OpenVPN problem with Tunnelblick

ptiseb60

Registered member
17 November 2017
Hello,

I'm stuck on a problem with Tunnelblick.
I set up an OpenVPN connection that works very well with OpenVPN clients on Windows.
However, I have a problem with Tunnelblick on Mac using the generated OpenVPN configuration file.
To explain: once connected, I can communicate fine with the other machines connected on the virtual IP range, which is 192.168.20.x.
However, I cannot communicate with the servers at my remote site, which are on the 192.168.1.x range, which is annoying since that was the whole point.

I realised that the ISP box my Mac is connected through is on the same IP range as my remote site. So I changed my box's IP range, and then it works.

Yet with an OpenVPN client on Windows I don't run into this problem, even when the local box's range is the same as my remote site's.

I can't ask my users to change the IP ranges of their boxes (too complicated for them), and I can't change the IP range of my remote site because it is already interconnected with other sites over MPLS and that would involve too many changes.

I don't really see why the Windows client can handle this and Tunnelblick can't.

I'm not sure whether this will help, but here is the Tunnelblick log captured during the connection phase:

Tunnelblick Log:

*Tunnelblick: OS X 10.11.3; Tunnelblick 3.7.4 (build 4900)
2017-11-17 12:05:58 *Tunnelblick: Attempting connection with pfSense-UDP4-1194-User1-config; Set nameserver = 769; monitoring connection
2017-11-17 12:05:58 *Tunnelblick: openvpnstart start pfSense-UDP4-1194-User1-config.tblk 1338 769 0 3 0 1132336 -ptADGNWradsgnw 2.3.18-openssl-1.0.2m
2017-11-17 12:05:58 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.18-openssl-1.0.2m/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SpfSense--UDP4--1194--User1--config.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1132336.1338.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Shared/pfSense-UDP4-1194-User1-config.tblk/Contents/Resources
--setenv
IV_GUI_VER
"net.tunnelblick.tunnelblick 4900 3.7.4 (build 4900)"
--verb
3
--config
/Library/Application Support/Tunnelblick/Shared/pfSense-UDP4-1194-User1-config.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Shared/pfSense-UDP4-1194-User1-config.tblk/Contents/Resources
--management
127.0.0.1
1338
--management-query-passwords
--management-hold
--redirect-gateway
def1
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -o -r -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -o -r -w -ptADGNWradsgnw

2017-11-17 12:05:58 *Tunnelblick: Established communication with OpenVPN
2017-11-17 12:05:58 Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Shared/pfSense-UDP4-1194-User1-config.tblk/Contents/Resources/config.ovpn:10: block-outside-dns (2.3.18)
2017-11-17 12:05:58 OpenVPN 2.3.18 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Nov 2 2017
2017-11-17 12:05:58 library versions: OpenSSL 1.0.2m 2 Nov 2017, LZO 2.10
2017-11-17 12:05:58 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2017-11-17 12:05:58 Need hold release from management interface, waiting...
2017-11-17 12:05:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2017-11-17 12:05:58 MANAGEMENT: CMD 'pid'
2017-11-17 12:05:58 MANAGEMENT: CMD 'state on'
2017-11-17 12:05:58 MANAGEMENT: CMD 'state'
2017-11-17 12:05:58 MANAGEMENT: CMD 'bytecount 1'
2017-11-17 12:05:58 MANAGEMENT: CMD 'hold release'
2017-11-17 12:05:58 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-11-17 12:05:58 Control Channel Authentication: tls-auth using INLINE static key file
2017-11-17 12:05:58 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-11-17 12:05:58 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-11-17 12:05:58 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-11-17 12:05:58 UDPv4 link local (bound): [undef]
2017-11-17 12:05:58 UDPv4 link remote: [AF_INET]%IPSITE_DISTANT%:1194
2017-11-17 12:05:58 MANAGEMENT: >STATE:1510916758,WAIT,,,
2017-11-17 12:05:58 MANAGEMENT: >STATE:1510916758,AUTH,,,
2017-11-17 12:05:58 TLS: Initial packet from [AF_INET]%IPSITE_DISTANT%:1194, sid=9cb0af28 0fec11b7
2017-11-17 12:05:58 VERIFY OK: depth=1, C=FR, ST=%DEPT%, L=%VILLE%, O=%SOCIETE% du %VILLE%, emailAddress=%ADRESS%@%SOCIETE%-%VILLE%.fr, CN=OpenVPN CA
2017-11-17 12:05:58 Validating certificate key usage
2017-11-17 12:05:58 ++ Certificate has key usage 00a0, expects 00a0
2017-11-17 12:05:58 VERIFY KU OK
2017-11-17 12:05:58 Validating certificate extended key usage
2017-11-17 12:05:58 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-11-17 12:05:58 VERIFY EKU OK
2017-11-17 12:05:58 VERIFY X509NAME OK: C=FR, ST=%DEPT%, L=%VILLE%, O=%SOCIETE% du %VILLE%, emailAddress=%ADRESS%@%SOCIETE%-%VILLE%.fr, CN=certif-serveur-%SOCIETE%-%VILLE%
2017-11-17 12:05:58 VERIFY OK: depth=0, C=FR, ST=%DEPT%, L=%VILLE%, O=%SOCIETE% du %VILLE%, emailAddress=%ADRESS%@%SOCIETE%-%VILLE%.fr, CN=certif-serveur-%SOCIETE%-%VILLE%
2017-11-17 12:05:58 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-11-17 12:05:58 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-11-17 12:05:58 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2017-11-17 12:05:58 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-11-17 12:05:58 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-11-17 12:05:58 [certif-serveur-%SOCIETE%-%VILLE%] Peer Connection Initiated with [AF_INET]%IPSITE_DISTANT%:1194
2017-11-17 12:05:58 *Tunnelblick: openvpnstart starting OpenVPN
2017-11-17 12:05:59 MANAGEMENT: >STATE:1510916759,GET_CONFIG,,,
2017-11-17 12:06:00 SENT CONTROL [certif-serveur-%SOCIETE%-%VILLE%]: 'PUSH_REQUEST' (status=1)
2017-11-17 12:06:00 PUSH: Received control message: 'PUSH_REPLY,route %RESEAU DISTANT% 255.255.255.0,dhcp-option DOMAIN %SOCIETE%-%VILLE%.fr,dhcp-option DNS %DNS1%,dhcp-option DNS %DNS2%,register-dns,redirect-gateway def1,route %RESEAU DISTANT% 255.255.255.0,route-gateway %GATEWAY RESEAU VIRTUEL%,topology subnet,ping 10,ping-restart 60,ifconfig %IP CLIENT MAC VIRTUEL% 255.255.255.0,peer-id 1'
2017-11-17 12:06:00 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: register-dns (2.3.18)
2017-11-17 12:06:00 OPTIONS IMPORT: timers and/or timeouts modified
2017-11-17 12:06:00 OPTIONS IMPORT: --ifconfig/up options modified
2017-11-17 12:06:00 OPTIONS IMPORT: route options modified
2017-11-17 12:06:00 OPTIONS IMPORT: route-related options modified
2017-11-17 12:06:00 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-11-17 12:06:00 OPTIONS IMPORT: peer-id set
2017-11-17 12:06:00 OPTIONS IMPORT: adjusting link_mtu to 1560
2017-11-17 12:06:00 Opened utun device utun0
2017-11-17 12:06:00 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-11-17 12:06:00 MANAGEMENT: >STATE:1510916760,ASSIGN_IP,,%IP CLIENT MAC VIRTUEL%,
2017-11-17 12:06:00 /sbin/ifconfig utun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-11-17 12:06:00 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-11-17 12:06:00 /sbin/ifconfig utun0 %IP CLIENT MAC VIRTUEL% %IP CLIENT MAC VIRTUEL% netmask 255.255.255.0 mtu 1500 up
2017-11-17 12:06:00 /sbin/route add -net %RESEAU VIRTUEL% %IP CLIENT MAC VIRTUEL% 255.255.255.0
add net %RESEAU VIRTUEL%: gateway %IP CLIENT MAC VIRTUEL%
2017-11-17 12:06:00 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -o -r -w -ptADGNWradsgnw utun0 1500 1560 %IP CLIENT MAC VIRTUEL% 255.255.255.0 init
**********************************************
Start of output from client.up.tunnelblick.sh
Retrieved from OpenVPN: name server(s) [ %DNS1% %DNS2% ], domain name [ %SOCIETE%-%VILLE%.fr ], search domain(s) [ ], and SMB server(s) [ ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to '%SOCIETE%-%VILLE%.fr' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '%IP BOX LOCAL%' to '%DNS1% %DNS2%'
Changed DNS SearchDomains setting from '' to '%SOCIETE%-%VILLE%.fr'
Changed DNS DomainName setting from 'home' to '%SOCIETE%-%VILLE%.fr'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers '%DNS1% %DNS2%' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2017-11-17 12:06:04 *Tunnelblick: No 'connected.sh' script to execute
2017-11-17 12:06:04 /sbin/route add -net %IPSITE_DISTANT% %IP BOX LOCAL% 255.255.255.255
add net %IPSITE_DISTANT%: gateway %IP BOX LOCAL%
2017-11-17 12:06:04 /sbin/route add -net 0.0.0.0 %GATEWAY RESEAU VIRTUEL% 128.0.0.0
add net 0.0.0.0: gateway %GATEWAY RESEAU VIRTUEL%
2017-11-17 12:06:04 /sbin/route add -net 128.0.0.0 %GATEWAY RESEAU VIRTUEL% 128.0.0.0
add net 128.0.0.0: gateway %GATEWAY RESEAU VIRTUEL%
2017-11-17 12:06:04 MANAGEMENT: >STATE:1510916764,ADD_ROUTES,,,
2017-11-17 12:06:04 /sbin/route add -net %RESEAU DISTANT% %GATEWAY RESEAU VIRTUEL% 255.255.255.0
route: writing to routing socket: File exists
add net %RESEAU DISTANT%: gateway %GATEWAY RESEAU VIRTUEL%: File exists
2017-11-17 12:06:04 /sbin/route add -net %RESEAU DISTANT% %GATEWAY RESEAU VIRTUEL% 255.255.255.0
route: writing to routing socket: File exists
add net %RESEAU DISTANT%: gateway %GATEWAY RESEAU VIRTUEL%: File exists
2017-11-17 12:06:04 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-11-17 12:06:04 Initialization Sequence Completed
2017-11-17 12:06:04 MANAGEMENT: >STATE:1510916764,CONNECTED,SUCCESS,%IP CLIENT MAC VIRTUEL%,%IPSITE_DISTANT%
2017-11-17 12:06:09 *Tunnelblick process-network-changes: A system configuration change was ignored
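Editor's note with an added example (not part of the post and not Tunnelblick or OpenVPN code): the diagnostic line in the log above is `route: writing to routing socket: File exists` when OpenVPN tries `/sbin/route add -net %RESEAU DISTANT% ... 255.255.255.0`. On macOS that message is the kernel's EEXIST: a route with exactly that destination prefix already exists, here the directly connected route for the local box's LAN, which the poster says uses the same 192.168.1.x range as the remote site. The pushed route is therefore never installed, traffic to 192.168.1.x stays on the local LAN, while the route for the virtual range 192.168.20.0/24 was added without error, which matches the symptom exactly. The Python below parses the `route add` lines from such a log, records which ones the kernel refused, and checks the pushed prefixes against the client's connected subnets to flag an overlap before a user reports it. The sample log is constructed from the lines of the post with its placeholders replaced by the prefixes it states (remote LAN 192.168.1.0/24, virtual range 192.168.20.0/24); the VPN gateway 192.168.20.1, the client address 192.168.20.5 and the local subnets are assumed values.

```python
import ipaddress
import re

# Constructed sample: the route-add lines of the Tunnelblick log with the
# post's placeholders replaced by the prefixes the post states. Gateway and
# client addresses are assumed.
SAMPLE_LOG = """\
2017-11-17 12:06:00 /sbin/route add -net 192.168.20.0 192.168.20.5 255.255.255.0
add net 192.168.20.0: gateway 192.168.20.5
2017-11-17 12:06:04 /sbin/route add -net 0.0.0.0 192.168.20.1 128.0.0.0
add net 0.0.0.0: gateway 192.168.20.1
2017-11-17 12:06:04 /sbin/route add -net 128.0.0.0 192.168.20.1 128.0.0.0
add net 128.0.0.0: gateway 192.168.20.1
2017-11-17 12:06:04 /sbin/route add -net 192.168.1.0 192.168.20.1 255.255.255.0
route: writing to routing socket: File exists
add net 192.168.1.0: gateway 192.168.20.1: File exists
"""

# OpenVPN on macOS logs the exact command it runs: route add -net DEST GATEWAY NETMASK
ROUTE_ADD = re.compile(r"/sbin/route add -net (\S+) (\S+) (\S+)$")


def parse_route_adds(log_text):
    """Return one dict per 'route add' in the log: network, gateway and
    whether the kernel accepted it. 'File exists' (EEXIST) on the following
    lines means a route for that exact prefix was already present, so the
    pushed route was not installed."""
    lines = log_text.splitlines()
    routes = []
    for i, line in enumerate(lines):
        m = ROUTE_ADD.search(line)
        if not m:
            continue
        dest, gateway, netmask = m.groups()
        network = ipaddress.ip_network(f"{dest}/{netmask}", strict=False)
        # route(8) prints its error on the one or two lines after the command
        following = lines[i + 1:i + 3]
        accepted = not any("File exists" in l for l in following)
        routes.append({"network": network,
                       "gateway": ipaddress.ip_address(gateway),
                       "ok": accepted})
    return routes


def conflicting_routes(routes, local_subnets):
    """Return (pushed_network, local_subnet) pairs where a pushed route is no
    more specific than a directly connected subnet it overlaps. Equal prefixes
    are refused by the kernel (EEXIST); a less specific pushed prefix is
    installed but shadowed by the connected route for the overlapping hosts."""
    connected = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    conflicts = []
    for r in routes:
        net = r["network"]
        if net.prefixlen <= 1:
            # 0.0.0.0/1 and 128.0.0.0/1 come from 'redirect-gateway def1' and
            # are meant to be less specific than any LAN; not a conflict.
            continue
        for lan in connected:
            if net.overlaps(lan) and net.prefixlen <= lan.prefixlen:
                conflicts.append((net, lan))
    return conflicts


def report(log_text, local_subnets):
    """Human-readable summary for a helpdesk or a pre-connect check."""
    routes = parse_route_adds(log_text)
    out = []
    for r in routes:
        status = "installed" if r["ok"] else "REFUSED (File exists)"
        out.append(f"{r['network']} via {r['gateway']}: {status}")
    for net, lan in conflicting_routes(routes, local_subnets):
        out.append(f"CONFLICT: pushed {net} overlaps connected LAN {lan}; "
                   f"remote hosts in {net} are unreachable through the tunnel")
    return out


if __name__ == "__main__":
    # Box on 192.168.1.0/24 (the poster's original situation) vs. a box moved
    # to 192.168.2.0/24 (what the poster did to make it work).
    for lan in ("192.168.1.0/24", "192.168.2.0/24"):
        print(f"--- local LAN {lan} ---")
        for line in report(SAMPLE_LOG, [lan]):
            print(line)
```

The check does not change anything on the client; it only reads the log the user already has and the subnet of the interface they connect through, which is the practical way to confirm this kind of address-range collision from a support ticket. The same overlap test can be run against the server's push list before rollout to see which customer LAN ranges will collide with the routes it pushes.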