Connecting from CN

[airvpn.teiuxcg 4]

Hi, I hope you can help!

 

Basically trying to use the service while in China, I've created a config for both my iPad and OSX. The iPad works fine, takes a while to connect but does so eventually. OSX however fails to connect pretty much at all! I'm mainly using tunnelblick but I've tried the AirVPN client but that takes aaaages to do anything (and still doesn't connect like tunnelblick).

 

So my question is, why does the same profile work in iOS (iPad) and not on OSX? My thinking is that .cn is dropping the final auth packet from OSX and therefore the connection cannot be completed.

 

The logs below are from TunnelBlick.

 

Side note, I have tried using the SSL tunnel but the instructions are a bit rubbish! I've got the tunnel up but cant route anything down it!

 

Cheers!

 

2014-07-15 01:38:45 *Tunnelblick: OS X 10.9.4; Tunnelblick 3.4beta28 (build 3872); prior version 3.4beta26 (build 3828)

2014-07-15 01:38:45 *Tunnelblick: Attempting connection with AirVPN_UK_UDP-443; Set nameserver = 1; monitoring connection

2014-07-15 01:38:45 *Tunnelblick: openvpnstart start AirVPN_UK_UDP-443.tblk 1337 1 0 3 0 16689 -ptADGNWradsgnw 2.2.1

2014-07-15 01:38:46 *Tunnelblick: openvpnstart log:

     Tunnelblick: Loading tun-signed.kext

     Tunnelblick: 

     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

     

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn

          --daemon

          --log

          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SAirVPN_UK_UDP--443.tblk-SContents-SResources-Sconfig.ovpn.1_0_3_0_16689.1337.openvpn.log

          --cd

          /Library/Application Support/Tunnelblick/Shared/AirVPN_UK_UDP-443.tblk/Contents/Resources

          --config

          /Library/Application Support/Tunnelblick/Shared/AirVPN_UK_UDP-443.tblk/Contents/Resources/config.ovpn

          --cd

          /Library/Application Support/Tunnelblick/Shared/AirVPN_UK_UDP-443.tblk/Contents/Resources

          --management

          127.0.0.1

          1337

          --management-query-passwords

          --management-hold

          --script-security

          2

          --up

          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw

          --down

          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw

 

2014-07-15 01:38:45 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Jun 12 2014

2014-07-15 01:38:45 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337

2014-07-15 01:38:45 Need hold release from management interface, waiting...

2014-07-15 01:38:45 *Tunnelblick: openvpnstart starting OpenVPN

2014-07-15 01:38:46 *Tunnelblick: Established communication with OpenVPN

2014-07-15 01:38:46 MANAGEMENT: Client connected from 127.0.0.1:1337

2014-07-15 01:38:46 MANAGEMENT: CMD 'pid'

2014-07-15 01:38:46 MANAGEMENT: CMD 'state on'

2014-07-15 01:38:46 MANAGEMENT: CMD 'state'

2014-07-15 01:38:46 MANAGEMENT: CMD 'bytecount 1'

2014-07-15 01:38:46 MANAGEMENT: CMD 'hold release'

2014-07-15 01:38:46 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2014-07-15 01:38:46 Control Channel Authentication: tls-auth using INLINE static key file

2014-07-15 01:38:46 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

2014-07-15 01:38:46 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

2014-07-15 01:38:46 LZO compression initialized

2014-07-15 01:38:46 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]

2014-07-15 01:38:46 Socket Buffers: R=[196724->65536] S=[9216->65536]

2014-07-15 01:38:46 MANAGEMENT: >STATE:1405359526,RESOLVE,,,

2014-07-15 01:38:46 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]

2014-07-15 01:38:46 Local Options hash (VER=V4): '9e7066d2'

2014-07-15 01:38:46 Expected Remote Options hash (VER=V4): '162b04de'

2014-07-15 01:38:46 UDPv4 link local: [undef]

2014-07-15 01:38:46 UDPv4 link remote: 94.229.74.90:443

2014-07-15 01:38:46 MANAGEMENT: >STATE:1405359526,WAIT,,,

2014-07-15 01:38:47 MANAGEMENT: >STATE:1405359527,AUTH,,,

2014-07-15 01:38:47 TLS: Initial packet from 94.229.74.90:443, sid=a19a3237 67723ba1

