I am using Tunnelblick to connect to a VPN (OpenVPN) with OS X 10.9.2. I can authenticate and pass traffic but the DNS entries injected from the VPN do not work.
Here is the output of scutil --dns
(resolver #1 is the correct DNS server injected by Tunnelblick)
resolver #1
search domain[0] : XXXXX.net
nameserver[0] : 10.10.0.15
if_index : 5 (en1)
flags : Request A records
reach : Reachable
The problem is if_index should be tap0 and not en1. From ifconfig:
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether e4:ce:8f:1b:42:cc
inet6 fe80::e6ce:8fff:fe1b:42cc%en1 prefixlen 64 scopeid 0x5
inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 0a:83:8d:37:dc:b9
inet 10.10.0.100 netmask 0xffff0000 broadcast 10.10.255.255
open (pid 4997)
nslookup, dig, and host all can reach the DNS server correctly but the rest of OS X cannot (I understand these have a standalone resolution mechanism that does not rely on the rest of OS X). I have confirmed with Wireshark that the DNS packets sent by nslookup et al. go out tap0 and DNS packets sent by other programs (e.g. ping) go out eth0 and of course never get to their destination. Could it be possible that scutil doesn't actually look at the routing table before sending packets?? If so how can I edit the scutil entry to correct the if_index?
Tunnelblick's configuration drop-down is set to set nameserver and the relevant portion of my server.conf is shown below. Since I am getting the DNS information correctly I think the problem is with OS X and its scutil setup.
...etc..
server-bridge 10.10.0.15 255.255.0.0 10.10.0.100 10.10.0.200
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 10.10.0.15"
push "dhcp-option DOMAIN wattsworth.net"
...etc...
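A diagnostic for the situation the question describes, added here as an example (it is not code from the post, from Tunnelblick or from OpenVPN): it parses the `scutil --dns` resolver format shown above and flags every resolver whose if_index interface differs from the interface the routing table actually uses to reach that nameserver. That disagreement is exactly what the post reports for resolver #1, and a VPN DNS server reached via the physical interface rather than the tunnel is also the classic DNS-leak condition worth checking for. The scutil sample and the `table_iface` lookup are constructed stand-ins so the script runs anywhere; on a Mac, pipe the real `scutil --dns` in and use `route_iface`, which wraps the real `route -n get` command and reads its `interface:` line.

```shell
#!/bin/sh
# Added diagnostic (not from the post): parse `scutil --dns` output and flag
# resolvers whose if_index interface is not the interface the routing table
# would use to reach the nameserver. On a live Mac, pipe `scutil --dns` in and
# pass route_iface as the lookup; the offline run uses a constructed sample
# and a table lookup so it can execute on any system.

# Constructed sample resembling the post's output: resolver #1 is the VPN
# nameserver but is attached to en1; resolver #2 is the LAN resolver.
SAMPLE_SCUTIL='resolver #1
  search domain[0] : XXXXX.net
  nameserver[0] : 10.10.0.15
  if_index : 5 (en1)
  flags    : Request A records
  reach    : Reachable
resolver #2
  nameserver[0] : 10.0.1.1
  if_index : 5 (en1)
  flags    : Request A records
  reach    : Reachable'

# Read scutil --dns text on stdin; print "nameserver interface" per resolver.
# A resolver may list several nameserver[N] lines before its single if_index,
# so nameservers are buffered until the if_index line is seen.
resolver_pairs() {
  awk '
    /^resolver #/  { n = 0; split("", ns) }
    /nameserver\[/ { ns[n++] = $NF }
    /if_index/     { ifc = $NF; gsub(/[()]/, "", ifc)
                     for (i = 0; i < n; i++) print ns[i], ifc }
  '
}

# Real lookup for macOS: the interface the kernel routes this address through.
route_iface() {
  route -n get "$1" 2>/dev/null | awk '/interface:/ { print $2 }'
}

# Offline stand-in for route_iface mirroring the post's routing table:
# 10.10.0.0/16 is the server-bridge subnet behind tap0, everything else en1.
table_iface() {
  case "$1" in
    10.10.*) echo tap0 ;;
    *)       echo en1  ;;
  esac
}

# find_mismatches LOOKUP < scutil-output
# Prints "nameserver scutil_iface route_iface" for every resolver whose
# if_index disagrees with the route; prints nothing when all agree.
find_mismatches() {
  lookup=$1
  resolver_pairs | while read -r ns ifc; do
    want=$("$lookup" "$ns")
    [ "$ifc" = "$want" ] || echo "$ns $ifc $want"
  done
}

# Offline demonstration; on a Mac: scutil --dns | find_mismatches route_iface
printf '%s\n' "$SAMPLE_SCUTIL" | find_mismatches table_iface
```

On the sample this prints `10.10.0.15 en1 tap0`: the VPN nameserver is attached to en1 in the resolver configuration while the route to it goes through tap0. An empty result means every configured resolver is attached to the interface its nameserver is actually reachable through.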
Please include your Tunnelblick configuration and the OpenVPN server configuration... You should have a push "dhcp-option DNS ..." statement server-side, and in the Tunnelblick config "set nameserver" for the 'Set DNS/WINS' drop-down. – milli – 2014-03-26T17:20:03.763