, 995, 1640, 2170, 2195, 2196, 4190,\

5218, 5223, 5190, 5220, 5222, 5298, 8008, 8443, 8800, 8843 }"

pass in quick inet proto tcp from any to { lo0, $lan_server } port $internet_tcp_services

pass in quick inet proto udp from any to { lo0, $lan_server } port $internet_udp_services


# LAN services: block access, except from localnet

lan_udp_services = "{ 5001 }"

lan_tcp_services = "{ domain, auth, nntp, www, 311, 3128, 5001, 5900:5909, 8118, 8123 }"

pass in quick inet proto tcp from { lo0, $localnet } to { lo0, $lan_server } port $lan_tcp_services

pass in quick inet proto udp from { lo0, $localnet } to { lo0, $lan_server } port $lan_udp_services


sudo vi /Library/LaunchDaemons/net.openbsd.pf.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.openbsd.pf.plist</string>

<key>Program</key>

<string>/sbin/pfctl</string>

<key>ProgramArguments</key>

<array>

<string>/sbin/pfctl</string>

<string>-e</string>

<string>-f</string>

<string>/etc/pf.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>ServiceDescription</key>

<string>OpenBSD Packet Filter (pf)</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>


sudo launchctl load -w /Library/LaunchDaemons/net.openbsd.pf.plist


3C. Finally, turn on OS X Server’s adaptive firewall if you like:


sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serverctl enable service=com.apple.afctl

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

Mac mini Server (Mid 2010), OS X Mountain Lion (10.8.2), OS X Server, EyeTV HD, Turbo.264 HD

Posted on Nov 8, 2013 6:44 AM

71 replies

Dec 23, 2014 7:16 PM in response to essandess

Good news -- the issue that prevents VPN clients from accessing the host machine has been solved, thanks to this post. The solution involves these pf.conf directives:


vpn_net = "10.8.0/24" # utun0 interface doesn't exist at boot time

# The Book of PF, p. 21

# Allow VPN connections to the VPN host:

# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work

int_if = "en0"

tun_if = "utun0"

# use ($tun_if) because utun0 doesn't exist at boot time

no nat on ! $tun_if from $vpn_net to ($int_if)

nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if)

# This rule must be included below:

pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if


This provides VPN access to the server itself, which is especially helpful to use things like DNS on the LAN and secure, privacy-enhancing proxies.


I've created two github packages that incorporate feedback from this and other threads and install the configuration for an OpenVPN server on OS X, and a firewall/blackhole/privacy-enhancing proxy. These are available from github.com at:


essandess/osx-openvpn-server

essandess/osxfortress

Oct 27, 2015 4:24 PM in response to essandess

Hi. I take it this still works under El Capitan? I'm just trying to set it all up on my Mac mini running El Capitan. I've installed tunnelblick and downloaded the latest osx-openvpn-server.zip. I started following the instructions in readme-and-install.sh, and, inputting commands line by line into Terminal.app, line 43 fails:


xxx:~ xxx$ sudo install -m 755 -B .orig ./vars $OPENVPN_INSTALL

install: ./vars: No such file or directory


I tried skipping down to line 49, however, that fails too:

xxx:~ xxx$ rsync -va ./openvpn-server-tun.tblk $OPENVPN_INSTALL

building file list ... rsync: link_stat "/Users/xxx/./openvpn-server-tun.tblk" failed: No such file or directory (2)

done


sent 29 bytes received 20 bytes 98.00 bytes/sec

total size is 0 speedup is 0.00

rsync error: some files could not be transferred (code 23) at /BuildRoot/Library/Caches/com.apple.xbs/Sources/rsync/rsync-47/rsync/main.c(992 ) [sender=2.6.9]


Any ideas as to what I'm doing wrong?

Oct 29, 2015 3:33 AM in response to UrosR

UrosR wrote:


Hi. I take it this still works under El Capitan?


xxx:~ xxx$ sudo install -m 755 -B .orig ./vars $OPENVPN_INSTALL

install: ./vars: No such file or directory



Any ideas as to what I'm doing wrong?


Yes, everything works great on 10.11.


You're simply in the wrong directory. cd to the directory where vars lives and issue the commands. For simple errors like that there are man pages, e.g. "man install" or Google.

Dec 29, 2015 1:10 PM in response to essandess

I've tried the solution, but the pf.conf states the syntax is incorrect when reloaded.


What I'm trying to do is have a Yosemite desktop machine act as DHCP and DNS servers. Then connect to OpenVPN via tunnelblick. All clients to connect via the Yosemite machine and then through the tunnel to the Internet.


I've enabled packet forwarding and all client machines are able to connect to the Internet through the Yosemite machine.


However as soon as I enable Tunnelblick VPN connection, the clients lose connection to the Internet, I think there is some NAT problem?