2014-07-15 01:39:12 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

2014-07-15 01:39:12 Validating certificate key usage

2014-07-15 01:39:12 ++ Certificate has key usage  00a0, expects 00a0

2014-07-15 01:39:12 VERIFY KU OK

2014-07-15 01:39:12 Validating certificate extended key usage

2014-07-15 01:39:12 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

2014-07-15 01:39:12 VERIFY EKU OK

2014-07-15 01:39:12 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

2014-07-15 01:39:46 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

2014-07-15 01:39:46 TLS Error: TLS handshake failed

2014-07-15 01:39:46 TCP/UDP: Closing socket

2014-07-15 01:39:46 SIGUSR1[soft,tls-error] received, process restarting

2014-07-15 01:39:46 MANAGEMENT: >STATE:1405359586,RECONNECTING,tls-error,,

2014-07-15 01:39:46 MANAGEMENT: CMD 'hold release'

2014-07-15 01:39:46 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2014-07-15 01:39:46 Re-using SSL/TLS context

2014-07-15 01:39:46 LZO compression initialized

2014-07-15 01:39:46 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]

2014-07-15 01:39:46 Socket Buffers: R=[196724->65536] S=[9216->65536]

2014-07-15 01:39:46 MANAGEMENT: >STATE:1405359586,RESOLVE,,,

2014-07-15 01:39:46 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]

2014-07-15 01:39:46 Local Options hash (VER=V4): '9e7066d2'

2014-07-15 01:39:46 Expected Remote Options hash (VER=V4): '162b04de'

2014-07-15 01:39:46 UDPv4 link local: [undef]

2014-07-15 01:39:46 UDPv4 link remote: 94.229.74.90:443

2014-07-15 01:39:46 MANAGEMENT: >STATE:1405359586,WAIT,,,

2014-07-15 01:39:50 MANAGEMENT: >STATE:1405359590,AUTH,,,

2014-07-15 01:39:50 TLS: Initial packet from 94.229.74.90:443, sid=753edcc3 1db22f0f

2014-07-15 01:40:07 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

2014-07-15 01:40:07 Validating certificate key usage

2014-07-15 01:40:07 ++ Certificate has key usage  00a0, expects 00a0

2014-07-15 01:40:07 VERIFY KU OK

2014-07-15 01:40:07 Validating certificate extended key usage

2014-07-15 01:40:07 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

2014-07-15 01:40:07 VERIFY EKU OK

2014-07-15 01:40:07 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

2014-07-15 01:40:47 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

2014-07-15 01:40:47 TLS Error: TLS handshake failed

2014-07-15 01:40:47 TCP/UDP: Closing socket

2014-07-15 01:40:47 SIGUSR1[soft,tls-error] received, process restarting

2014-07-15 01:40:47 MANAGEMENT: >STATE:1405359647,RECONNECTING,tls-error,,

2014-07-15 01:40:47 MANAGEMENT: CMD 'hold release'

2014-07-15 01:40:47 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2014-07-15 01:40:47 Re-using SSL/TLS context

2014-07-15 01:40:47 LZO compression initialized

2014-07-15 01:40:47 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]

2014-07-15 01:40:47 Socket Buffers: R=[196724->65536] S=[9216->65536]

2014-07-15 01:40:47 MANAGEMENT: >STATE:1405359647,RESOLVE,,,

2014-07-15 01:40:47 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]

2014-07-15 01:40:47 Local Options hash (VER=V4): '9e7066d2'

2014-07-15 01:40:47 Expected Remote Options hash (VER=V4): '162b04de'

2014-07-15 01:40:47 UDPv4 link local: [undef]

2014-07-15 01:40:47 UDPv4 link remote: 94.229.74.90:443

2014-07-15 01:40:47 MANAGEMENT: >STATE:1405359647,WAIT,,,

2014-07-15 01:40:47 MANAGEMENT: >STATE:1405359647,AUTH,,,

2014-07-15 01:40:47 TLS: Initial packet from 94.229.74.90:443, sid=0e16d65b 06cac51a

