OpenVPN VPN Server on OS X Server with Mavericks, pfctl, and Tunnelblick

Thanks for the reply. Still struggling, the client now gets the 192.168.xx.6 LAN (so it is on the same subnet as the server), but still no access to the internet or LAN (I am trying to VNC into the server). Here are my findings/changes I've done now:

enable-vpn-forward-nat.sh

- yes, as suggested (this is the same as in the openpn server install)

pf.conf

- changed "vpn_net = "10.8.0/24"" into "vpn_net = "192.168/16"" and removed the # sign in front of this line

- removed the # sign in front of the "pass in..." line

sudo pfctl -si

- has been off

- turned it on now:

No ALTQ support in kernel

ALTQ related functions disabled

Status: Enabled for 0 days 01:44:30 Debug: Urgent

....

ifconfig -a

1) Yup, the server is on eth0

2) I also have this utun0:

utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380

inet6 fe80::bc72:d1bb:6775:955%utun0 prefixlen 64 scopeid 0x7

inet6 fd84:3088:1863:5d4e:bc72:d1bb:6775:955 prefixlen 64

nd6 options=1<PERFORMNUD>

3) Once I start the Tunnelblick server, I also get utun1:

utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500

inet 192.168.xx.1 --> 192.168.xx.2 netmask 0xffffffff

server config.ovpn:

server 192.168.xx.0 255.255.255.0

route 192.168.xx.1 255.255.255.0

route 192.168.xx.0 255.255.255.0

(further down:)

push "route 192.168.xx.1 255.255.255.0"

push "route 192.168.xx.0 255.255.255.0"

EDIT:

Tunnelblick log errors/possible problems when starting the server (yellow/blue highlighted bits):

2016-05-25 19:13:03 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2016-05-25 19:13:03 WARNING: potential conflict between --local address [192.168.xx.89] and --ifconfig address pair [192.168.xx.1, 192.168.xx.2] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn)

2016-05-25 19:13:03 /sbin/ifconfig utun1 delete

ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

2016-05-25 19:13:03 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

2016-05-25 19:13:03 /sbin/ifconfig utun1 192.168.xx.1 192.168.xx.2 mtu 1500 netmask 255.255.255.255 up

2016-05-25 19:13:03 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1542 192.168.xx.1 192.168.xx.2 init

**********************************************

Start of output from client.up.tunnelblick.sh

NOTE: No network configuration changes need to be made.

WARNING: Will NOT monitor for other network configuration changes.

WARNING: Will NOT disable IPv6 settings.

DNS servers '192.168.xx.1' were set manually

DNS servers '192.168.xx.1' will be used for DNS queries when the VPN is active

NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.

Flushed the DNS cache via dscacheutil

/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil

Notified mDNSResponder that the DNS cache was flushed

End of output from client.up.tunnelblick.sh

**********************************************

Hi again. Spent a couple of more hours on this today.

This time I added I moved the VPN clients onto the 192.168.100.xx subnet as suggested.

I propagated this change to config.ovpn (server 192.168.100.0 255.255.255.0 etc) and pf.conf like this:

# $vpn_net == utun0/24 when Tunnelblick creates utun0

vpn_net = "192.168/16"
# utun0 interface doesn't exist at boot time

...

int_if = "en0"

tun_if = "utun0"

no nat on ! $tun_if from $vpn_net to ($int_if)

nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if)

...

pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if

enable-vpn-forward-nat.sh is enabled and the daemon is loaded.

pfctl is enabled

en0 is indeed where my ethernet cabled is plugged into the server. Verified through system report as well as Terminal (ifconfig -a).

The VPN service in OSX Server.app is disabled.

The server now starts without conflicts (as opposed to before) and I can connect to it from clients without any errors as well. Clients get 192.168.100.xx IP and I can ping my server successfully (ping 192.168.xx.89 - my server).

Internet still does not work (neither websites by name nor IP) and AFP/VNC to the server do not work either.

Any ideas as to what I could be doing wrong?

Thanks.

