<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
Hi Rogier,
<div class="">Further info from an affected Windows laptop. There is no warning appearing in the Task Bar, but the pop-up error message (attached) looks like what you would expect if NCSI checks are failing. </div>
<div class=""><br class="">
</div>
<div class="">This laptop has routing table entries for 0.0.0.0/0, 0.0.0.0/1, and 128.0.0.0/1.</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Louis</div>
<div class=""><br class="">
</div>
<div class=""><img apple-inline="yes" id="20EA6765-19A1-424D-96E1-28C1BC8AB884" src="cid:4E28B910-28B4-4896-BDBD-7FACDCCE9FC1" class=""></div>
<div class=""><br class="">
<div class="">
<div>-------<br class="">
Louis Twomey<br class="">
Technical Architect<br class="">
PGP key: C77D9256<br class="">
HEAnet CLG, Ireland’s National Education and Research Network<br class="">
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland<br class="">
+353 (0)1 6609040 <a href="mailto:louis.twomey@heanet.ie" class="">louis.twomey@heanet.ie</a> <a href="http://www.heanet.ie" class="">www.heanet.ie</a><br class="">
Registered in Ireland, No. 275301. CRA No. 20036270</div>
<div class=""><br class="">
</div>
<br class="Apple-interchange-newline">
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 10 Jul 2020, at 11:59, Louis Twomey <<a href="mailto:louis.twomey@heanet.ie" class="">louis.twomey@heanet.ie</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
Hi Rogier,
<div class="">Thanks a lot for the clarification, the symptoms certainly do fit with the NCSI issue.</div>
<div class=""><br class="">
</div>
<div class="">For info, here is a portion of the routing table from an affected Windows laptop (x.y.5.128/25 is the eduVPN pool range):</div>
<div class=""><br class="">
</div>
<div class="">IPv4 Route Table<br class="">
===========================================================================<br class="">
Active Routes:<br class="">
Network Destination Netmask Gateway Interface Metric<br class="">
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.165 25<br class="">
0.0.0.0 128.0.0.0 x.y.5.129 x.y.5.135 259<br class="">
x.y.5.128 255.255.255.192 On-link x.y.5.135 259<br class="">
x.y.5.135 255.255.255.255 On-link x.y.5.135 259<br class="">
x.y.5.191 255.255.255.255 On-link x.y.5.135 259<br class="">
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331<br class="">
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331<br class="">
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331<br class="">
128.0.0.0 128.0.0.0 x.y.5.129 x.y.5.135 259</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">I don’t have any other info from an affected Windows machine yet (e.g. whether it shows the “No internet” message), but I’m hoping to receive such info soon.</div>
<div class=""><br class="">
</div>
<div class="">I have also attached a screenshot of the error that appears on an affected MacOS laptop.</div>
<div class=""><span id="cid:543E9EC2-92A6-4D9F-B811-171F4D4DD065"><Screenshot 2020-07-07 at 15.42.21.png></span></div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Louis<br class="">
<div class="">
<div class="">-------<br class="">
Louis Twomey<br class="">
Technical Architect<br class="">
PGP key: C77D9256<br class="">
HEAnet CLG, Ireland’s National Education and Research Network<br class="">
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland<br class="">
+353 (0)1 6609040 <a href="mailto:louis.twomey@heanet.ie" class="">louis.twomey@heanet.ie</a> <a href="http://www.heanet.ie/" class="">www.heanet.ie</a><br class="">
Registered in Ireland, No. 275301. CRA No. 20036270</div>
<div class=""><br class="">
</div>
<br class="Apple-interchange-newline">
</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 8 Jul 2020, at 20:09, Rogier Spoor <<a href="mailto:Rogier.Spoor@SURF.nl" class="">Rogier.Spoor@SURF.nl</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">CAUTION[External]: This email originated from outside of the organisation. Do not click on links or open the attachments unless you recognise the sender and know the content is safe.<br class="">
<br class="">
<br class="">
Hi Louis,<br class="">
<br class="">
<blockquote type="cite" class="">The O365 issue some of our users are experiencing is different to the one described on Github. Our users can successfully access O365 and open documents in the browser, but attempts to open the same documents in local MS apps
fail. And this is happening on both a Windows laptop and a MacOS laptop.<br class="">
</blockquote>
You describe exactly the same issue. In browser it works but not in<br class="">
Outlook app. I notice the ticket is writing about O365, but am sure this<br class="">
is only related to app-usage and not browser.<br class="">
<br class="">
Background is how NCSI – Network Connection Status Indicator is checking<br class="">
'the internet'.<br class="">
(<a href="https://support.microsoft.com/en-us/help/4494446/an-internet-explorer-or-edge-window-opens-when-your-computer-connects" class="">https://support.microsoft.com/en-us/help/4494446/an-internet-explorer-or-edge-window-opens-when-your-computer-connects</a>)<br class="">
<br class="">
In future we might change the NCSI behaviour via the windows-app, maybe<br class="">
by changing the NCSI server to 127.0.0.1 (as suggested here:<br class="">
<a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Windows-NCSI" class="">https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Windows-NCSI</a>). But am<br class="">
not yet sure, needs some further investigation. We'd prefer to fix it in<br class="">
a future OpenVPN release instead of fixing it in the eduVPN app.<br class="">
<br class="">
Regarding macOS I'd guess the root cause is something else. Do you have<br class="">
a screenshot what type of app is being used and what the error is all<br class="">
about?<br class="">
<br class="">
regards,<br class="">
Rogier<br class="">
