OpenVPN – Client Not Tunneling HTTP Traffic on macOS

http, mac-osx, openvpn

I am hosting an OpenVPN Server (I followed this tutorial) and I am facing some issues on the client side.

When I use my phone as a hotspot, and I log into the VPN from my Mac (using my phone's connection), everything works perfectly.

However, when I log into the VPN from my house's WiFi, the behaviour is very weird: I can run ssh sessions, ping wherever I want, etc… (DNS is working). However, as soon as I try to send an HTTP/HTTPS request, it is blocked, somehow… It is weird, because I use the same VPN configuration! Why would the server block it this time?

I have tried using both OpenVPN Client and Tunnelblick (in all cases, the client is running on my MacBook Pro with macOS Big Sur), and I get the same issue with both. When I compare the logs from one connection to the other (phone hotspot vs. WiFi), they are very similar and I don't see what makes the difference (except the IP of the default gateway, which makes sense).

Any idea what could cause this?

Here are the logs of Tunnelblick, just in case (I replaced the OpenVPN Server IP with SE.RV.ER.IP):

2020-12-30 22:32:07.120527 *Tunnelblick: macOS 11.1 (20C69); Tunnelblick 3.8.4a (build 5601)
2020-12-30 22:32:07.630497 *Tunnelblick: Attempting connection with emmanuel-mac using shadow copy; Set nameserver = 769; monitoring connection
2020-12-30 22:32:07.631264 *Tunnelblick: openvpnstart start emmanuel-mac.tblk 49877 769 0 1 0 1098032 -ptADGNWradsgnw 2.4.9-openssl-1.1.1i
2020-12-30 22:32:07.653760 *Tunnelblick: openvpnstart starting OpenVPN
2020-12-30 22:32:08.015592 OpenVPN 2.4.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Dec 14 2020
2020-12-30 22:32:08.015704 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2020-12-30 22:32:08.017154 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:49877
2020-12-30 22:32:08.017191 Need hold release from management interface, waiting...
2020-12-30 22:32:08.257068 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully.
     Command used to start OpenVPN (one argument per displayed line):
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.9-openssl-1.1.1i/openvpn
          --daemon
          --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Semmanuel-SLibrary-SApplication Support-STunnelblick-SConfigurations-Semmanuel--mac.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098032.49877.openvpn.log
          --cd /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
          --machine-readable-output
          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5601 3.8.4a (build 5601)"
          --verb 3
          --config /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources/config.ovpn
          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
          --verb 3
          --cd /Library/Application Support/Tunnelblick/Users/emmanuel/emmanuel-mac.tblk/Contents/Resources
          --management 127.0.0.1 49877 /Library/Application Support/Tunnelblick/dajnhpfeahklmohhfdnalmmjkfndbajhjflgbmin.mip
          --management-query-passwords
          --management-hold
          --script-security 2
          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2020-12-30 22:32:08.268874 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49877
2020-12-30 22:32:08.323857 MANAGEMENT: CMD 'pid'
2020-12-30 22:32:08.324000 MANAGEMENT: CMD 'auth-retry interact'
2020-12-30 22:32:08.324053 MANAGEMENT: CMD 'state on'
2020-12-30 22:32:08.324098 MANAGEMENT: CMD 'state'
2020-12-30 22:32:08.324151 MANAGEMENT: CMD 'bytecount 1'
2020-12-30 22:32:08.324988 *Tunnelblick: Established communication with OpenVPN
2020-12-30 22:32:08.355199 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2020-12-30 22:32:08.358526 MANAGEMENT: CMD 'hold release'
2020-12-30 22:32:08.358727 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-12-30 22:32:08.361291 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-12-30 22:32:08.361329 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-12-30 22:32:08.361568 TCP/UDP: Preserving recently used remote address: [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:08.361690 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-12-30 22:32:08.361726 UDP link local: (not bound)
2020-12-30 22:32:08.361750 UDP link remote: [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:08.361793 MANAGEMENT: >STATE:1609360328,WAIT,,,,,,
2020-12-30 22:32:08.427380 MANAGEMENT: >STATE:1609360328,AUTH,,,,,,
2020-12-30 22:32:08.427445 TLS: Initial packet from [AF_INET]SE.RV.ER.IP:3000, sid=a1c1b644 16b7bcc4
2020-12-30 22:32:08.502026 VERIFY OK: depth=1, CN=OpenVPN-Homemade CA
2020-12-30 22:32:08.507011 VERIFY KU OK
2020-12-30 22:32:08.507082 Validating certificate extended key usage
2020-12-30 22:32:08.507107 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-12-30 22:32:08.507129 VERIFY EKU OK
2020-12-30 22:32:08.507150 VERIFY OK: depth=0, CN=SE.RV.ER.IP
2020-12-30 22:32:08.587610 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2020-12-30 22:32:08.587887 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2020-12-30 22:32:08.588274 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2020-12-30 22:32:08.588362 [SE.RV.ER.IP] Peer Connection Initiated with [AF_INET]SE.RV.ER.IP:3000
2020-12-30 22:32:09.876934 MANAGEMENT: >STATE:1609360329,GET_CONFIG,,,,,,
2020-12-30 22:32:09.877057 SENT CONTROL [SE.RV.ER.IP]: 'PUSH_REQUEST' (status=1)
2020-12-30 22:32:09.940358 PUSH: Received control message: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,comp-lzo no,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 2,cipher AES-256-GCM'
2020-12-30 22:32:09.940554 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.9)
2020-12-30 22:32:09.940724 OPTIONS IMPORT: timers and/or timeouts modified
2020-12-30 22:32:09.940772 OPTIONS IMPORT: compression parms modified
2020-12-30 22:32:09.940808 OPTIONS IMPORT: --ifconfig/up options modified
2020-12-30 22:32:09.940839 OPTIONS IMPORT: route options modified
2020-12-30 22:32:09.940867 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-12-30 22:32:09.940896 OPTIONS IMPORT: peer-id set
2020-12-30 22:32:09.940924 OPTIONS IMPORT: adjusting link_mtu to 1624
2020-12-30 22:32:09.947147 OPTIONS IMPORT: data channel crypto options modified
2020-12-30 22:32:09.947187 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-12-30 22:32:09.947397 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-30 22:32:09.947428 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-12-30 22:32:09.947790 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947822 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947868 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.947883 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-12-30 22:32:09.950540 Opened utun device utun4
2020-12-30 22:32:09.951157 MANAGEMENT: >STATE:1609360329,ASSIGN_IP,,192.168.255.6,,,,
2020-12-30 22:32:09.951198 /sbin/ifconfig utun4 delete
                           ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2020-12-30 22:32:09.969424 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2020-12-30 22:32:09.969649 /sbin/ifconfig utun4 192.168.255.6 192.168.255.5 mtu 1500 netmask 255.255.255.255 up
2020-12-30 22:32:09.974095 /sbin/route add -net SE.RV.ER.IP 10.0.0.138 255.255.255.255
                           add net SE.RV.ER.IP: gateway 10.0.0.138
2020-12-30 22:32:09.982603 /sbin/route add -net 0.0.0.0 192.168.255.5 128.0.0.0
                           add net 0.0.0.0: gateway 192.168.255.5
2020-12-30 22:32:09.985841 /sbin/route add -net 128.0.0.0 192.168.255.5 128.0.0.0
                           add net 128.0.0.0: gateway 192.168.255.5
2020-12-30 22:32:09.989094 MANAGEMENT: >STATE:1609360329,ADD_ROUTES,,,,,,
2020-12-30 22:32:09.989758 /sbin/route add -net 192.168.255.1 192.168.255.5 255.255.255.255
                           add net 192.168.255.1: gateway 192.168.255.5
                           22:32:10 *Tunnelblick:  **********************************************
                           22:32:10 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           22:32:12 *Tunnelblick:  Disabled IPv6 for 'LPSS Serial Adapter (1)'
                           22:32:12 *Tunnelblick:  Disabled IPv6 for 'LPSS Serial Adapter (2)'
                           22:32:12 *Tunnelblick:  Disabled IPv6 for 'USB 10/100/1000 LAN'
                           22:32:12 *Tunnelblick:  Disabled IPv6 for 'Wi-Fi'
                           22:32:12 *Tunnelblick:  Disabled IPv6 for 'Bluetooth PAN'
                           22:32:12 *Tunnelblick:  Disabled IPv6 for 'Thunderbolt Bridge'
                           22:32:12 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ 8.8.8.8 8.8.4.4 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
                           22:32:12 *Tunnelblick:  Not aggregating ServerAddresses because running on macOS 10.6 or higher
                           22:32:12 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                           22:32:14 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                           22:32:14 *Tunnelblick:  Changed DNS ServerAddresses setting from '10.0.0.138' to '8.8.8.8 8.8.4.4'
                           22:32:14 *Tunnelblick:  Changed DNS SearchDomains setting from 'Home' to 'openvpn'
                           22:32:14 *Tunnelblick:  Changed DNS DomainName setting from '' to 'openvpn'
                           22:32:14 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                           22:32:14 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                           22:32:14 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
                           22:32:14 *Tunnelblick:  DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
                           22:32:14 *Tunnelblick:  The DNS servers include only free public DNS servers known to Tunnelblick.
                           22:32:14 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           22:32:14 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           22:32:14 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           22:32:14 *Tunnelblick:  Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
                           22:32:14 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                           22:32:14 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           22:32:14 *Tunnelblick:  **********************************************
2020-12-30 22:32:14.354487 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-12-30 22:32:14.354550 Initialization Sequence Completed
2020-12-30 22:32:14.354625 MANAGEMENT: >STATE:1609360334,CONNECTED,SUCCESS,192.168.255.6,SE.RV.ER.IP,3000,,
2020-12-30 22:32:15.585018 *Tunnelblick: Routing info stdout:
   route to: 127.0.0.1
destination: 127.0.0.1
  interface: lo0
      flags: <UP,HOST,DONE,LOCAL>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
   49152     49152         0         7        14         0     16384         0 
stderr:

2020-12-30 22:32:15.589686 *Tunnelblick: Warning: DNS server address 127.0.0.1 is not a public IP address and is not being routed through the VPN.


2020-12-30 22:32:15.689957 *Tunnelblick: DNS address 8.8.4.4 is being routed through the VPN
2020-12-30 22:32:15.796318 *Tunnelblick: DNS address 8.8.8.8 is being routed through the VPN
2020-12-30 22:32:58.125526 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2020-12-30 22:33:36.295807 *Tunnelblick: An error occurred fetching IP address information using the ipInfo host's IP address after connecting

Thanks for your help!

Best Answer

@bitinerant's comment helped me find the solution.

Following this article, I was able to set the MTU to the right value, and this made the connection work.
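An added diagnostic script (not from the question, the linked article or the answer) showing one way to find the path MTU the answer refers to and turn it into OpenVPN client settings to try. It assumes macOS ping syntax and takes the VPN server address from a PROBE_HOST variable; the 41-byte framing overhead is the value visible in the question's log (tun-mtu 1500 giving link-mtu 1541).

```shell
#!/bin/sh
# Added diagnostic: find the largest ICMP payload that crosses the current
# uplink with Don't Fragment set, then derive mssfix / tun-mtu values to try.

# One DF echo request of SIZE payload bytes (macOS ping: -D sets DF,
# -s is payload size, -t is the overall timeout in seconds).
probe_icmp() {
    ping -D -c 1 -t 2 -s "$1" "${PROBE_HOST:?set PROBE_HOST to the VPN server IP}" >/dev/null 2>&1
}

# Binary search for the largest SIZE in [LO,HI] for which "PROBE SIZE"
# succeeds; assumes success is monotonic in SIZE (true for DF probing).
find_max_payload() {
    probe=$1; lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then best=$mid; lo=$((mid + 1)); else hi=$((mid - 1)); fi
    done
    echo "$best"
}

# Path MTU = ICMP payload + 20 (IPv4 header) + 8 (ICMP header).
path_mtu() { echo $(( $1 + 28 )); }

# mssfix caps the encapsulated UDP payload OpenVPN emits for TCP traffic,
# so leave room for the outer IPv4 + UDP headers (28 bytes).
suggest_mssfix() { echo $(( $1 - 28 )); }

# tun-mtu additionally leaves room for OpenVPN's own framing; 41 bytes is
# the overhead seen in the question's log (tun-mtu 1500 -> link-mtu 1541).
suggest_tun_mtu() { echo $(( $1 - 28 - 41 )); }

if [ -n "${PROBE_HOST:-}" ]; then
    payload=$(find_max_payload probe_icmp 0 1472)   # 1472 + 28 = 1500, Ethernet max
    if [ "$payload" -eq 0 ]; then
        echo "no DF echo reply from $PROBE_HOST at any size; check ICMP first" >&2
        exit 1
    fi
    mtu=$(path_mtu "$payload")
    echo "path MTU to $PROBE_HOST: $mtu"
    echo "try in the client .ovpn:  mssfix $(suggest_mssfix "$mtu")  (or tun-mtu $(suggest_tun_mtu "$mtu"))"
fi
```

Run it as `PROBE_HOST=SE.RV.ER.IP sh mtu-probe.sh` once from the hotspot and once from the home WiFi; a smaller path MTU on the home uplink is consistent with TCP-only traffic (HTTP/HTTPS) stalling while small ping and ssh packets pass.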