I am using Tunnelblick to connect to a VPN (OpenVPN) with OS X 10.9.2. I can authenticate and pass traffic, but the DNS entries injected from the VPN do not work.

Here is the output of scutil --dns (resolver #1 is the correct DNS server injected by Tunnelblick):

    resolver #1
      search domain : XXXXX.net
      nameserver    : 10.10.0.15
      if_index      : 5 (en1)
      flags         : Request A records
      reach         : Reachable
The problem is that if_index should be tap0 and not en1:

    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether e4:ce:8f:1b:42:cc
        inet6 fe80::e6ce:8fff:fe1b:42cc%en1 prefixlen 64 scopeid 0x5
        inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
        nd6 options=1<PERFORMNUD>
        media: autoselect
        status: active
    tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 0a:83:8d:37:dc:b9
        inet 10.10.0.100 netmask 0xffff0000 broadcast 10.10.255.255
        open (pid 4997)
host all can reach the DNS server correctly, but the rest of OS X cannot (I understand these have a standalone resolution mechanism that does not rely on the rest of OS X). I have confirmed with Wireshark that the DNS packets sent by nslookup et al. go out tap0, and DNS packets sent by other programs (e.g. ping) go out eth0 and of course never get to their destination. Could it be possible that scutil doesn't actually look at the routing table before sending packets? If so, how can I edit the scutil entry to correct the
Tunnelblick's configuration drop-down is set to "set nameserver", and the relevant portion of my server.conf is shown below. Since I am getting the DNS information correctly, I think the problem is with OS X and its scutil setup.

    ...etc..
    server-bridge 10.10.0.15 255.255.0.0 10.10.0.100 10.10.0.200

    # Certain Windows-specific network settings
    # can be pushed to clients, such as DNS
    # or WINS server addresses. CAVEAT:
    # http://openvpn.net/faq.html#dhcpcaveats
    # The addresses below refer to the public
    # DNS servers provided by opendns.com.
    push "dhcp-option DNS 10.10.0.15"
    push "dhcp-option DOMAIN wattsworth.net"
    ...etc...
Struggling with the same problem, I found that running the scselect command with new-location-name set to the same location as currently used did reset the network settings, and DNS started working through the VPN. At the same time the scutil results remained constant (i.e. it still shows the if_index set to the Ethernet interface).

Run scselect with no arguments to learn the GUID of the currently used location, then run it again with the intended location as an argument.
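The two-step procedure from this answer as an added shell example (not part of the original question or answer): it reads the current set's GUID from scselect output, re-selects that set, and then reports which interface scutil --dns attached to resolver #1. The " * <GUID>	(<name>)" layout of scselect output and the sample data are assumptions, constructed to match the commands' output on OS X 10.9.

```shell
#!/bin/sh
# Added example, not from the original post. Re-applies the current network
# location with scselect (as the answer describes) and then reports which
# interface scutil --dns bound to resolver #1.
# Assumption: scselect lists sets as " * <GUID>\t(<name>)" with the current
# set starred; the sample outputs below are constructed to match that shape.

# GUID of the currently selected set, read from scselect output on stdin.
current_set_guid() {
    awk '$1 == "*" { print $2; exit }'
}

# "if_index" value of resolver #N (e.g. "5 (en1)"), read from scutil --dns
# output on stdin. Only lines inside the requested resolver block count.
resolver_if_index() {
    awk -v want="resolver #$1" '
        $0 == want               { hit = 1; next }
        /^resolver #/            { hit = 0 }
        hit && $1 == "if_index"  { sub(/^[^:]*: */, ""); print; exit }'
}

# Constructed sample data shaped like the real command output (assumption).
sample_scselect() {
    printf 'Defined sets include: (* == current set)\n'
    printf '   2B6D1C7A-0000-4000-8000-000000000001\t(Home)\n'
    printf ' * 9F3E5A1B-0000-4000-8000-000000000002\t(Automatic)\n'
}
sample_scutil_dns() {
    printf 'resolver #1\n  search domain[0] : example.net\n'
    printf '  nameserver[0] : 10.10.0.15\n  if_index : 5 (en1)\n'
    printf 'resolver #2\n  nameserver[0] : 10.0.1.1\n  if_index : 6 (tap0)\n'
}

# Re-select the current set so configd rebuilds the DNS configuration.
reselect_current_location() {
    guid=$(scselect 2>&1 | current_set_guid)
    [ -n "$guid" ] || { echo "no current set found" >&2; return 1; }
    scselect "$guid"
}

case "${1:-}" in
    --run)  reselect_current_location
            echo "resolver #1 is bound to: $(scutil --dns | resolver_if_index 1)" ;;
    --demo) echo "current set: $(sample_scselect | current_set_guid)"
            echo "resolver #1: $(sample_scutil_dns | resolver_if_index 1)" ;;
esac
```

Run with --demo on any system to exercise the parsing against the constructed data, or with --run on the affected Mac to re-select the location and see whether resolver #1 moves from en1 to tap0.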