Tunnelblick doesn't understand 'push "redirect-gateway ipv6"', leaks DNS


Jen H

Apr 7, 2017, 9:44:31 AM
to tunnelblick-discuss
Steps to reproduce:

1. Configure a default gateway for IPv6 in your server.conf using:

   push "redirect gateway ipv6"

or

   push "redirect-gateway-ipv6 def1"

Actual result:

- Connect with IPv6 device using OpenVPN client: Both syntax styles are accepted and DNS route and gateway from server get pushed to client. No DNS leaks.

- Connect with IPv6 using Tunnelblick: Tunnelblick connects but throws an error (Options error: unknown --redirect-gateway flag: ipv6) and DNS leaks.

Actual result:

Tunnelblick understands and applies the ipv6 gateway. No DNS leaks.

Tested on 3.7.0 and 3.7.2 beta 2, same result.

Jen H

Apr 7, 2017, 9:45:36 AM
to tunnelblick-discuss
Expected result is that Tunnelblick understands the option, that is. ;)

Tunnelblick developer

Apr 7, 2017, 10:14:01 AM
to tunnelblick-discuss
  1. OpenVPN does not have a "redirect" option, nor does it have a "redirect-gateway-ipv6" option, so neither of your configurations would work on any OpenVPN setup. I assume those were just typos and you meant "redirect-gateway ipv6" and "redirect-gateway ipv6 def1".

  2. IPv6 DNS and other leaks can be prevented by putting a check in Tunnelblick's "Disable IPv6 (tun only)" checkbox for the configuration.

  3. Tunnelblick itself does not support IPv6 (except via #2 above); the only other support for IPv6 it has is whatever is included in the version of OpenVPN that is being used.

  4. The error message "Options error: unknown --redirect-gateway flag: ipv6" comes from OpenVPN, not Tunnelblick. It is appearing because you are using a version of OpenVPN that does not support the "ipv6" flag. You can select the version of OpenVPN that Tunnelblick uses on the "Settings" tab of the "VPN Details" window.

In the future, please follow the instructions at Read Before You Post to get the info needed to diagnose problems and then post that info with a description of the problem.


Jen H

Apr 7, 2017, 10:32:58 AM
to tunnelblick-discuss


On Friday, April 7, 2017 at 10:14:01 AM UTC-4, Tunnelblick developer wrote:

  1. OpenVPN does not have a "redirect" option, nor does it have a "redirect-gateway-ipv6" option, so neither of your configurations would work on any OpenVPN setup. I assume those were just typos and you meant "redirect-gateway ipv6" and "redirect-gateway ipv6 def1".

Yeah, a typo, the option in server config is "push redirect-gateway ipv6"

  2. IPv6 DNS and other leaks can be prevented by putting a check in Tunnelblick's "Disable IPv6 (tun only)" checkbox for the configuration.

Disable IPv6 is checked.

  3. Tunnelblick itself does not support IPv6 (except via #2 above); the only other support for IPv6 it has is whatever is included in the version of OpenVPN that is being used.

This is an IPv4-only server setup, the gateway is set up to route IPv6 devices to it anyway.

  4. The error message "Options error: unknown --redirect-gateway flag: ipv6" comes from OpenVPN, not Tunnelblick. It is appearing because you are using a version of OpenVPN that does not support the "ipv6" flag. You can select the version of OpenVPN that Tunnelblick uses on the "Settings" tab of the "VPN Details" window.

Yes, but Tunnelblick installs OpenVPN - this is on the client side. When I check to see what was installed by Tunnelblick, it shows openvpn-2.1.4, not 2.3.14, as one would expect.

Could this be an upgrade bug? Do you not update OpenVPN in Tunnelblick.app/Contents/Resources/openvpn during upgrade?

  In the future, please follow the instructions at Read Before You Post to get the info needed to diagnose problems and then post that info with a description of the problem.

I did, actually, but I think we've got an upgrade bug that's worth catching. I can route around it, but an upgrading user not paying attention might miss this and leak DNS.
 

Tunnelblick developer

Apr 7, 2017, 10:38:30 AM
to tunnelblick-discuss
Please post the diagnostic info showing the problem.

Jen H

Apr 7, 2017, 11:11:09 AM
to tunnelblick-discuss
Turns out this is not an upgrade bug, but my bad on a bad locate cache - locate openvpn on the command line still shows openvpn-2.1.4 installs, but it's a ghost. 2.3.14 and 2.4.1 are in the right spot and the log shows 2.3.14 is being called correctly. Ran OpenVPN 2.3.14 on the command line and got the same result, looks like you're right -- got bit by the manual static DNS settings here.
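
A log check for the failure discussed in this thread, as an added example that is not part of any post and not Tunnelblick's or OpenVPN's own code: it reads the OpenVPN version banner and any "unknown --redirect-gateway flag" errors from a client log, and flags a tunnel that came up even though a pushed flag was refused. The sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan an OpenVPN client log for refused redirect-gateway flags.

# Constructed sample log; real logs carry more lines and other timestamps.
sample_log() {
cat <<'EOF'
Fri Apr  7 09:40:01 2017 OpenVPN 2.3.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO]
Fri Apr  7 09:40:03 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway ipv6,route-gateway 10.8.0.1'
Fri Apr  7 09:40:03 2017 Options error: unknown --redirect-gateway flag: ipv6
Fri Apr  7 09:40:05 2017 Initialization Sequence Completed
EOF
}

# Print the OpenVPN version from the startup banner (first match only).
log_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenVPN \([0-9][0-9.]*\) .*/\1/p' | head -n 1
}

# Print each redirect-gateway flag the client refused, one per line.
rejected_flags() {
    printf '%s\n' "$1" |
        sed -n 's/.*unknown --redirect-gateway flag: \([A-Za-z0-9_-]*\).*/\1/p' |
        sort -u
}

# Verdict line. "state=connected" with a refused flag is the quiet case:
# the tunnel is up, but the pushed redirect was never applied.
check_log() {
    log=$1
    ver=$(log_version "$log")
    flags=$(rejected_flags "$log" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$flags" ]; then
        echo "ok version=${ver:-unknown}"
    elif printf '%s\n' "$log" | grep -q 'Initialization Sequence Completed'; then
        echo "risk version=${ver:-unknown} rejected=$flags state=connected"
    else
        echo "risk version=${ver:-unknown} rejected=$flags state=not-connected"
    fi
}

# Runs on the sample; for a real log use: check_log "$(cat /path/to/client.log)"
check_log "$(sample_log)"
```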