Thanks for the reply. I do not think it is the DNS issue - internet websites do not open via their IP's either. I'm using Google DNS for both the server itself (Network preferences) and the server's vpn config. Excluding push "dhcp-option DNS 8.8.8.8" from the server config doesn't really change anything. FWIW, this is my vpn server config: http://pastebin.com/LEmNjSk7 very simple.

I am leaning towards a pf.conf issue. Here's what it looks like atm (edited out the comments and excluded lines for clarity's sake):

http://pastebin.com/7vj7cKhq

1.) Line 28 (pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if) - should this be moved right after my line 15?

2.) Lines 61&62 - are these correct with $vpn_net in there as such? Should there perhaps be 4 lines - two with and two without $vpn_net?

3.) Am I missing anything else in it? Anything else wrong?

4.) Reading your (I assume) thread here: http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-cli ent-to-server-but-ping-traceroute-work, should I be doing nat on en0 from { 10.8.0.0/24 10.0.1.0/24 } to any -> (en0) / pass all in my pf.conf?

Thanks.

Further to my questions above, I may be onto something:

Running sudo tcpdump -n -e -ttt -i pktap,en0,utun0 udp port 443, I get the following after the client connects to the vpn:

00:00:00.124010 <<SERVER ETHERNET MAC ADDRESS>> > <SERVER FIREWIRE MAC ADDRESS>, ethertype IPv4 (0x0800), length 151: <CLIENT PUBLIC IP>.65442 > <SERVER LOCAL IP>.443: UDP, length 109

00:00:02.077416 <SERVER FIREWIRE MAC ADDRESS> > <<SERVER ETHERNET MAC ADDRESS>>, ethertype IPv4 (0x0800), length 95: <SERVER LOCAL IP>.443 > <CLIENT PUBLIC IP>.65442: UDP, length 53

00:00:00.805616 <<SERVER ETHERNET MAC ADDRESS>> > <SERVER FIREWIRE MAC ADDRESS>, ethertype IPv4 (0x0800), length 151: <CLIENT PUBLIC IP>.65442 > <SERVER LOCAL IP>.443: UDP, length 109

00:00:00.125637 <<SERVER ETHERNET MAC ADDRESS>> > <SERVER FIREWIRE MAC ADDRESS>, ethertype IPv4 (0x0800), length 151: <CLIENT PUBLIC IP>.65442 > <SERVER LOCAL IP>.443: UDP, length 109

00:00:08.891086 <<SERVER ETHERNET MAC ADDRESS>> > <SERVER FIREWIRE MAC ADDRESS>, ethertype IPv4 (0x0800), length 151: <CLIENT PUBLIC IP>.65442 > <SERVER LOCAL IP>.443: UDP, length 109

00:00:00.000338 <SERVER FIREWIRE MAC ADDRESS> > <<SERVER ETHERNET MAC ADDRESS>>, ethertype IPv4 (0x0800), length 95: <SERVER LOCAL IP>.443 > <CLIENT PUBLIC IP>.65442: UDP, length 53

00:00:00.128451 <SERVER ETHERNET MAC ADDRESS> > <SERVER FIREWIRE MAC ADDRESS>, ethertype IPv4 (0x0800), length 151: <CLIENT PUBLIC IP>.65442 > <SERVER LOCAL IP>.443: UDP, length 109

00:00:10.008615 <<SERVER ETHERNET MAC ADDRESS>> > <SERVER FIREWIRE MAC ADDRESS>, ethertype IPv4 (0x0800), length 95: <CLIENT PUBLIC IP>.65442 > <SERVER LOCAL IP>.443: UDP, length 53

00:00:00.000224 <SERVER FIREWIRE MAC ADDRESS> > <<SERVER ETHERNET MAC ADDRESS>>, ethertype IPv4 (0x0800), length 95: <SERVER LOCAL IP>.443 > <CLIENT PUBLIC IP>.65442: UDP, length 53

00:00:10.001275 <<SERVER ETHERNET MAC ADDRESS>> > <SERVER FIREWIRE MAC ADDRESS>, ethertype IPv4 (0x0800), length 95: <CLIENT PUBLIC IP>.65442 > <SERVER LOCAL IP>.443: UDP, length 53