2014-07-15 01:41:03 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

2014-07-15 01:41:03 Validating certificate key usage

2014-07-15 01:41:03 ++ Certificate has key usage  00a0, expects 00a0

2014-07-15 01:41:03 VERIFY KU OK

2014-07-15 01:41:03 Validating certificate extended key usage

2014-07-15 01:41:03 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

2014-07-15 01:41:03 VERIFY EKU OK

2014-07-15 01:41:03 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

2014-07-15 01:41:14 *Tunnelblick: Disconnecting; notification window disconnect button pressed

2014-07-15 01:41:14 *Tunnelblick: Disconnecting using 'kill'

2014-07-15 01:41:14 event_wait : Interrupted system call (code=4)

2014-07-15 01:41:14 SIGTERM received, sending exit notification to peer

2014-07-15 01:41:19 TCP/UDP: Closing socket

2014-07-15 01:41:19 SIGTERM[soft,exit-with-notification] received, process exiting

2014-07-15 01:41:19 MANAGEMENT: >STATE:1405359679,EXITING,exit-with-notification,,

2014-07-15 01:41:19 *Tunnelblick: No 'post-disconnect.sh' script to execute

2014-07-15 01:41:19 *Tunnelblick: Expected disconnection occurred.

[Staff 9973]

Hello!

 

On OS X, run Eddie (the AirVPN client) and configure it for OpenVPN over SSL: click the "AirVPN" button, select "Preferences", click "Advanced" tab, select "SSL Tunnel - Port 443" and click "Save".

 

Unfortunately Tunnelblick does not support connections of OpenVPN over SSL.

 

We have no rational explanation to the fact that OpenVPN is disrupted on your Mac and not on your iOS device. Maybe they are connected to different ISPs?

 

Kind regards

[airvpn.teiuxcg 4]

Thanks for the reply, I'll have a go with the SSL option now. I didn't try it with Eddie before as I thought it wasn't supported for OSX yet...!

 

We have no rational explanation to the fact that OpenVPN is disrupted on your Mac and not on your iOS device. Maybe they are connected to different ISPs?

 

In terms of this, they are both connected via the same Wifi network. Thinking that the iPad gives a different signature than the mac? Therefore the GFW doesn't recognise it and block it? Anyone ever compared a pcap of these two for comparison?

[airvpn.teiuxcg 4]

Ah, also, the way I used Tunnelblick with stunnel was to start stunnel in terminal and have tunnelblick connect to localhost. Worked ok, just REALLY slow!

[airvpn.teiuxcg 4]

On OS X, run Eddie (the AirVPN client) 

Oh and is Eddie the name of the client or a version of the AirVPN client?

[Staff 9973]

Hello!

 

Eddie is the codename of Air client versions 2.

 

The working iPad deserves investigation. Are you sure it is successfully connected?

 

Usually good performance from China can be achieved with OpenVPN over SSL to Hong Kong and Singapore servers.

 

Kind regards

[airvpn.teiuxcg 4]

Hi,

 

The working iPad deserves investigation. Are you sure it is successfully connected?

 

Yup the iPad definitely connected. I checked via a whatismyip service and also on the 'clients currently connected' list. Really strange.

 

The only thing wrong with it was it took a while to connect, but it connected at least 90% of the time...! OSX however dragged its feet a hell of a lot. This was the same with an OpenVPN server I have running at home, it was just permanently stuck at the authorising stage.

 

My initial thoughts are, what capabilities does the iPad (or the OpenVPN app to be more precise I guess) cater for in terms of openvpn directives? Can it do comp-lzo, or utilise the ta (HMAC) facilities or anything else that would change the packet structure to differ from OSX? Anyone have any ideas?

Failing that does AirVPN have any exit servers in China(?!) that I could use to do some testing? I only managed to get one sample each time (iPad connecting, OSX not connecting, and OSX successfully connecting from a different country)...!

[Staff 9973]

Hello!

 

Yes, we confirm that we are receiving some reports from China according to which on mobile networks OpenVPN is not disrupted anymore. The block remains on residential fixed lines, where OpenVPN over SSL still seems mandatory (OpenVPN over SSH works as well, but it is often too capped).

 

openvpn-connect for iOS supports a lot of OpenVPN directives on the client side, but not all. By the way there's everything you need to connect to our services. We tend to believe that it's probably not a matter of different implementation, because our servers packets are anyway the same, but maybe it's just that the disruption does not take place on (some?) mobile connections.

 

Feel free to keep us posted!

 

Kind regards