<br class="">
<br class="">
<br class="">
One user believed they fixed the problem by flushing their routing table<br class="">
- I suspect that flushing the table was not actually relevant at all but<br class="">
while looking into this I discovered the difference in behaviour between<br class="">
the two versions of MacOS eduVPN client.<br class="">
<blockquote type="cite" class=""><br class="">
Regards,<br class="">
Louis<br class="">
-------<br class="">
Louis Twomey<br class="">
Technical Architect<br class="">
PGP key: C77D9256<br class="">
HEAnet CLG, Ireland’s National Education and Research Network<br class="">
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland<br class="">
+353 (0)1 6609040 <a href="mailto:louis.twomey@heanet.ie" class="">louis.twomey@heanet.ie</a> <a href="http://www.heanet.ie/" class="">www.heanet.ie</a><br class="">
Registered in Ireland, No. 275301. CRA No. 20036270<br class="">
<br class="">
<br class="">
<br class="">
<blockquote type="cite" class="">On 8 Jul 2020, at 16:51, Rogier Spoor <<a href="mailto:Rogier.Spoor@SURF.nl" class="">Rogier.Spoor@SURF.nl</a>> wrote:<br class="">
<br class="">
CAUTION[External]: This email originated from outside of the organisation. Do not click on links or open the attachments unless you recognise the sender and know the content is safe.<br class="">
<br class="">
<br class="">
hi Louis,<br class="">
<br class="">
The v1.2.1. macOS app (DMG installer) is an old app version. We strongly<br class="">
advice user with macOS 10.14 and higher to deinstall this app and<br class="">
install the Appstore version:<br class="">
<a href="https://www.eduvpn.org/blog/new-macos-app.html" class="">https://www.eduvpn.org/blog/new-macos-app.html</a><br class="">
<br class="">
The Appstore app integrates more nicely with macOS because it uses a<br class="">
NetworkExtensions API. This should be the most solid way to integrate in<br class="">
the OS.<br class="">
<br class="">
To be honest I don't really understand the logic of the<br class="">
"networkextensions" routing table. I notice /32-like routing entries for<br class="">
the nameservers and other destinations, but I really have no clue why.<br class="">
<br class="">
Tried to find sometime ago documentation about this new routing table<br class="">
approach but so far didn't find any explanation.<br class="">
<br class="">
I did noticed WireGuard, which also is using NetworkExtensions API, has<br class="">
same kind of strange routing table entries.<br class="">
<br class="">
Regarding the O365 issue. For windows this is a known issue. Can be<br class="">
'fixed' by adding a 0.0.0.0 route on the eduVPN server. All details and<br class="">
background about this issue:<br class="">
<a href="https://github.com/Amebis/eduVPN/issues/136" class="">https://github.com/Amebis/eduVPN/issues/136</a><br class="">
<br class="">
Hope this helps.<br class="">
<br class="">
cheers,<br class="">
Rogier<br class="">
<br class="">
<br class="">
<br class="">
On 07/07/2020 18:35, Louis Twomey via eduVPN-deploy wrote:<br class="">
<blockquote type="cite" class="">Hi,<br class="">
I am troubleshooting a problem where some of our staff occasionally experience problems when accessing O365 services via our eduVPN servers. They can access Sharepoint, and they can open Sharepoint documents in the browser, but they can’t open the same documents
in their local apps - the nature of the error suggests a possible networking issue.<br class="">
<br class="">
The problem affected two staff members today, at least one of them is using a MacOS 10.15.5 laptop and a recent version of the eduVPN client, v2.1.7 (837). I have not experienced this problem, I have a MacOS 10.15.5 laptop too, but my eduVPN client is v1.2.1.<br class="">
<br class="">
When looking at the routing table on my laptop, and the affected laptop, they are very different and I wonder whether this is because the newer eduVPN client behaves differently?<br class="">
<br class="">
My laptop routing table is very short and very “clean", my older eduVPN client adds only 6 routes via the virtual/tunnel interface (for: 0/1,128.0/1, 192.168.0.0/25, 192.168.0.128/25, host route for gateway IP of eduVPN server, eduVPN pool range). By complete
contrast, the laptop with the newer eduVPN client has over 30 additional routes and most of them are host routes, here is a snippet of the IPv4 table:<br class="">
<br class="">
Internet:<br class="">
Destination Gateway Flags Netif Expire<br class="">
default link#18 UCS utun2<br class="">
default 192.168.0.1 UGScI en0<br class="">
1.1.1.1 link#18 UHW3I utun2 2<br class="">
1.2.3.4 link#18 UHW3I utun2 1<br class="">
8.8.8.8 link#18 UHW3I utun2 3<br class="">
13.88.28.53 link#18 UHWIi utun2<br class="">
40.126.1.143 link#18 UHWIi utun2<br class="">
<br class="">
Is it standard behaviour of the newer MacOS eduVPN client to add a “default” route as above, and to add multiple host routes?<br class="">
<br class="">
Thanks,<br class="">
Louis<br class="">
-------<br class="">
Louis Twomey<br class="">
Technical Architect<br class="">
PGP key: C77D9256<br class="">
HEAnet CLG, Ireland’s National Education and Research Network<br class="">
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland<br class="">
+353 (0)1 6609040 <a href="mailto:louis.twomey@heanet.ie" class="">louis.twomey@heanet.ie</a> <a href="http://www.heanet.ie" class="">www.heanet.ie</a><br class="">
Registered in Ireland, No. 275301. CRA No. 20036270<br class="">
<br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
eduVPN-deploy mailing list<br class="">
<a href="mailto:eduVPN-deploy@list.surfnet.nl" class="">eduVPN-deploy@list.surfnet.nl</a><br class="">
<a href="https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy" class="">https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy</a><br class="">
<br class="">
</blockquote>
</blockquote>
<br class="">
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>