00:00:00.000210 <SERVER FIREWIRE MAC ADDRESS> > <<SERVER ETHERNET MAC ADDRESS>>, ethertype IPv4 (0x0800), length 95: <SERVER LOCAL IP>.443 > <CLIENT PUBLIC IP>.65442: UDP, length 53

00:00:06.919615 <<SERVER ETHERNET MAC ADDRESS>> > <SERVER FIREWIRE MAC ADDRESS>, ethertype IPv4 (0x0800), length 151: <CLIENT PUBLIC IP>.65442 > <SERVER LOCAL IP>.443: UDP, length 109

etc etc

Is there a reason to get the Server's Firewire involved into this? Wouldn't it be logical that my client's MAC address would appear in the above tcpdump? I am not using firewire on my mac mini at all.

I'm stuck at what to do next though. I did test the pf.conf rules with sudo pfctl -v -n -f /etc/pf.conf and they run just fine. I compared them with the original pf.conf on https://github.com/essandess/osx-openvpn-server/blob/master/pf.conf and the only difference is "vpn_net = "10.8.0/24"" changed to "vpn_net = "192.168.0/16"" line. I was also toying around with either included or excluded "pass in proto udp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_udp_services" line and then various permutations of that with 'set nameserver' and 'do not set nameserver' in tunnelblick server, but no dice. Are there specific settings for Tunnelblick that should work?

Ok, internet access fixed now 🙂. Thank you! It was a pf.conf issue indeed, specifically the 'block all' line. Once I commented that bit out, I could reach the internet over VPN. A quick IP check verifies that my location is the same as server's location, so all good on that front.

However, I do not have access to the server itself via VPN. VNC and AFP both fail over VPN (while they both work over SSH).

This is my pf.conf now (I've removed filtering rules to keep it as simple as possible/as I am not (yet) using osxfortress):

vpn_net = "192.168/16" # utun0 interface doesn't exist at boot time

scrub-anchor "com.apple/*"

int_if = "en0"

tun_if = "utun0"

no nat on ! $tun_if from $vpn_net to ($int_if)

nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if)

pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if

nat-anchor "com.apple/*"

rdr-anchor "com.apple/*"

dummynet-anchor "com.apple/*"

anchor "com.apple/*"

load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# OS X Server Adaptive Firewall

# Comment out for nonOS X Server instances

anchor "com.apple.server-firewall/*"

load anchor "com.apple.server-firewall" from "/etc/pf.anchors/com.apple.server-firewall"

Anything I'm missing in there?

Thank you.

Figured it out now, essandess. The solution was this:

Due to:

ifconfig -a

utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380

inet6 fe80::bc72:d1bb:6775:955%utun0 prefixlen 64 scopeid 0x7

inet6 fd84:3088:1863:5d4e:bc72:d1bb:6775:955 prefixlen 64

nd6 options=1<PERFORMNUD>

And after starting the Tunnelblick server, getting utun1 as well:

utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500

inet 192.168.100.1 --> 192.168.100.2 netmask 0xffffffff

I had to change the following in pf.conf:

from tun_if = "utun0" into tun_if = "utun1"

Now remote clients have access to the services running on the server as well (VNC, AFP, SMB, etc.) 🙂.

I do wonder why this was required. Perhaps a change in Tunnelblick? Or a recent El Capitan change?

Hi Guys, two very stupid question but cannot get out of it.

1. Is there a way to avoid continuously having the request for a password being prompted upon connection ? I expected to have it being saved on my keychain but cannot flag it ...

2. In my server config I added a log (or log-append) entry but nothing occours (I would like to keep a connection log history)

Thanks in advance

Hi Essandess, thanks for replying. I express myself wrongly with the term "keychain". Everything is perfect with Tunnelblick. Connection and - so far - reliability. I meant that when I click con the connect button I'm requested the password as - for security reason - the cfg is shadowed. If I disconnect and re-connect, password prompted again. So if I restart as I have Tunnelblick to start at login. I need T/B to connect to my cfg without user intervention so that, in case of problems, I just reboot my server and I have my vpn up and running. With keychain I meant the osx credential storage granted as root.