OpenVPN – Tunnelblick Options error: Unrecognized option or missing parameter(s) in tls-crypt (2.3.17)

mac-osx openvpn

I have a new OpenVPN config which runs OK on the server, but the client fails to connect with the following error:

Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/Mark/markhorrocks.tblk/Contents/Resources/config.ovpn:28: tls-crypt (2.3.17)

Tunnelblick Log:

*Tunnelblick: OS X 10.12.5; Tunnelblick 3.7.2beta03 (build 4840); prior version 3.7.2beta02 (build 4830) 2017-07-06 23:54:08
*Tunnelblick: Attempting connection with markhorrocks using shadow copy; Set nameserver = 771; monitoring connection 2017-07-06 23:54:08
*Tunnelblick: openvpnstart start markhorrocks.tblk 1337 771 0 1 0 1065264 -ptADGNWradsgnw 2.3.17-openssl-1.0.2k 2017-07-06 23:54:08
*Tunnelblick:

Could not start OpenVPN (openvpnstart returned with status #251)

Contents of the openvpnstart log:
*Tunnelblick: openvpnstart log:
Warning: Tunnelblick is using 'openvpn-down-root.so', so the route-pre-down script will not be used. You can override this by
providing a custom route-pre-down script (which may be a copy of
Tunnelblick's standard route-pre-down script) in a Tunnelblick VPN
Configuration. However, that script will not be executed as root
unless the 'user' and 'group' options are removed from the OpenVPN
configuration file. If the 'user' and 'group' options are removed,
then you don't need to use a custom route-pre-down script.
OpenVPN returned with status 1, errno = 0:
Undefined error: 0

 Command used to start OpenVPN (one argument per displayed line):

      /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.17-openssl-1.0.2k/openvpn
      --daemon
      --log
      /Library/Application Support/Tunnelblick/Logs/-SUsers-SMark-SLibrary-SApplication Support-STunnelblick-SConfigurations-Smarkhorrocks.tblk-SContents-SResources-Sconfig.ovpn.771_0_1_0_1065264.1337.openvpn.log
      --cd
      /Library/Application Support/Tunnelblick/Users/Mark/markhorrocks.tblk/Contents/Resources
      --verb
      3
      --config
      /Library/Application Support/Tunnelblick/Users/Mark/markhorrocks.tblk/Contents/Resources/config.ovpn
      --verb
      3
      --cd
      /Library/Application Support/Tunnelblick/Users/Mark/markhorrocks.tblk/Contents/Resources
      --management
      127.0.0.1
      1337
      --management-query-passwords
      --management-hold
      --script-security
      2
      --up
      /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh
      -9 -d -f -m -w -ptADGNWradsgnw
      --plugin
      /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.17-openssl-1.0.2k/openvpn-down-root.so
      /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh
      -9 -d -f -m -w -ptADGNWradsgnw

 Contents of the OpenVPN log:

      Options error: Unrecognized option or missing parameter(s) in /Library/Application Support/Tunnelblick/Users/Mark/markhorrocks.tblk/Contents/Resources/config.ovpn:28: tls-crypt (2.3.17)
      Use --help for more information.

 More details may be in the Console Log's "All Messages"

================================================================================

"Sanitized" full configuration file

client
proto udp
dev tun
remote vpn.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
tls-version-min 1.2
tls-client
ping 15
ping-restart 120
route 10.0.0.0 255.0.0.0
route-nopull

daemon

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

<ca>
 [Security-related line(s) omitted]
</ca>
<cert>
 [Security-related line(s) omitted]
</cert>
<key>
 [Security-related line(s) omitted]
</key>
<tls-crypt>
 [Security-related line(s) omitted]
</tls-crypt>

Best Answer

OpenVPN added tls-crypt functionality in version 2.4+. Tunnelblick defaults to using OpenVPN 2.3.7 in the settings for some reason, even in the latest releases (from what I have experienced). So just update the 'OpenVPN' version in the 'Settings' menu of Tunnelblick to 2.4+ and you should be good to go!
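
A pre-flight check for the mismatch described in this thread, as an added example that is not part of the original question or answer: it lists the directives in a client config that need OpenVPN 2.4 or later and compares them with a version string such as the one in the Tunnelblick log. The function names and the sample config are constructed for illustration, and the directive list (tls-crypt, ncp-ciphers, GCM data ciphers) is this example's assumption and is not exhaustive.

```shell
#!/bin/sh
# Added example: flag config directives that need OpenVPN 2.4+ before connecting.

# sample_config: constructed excerpt modelled on the config in the question.
sample_config() {
    cat <<'EOF'
client
remote vpn.example.com 1194
# tls-crypt mentioned in a comment is ignored
cipher AES-256-GCM
<tls-crypt>
[key material omitted]
</tls-crypt>
EOF
}

# needs_24 CONFIG: print "line: directive" for each 2.4-only directive found.
# Covers both the file form (tls-crypt ta.key) and the inline <tls-crypt> block.
needs_24() {
    awk '
        $1 ~ /^[#;]/ { next }    # skip comment lines
        $1 == "tls-crypt" || $1 == "<tls-crypt>" { print NR ": tls-crypt" }
        $1 == "ncp-ciphers" { print NR ": ncp-ciphers" }
        $1 == "cipher" && toupper($2) ~ /-GCM$/ { print NR ": cipher " $2 }
    ' "$1"
}

# version_lt_24 VERSION: succeed when VERSION (e.g. 2.3.17-openssl-1.0.2k)
# is older than 2.4. Only major.minor is compared.
version_lt_24() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}      # drop suffixes such as "_rc1"
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 4 ]; }
}

# check_config CONFIG VERSION: return 1 if CONFIG uses directives VERSION lacks.
check_config() {
    found=$(needs_24 "$1")
    if [ -n "$found" ] && version_lt_24 "$2"; then
        printf 'OpenVPN %s is too old for:\n%s\n' "$2" "$found" >&2
        return 1
    fi
    return 0
}
```

Source the file, then run `check_config /path/to/config.ovpn 2.3.17-openssl-1.0.2k` with the version string taken from the `openvpnstart` line of the Tunnelblick log.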