Posted: Thu Sep 28, 2006 3:51 Post subject: OpenVPN and Mac clients fix
I just solved a problem I'd been having trying to get Mac clients to connect over OpenVPN to a WRT54GL running v23 SP2 (9/15) vpn. I could get the initial connection to work, but no data would flow over it. Connection logs on the client said "write to TUN/TAP : Input/output error (code=5)" and the tap0 interface never got an IP address.
The solution is to tell tap0 to use DHCP explicitly after bringing it up. Add the following line to your client.conf (I put this after my ca/cert/key lines) to call a quick little script to do this:
The vpn-up.sh script should be placed in the same directory with the client.conf file. Its contents:
ipconfig set tap0 DHCP
That's it. Just remember to make the vpn-up.sh script executable (chmod 755 vpn-up.sh). There might be a more elegant way to do all this, but it works for me as is.
Hope that helps someone. I found this info in a forum somewhere else, so I can't take credit for it.
Posted: Sun Oct 22, 2006 20:30 Post subject: Slightly more elegant solution :)
Thank you for this tip, it helped to get my setup working. I can however offer a small modification to your script: OpenVPN provides command line options to the up script. One of these parameters (the first one actually) is the device that is being processed. If you use the following, you don't have to hardcode the device in your script:
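An added example, not code from any poster in this thread: an up script that takes the device from its first argument, as the post above describes, and checks it before handing it to ipconfig. The two-digit unit limit, the IPCONFIG override and the /usr/sbin/ipconfig path are assumptions made for this example.

```shell
#!/bin/sh
# vpn-up.sh (added example). OpenVPN runs the --up script with the device
# name as $1; the log in this thread shows "./vpn-up.sh tap0 1500 1574 init".
# That same log shows the script running before "UID set to nobody", so it
# runs with whatever privileges openvpn was started with. Validate the
# argument instead of passing it through blindly.

# Absolute path so a modified PATH cannot substitute another binary.
# Assumption: ipconfig lives in /usr/sbin on the Mac client.
IPCONFIG=${IPCONFIG:-/usr/sbin/ipconfig}

# Accept only tapN or tapNN; anything else (empty, tun0, paths, shell
# metacharacters) is rejected. The two-digit limit is an assumption.
valid_tap_dev() {
    case "$1" in
        tap[0-9]|tap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask the named tap interface to configure itself over DHCP.
set_dhcp() {
    dev=$1
    if ! valid_tap_dev "$dev"; then
        echo "vpn-up.sh: refusing unexpected device name: '$dev'" >&2
        return 2
    fi
    "$IPCONFIG" set "$dev" DHCP
}

# Act only when called with arguments, as OpenVPN does.
if [ "$#" -gt 0 ]; then
    set_dhcp "$1" || exit $?
fi
```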
I played around with setting tap0 using methods other than DHCP; all got the "permission denied" error, so it looks like I do not have sufficient permission to set tap0. I have admin rights on my Mac; what more must I do to get permission?
Posted: Sun Nov 18, 2007 3:35 Post subject: This solution isn't working for me
This solution doesn't work for me.
I've added the script to the .conf file and set permissions, but I still get the scrolling error=5.
Manually entering "sudo ipconfig set tap0 DHCP" into a Term window doesn't work either. When I try that, the machine locks up and I get the OSX "BSOD", which forces me to hold down the power button and restart.
Anyone have any additional ideas how to get this working?
I'm running the most recent version of Tunnelblick on OSX 10.5
My results are the same as DgtHorse in that I have to manually set tap0 to use DHCP, but after about 5 seconds the connection resets and Tunnelblick goes through the process of connecting again, only to arrive back at error=5.
Instead of using Tunnelblick, you can compile, install, and run openvpn by hand. It's pretty straightforward. That way you'll know you're using the latest versions of everything. I do this and it works perfectly in both Leopard and Tiger.
I have also been plagued by the dreaded recurring "Input/output error (code=5)" error code. I have tried all the above suggestions (including compiling openvpn from src) and the result is still the same. I get the following rows, i.e. connection but no data flowing:
Mon Dec 24 23:46:29 2007 OpenVPN 2.0.9 i686-apple-darwin9.1.0 [SSL] [LZO] built on Dec 24 2007
Mon Dec 24 23:46:29 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Dec 24 23:46:29 2007 LZO compression initialized
Mon Dec 24 23:46:29 2007 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Dec 24 23:46:29 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Dec 24 23:46:29 2007 Local Options hash (VER=V4): 'd79ca330'
Mon Dec 24 23:46:29 2007 Expected Remote Options hash (VER=V4): 'f7df56b8'
Mon Dec 24 23:46:29 2007 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Dec 24 23:46:29 2007 UDPv4 link local: [undef]
Mon Dec 24 23:46:29 2007 UDPv4 link remote: 83.xxx.99.yy:1194
Mon Dec 24 23:46:29 2007 TLS: Initial packet from 83.xxx.99.yy:1194, sid=2e0e3da3 2bceb2f7
Mon Dec 24 23:46:30 2007 VERIFY OK: depth=1,
Mon Dec 24 23:46:30 2007 VERIFY OK: nsCertType=SERVER
Mon Dec 24 23:46:30 2007 VERIFY OK: depth=0,
Mon Dec 24 23:46:30 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 23:46:30 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 23:46:30 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 24 23:46:30 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 24 23:46:30 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Dec 24 23:46:30 2007 [server] Peer Connection Initiated with 83.xxx.99.yy:1194
Mon Dec 24 23:46:31 2007 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Dec 24 23:46:31 2007 PUSH: Received control message: 'PUSH_REPLY,ping 15,ping-restart 60'
Mon Dec 24 23:46:31 2007 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 24 23:46:31 2007 TUN/TAP device /dev/tap0 opened
Mon Dec 24 23:46:31 2007 ./vpn-up.sh tap0 1500 1574 init
Mon Dec 24 23:46:31 2007 GID set to nobody
Mon Dec 24 23:46:31 2007 UID set to nobody
Mon Dec 24 23:46:31 2007 Initialization Sequence Completed
Mon Dec 24 23:46:33 2007 write to TUN/TAP : Input/output error (code=5)
Mon Dec 24 23:46:35 2007 write to TUN/TAP : Input/output error (code=5)
Mon Dec 24 23:46:37 2007 write to TUN/TAP : Input/output error (code=5)
Mon Dec 24 23:46:39 2007 write to TUN/TAP : Input/output error (code=5)
I have noticed that by logging in as su and typing the line ipconfig_set tap0 DHCP, the connection is reset and then goes through the initiation sequence, only to result in the same never-ending Input/output errors. Note the above log is taken from my home-compiled openvpn, but I am getting the same problem with Tunnelblick.
Does anyone have any suggestions? Things I could test or look at to get further forward on this?
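A triage helper for the log pattern posted above, added here as an example and not part of any post in this thread. It reads an OpenVPN client log and reports whether the server pushed an ifconfig, which device was opened, and how many code=5 write errors followed initialization. The function names, the verdict labels and the trimmed sample are constructed for this example.

```shell
#!/bin/sh
# Constructed sample, trimmed from the log lines quoted in this thread.
sample_log() {
cat <<'EOF'
Mon Dec 24 23:46:31 2007 PUSH: Received control message: 'PUSH_REPLY,ping 15,ping-restart 60'
Mon Dec 24 23:46:31 2007 TUN/TAP device /dev/tap0 opened
Mon Dec 24 23:46:31 2007 ./vpn-up.sh tap0 1500 1574 init
Mon Dec 24 23:46:31 2007 Initialization Sequence Completed
Mon Dec 24 23:46:33 2007 write to TUN/TAP : Input/output error (code=5)
Mon Dec 24 23:46:35 2007 write to TUN/TAP : Input/output error (code=5)
EOF
}

# Reads a client log on stdin and prints one summary line.
# Heuristic verdicts (labels are hypothetical, chosen for this example):
#   tap-without-address  tap device, no ifconfig pushed, writes failing
#   tun-write-errors     writes failing for some other combination
#   ok                   no write errors after initialization
triage_log() {
    awk '
        /TUN\/TAP device .* opened/ { dev = $(NF-1); sub(".*/", "", dev) }
        /PUSH_REPLY/ { pushed = ($0 ~ /PUSH_REPLY.*,ifconfig /) ? "yes" : "no" }
        /Initialization Sequence Completed/ { init = "yes"; errs = 0 }
        /write to TUN\/TAP .*\(code=5\)/ { if (init == "yes") errs++ }
        END {
            if (pushed == "") pushed = "no"
            if (init == "") init = "no"
            verdict = "ok"
            if (init == "yes" && errs > 0)
                verdict = (dev ~ /^tap/ && pushed == "no") ? "tap-without-address" : "tun-write-errors"
            printf "dev=%s pushed_ifconfig=%s init=%s write_errors=%d verdict=%s\n",
                   dev, pushed, init, errs, verdict
        }'
}
```

Run it as `triage_log < openvpn.log`, or `sample_log | triage_log` to see the output for the lines from this thread.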