I’m trying to put our OpenVPN Pritunl instance behind an LB. I have ports 80 and 443 forwarded, along with the right TCP port. Furthermore, I also followed the advice given in the thread “Pritunl wireguard client does not respect host "Sync Address"” (#6 by zach) to add the LB DNS name as the sync address, but the client doesn’t seem to respect it.
The client is trying to connect to the auto-assigned public IP, and it happens to correspond to an IP address that belongs to a NAT, so it won’t go through. Although the thread says it should iterate through and connect to the sync address, it doesn’t work.
The setup works if I set the Public IP address of the host to the load balancer DNS name. Then I’m able to connect to the server, but the internet doesn’t work. No packets resolve even though DNS resolution works.
I’m attaching profile logs. First I tried connecting with only the sync address being the LB hostname, and then I changed the Public IP of the host to the LB hostname.
2024-02-22 17:18:48 OpenVPN 2.6.8 arm-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH/RECVDA] [AEAD]
2024-02-22 17:18:48 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
2024-02-22 17:18:48 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:18:48 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:18:48 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:18:52 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:18:52 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:18:53 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:18:53 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:18:53 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:18:57 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:18:57 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:18:58 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:18:58 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:18:58 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:19:02 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:19:02 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:19:03 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:19:03 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:19:03 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:19:07 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:19:07 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:19:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:19:08 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:19:08 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:19:12 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:19:12 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:19:14 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:19:14 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:19:14 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:19:18 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:19:19 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:19:23 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:19:23 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:19:23 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:19:27 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:19:27 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:19:35 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:19:35 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:19:35 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:19:39 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:19:39 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:19:48 SIGINT[hard,init_instance] received, process exiting
2024-02-22 17:19:49 OpenVPN 2.6.8 arm-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH/RECVDA] [AEAD]
2024-02-22 17:19:49 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
2024-02-22 17:19:49 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:19:49 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:19:49 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:19:53 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:19:53 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:19:54 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:19:54 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:19:54 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:19:58 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:19:58 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:19:59 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:19:59 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:19:59 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:20:03 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:20:03 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:20:04 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:20:04 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:20:04 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:20:08 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:20:08 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:20:09 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:20:09 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:20:09 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:20:13 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:20:13 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:20:15 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:20:15 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:20:15 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:20:19 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:20:19 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:20:23 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:20:23 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:20:23 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:20:27 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:20:27 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:20:35 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:20:35 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:20:35 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:20:39 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:20:39 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:20:55 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:20:55 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:20:55 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:20:59 SIGINT[hard,init_instance] received, process exiting
2024-02-22 17:21:48 OpenVPN 2.6.8 arm-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH/RECVDA] [AEAD]
2024-02-22 17:21:48 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
2024-02-22 17:21:48 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:21:48 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:21:48 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:21:52 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:21:52 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:21:53 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:21:53 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:21:53 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:21:57 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:21:57 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:21:58 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:21:58 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:21:58 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:22:02 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:22:02 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:22:03 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:22:03 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:22:03 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:22:07 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:22:07 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:22:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:22:08 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:22:08 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:22:12 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:22:12 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-02-22 17:22:14 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:22:14 TCP/UDP: Preserving recently used remote address: [AF_INET]NAT_IP:11000
2024-02-22 17:22:14 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:22:15 SIGINT[hard,init_instance] received, process exiting
2024-02-22 17:23:15 OpenVPN 2.6.8 arm-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH/RECVDA] [AEAD]
2024-02-22 17:23:15 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
2024-02-22 17:23:15 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-02-22 17:23:15 TCP/UDP: Preserving recently used remote address: [AF_INET]LB_IP:11000
2024-02-22 17:23:15 Attempting to establish TCP connection with [AF_INET]LB_IP:11000
2024-02-22 17:23:15 TCP connection established with [AF_INET]LB_IP:11000
2024-02-22 17:23:15 TCPv4_CLIENT link local: (not bound)
2024-02-22 17:23:15 TCPv4_CLIENT link remote: [AF_INET]LB_IP:11000
2024-02-22 17:23:16 VERIFY SCRIPT OK: depth=1, O=5d1f1af07ed7d50012972b69, CN=5d1f1af07ed7d50012972b70
2024-02-22 17:23:16 NOTE: --mute triggered...
2024-02-22 17:23:17 8 variation(s) on previous 3 message(s) suppressed by --mute
2024-02-22 17:23:17 [60d478f57ed7d500120be6f4] Peer Connection Initiated with [AF_INET]LB_IP:11000
2024-02-22 17:23:23 Opened utun device utun5
2024-02-22 17:23:23 /sbin/ifconfig utun5 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2024-02-22 17:23:23 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2024-02-22 17:23:23 /sbin/ifconfig utun5 192.168.232.105 192.168.232.105 netmask 255.255.255.0 mtu 1500 up
add net 192.168.232.0: gateway 192.168.232.105
2024-02-22 17:23:23 /tmp/pritunl/c299e9aff3396e97-block.sh utun5 1500 0 192.168.232.105 255.255.255.0 init
add net LB_IP: gateway 192.168.29.1
add net 0.0.0.0: gateway 192.168.232.1
add net 128.0.0.0: gateway 192.168.232.1
2024-02-22 17:23:24 Initialization Sequence Completed
2024-02-22 17:23:24 Data Channel: cipher 'AES-128-GCM', peer-id: 0, compression: 'stub'
2024-02-22 17:23:24 NOTE: --mute triggered...
2024-02-22 17:23:48 1 variation(s) on previous 3 message(s) suppressed by --mute
2024-02-22 17:23:48 event_wait : Interrupted system call (fd=-1,code=4)
2024-02-22 17:23:48 /tmp/pritunl/c299e9aff3396e97-down.sh utun5 1500 0 192.168.232.105 255.255.255.0 init
delete net LB_IP: gateway 192.168.29.1
delete net 0.0.0.0: gateway 192.168.232.1
delete net 128.0.0.0: gateway 192.168.232.1
2024-02-22 17:23:51 Closing TUN/TAP interface
2024-02-22 17:23:51 /tmp/pritunl/c299e9aff3396e97-block.sh utun5 1500 0 192.168.232.105 255.255.255.0 init
2024-02-22 17:23:51 SIGINT[hard,] received, process exiting
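Added example, not part of the original post: a small Python summarizer for a client log in the format above, reporting per OpenVPN process start which remote was dialed, how often it failed, and whether the installed routes send all traffic through the tunnel. The function name `summarize` and the sample log are constructed for illustration, with the `NAT_IP` / `LB_IP` placeholders kept from the post.

```python
import re

# Constructed sample in the same format as the log above (NAT_IP / LB_IP placeholders kept).
SAMPLE_LOG = """\
2024-02-22 17:18:48 OpenVPN 2.6.8 arm-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH/RECVDA] [AEAD]
2024-02-22 17:18:48 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:18:52 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:18:53 Attempting to establish TCP connection with [AF_INET]NAT_IP:11000
2024-02-22 17:18:57 TCP: connect to [AF_INET]NAT_IP:11000 failed: Operation timed out
2024-02-22 17:23:15 OpenVPN 2.6.8 arm-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH/RECVDA] [AEAD]
2024-02-22 17:23:15 Attempting to establish TCP connection with [AF_INET]LB_IP:11000
2024-02-22 17:23:15 TCP connection established with [AF_INET]LB_IP:11000
add net LB_IP: gateway 192.168.29.1
add net 0.0.0.0: gateway 192.168.232.1
add net 128.0.0.0: gateway 192.168.232.1
2024-02-22 17:23:24 Initialization Sequence Completed
"""

BANNER = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d OpenVPN \d")
EVENTS = {
    "attempt": re.compile(r"Attempting to establish TCP connection with \[AF_INET\]([^\s:]+):\d+"),
    "failed": re.compile(r"TCP: connect to \[AF_INET\]([^\s:]+):\d+ failed"),
    "established": re.compile(r"TCP connection established with \[AF_INET\]([^\s:]+):\d+"),
}
ROUTE = re.compile(r"^add net ([^\s:]+): gateway (\S+)")

def summarize(log_text):
    """Return one summary dict per OpenVPN process start (version banner line)."""
    sessions = []
    for line in log_text.splitlines():
        if BANNER.match(line) or not sessions:
            sessions.append({"attempt": {}, "failed": {}, "established": None,
                             "routes": {}, "completed": False})
        s = sessions[-1]
        for name, rx in EVENTS.items():
            m = rx.search(line)
            if m and name == "established":
                s["established"] = m.group(1)
            elif m:  # count attempts / failures per remote address
                s[name][m.group(1)] = s[name].get(m.group(1), 0) + 1
        m = ROUTE.match(line)
        if m:
            s["routes"][m.group(1)] = m.group(2)
        if "Initialization Sequence Completed" in line:
            s["completed"] = True
    for s in sessions:
        # 0.0.0.0 and 128.0.0.0 via one gateway: both halves of the default route use the tunnel
        s["full_tunnel"] = "0.0.0.0" in s["routes"] and s["routes"]["0.0.0.0"] == s["routes"].get("128.0.0.0")
    return sessions
```

A session with `full_tunnel` set routes all client traffic through the VPN gateway, while the separate route for the remote itself keeps the TCP connection to the load balancer on the local gateway.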