Set nameserver (alternate 1) causes write to TUN/TAP : Input/output error (code=5)


ch...@christopher-shaw.com

Apr 29, 2016, 12:14:29 PM
to tunnelblick-discuss
So I'm having an issue where I'm getting the error: write to TUN/TAP : Input/output error (code=5) when I change Set DNS/WINS to Set nameserver (alternate 1).

I suspect anyone else can reproduce this issue by specifying dhcp-option DNS xxx.xxx.xxx.xxx in their client config and changing Set DNS/WINS to Set nameserver (alternate 1).

This issue appears to happen on both the stable version and latest beta (Tunnelblick 3.6.3beta02 (build 4559)).

Here's my client config (excluding certificates and with my public domain name removed):
dev tap
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote *SANITIZED* 1194 udp
lport 0
verify-x509-name *SANITIZED* name
ns-cert-type server
comp-lzo adaptive
lladdr *SANITIZED*
dhcp-option DNS 172.16.0.12
dhcp-option DNS 172.16.0.13
dhcp-option DNS 192.168.0.254 

Below is the log file:

*Tunnelblick: OS X 10.11.4; Tunnelblick 3.6.2 (build 4558); prior version 3.6.0a (build 4543.4546)

2016-04-29 11:28:50 *Tunnelblick: Attempting connection with config; Set nameserver = 781; not monitoring connection

2016-04-29 11:28:50 *Tunnelblick: openvpnstart start config.tblk 1337 781 0 3 1 1065330 -ptADGNWradsgnw 2.3.10

2016-04-29 11:28:50 *Tunnelblick: openvpnstart starting OpenVPN

2016-04-29 11:28:51 *Tunnelblick: openvpnstart log:

     Loading tap-signed.kext

     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

     

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.10/openvpn

          --daemon

          --log

          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sconfig.tblk-SContents-SResources-Sconfig.ovpn.781_0_3_1_1065330.1337.openvpn.log

          --cd

          /Library/Application Support/Tunnelblick/Shared/config.tblk/Contents/Resources

          --verb

          3

          --config

          /Library/Application Support/Tunnelblick/Shared/config.tblk/Contents/Resources/config.ovpn

          --verb

          3

          --cd

          /Library/Application Support/Tunnelblick/Shared/config.tblk/Contents/Resources

          --management

          127.0.0.1

          1337

          --management-query-passwords

          --management-hold

          --script-security

          2

          --up

          /Applications/Tunnelblick.app/Contents/Resources/client.3.up.tunnelblick.sh -9 -a -d -f -w -ptADGNWradsgnw

          --down

          /Applications/Tunnelblick.app/Contents/Resources/client.3.down.tunnelblick.sh -9 -a -d -f -w -ptADGNWradsgnw


2016-04-29 11:28:51 *Tunnelblick: Established communication with OpenVPN

2016-04-29 11:28:51 OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Apr 23 2016

2016-04-29 11:28:51 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09

2016-04-29 11:28:51 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337

2016-04-29 11:28:51 Need hold release from management interface, waiting...

2016-04-29 11:28:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337

2016-04-29 11:28:51 MANAGEMENT: CMD 'pid'

2016-04-29 11:28:51 MANAGEMENT: CMD 'state on'

2016-04-29 11:28:51 MANAGEMENT: CMD 'state'

2016-04-29 11:28:51 MANAGEMENT: CMD 'bytecount 1'

2016-04-29 11:28:51 MANAGEMENT: CMD 'hold release'

2016-04-29 11:28:51 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2016-04-29 11:28:51 Control Channel Authentication: tls-auth using INLINE static key file

2016-04-29 11:28:51 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

2016-04-29 11:28:51 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

2016-04-29 11:28:51 Socket Buffers: R=[196724->196724] S=[9216->9216]

2016-04-29 11:28:51 MANAGEMENT: >STATE:1461943731,RESOLVE,,,

2016-04-29 11:28:51 UDPv4 link local (bound): [undef]

2016-04-29 11:28:51 UDPv4 link remote: [AF_INET]*SANITIZED*

2016-04-29 11:28:51 MANAGEMENT: >STATE:1461943731,WAIT,,,

2016-04-29 11:28:51 MANAGEMENT: >STATE:1461943731,AUTH,,,

2016-04-29 11:28:51 TLS: Initial packet from [AF_INET]*SANITIZED*:1194, sid=5e31b703 8f4362ff

2016-04-29 11:28:51 VERIFY OK: *SANITIZED*

2016-04-29 11:28:51 VERIFY OK: nsCertType=SERVER

2016-04-29 11:28:51 VERIFY X509NAME OK: *SANITIZED*

2016-04-29 11:28:51 VERIFY OK: *SANITIZED*

2016-04-29 11:28:51 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

2016-04-29 11:28:51 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2016-04-29 11:28:51 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

2016-04-29 11:28:51 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2016-04-29 11:28:53 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

2016-04-29 11:28:53 [*SANITIZED*] Peer Connection Initiated with [AF_INET]*SANITIZED*:1194

2016-04-29 11:28:54 MANAGEMENT: >STATE:1461943734,GET_CONFIG,,,

2016-04-29 11:28:55 SENT CONTROL [*SANITIZED*]: 'PUSH_REQUEST' (status=1)

2016-04-29 11:28:55 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN *SANITIZED*,ping 10,ping-restart 60'

2016-04-29 11:28:55 OPTIONS IMPORT: timers and/or timeouts modified

2016-04-29 11:28:55 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

2016-04-29 11:28:55 TUN/TAP device /dev/tap0 opened

2016-04-29 11:28:55 /sbin/ifconfig tap0 lladdr *SANITIZED*

2016-04-29 11:28:55 TUN/TAP link layer address set to *SANITIZED*

2016-04-29 11:28:55 /Applications/Tunnelblick.app/Contents/Resources/client.3.up.tunnelblick.sh -9 -a -d -f -w -ptADGNWradsgnw tap0 1500 1590   init

                                          No such key

2016-04-29 11:28:57 *Tunnelblick client.3.up.tunnelblick.sh: Up to two 'No such key' warnings are normal and may be ignored

2016-04-29 11:28:57 *Tunnelblick client.3.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use

2016-04-29 11:28:57 Initialization Sequence Completed

2016-04-29 11:28:57 MANAGEMENT: >STATE:1461943737,CONNECTED,SUCCESS,,*SANITIZED*

2016-04-29 11:28:57 write to TUN/TAP : Input/output error (code=5)

2016-04-29 11:28:57 write to TUN/TAP : Input/output error (code=5)

2016-04-29 11:28:57 write to TUN/TAP : Input/output error (code=5)

2016-04-29 11:28:57 write to TUN/TAP : Input/output error (code=5)

2016-04-29 11:28:57 *Tunnelblick: No 'connected.sh' script to execute

2016-04-29 11:28:58 write to TUN/TAP : Input/output error (code=5)

2016-04-29 11:28:58 write to TUN/TAP : Input/output error (code=5)

2016-04-29 11:28:58 write to TUN/TAP : Input/output error (code=5)

2016-04-29 11:28:59 write to TUN/TAP : Input/output error (code=5)

2016-04-29 11:28:59 write to TUN/TAP : Input/output error (code=5)


If I change Set DNS/WINS to any other option, my VPN works properly, but it doesn't use the DNS servers I want. Also, if I remove the three dhcp-option DNS settings from my client config, the Set nameserver (alternate 1) option works. Because the VPN pushes one DNS server (192.168.0.254), my DHCP-assigned DNS servers are all overwritten, making it so I can't resolve anything that's internal to the network I'm initially connected to. An option to Append nameservers would be ideal for me, since I want to keep my already-assigned DNS servers and just append any DNS servers that are returned when connecting to the VPN.

Jonathan K. Bullard

Apr 29, 2016, 12:25:13 PM
to tunnelbli...@googlegroups.com
The only setting that is really supported is the default "Set DNS" setting; the other settings are for backward compatibility. ("Do not set nameserver" is supported, too, of course!)

I think what you want is "split DNS": use one nameserver for some domains, and use another nameserver for everything else. Tunnelblick does not have that sort of setup built in; you would have to create your own.

Note: DNS on OS X works differently than on Windows when you have specified multiple nameservers.

On Windows, when you request name resolution Windows sends a request to all of the nameservers you have and then returns the result from the first server that answers.

On OS X, when you request name resolution OS X sends a request only to the first nameserver. If that nameserver does not respond within 30 seconds, OS X sends the request (and all further requests) to the second nameserver. If the second nameserver does not respond, OS X moves on to try the third, etc.

So when you specify nameservers of A and B on OS X, it will use A. It will only use B if A fails to respond, which is unusual.
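
One way to build the "split DNS" setup discussed in this thread on OS X, as an added example that is not part of the thread and not Tunnelblick's own code: it uses the system's per-domain resolver(5) files in /etc/resolver. The domain corp.example and the function names are hypothetical, the nameserver addresses are the ones from the client config posted above, and how the functions are hooked into the VPN's up and down scripts is left to the reader.

```shell
#!/bin/sh
# Added example: per-domain ("split") DNS on macOS using resolver(5) files.
# A file named after a domain in /etc/resolver sends lookups for that domain
# to the nameservers it lists; all other names keep using the default servers.

RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"   # override for a dry run

# The domain becomes a file name, so accept only plain DNS names
# (no "/", no leading dot, no "..").
valid_domain() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*..*) return 1 ;;
    esac
}

# Dotted-quad IPv4 check with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# split_dns_add DOMAIN NAMESERVER... : call when the VPN comes up (needs root)
split_dns_add() {
    domain=$1; shift
    valid_domain "$domain" || { echo "bad domain: $domain" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no nameservers given" >&2; return 1; }
    for ns in "$@"; do
        is_ipv4 "$ns" || { echo "bad nameserver: $ns" >&2; return 1; }
    done
    mkdir -p "$RESOLVER_DIR" || return 1
    tmp="$RESOLVER_DIR/.$domain.tmp.$$"
    for ns in "$@"; do echo "nameserver $ns"; done > "$tmp" || return 1
    # Write to a temp file and rename so the final file appears in one step.
    chmod 644 "$tmp" && mv "$tmp" "$RESOLVER_DIR/$domain"
}

# split_dns_remove DOMAIN : call when the VPN goes down
split_dns_remove() {
    valid_domain "$1" || return 1
    rm -f "$RESOLVER_DIR/$1"
}

# Usage (hypothetical domain, nameservers from the config posted above):
#   split_dns_add corp.example 172.16.0.12 172.16.0.13
```

After adding a domain, `scutil --dns` lists the resulting per-domain resolver; tools that query a nameserver directly, such as dig, do not consult these files.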



