Question

Tunnelblick VPN works anywhere but at home

  • May 15, 2025
  • 15 replies
  • 99 views

Hi,

I also have issues with using VPN. It started happening to me 4 months ago.

I use VPN for my work to be able to use the server for coding and to access research papers that are provided by my institute. We use Tunnelblick.

Here is a snippet of the log:

2025-05-15 13:08:35.570638 MANAGEMENT: >STATE:1747307315,WAIT,,,,,,
2025-05-15 13:09:36.013438 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-05-15 13:09:36.013587 TLS Error: TLS handshake failed
2025-05-15 13:09:36.014119 SIGUSR1[soft,tls-error] received, process restarting
2025-05-15 13:09:36.014393 MANAGEMENT: >STATE:1747307376,RECONNECTING,tls-error,,,,,
2025-05-15 13:09:36.016960 *Tunnelblick: Delaying HOLD release for 2.000 seconds
2025-05-15 13:09:38.019977 MANAGEMENT: CMD 'hold release'
2025-05-15 13:09:38.020132 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-05-15 13:09:38.020616 TCP/UDP: Preserving recently used remote address: [AF_INET]192.16.191.40:1194
2025-05-15 13:09:38.020809 Socket Buffers: R=[786896->786896] S=[9216->9216]
2025-05-15 13:09:38.020845 UDPv4 link local: (not bound)
2025-05-15 13:09:38.020877 UDPv4 link remote: [AF_INET]192.16.191.40:1194
2025-05-15 13:09:38.020972 MANAGEMENT: >STATE:1747307378,WAIT,,,,,,
2025-05-15 13:10:38.902196 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-05-15 13:10:38.903094 TLS Error: TLS handshake failed
2025-05-15 13:10:38.903312 SIGUSR1[soft,tls-error] received, process restarting
2025-05-15 13:10:38.903331 MANAGEMENT: >STATE:1747307438,RECONNECTING,tls-error,,,,,
2025-05-15 13:10:38.903958 *Tunnelblick: Delaying HOLD release for 4.000 seconds
2025-05-15 13:10:43.894213 MANAGEMENT: CMD 'hold release'
2025-05-15 13:10:43.894350 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-05-15 13:10:43.894605 TCP/UDP: Preserving recently used remote address: [AF_INET]192.16.191.40:1194
2025-05-15 13:10:43.894719 Socket Buffers: R=[786896->786896] S=[9216->9216]
2025-05-15 13:10:43.894740 UDPv4 link local: (not bound)
2025-05-15 13:10:43.894755 UDPv4 link remote: [AF_INET]192.16.191.40:1194
2025-05-15 13:10:43.894799 MANAGEMENT: >STATE:1747307443,WAIT,,,,,,

Any idea on how to proceed to fix the issue? I have tried with IT people from the department, but VPN works well anywhere else except when I am at home.

Thank you in advance,

Bests,

Manel

Admin: created a separate topic for this question [original topic]
This topic is closed. If your answer is not here, use the Community search function or ask your question in a new topic.

15 replies

  • May 15, 2025

Hello @MSlokom

Did your KPN modem/router receive an update to the new KPN firmware?

If so, it could be that the new firewall is blocking a port Tunnelblick needs.

If you set it to Standaard (in the red part), then it should not be blocking anything; you can change it in the KPN modem/router:

How do I change the settings for the outgoing firewall?

  1. Open a browser and go to 192.168.2.254 or mijnmodem.kpn
  2. Enter your password and click Inloggen (Log in).
  3. Click Beveiliging (Security) on the left
  4. You will land on this page:

In the blue block you can set whether the modem responds to ping requests. This concerns requests that come from the internet. You can use a ping yourself to check from outside the house whether your Box 12 is still active. If you switch this toggle off, that is no longer possible.

In the red block you set the security level. There are four options, which are explained below. If you change the level, you get a pop-up to confirm the change:

Jasper van KPN
Moderator

Hi @MSlokom, welcome to the community. Have you tried the suggestion GeSp provided? Did that help in your situation?


  • Author
  • Participant
  • May 17, 2025

Hi @Jasper van KPN and @GeSp
Thank you for your help. I have made the change, but the VPN did not work.

log:

2025-05-17 21:39:24.653017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-05-17 21:39:24.664960 TCP/UDP: Preserving recently used remote address: [AF_INET]192.16.191.40:1194
2025-05-17 21:39:24.665138 Socket Buffers: R=[786896->786896] S=[9216->9216]
2025-05-17 21:39:24.665156 UDPv4 link local: (not bound)
2025-05-17 21:39:24.665169 UDPv4 link remote: [AF_INET]192.16.191.40:1194
2025-05-17 21:39:24.665204 MANAGEMENT: >STATE:1747510764,WAIT,,,,,,

Bests,

Manel


TDN
  • Wijsgeer
  • May 17, 2025

@MSlokom Try to turn off IPv6 in the KPN modem


  • Slimmerik
  • May 18, 2025

This is very strange: the messages are from OpenVPN trying to make a TLS connection to an IPv4 server, which is specified by address, on UDP port 1194. Switching off IPv6 will not help. On a KPN Box 10 this works without any problem with the outgoing firewall on standard or customized/allow all; the medium setting works too.

Did the connection failure coincide with the upgrade of the router firmware or some other change?


  • Author
  • Participant
  • May 18, 2025

@MSlokom Try to turn off IPv6 in the KPN modem

If I am not wrong, IPv6 is already off.
Still, the VPN is not working.

@hmmsjan_2 How can I know which KPN box I have? I remember that VPN was working fine, until one day it did not work anymore. I did not change anything. I suspect that something happened on KPN's side (e.g., updates!).


TDN
  • Wijsgeer
  • May 18, 2025

How can I know which KPN box I have?

In the admin portal status page.

I remember that VPN was working fine, until one day it does not work anymore. I did not change anything. I suspect that something happened from KPN side (e.g., updates!). 

KPN recently blocked the PPTP protocol, but Tunnelblick uses OpenVPN and would never be blocked, neither by the modem firewall nor on KPN's side.

But which subnet does CWI use? If it uses the subnet 192.168.2.xxx, VPN does not work with the default subnet of the KPN modem.


  • Slimmerik
  • May 19, 2025

In principle you should have got an SMS just before the router was upgraded.

The box type can be found on its admin page at http://192.168.2.254. With the new firmware version you do not even have to log in to see the box type and firmware versions.

The firmware upgrade introduces a firewall for outgoing packets; before, all outgoing traffic was allowed. In the "medium" setting, some protocols that send usernames and passwords in plain text over the wire are blocked. OpenVPN on port 1194 should not be blocked. Firewall "standard" in this context means "just as it was before", so this setting should block nothing.

Since the aim of the new firmware is having the same software on all the different hardware, a working connection on a Box 10 should be a working connection on all other boxes.

In the "port forwarding" section of the router, there is no need for OpenVPN/1194UDP entries; maybe someone suggested this for troubleshooting. This is only needed if you run your own OpenVPN server. In theory (and practice) they should not interfere, unless (maybe) openvpn is configured to use port 1194 as source port. If you have such a port forwarding entry, try to switch it off, but I do not expect improvement.

Other changes in the KPN environment are the transition from DSL to fiber, where the IP address changes. Since you mention "from anywhere but home", I assume your institute does not use whitelists to restrict access, but let's check for blacklisting.


  • Author
  • Participant
  • May 30, 2025

Sorry for going silent for a while! I was not home in the last period. 

If I understand @hmmsjan_2 correctly, I have to check the status of "Forwarding port" and it has to be off. Actually that is the case; it is off by default.



TDN
  • Wijsgeer
  • May 30, 2025

If I understand ​@hmmsjan_2 correctly, I have to check the status of “Forwarding port” and it has to be off. Actually it is the case, it is by default off. 

Port forwarding is not needed for outgoing traffic, but you didn't answer my question: which subnet does CWI use? If it overlaps with the KPN subnet (default 192.168.2.0/24), a VPN connection won't work.


  • Slimmerik
  • May 30, 2025

As the log indicates, the connection does not reach the stage that a VPN interface is created with a possibly overlapping IP address. 

If you have easy contact with your IT, you can ask them to run "tcpdump" on the router's WAN side, filtered with your external IP address, at the same time that you set up a connection from home, to see whether something comes in. If not, I do not understand, because the outgoing firewall should pass the packets.

But this will probably only be possible with a very small IT organization not busy with processing a stack of tickets.


  • Author
  • Participant
  • May 30, 2025

Hi @TDN thanks for your help!

Any idea where I can find CWI's subnet?
Is it in this log <marked in red>:

2025-05-30 11:46:33.178680 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-05-30 11:46:33.184332 TCP/UDP: Preserving recently used remote address: [AF_INET]192.16.191.40:1194
2025-05-30 11:46:33.184488 Socket Buffers: R=[786896->786896] S=[9216->9216]
2025-05-30 11:46:33.184508 UDPv4 link local: (not bound)
2025-05-30 11:46:33.184523 UDPv4 link remote: [AF_INET]192.16.191.40:1194
2025-05-30 11:46:33.184556 MANAGEMENT: >STATE:1748598393,WAIT,,,,,,
2025-05-30 11:47:33.855200 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-05-30 11:47:33.855353 TLS Error: TLS handshake failed


TDN
  • Wijsgeer
  • May 30, 2025

@MSlokom 192.16.191.0/24 is the public IP range of CWI. You can see the private IP range of CWI when you're at work and go to network setting of the network card. You can ask the CWI administrator too.

But this will probably only be possible with a very small IT organization not busy with processing a stack of tickets.

CWI (the national research institute for mathematics and computer science of the Netherlands) is not small and has enough know-how in ICT.


  • Author
  • Participant
  • May 30, 2025

When using mobile data, I manage to use VPN. Here is the log:

2025-05-30 12:08:09.668828 Initialization Sequence Completed
2025-05-30 12:08:09.668850 MANAGEMENT: >STATE:1748599689,CONNECTED,SUCCESS,192.168.38.67,192.16.191.40,1194,,
2025-05-30 12:08:09.668856 Data Channel: cipher 'AES-128-GCM', peer-id: 13
2025-05-30 12:08:09.668860 Timers: ping 10, ping-restart 60
2025-05-30 12:08:09.668863 Protocol options: explicit-exit-notify 1
2025-05-30 12:08:10.914678 *Tunnelblick: DNS address 192.16.184.42 is being routed through the VPN
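The two outcomes in this thread (a tls-error reconnect loop at home, a CONNECTED session over mobile data) can be told apart mechanically from the MANAGEMENT >STATE lines. The following Python is an added example, not from this thread, from Tunnelblick or from KPN: it parses those lines, reports how far the session got, and checks the assigned tunnel address against a home LAN range, assuming 192.168.2.0/24 as the KPN default that TDN mentions. The sample log lines are constructed from the ones quoted above, and the RECONNECTING line in the home sample is constructed to match the format seen earlier in the thread.

```python
import ipaddress
import re
# Constructed samples based on the lines quoted in this thread (the final
# RECONNECTING line is constructed to match the >STATE format seen above).
HOME_LOG = """\
2025-05-30 11:46:33.184523 UDPv4 link remote: [AF_INET]192.16.191.40:1194
2025-05-30 11:46:33.184556 MANAGEMENT: >STATE:1748598393,WAIT,,,,,,
2025-05-30 11:47:33.855200 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-05-30 11:47:33.855353 TLS Error: TLS handshake failed
2025-05-30 11:47:33.856000 MANAGEMENT: >STATE:1748598453,RECONNECTING,tls-error,,,,,
"""
MOBILE_LOG = """\
2025-05-30 12:08:09.668828 Initialization Sequence Completed
2025-05-30 12:08:09.668850 MANAGEMENT: >STATE:1748599689,CONNECTED,SUCCESS,192.168.38.67,192.16.191.40,1194,,
"""

# >STATE fields: unix time, state, description, tunnel (local) IP, remote IP, remote port
STATE_RE = re.compile(r">STATE:(\d+),([A-Z_]+),([^,]*),([^,]*),([^,]*),([^,]*)")
REMOTE_RE = re.compile(r"link remote: \[AF_INET\]([\d.]+):(\d+)")

def analyse(log: str, home_lan: str = "192.168.2.0/24") -> dict:
    """Summarise how far the session got and whether its tunnel IP collides with the home LAN."""
    lan = ipaddress.ip_network(home_lan)
    result = {"stage": None, "detail": None, "remote": None,
              "tunnel_ip": None, "tls_timeouts": 0, "lan_overlap": False}
    for line in log.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            result["remote"] = (m.group(1), int(m.group(2)))
        if "TLS key negotiation failed" in line:
            result["tls_timeouts"] += 1
        m = STATE_RE.search(line)
        if not m:
            continue
        state, detail, tunnel_ip = m.group(2), m.group(3), m.group(4)
        result["stage"], result["detail"] = state, detail
        if state == "CONNECTED" and tunnel_ip:
            result["tunnel_ip"] = tunnel_ip
            result["lan_overlap"] = ipaddress.ip_address(tunnel_ip) in lan
    return result

def diagnose(result: dict) -> str:
    # No tunnel address at all means the UDP exchange with the server never
    # completed, so (as noted in the thread) subnet overlap cannot yet be the cause.
    if result["tunnel_ip"] is None:
        return "handshake never completed; check the path to the server first"
    if result["lan_overlap"]:
        return "tunnel address lies inside the home LAN; routes will clash"
    return "connected; tunnel address does not overlap the home LAN"
```

Run it against a full Tunnelblick log to get the same two answers for any capture; passing a different `home_lan` shows what an overlap would look like.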


  • Author
  • Participant
  • May 30, 2025

@MSlokom 192.16.191.0/24 is the public IP range of CWI. You can see the private IP range of CWI when you're at work and go to network setting of the network card. You can ask the CWI administrator too.

But this will probably only be possible with a very small IT organization not busy with processing a stack of tickets.

CWI (the national research institute for mathematics and computer science of the Netherlands) is not small and has enough know-how in ICT.

Right! I will check this point with the IT person on Monday.
Previously, he checked the issue with me and did not know what was wrong :) .