Tunnelblick does not restore local DHCP DNS servers on disconnecting


john.l...@yoti.com

Jan 8, 2018, 8:40:24
to: tunnelblick-discuss
We are using Tunnelblick 3.7.4b (Stable) under either Sierra 10.12.6 or High Sierra 10.13.2 to connect to several corporate VPN systems; this works fine. When connected, the VPN server pushes settings to the client to tell the client to use the matching company DNS server; this also works fine.

What does not work as expected is that when you disconnect the VPN sessions, Tunnelblick does not restore the original setting of DHCP-provided DNS servers; it leaves the VPN-pushed DNS servers in place instead.

(Unplugging the Ethernet cable or turning WiFi off and back on does restore the original DHCP-provided DNS settings.)

As a comparison, using the built-in Apple VPN client on a Mac to connect to a VPN server can also get DNS servers pushed via the VPN connection, but in this case it will correctly revert to DHCP-provided DNS servers when the VPN connection is disconnected.

I would therefore consider this to be a 'bug'.

Tunnelblick developer

Jan 8, 2018, 8:51:58
to: tunnelblick-discuss
This is likely to be a misconfiguration of your setup, but you didn't post the diagnostic info from Before You Post, so I can't be more specific.

tut...@gmail.com

Jan 12, 2018, 8:39:40
to: tunnelblick-discuss
I came here to post the same "bug" but I believe I found the culprit. I believe, by default, that the latest stable version has "reset the primary interface after disconnecting" disabled.  This setting can be found via...

VPN Details -> Configurations -> Settings

Alternatively, the VPN service generated configuration may forget to enable this.

Either way, at least for me, checking this seemed to fix the problem.  I hope this helps.

macOS High Sierra
Tunnelblick 3.7.4b

Tunnelblick developer

Jan 12, 2018, 8:50:55
to: tunnelblick-discuss
@tutcove - "Reset primary interface after disconnecting" has always defaulted to "off"; that isn't something new in "the latest stable release".

As I wrote elsewhere, in response to a similar report, which failed to restore routing properly after a disconnection:

This is usually due to an OpenVPN misconfiguration.


For example, including "user nobody" and "group nogroup" in a configuration that relies on OpenVPN doing the routing (as yours apparently does). The problem is that with "user nobody", OpenVPN is running as "nobody" when the disconnect occurs, and "nobody" does not have the permissions needed to restore the routes. (Without "user nobody", OpenVPN continues running as "root", so when the disconnect occurs, OpenVPN can restore the routes.)

You can solve that problem by removing "user nobody" and "group nogroup" from the OpenVPN configuration file. (A computer administrator must do this.)


Another solution that usually works, and which can be done by a non-computer-administrator, is to have Tunnelblick reset the primary interface when there is a disconnect:

  • In older versions of Tunnelblick (prior to 3.7.5beta03), use the "Reset the primary interface after disconnecting" checkbox on the "Settings" tab on the "Configurations" panel of Tunnelblick's "VPN Details" window.
  • On newer versions of Tunnelblick (3.7.5beta03 and higher), set both the "On expected disconnect" and the "On unexpected disconnect" settings to "Reset Primary Interface". They are on the "Settings" tab on the "Configurations" panel of Tunnelblick's "VPN Details" window.

Note that when making a change to almost any Tunnelblick setting, the change will be applied to all configurations that are selected in the list on the left side of the "Configurations" panel, so you can change the settings for multiple configurations at one time.
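
The "user nobody" / "group nogroup" misconfiguration described in the reply above can be checked for in a configuration file before connecting. This is an added example, not part of the thread and not Tunnelblick's own code; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: report active privilege-drop directives in an OpenVPN config.

# Print "LINE:directive value" for each uncommented `user` / `group` line.
find_priv_drop() {
    awk '
        # Contents of inline blocks (<ca> ... </ca>) are data, not directives.
        /^[ \t]*<\/[A-Za-z0-9_-]+>/ { inblock = 0; next }
        /^[ \t]*<[A-Za-z0-9_-]+>/   { inblock = 1; next }
        inblock                     { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Lines starting with "#" or ";" are OpenVPN comments.
            if (line == "" || line ~ /^[#;]/) next
            n = split(line, f, /[ \t]+/)
            if ((f[1] == "user" || f[1] == "group") && n >= 2)
                printf "%d:%s %s\n", NR, f[1], f[2]
        }
    ' "$1"
}

# Return 1 (and explain) when the config makes OpenVPN drop privileges.
check_config() {
    hits=$(find_priv_drop "$1")
    if [ -n "$hits" ]; then
        echo "$1: OpenVPN drops privileges and may be unable to restore routes on disconnect:"
        echo "$hits"
        return 1
    fi
    echo "$1: no active user/group directives"
}

# Constructed sample configuration (not from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun
remote vpn.example.com 1194
# user nobody
;group nogroup
  user nobody
group nogroup
<ca>
user inside-inline-block
</ca>
EOF
check_config "$sample" || true
```
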