I think I'm looking in the right thread, any ideas on how to achieve this?

Dec 30, 2015 11:39 AM in response to essandess

It will work without the Tunnelblick VPN connection running because the OSX machine still has access to the internet. Therefore clients can have their packets forwarded to the internet in a normal fashion.


There is no error message, simply cannot get clients to get an internet connection, cannot resolve via IP or DNS.


I played around with it, and got it to work by adding Tunnelblick to the firewall (which I don't think is the right way), and the pf.conf rules as per the github.


Either way, after a reboot it was broken again, too finicky for my needs, with Tunnelblick being a bit buggy too in its startup manner. Tried fixing it again, but nothing, so have gone back to Ubuntu Server.

Dec 30, 2015 12:45 PM in response to jkbull

For example, I'm using the latest beta on your website; when I selected "connect to VPN on startup" and open on "Computer Startup", it would open but not connect.

But select Open on Computer Startup and Manually Connect -> it would actually open and automatically connect.

So maybe some issue in the managing of the startup daemons/plists.

Dec 30, 2015 3:08 PM in response to Elementjj

Elementjj wrote:


It will work without the Tunnelblick VPN connection running because the OSX machine still has access to the internet. Therefore clients can have their packets forwarded to the internet in a normal fashion.


There is no error message, simply cannot get clients to get an internet connection, cannot resolve via IP or DNS.


I played around with it, and got it to work by adding Tunnelblick to the firewall (which I don't think is the right way), and the pf.conf rules as per the github.


Either way, after a reboot it was broken again, too finicky for my needs, with Tunnelblick being a bit buggy too in its startup manner. Tried fixing it again, but nothing, so have gone back to Ubuntu Server.

This doesn't make any sense. How can VPN clients access the internet if the Tunnelblick VPN server isn't running?!


You say that you don't believe that adding the VPN server to the firewalls is "the right way", but do not say what you believe the right way is. These comments appear incoherent and difficult to address in any meaningful way.

Dec 30, 2015 3:21 PM in response to essandess

I think you didn't understand the setup.

Traffic flow

Client PC -> OSX PC -> Home Router -> Internet --This worked fine.

OSX PC -> Tunnelblick -> Router -> VPN Server via tunnel -> Internet --This Works.

Client PC -> OSX PC -> Tunnelblick -> Router -> VPN Server via tunnel -> Internet --This doesn't work.


The OSX PC acts as a DNS server, also Gateway IP for the Client PC.

Tunnelblick is the VPN Client for my VPS server elsewhere.


I'm coming from setting this up on Linux, where all I did was pass traffic from all addresses to the tunnel network adaptor. I didn't need to add anything more to the firewall, hence I wasn't sure about adding Tunnelblick to the firewall. Also the OSX machine happily browsed the Internet without touching the firewall in the first place.


Either way no need to scratch heads, I've gone back to my original implementation.

Apr 2, 2016 1:15 AM in response to NEI

I faced some issues while using a best VPN for Mac; at that time I didn't know about the VPN protocol, but I joined some expert communities and they recommended me to use Ivacy.com, which is supported on Mac and other devices as well. I think I am very lucky because I am using Mac with OpenVPN configuration at the cheapest rates. You can find more information: https://www.ivacy.com/vpn-app-for-mac/

May 20, 2016 10:09 AM in response to essandess

Hi guys, I currently have the simple need to access my office OSX Mac mini from home (with a PC or a tablet) and, when I'm onsite with my iPhone, just to have a look at files served by Server.app with smb/webdav services. I've followed the very well detailed setup revised by essandess (not all actually, I do not even need forwarding by now, just to reach the server at 10.8.0.1 ...) and everything seems to work fine (OSX 10.11.5 + Tunnelblick 3.6.3), but I have performance problems as I cannot obtain transfer rates higher than 50-80 kbps. Am I doing something wrong (I have set up no routes as I need nothing by now ...) or might there be a limitation by ISPs / network appliances? Have tried different MTU setups in server.conf and settings @ my router (disabled SPI firewall, and so on) but no way out. Any idea / known issue you know? Thanks in advance.

May 21, 2016 12:13 PM in response to archeom

You'll have to troubleshoot bandwidth issues. Personally, I see about 12 Mbps through a solid LTE link over VPN.


iperf is a nice bandwidth troubleshooting tool:


sudo port install iperf

iperf -s


VPN in to the server (preferred), or (temporarily) open a hole in the server firewall for port 5001, then:


On another box:


iperf -c servername.domainname.tld


On iOS, use the iPerf2 iOS app.


