LinuxQuestions.org
Old 06-20-2017, 03:57 PM   #1
sundialsvcs
One(!) OpenVPN client re-connects hundreds of times each day


We use OpenVPN to connect to a remote server, and have used script-generated duplicate configurations for each one. Nearly all of these operate flawlessly ... except clients who are within the client's place of business. We see their OpenVPN server re-connecting to us literally hundreds of times a day, every day. The client experiences erratic network performance connecting to our administrative web-site through this tunnel. No one else does. I believe that the reconnections are occurring because the tunnel has dropped, but the server-side log files give little indication. (UDP, not TCP/IP, is used for the data transfer.) The reconnections are always uneventful.

In trying to understand the problem, we installed an OpenVPN client on a couple of machines within their network and had users use this client to connect. They experienced similar problems if they connect from the office.

A significant finding in their client log is this:
Code:
2017-06-19 07:59:52 Tunnelblick[452] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
2017-06-19 07:59:53 Tunnelblick[452] CFNetwork SSLHandshake failed (-9806)
... and the second message is repeated 4 times.

This continues once a second for about 32 seconds, then we see this:
Code:
2017-06-19 07:57:28 Tunnelblick[510] currentIPInfo(Name): IP address info could not be fetched within 32.3 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." 
UserInfo={_kCFStreamErrorCodeKey=-9806, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x106435220 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." 
UserInfo={NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9806,
 _kCFStreamPropertySSLClientCertificateState=0, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.,
 _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, _kCFStreamErrorCodeKey=-9806}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., 
NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo, NSErrorFailingURLStringKey=https://www.tunnelblick.net/ipinfo,
 _kCFStreamErrorDomainKey=3}'; the response was '(null)'
The machine in question is an OS/X box, and I don't know if this log is actually related to the network instability that we are experiencing. (It could well be something peculiar to the OpenVPN client program, which is TunnelBlick.) I am trying to obtain log files from their primary OpenVPN client router.

My suspicion is that the client has intermittent internet connectivity but might not be aware of it. Still, I need to gather more evidence of this.

Last edited by sundialsvcs; 06-20-2017 at 04:02 PM.
 
Old 06-21-2017, 06:32 AM   #2
business_kid
It seems to be bellyaching about SSL. What's the story there?
Also, some other errors caught my attention
Code:
bash: syntax error near unexpected token `('
bash: you: command not found
bash: SSL: command not found
Looks like some scripting syntax error is loose. Have fun. One other thing to check is that there isn't a $PATH environment variable set in your script leaving out important directories.
 
Old 06-21-2017, 07:38 AM   #3
sundialsvcs
I'm beginning to decide that this must be something that TunnelBlick is doing on its own – e.g. "phoning home." But it isn't succeeding. I don't think I yet have the necessary clue here. I've asked for a copy of the OpenVPN client log of the actual machine that's bouncing.
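
Added example, not part of the thread and not Tunnelblick's or OpenVPN's own code: a Python triage of the Tunnelblick log format quoted in post #1. It rejoins wrapped entries, counts the Secure Transport error codes, and lists which HTTPS hosts the failures name, so they can be compared with the VPN server's hostname. The sample log is constructed by abridging the quoted lines, and `vpn.example.com` is a placeholder for the real server.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, abridged from the log lines quoted in post #1.
SAMPLE_LOG = """\
2017-06-19 07:59:52 Tunnelblick[452] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
2017-06-19 07:59:53 Tunnelblick[452] CFNetwork SSLHandshake failed (-9806)
2017-06-19 07:57:28 Tunnelblick[510] currentIPInfo(Name): IP address info could not be fetched within 32.3 seconds; the error was 'Error Domain=NSURLErrorDomain Code=-1200
UserInfo={_kCFStreamErrorCodeKey=-9806, NSErrorFailingURLKey=https://www.tunnelblick.net/ipinfo,
 _kCFStreamErrorDomainKey=3}'; the response was '(null)'
"""

RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\[(\d+)\] (.*)$")
# Secure Transport codes live in the -98xx range; -9806 is errSSLClosedAbort.
SSL_CODE = re.compile(r"(?:SSL, |failed \(|_kCFStreamErrorCodeKey=)(-98\d\d)")
FAILING_URL = re.compile(r"NSErrorFailingURLKey=(https?://[^,\s}]+)")

def parse_records(text):
    """Join wrapped continuation lines onto the timestamped line that starts each record."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"ts": m.group(1), "pid": int(m.group(3)), "msg": m.group(4)})
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records

def summarize(text, vpn_server_host):
    """Count SSL error codes and failing HTTPS hosts; flag whether any is the VPN server."""
    codes, hosts = Counter(), Counter()
    for rec in parse_records(text):
        codes.update(SSL_CODE.findall(rec["msg"]))
        for url in FAILING_URL.findall(rec["msg"]):
            hosts[urlparse(url).hostname] += 1
    return {
        "ssl_codes": dict(codes),
        "failing_hosts": dict(hosts),
        "vpn_server_affected": vpn_server_host in hosts,
    }

if __name__ == "__main__":
    # vpn.example.com is a hypothetical stand-in for the real OpenVPN server name.
    print(summarize(SAMPLE_LOG, "vpn.example.com"))
```

On the sample, every failure names `www.tunnelblick.net` and none names the VPN server, so these entries record an HTTPS request made by the Tunnelblick application rather than an OpenVPN tunnel event.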
 
  

