I am using Tunnelblick to connect to a VPN (OpenVPN) with OS X 10.9.2. I can authenticate and pass traffic, but the DNS entries injected from the VPN do not work.
Here is the output of scutil --dns (resolver #1 is the correct DNS server injected by Tunnelblick):
resolver #1
search domain[0] : XXXXX.net
nameserver[0] : 10.10.0.15
if_index : 5 (en1)
flags : Request A records
reach : Reachable
The problem is if_index should be tap0 and not en1. From ifconfig:
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether e4:ce:8f:1b:42:cc
inet6 fe80::e6ce:8fff:fe1b:42cc%en1 prefixlen 64 scopeid 0x5
inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 0a:83:8d:37:dc:b9
inet 10.10.0.100 netmask 0xffff0000 broadcast 10.10.255.255
open (pid 4997)
nslookup, dig, and host all can reach the DNS server correctly, but the rest of OS X cannot (I understand these have a standalone resolution mechanism that does not rely on the rest of OS X). I have confirmed with Wireshark that the DNS packets sent by nslookup et al. go out tap0 and DNS packets sent by other programs (e.g. ping) go out eth0 and of course never get to their destination. Could it be possible that scutil doesn't actually look at the routing table before sending packets? If so, how can I edit the scutil entry to correct the if_index?
Tunnelblick's configuration drop-down is set to set nameserver, and the relevant portion of my server.conf is shown below. Since I am getting the DNS information correctly, I think the problem is with OS X and its scutil setup.
...etc..
server-bridge 10.10.0.15 255.255.0.0 10.10.0.100 10.10.0.200
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 10.10.0.15"
push "dhcp-option DOMAIN wattsworth.net"
...etc...
Struggling with the same problem, I found that running the scselect command with new-location-name set to the same as the currently used one did reset the network settings, and DNS started working through the VPN.
At the same time the scutil results remained constant (i.e. it still shows the if_index set to the Ethernet interface).
First run scselect with no arguments to learn the GUID of the currently used location, then run it again with the intended location as an argument.
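The symptom in the question is a DNS leak: the resolver is bound to the physical interface (en1) instead of the tunnel (tap0), so system lookups bypass the VPN. The script below is an added example, not code from the question or the answer: it checks `scutil --dns` text for resolvers whose if_index is not the expected tunnel interface, extracts the current location GUID from `scselect` output (the `*`-marked line), and re-applies it as the answer describes. It assumes the output formats shown in the question and in current macOS releases; the SAMPLE_* texts are constructed for illustration, and the live commands only run when the script is invoked with `--apply`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes scutil --dns output in
# the shape quoted in the question and scselect output of the form
# " * <GUID> (Name)" for the current set. Sample data below is constructed.

# Read `scutil --dns` text on stdin; report every resolver with a nameserver
# whose if_index names an interface other than $1 (e.g. tap0).
# Exit status 1 when such a resolver exists (the leak condition), else 0.
check_resolver_iface() {
    awk -v want="$1" '
        /resolver #/   { res = $0; ns = "" }
        /nameserver\[/ { ns = $3 }            # "nameserver[0] : 10.10.0.15"
        /if_index/ {
            ifn = $NF; gsub(/[()]/, "", ifn)  # "if_index : 5 (en1)" -> en1
            if (ns != "" && ifn != want) {
                printf "%s: nameserver %s bound to %s, expected %s\n", res, ns, ifn, want
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}

# Read `scselect` text on stdin; print the GUID of the currently selected
# location (the line whose first field is "*").
current_location() {
    awk '$1 == "*" { print $2; exit }'
}

# Re-select the location that is already current, which reapplies the network
# configuration (the workaround from the answer). scselect may print to
# stderr, so both streams are captured.
reselect_current_location() {
    loc=$(scselect 2>&1 | current_location)
    if [ -z "$loc" ]; then
        echo "could not determine current location from scselect" >&2
        return 1
    fi
    scselect "$loc"
}

# Constructed sample: resolver #1 bound to en1 while the VPN uses tap0.
SAMPLE_DNS='resolver #1
  search domain[0] : example.net
  nameserver[0] : 10.10.0.15
  if_index : 5 (en1)
  flags    : Request A records
  reach    : Reachable

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000'

# Constructed sample: the same resolver correctly bound to tap0.
SAMPLE_DNS_OK='resolver #1
  search domain[0] : example.net
  nameserver[0] : 10.10.0.15
  if_index : 8 (tap0)
  flags    : Request A records
  reach    : Reachable'

# Constructed sample of `scselect` output (GUIDs are placeholders).
SAMPLE_SCSELECT='Defined sets include: (* == current set)
 * 0B1C6DEA-0000-4000-8000-EXAMPLE00001 (Automatic)
   7D3F2A10-0000-4000-8000-EXAMPLE00002 (Office VPN)'

if [ "${1:-}" = "--apply" ]; then
    # Live mode (macOS only): check the real resolver table, then reapply.
    if scutil --dns | check_resolver_iface "${2:-tap0}"; then
        echo "resolvers already bound to ${2:-tap0}"
    else
        reselect_current_location
    fi
else
    # Offline demonstration on the constructed sample.
    if printf '%s\n' "$SAMPLE_DNS" | check_resolver_iface tap0; then
        echo "no DNS leak detected in sample"
    else
        echo "DNS leak condition detected in sample"
    fi
    echo "current location in sample: $(printf '%s\n' "$SAMPLE_SCSELECT" | current_location)"
fi
```

Run it without arguments to see the check on the constructed data; on the affected Mac, `./check_vpn_dns.sh --apply tap0` performs the check against the live `scutil --dns` output and only re-selects the location when a resolver is still bound elsewhere.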
User contributions licensed under CC BY-SA 3.0