Here's a launchdaemon that will always keep a copy of iperf running:


sudo launchctl load -w com.mydomain.iperf.plist


com.mydomain.iperf.plist:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.mydomain.iperf</string>

<key>ServiceDescription</key>

<string>Starts an iPerf Server.</string>

<key>Program</key>

<string>/opt/local/bin/iperf</string>

<key>ProgramArguments</key>

<array>

<string>iperf</string>

<string>-s</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>KeepAlive</key>

<dict>

<key>NetworkState</key>

<true/>

</dict>

<key>TimeOut</key>

<integer>90</integer>

</dict>

</plist>

May 24, 2016 3:51 PM in response to essandess

Hi, thanks for the reply earlier. I finally got some time to have another look at this.


I got the client (iOS OpenVPN) to connect to the server now (OSX 10.11.4 / Tunnelblick 3.6.3), however, not all works as it should. I believe I need help with routing.


Some background info:

- I've already got a working L2TP server set up in Apple's Server.app that is enabled

- Tunnelblick is added to the Firewall's exception list so that incoming connections are allowed

- I skipped osxfortress for now/skipped the relevant bit from the server installation too - I assumed this isn't necessary for the openvpn server to work, no?

- I've updated server's and client's config.ovpn to reflect my home LAN as best as I could (as detailed below) prior to the openvpn server installation

- During the openvpn server installation, I have specified my server's IP on the LAN accordingly (i.e.,: sed -i '' -e 's/192.168.xx.89/'`.......)

- I did not edit enable-vpn-forward-nat.sh or pf.conf - do they need to be edited to reflect my home LAN?


Questions

1) Client has neither access to internet nor access to LAN upon successful connection. I cannot figure this bit out - I assume it is a routing error?


- My server is on 192.168.xx.89 with the modem/router at 192.168.xx.1. My client gets VPN IPv4 of 10.8.0.6 upon connection. Shouldn't it have been more like 192.168.xx.yy instead? I thought I have specified the range from 192.168.xx.60 to 192.168.xx.80 be available (as below).


- here's my routing bit of the server's ovpn:


server 10.8.0.0 255.255.255.0

route 192.168.xx.1 255.255.255.0

route 10.8.0.0 255.255.255.0


;server-bridge 192.168.xx.89 255.255.255.0 192.168.xx.60 192.168.xx.80


;topology subnet


# Push routes to the client to allow it

# to reach other private subnets behind

# the server. Remember that these

# private subnets will also need

# to know to route the OpenVPN client

# address pool (10.8.0.0/255.255.255.0)

# back to the OpenVPN server.

push "route 192.168.xx.1 255.255.255.0"

push "route 10.8.0.0 255.255.255.0"


push "redirect-gateway def1"

; push "dhcp-option DNS 10.8.0.1"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 4.4.4.4"

; push "dhcp-option DOMAIN server.domainname.com"

; push "dhcp-option PROXY_AUTO_CONFIG_URL http://proxy.domainname.private/proxy.pac"

;push "dhcp-option PROXY_HTTP 10.8.0.1 3128"

;push "dhcp-option PROXY_BYPASS domainname.com"


2) I get 'Use 'down-root' plugin for OpenVPN?' prompt in Tunnelblick - should I use it or not?

3) 'Route all IPv4 traffic through the VPN' and 'Disable IPv6 (tun only) - which of these should be checked in Tunnelblick? If the first one is checked, the server will not connect. Is this normal?


Any help is greatly appreciated.

May 25, 2016 2:44 AM in response to UrosR

Looks like either a sysctl/pf configuration issue, or possibly a subnet issue crossing between 192.168/16 and 10/8.


You'll need to go through the setup step-by-step and troubleshoot.


sysctl: /Library/Application Support/vpn/enable-vpn-forward-nat.sh


Check that these flags are all set correctly:


/usr/sbin/sysctl net.inet.ip.fw.enable

net.inet.ip.fw.enable: 1

/usr/sbin/sysctl net.inet.ip.forwarding

net.inet.ip.forwarding: 1

/usr/sbin/sysctl net.inet6.ip6.forwarding

net.inet6.ip6.forwarding: 1


If not, run the shell script and make sure the launch daemon is loaded.


pf: /etc/pf.conf


Enabled?


sudo pfctl -si


VPN rules correct?


vpn_net = "10.8.0/24" # utun0 interface doesn't exist at boot time

int_if = "en0"

tun_if = "utun0"

no nat on ! $tun_if from $vpn_net to ($int_if)

nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if)

...

pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if


Is en0 the correct interface on your box?


ifconfig -a


Debug with tcpdump, e.g.:


sudo tcpdump -n -e -ttt -i pktap,en0,utun0 tcp port 80


Try putting the VPN server on a 192.168/16 subnet with the server directive in config.ovpn:


server 192.168.100.0 255.255.255.0


You'll need to propagate this change to other config files like pf.conf.
