
After you upgrade to OS X Mountain Lion, your VPN connection might stop working.

Symptoms

(1)

The connection is never established; the client is stuck in an infinite loop trying to reconnect.

Possible error messages you might see in your log:

VERIFY X509NAME ERROR: FOO, must be BAR
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting

(2)

After you manage to connect, you cannot open URLs like www.google.com in your local browser.

In the log file, you will see entries like this:

SearchDomains changed from

to
<array> {
0 : somecompany.local
}
pre-VPN was

Tunnelblick process-network-changes: A system configuration change was ignored because it was not relevant

Scope

You are only affected if you use the standard setting: OpenVPN Version Standard (2.3-alpha1).
If you switch to OpenVPN Version 2.2.1, you will have no problem with infinite reconnects.

Cause

(1)

If the issuer CN in your user.crt has spaces in its name, like “Some Company Name”, chances are good that your .ovpn contains a line like this:

tls-remote "/C=de/L=Dresden/O=Some_Company_Name/CN=mail.somecompany.de/emailAddress=administrator@somecompany.de"

Notice how the spaces have been replaced with underscores.

In previous versions of OS X, OpenVPN was able to match the two successfully. Now it looks like the rules are stricter.

(2)

Nameserver settings must be changed.

Solution

(1a) change OpenVPN version in settings…

It works with: OpenVPN Version 2.2.1

(1b) …or remove underscores

Change your .ovpn configuration file like this:

Doesn’t work:

tls-remote "/C=de/L=Dresden/O=Some_Company_Name/CN=mail.somecompany.de/emailAddress=administrator@somecompany.de"

Works:

tls-remote "C=de, L=Dresden, O=Some Company Name, CN=mail.somecompany.de, emailAddress=administrator@somecompany.de"
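
The rewrite in (1b) applied to a whole configuration, as an added example that is not part of the original post. The function names, the sample .ovpn fragment and the hostname vpn.example.invalid are assumptions; the two name formats are taken from the “Doesn’t work” and “Works” lines above, and a tls-remote line that matches neither is left untouched and flagged, so the server-identity check is never silently dropped.

```python
import re

# Constructed sample: subject attributes in certificate order, using the
# values shown in this post.
SUBJECT = [("C", "de"), ("L", "Dresden"), ("O", "Some Company Name"),
           ("CN", "mail.somecompany.de"),
           ("emailAddress", "administrator@somecompany.de")]

def legacy_name(attrs):
    # Slash-separated, spaces replaced by underscores (the "Doesn't work" form).
    return "".join("/%s=%s" % (k, v.replace(" ", "_")) for k, v in attrs)

def current_name(attrs):
    # Comma-separated, spaces kept (the "Works" form).
    return ", ".join("%s=%s" % (k, v) for k, v in attrs)

TLS_REMOTE = re.compile(r'^(\s*tls-remote\s+)"([^"]*)"\s*$')

def migrate(config_text, attrs):
    """Rewrite legacy tls-remote lines for this subject.

    Returns (new_text, report); report holds (line_number, status) pairs.
    """
    out, report = [], []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = TLS_REMOTE.match(line)
        if m:
            value = m.group(2)
            if value == current_name(attrs):
                report.append((n, "ok"))
            elif value == legacy_name(attrs):
                line = '%s"%s"' % (m.group(1), current_name(attrs))
                report.append((n, "rewritten"))
            else:
                # Unknown value: keep the check as written and flag it for review.
                report.append((n, "unrecognised"))
        out.append(line)
    return "\n".join(out) + "\n", report

# Constructed sample .ovpn fragment (hostname is a placeholder).
SAMPLE = ('client\nremote vpn.example.invalid 1194\n'
          'tls-remote "/C=de/L=Dresden/O=Some_Company_Name/CN=mail.somecompany.de'
          '/emailAddress=administrator@somecompany.de"\n')

if __name__ == "__main__":
    text, report = migrate(SAMPLE, SUBJECT)
    print(report)
    print(text)
```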

(2) change nameserver settings

In the configuration settings of your VPN connection, under DNS/WINS settings, change your name server setting from “Set nameserver” to “Set nameserver (3.0b10)”.

2 Responses to “Problem with Tunnelblick / OpenVPN on OS X 10.8 Mountain Lion (solved)”

  1. Ole

    You sir! YOU Win one internet!

    I’ve been forced to boot up a virtual windows to access our VPN, but thanks to you it finally works.. why didn’t I see your post waaay sooner.. Thank you!
