DNS not changing after VPN connection made


changr...@gmail.com

Feb 13, 2018, 4:40:39 PM
to tunnelblick-discuss
Not sure if this is an unusual issue. I'm on macOS 10.13.3. I am able to get Tunnelblick to connect to my VPN server but the DNS is not changing to the one provided by the VPN server. I have tried all the "Set DNS/WINS" choices but none of them are setting the DNS upon successful VPN connection.

*Tunnelblick: OS X 10.13.3; Tunnelblick 3.7.4b (build 4921); Admin user

git commit 88763bb2b2bfcc7debb3ddc78cdf5a350722717c



Configuration client


"Sanitized" condensed configuration file for /Users/cyong/Library/Application Support/Tunnelblick/Configurations/client.tblk:


client

dev tap

proto udp

remote XXX.XXX.XXX.XXX 12974

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client.crt

key client.key

cipher AES-128-CBC

comp-lzo

verb 5

script-security 2

up dhcp-client-request.sh



================================================================================


Non-Apple kexts that are loaded:


Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>

   33    0 0xffffff7f85a44000 0x110000   0x110000   com.ni.driver.nipalk (2.9.1) D74E3D96-0578-3E6A-48E5-89EF613CB305 <32 12 5 4 3>

   87    0 0xffffff7f811ad000 0x17c000   0x17c000   at.obdev.nke.LittleSnitch (5116) 67B9951B-2573-3684-AC08-396F1B4D8E2A <7 5 4 3 1>


================================================================================


Unusual files in client.tblk:

      Contents/Resources/dhcp-client-request.sh


================================================================================


Configuration preferences:


useDNS = 1

-notMonitoringConnection = 0

-routeAllTrafficThroughVpn = 1

-runMtuTest = 0

-useRouteUpInsteadOfUp = 1

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0

-keepConnected = 0

-loggingLevel = 3

-lastConnectionSucceeded = 1

-prependDomainNameToSearchDomains = 0


================================================================================


Wildcard preferences:


-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0


================================================================================


Program preferences:


launchAtNextLogin = 1

tunnelblickVersionHistory = (

    "3.7.4b (build 4921)"

)

statusDisplayNumber = 0

lastLaunchTime = 540243573.926268

lastLanguageAtLaunchWasRTL = 0

connectionWindowDisplayCriteria = showWhenConnecting

maxLogDisplaySize = 102400

lastConnectedDisplayName = client

keyboardShortcutIndex = 1

updateCheckAutomatically = 1

NSWindow Frame ConnectingWindow = 525 529 389 187 0 0 1440 877 

detailsWindowFrameVersion = 4921

detailsWindowFrame = {{39, 326}, {920, 468}}

detailsWindowLeftFrame = {{0, 0}, {165, 350}}

detailsWindowViewIndex = 0

detailsWindowConfigurationsTabIdentifier = log

leftNavSelectedDisplayName = client

AdvancedWindowTabIdentifier = connectingAndDisconnecting

haveDealtWithOldTunTapPreferences = 1

haveDealtWithOldLoginItem = 1

SUEnableAutomaticChecks = 1

SUScheduledCheckInterval = 86400

SULastCheckTime = 2018-02-13 19:39:34 +0000

SUHasLaunchedBefore = 1

WebKitDefaultFontSize = 16

WebKitStandardFont = Times


================================================================================


Tunnelblick Log:


2018-02-13 13:10:56 *Tunnelblick: openvpnstart starting OpenVPN

*Tunnelblick: OS X 10.13.3; Tunnelblick 3.7.4b (build 4921)

2018-02-13 13:10:56 *Tunnelblick: Attempting connection with client using shadow copy; Set nameserver = 769; monitoring connection

2018-02-13 13:10:56 *Tunnelblick: openvpnstart start client.tblk 1337 769 0 1 0 1098610 -ptADGNWradsgnw 2.4.4-openssl-1.0.2n

2018-02-13 13:10:58 *Tunnelblick: openvpnstart log:

     Loading tap-signed.kext

     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

     

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2n/openvpn

          --daemon

          --log

          /Library/Application Support/Tunnelblick/Logs/-SUsers-Scyong-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sclient.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098610.1337.openvpn.log

          --cd

          /Library/Application Support/Tunnelblick/Users/cyong/client.tblk/Contents/Resources

          --setenv

          IV_GUI_VER

          "net.tunnelblick.tunnelblick 4921 3.7.4b (build 4921)"

          --verb

          3

          --config

          /Library/Application Support/Tunnelblick/Users/cyong/client.tblk/Contents/Resources/config.ovpn

          --verb

          3

          --cd

          /Library/Application Support/Tunnelblick/Users/cyong/client.tblk/Contents/Resources

          --management

          127.0.0.1

          1337

          --management-query-passwords

          --management-hold

          --redirect-gateway

          def1

          --script-security

          2

          --route-up

          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw

          --down

          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw

          --route-pre-down

          /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw


2018-02-13 13:10:57 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Dec  7 2017

2018-02-13 13:10:57 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10

2018-02-13 13:10:57 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337

2018-02-13 13:10:57 Need hold release from management interface, waiting...

2018-02-13 13:10:58 *Tunnelblick: Established communication with OpenVPN

2018-02-13 13:10:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337

2018-02-13 13:10:58 MANAGEMENT: CMD 'pid'

2018-02-13 13:10:58 MANAGEMENT: CMD 'state on'

2018-02-13 13:10:58 MANAGEMENT: CMD 'state'

2018-02-13 13:10:58 MANAGEMENT: CMD 'bytecount 1'

2018-02-13 13:10:58 MANAGEMENT: CMD 'hold release'

2018-02-13 13:10:58 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

2018-02-13 13:10:58 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2018-02-13 13:10:58 MANAGEMENT: >STATE:1518556258,RESOLVE,,,,,,

2018-02-13 13:10:58 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.YYY.YYY:12974

2018-02-13 13:10:58 Socket Buffers: R=[196724->196724] S=[9216->9216]

2018-02-13 13:10:58 UDP link local: (not bound)

2018-02-13 13:10:58 UDP link remote: [AF_INET]XXX.XXX.YYY.YYY:12974

2018-02-13 13:10:58 MANAGEMENT: >STATE:1518556258,WAIT,,,,,,

2018-02-13 13:10:58 MANAGEMENT: >STATE:1518556258,AUTH,,,,,,

2018-02-13 13:10:58 TLS: Initial packet from [AF_INET]XXX.XXX.YYY.YYY:12974, sid=a1d6f7ba 1e18a3cb

2018-02-13 13:10:58 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear CA, name=EasyRSA, emailAddress=mail@netgear

2018-02-13 13:10:58 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=server, name=EasyRSA, emailAddress=mail@netgear

2018-02-13 13:10:58 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

2018-02-13 13:10:58 [server] Peer Connection Initiated with [AF_INET]XXX.XXX.YYY.YYY:12974

2018-02-13 13:10:59 Key [AF_INET]XXX.XXX.YYY.YYY:12974 [0] not initialized (yet), dropping packet.

2018-02-13 13:10:59 MANAGEMENT: >STATE:1518556259,GET_CONFIG,,,,,,

2018-02-13 13:10:59 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

2018-02-13 13:10:59 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,route-delay 10,route-gateway 192.168.1.1,redirect-gateway def1'

2018-02-13 13:10:59 OPTIONS IMPORT: timers and/or timeouts modified

2018-02-13 13:10:59 OPTIONS IMPORT: route options modified

2018-02-13 13:10:59 OPTIONS IMPORT: route-related options modified

2018-02-13 13:10:59 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key

2018-02-13 13:10:59 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication

2018-02-13 13:10:59 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key

2018-02-13 13:10:59 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication

2018-02-13 13:10:59 TUN/TAP device /dev/tap0 opened

2018-02-13 13:10:59 dhcp-client-request.sh tap0 1500 1590   init

2018-02-13 13:11:09 /sbin/route add -net XXX.XXX.YYY.YYY 10.75.224.1 255.255.255.255

                                        add net XXX.XXX.YYY.YYY: gateway 10.75.224.1

2018-02-13 13:11:09 /sbin/route add -net 0.0.0.0 192.168.1.1 128.0.0.0

                                        add net 0.0.0.0: gateway 192.168.1.1

2018-02-13 13:11:09 /sbin/route add -net 128.0.0.0 192.168.1.1 128.0.0.0

                                        add net 128.0.0.0: gateway 192.168.1.1

                                        **********************************************

                                        Start of output from client.up.tunnelblick.sh

                                        NOTE: No network configuration changes need to be made.

                                        WARNING: Will NOT monitor for other network configuration changes.

                                        DNS servers 'ZZZ.ZZZ.ZZZ.ZZZ ZZZ.ZZZ.ZZZ.ZZY' will be used for DNS queries when the VPN is active

                                        The DNS servers include only free public DNS servers known to Tunnelblick.

                                        Flushed the DNS cache via dscacheutil

                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil

                                        Notified mDNSResponder that the DNS cache was flushed

                                        End of output from client.up.tunnelblick.sh

                                        **********************************************

2018-02-13 13:11:11 *Tunnelblick: No 'connected.sh' script to execute

2018-02-13 13:11:11 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

2018-02-13 13:11:11 Initialization Sequence Completed

2018-02-13 13:11:11 MANAGEMENT: >STATE:1518556271,CONNECTED,SUCCESS,,XXX.XXX.YYY.YYY,12974,,

2018-02-13 13:11:30 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed

2018-02-13 13:11:31 *Tunnelblick: No 'pre-disconnect.sh' script to execute

2018-02-13 13:11:31 *Tunnelblick: Disconnecting using 'kill'

2018-02-13 13:11:31 event_wait : Interrupted system call (code=4)

2018-02-13 13:11:31 /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1590   init

                                        **********************************************

                                        Start of output from client.route-pre-down.tunnelblick.sh

                                        WARNING: No saved Tunnelblick DNS configuration found; not doing anything.

                                        End of output from client.route-pre-down.tunnelblick.sh

                                        **********************************************

2018-02-13 13:11:32 /sbin/route delete -net XXX.XXX.YYY.YYY 10.75.224.1 255.255.255.255

                                        delete net XXX.XXX.YYY.YYY: gateway 10.75.224.1

2018-02-13 13:11:32 /sbin/route delete -net 0.0.0.0 192.168.1.1 128.0.0.0

                                        delete net 0.0.0.0: gateway 192.168.1.1

2018-02-13 13:11:32 /sbin/route delete -net 128.0.0.0 192.168.1.1 128.0.0.0

                                        delete net 128.0.0.0: gateway 192.168.1.1

2018-02-13 13:11:32 Closing TUN/TAP interface

2018-02-13 13:11:32 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1590   init

                                        **********************************************

                                        Start of output from client.down.tunnelblick.sh

                                        WARNING: Not restoring DNS settings because no saved Tunnelblick DNS information was found.

                                        Flushed the DNS cache via dscacheutil

                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil

                                        Notified mDNSResponder that the DNS cache was flushed

                                        End of output from client.down.tunnelblick.sh

                                        **********************************************

2018-02-13 13:11:33 SIGTERM[hard,] received, process exiting

2018-02-13 13:11:33 MANAGEMENT: >STATE:1518556293,EXITING,SIGTERM,,,,,

2018-02-13 13:11:34 *Tunnelblick: No 'post-disconnect.sh' script to execute

2018-02-13 13:11:34 *Tunnelblick: Expected disconnection occurred.


================================================================================


"Sanitized" full configuration file


client

dev tap

proto udp

remote XXX.XXX.XXX.XXX  12974

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client.crt

key client.key

cipher AES-128-CBC

comp-lzo

verb 5

script-security 2

up dhcp-client-request.sh




================================================================================


ifconfig output:


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>

inet 127.0.0.1 netmask 0xff000000 

inet6 ::1 prefixlen 128 

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 

nd6 options=201<PERFORMNUD,DAD>

gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

stf0: flags=0<> mtu 1280

XHC20: flags=0<> mtu 0

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

ether b8:e8:56:1a:6b:8c 

inet6 fe80::1c22:6eba:6337:5350%en0 prefixlen 64 secured scopeid 0x5 

inet 10.75.229.24 netmask 0xfffff800 broadcast 10.75.231.255

nd6 options=201<PERFORMNUD,DAD>

media: autoselect

status: active

p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304

ether 0a:e8:56:1a:6b:8c 

media: autoselect

status: inactive

awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484

ether 5e:69:ba:42:15:29 

inet6 fe80::5c69:baff:fe42:1529%awdl0 prefixlen 64 scopeid 0x7 

nd6 options=201<PERFORMNUD,DAD>

media: autoselect

status: active

en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

options=60<TSO4,TSO6>

ether 32:00:1b:e5:80:00 

media: autoselect <full-duplex>

status: inactive

bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

options=63<RXCSUM,TXCSUM,TSO4,TSO6>

ether 32:00:1b:e5:80:00 

Configuration:

id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0

maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200

root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0

ipfilter disabled flags 0x2

member: en1 flags=3<LEARNING,DISCOVER>

        ifmaxaddr 0 port 8 priority 0 path cost 0

nd6 options=201<PERFORMNUD,DAD>

media: <unknown type>

status: inactive

utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000

inet6 fe80::70a9:294e:2042:21d8%utun0 prefixlen 64 scopeid 0xa 

nd6 options=201<PERFORMNUD,DAD>

utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380

inet6 fe80::a93d:b8e4:d137:2063%utun1 prefixlen 64 scopeid 0xc 

nd6 options=201<PERFORMNUD,DAD>


================================================================================


Console Log:


2018-02-13 11:19:44 Tunnelblick[14917] startDisconnectingUserKnows: while already disconnecting 'client'; OpenVPN state = 'DISCONNECTING'

2018-02-13 11:19:45 Tunnelblick[14917] startDisconnectingUserKnows: while already disconnecting 'client'; OpenVPN state = 'DISCONNECTING'

2018-02-13 11:19:45 Tunnelblick[14917] startDisconnectingUserKnows: while already disconnecting 'client'; OpenVPN state = 'DISCONNECTING'

2018-02-13 11:19:45 Tunnelblick[14917] startDisconnectingUserKnows: while already disconnecting 'client'; OpenVPN state = 'DISCONNECTING'

2018-02-13 11:19:46 Tunnelblick[14917] startDisconnectingUserKnows: while already disconnecting 'client'; OpenVPN state = 'DISCONNECTING'

2018-02-13 11:19:56 Tunnelblick[14917] startDisconnectingUserKnows: while already disconnecting 'client'; OpenVPN state = 'RECONNECTING'

2018-02-13 11:22:38 Tunnelblick[14917] applicationShouldTerminate: termination because of restart; delayed until 'shutdownTunnelblick' finishes

2018-02-13 11:22:38 Tunnelblick[14917] Finished shutting down Tunnelblick; allowing termination

2018-02-13 11:23:36 Tunnelblick[395] Tunnelblick: OS X 10.13.3; Tunnelblick 3.7.4b (build 4921)

2018-02-13 11:31:58 Tunnelblick[886] Tunnelblick: OS X 10.13.3; Tunnelblick 3.7.4b (build 4921)

2018-02-13 11:31:59 Tunnelblick[886] Sparkle: ===== Tunnelblick =====

2018-02-13 11:31:59 Tunnelblick[886] Sparkle: Verified appcast signature

2018-02-13 11:39:17 Tunnelblick[886] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes

2018-02-13 11:39:18 Tunnelblick[886] Finished shutting down Tunnelblick; allowing termination

2018-02-13 11:39:33 Tunnelblick[1015] Tunnelblick: OS X 10.13.3; Tunnelblick 3.7.4b (build 4921)

2018-02-13 11:39:34 Tunnelblick[1015] Sparkle: ===== Tunnelblick =====

2018-02-13 11:39:34 Tunnelblick[1015] Sparkle: Verified appcast signature

2018-02-13 11:39:53 Tunnelblick[1015] Using icon set 'TunnelBlick-black-white.TBMenuIcons' without Retina images

2018-02-13 11:50:49 tunnelblickd[1128] Status = 1 from tunnelblick-helper command 'down 2'

2018-02-13 11:50:49 Tunnelblick[1015] tunnelblickd status from down: 1

                                       tunnelblickd stdout:

                                       'Executing client.2.down.tunnelblick.sh in /Applications/Tunnelblick.app/Contents/Resources...

                                       client.2.down.tunnelblick.sh returned with status 1

                                       '


Tunnelblick developer

Feb 13, 2018, 4:48:05 PM
to tunnelblick-discuss
Your OpenVPN server isn't "pushing" any DNS changes:

'PUSH_REPLY,ping 10,ping-restart 120,route-delay 10,route-gateway 192.168.1.1,redirect-gateway def1'
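
A check for the condition the reply above points at, as an added example that is not part of the original posts or of Tunnelblick: it parses the PUSH_REPLY line of an OpenVPN log and reports whether a DNS server or route-gateway was pushed and which warnings were logged. The function names, the second sample log and its 192.0.2.53 address are constructed for illustration.

```python
import re

# Lines copied from the Tunnelblick log posted in this thread.
THREAD_LOG = """\
2018-02-13 13:10:58 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2018-02-13 13:10:59 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-02-13 13:10:59 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,route-delay 10,route-gateway 192.168.1.1,redirect-gateway def1'
"""

# Constructed sample (not from the thread): a reply that pushes a DNS server
# but no route-gateway; 192.0.2.53 is a documentation address.
CONSTRUCTED_LOG = """\
2018-02-16 12:00:00 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.0.2.53,ping 10,ping-restart 120'
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'\s*$")


def pushed_options(log_text):
    """Return [(name, [args])] from the last PUSH_REPLY in the log, or None."""
    options = None
    for line in log_text.splitlines():
        match = PUSH_RE.search(line)
        if match:
            # Options are comma-separated; each is a name followed by arguments.
            options = [(p[0], p[1:]) for p in
                       (o.split() for o in match.group(1).split(",")) if p]
    return options


def audit(log_text):
    """Summarise what the server pushed and which warnings OpenVPN logged."""
    options = pushed_options(log_text) or []
    report = {
        # DNS servers arrive as: dhcp-option DNS <address>
        "dns_servers": [a[1] for n, a in options
                        if n == "dhcp-option" and len(a) >= 2
                        and a[0].upper() == "DNS"],
        "route_gateway": next((a[0] for n, a in options
                               if n == "route-gateway" and a), None),
        "redirect_gateway": any(n == "redirect-gateway" for n, _ in options),
        "warnings": [line.split(" WARNING: ", 1)[1].strip()
                     for line in log_text.splitlines() if " WARNING: " in line],
    }
    # With no pushed DNS server the client keeps its pre-VPN resolvers.
    report["dns_unchanged"] = not report["dns_servers"]
    return report


if __name__ == "__main__":
    for label, text in (("thread log", THREAD_LOG),
                        ("constructed", CONSTRUCTED_LOG)):
        print(label, audit(text))
```

On the thread's log this reports no pushed DNS servers, a route-gateway of 192.168.1.1, and the server certificate verification warning.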

changr...@gmail.com

Feb 13, 2018, 6:16:06 PM
to tunnelblick-discuss
Ok, that makes sense now. That VPN service runs on a Netgear Orbi router. I don't see any option on the admin page for the router to enable/disable DNS service. I'll just post this question on Netgear's community site. Thanks!

changr...@gmail.com

Feb 16, 2018, 3:05:49 PM
to tunnelblick-discuss
In the Netgear Orbi router VPN service configuration screen, I can choose these options for "Clients will use this VPN connection to access" with the following choices:
- Auto
- All sites on the Internet & Home network
- Home Network only

Originally, I selected "All sites on the internet & home network". It is this option that prevented the DNS from being pushed to the VPN client.

When I select "Auto", the DNS is now being correctly pushed to the VPN client. But the IP address is not changing. I looked at the troubleshooting guide and added "redirect-gateway def1" to the configuration file but I am getting this error:

NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing.

Do you know what this means?

Thanks for your help!



Tunnelblick developer

Feb 16, 2018, 4:31:10 PM
to tunnelblick-discuss
Sorry, I don't; it's an OpenVPN message.

If nobody else helps, you'll have to contact Netgear or ask on their forums.

bagg...@gmail.com

Mar 2, 2018, 9:25:47 AM
to tunnelblick-discuss
I had a similar problem and struggled with it for a long time.
Then it turned out that it was necessary to add `push "route-delay 10"` on the server side.

Here is an example of my configuration in which the VPN server works as a bridge using DHCP from the local network:
server-bridge
push "redirect-gateway def1"
push "route-delay 10"

This is to ensure that the routes on the client are updated 10 seconds after setting up the VPN connection and receiving a response from the DHCP.


Tunnelblick developer

Mar 3, 2018, 4:56:23 AM
to tunnelblick-discuss
As an alternative if you don't control the OpenVPN server, you could add a "route-delay 10" option in each client OpenVPN configuration file – that is, add it directly in the client instead of having the server push it to the client.

changr...@gmail.com

Mar 6, 2018, 2:32:50 PM
to tunnelblick-discuss
Adding "route-delay 10" to the OpenVPN config file didn't help.

So on version 3.7.4a of Tunnelblick, when my Orbi router's VPN service is set to Auto, its DNS gets pushed to the VPN client.

However on version 3.7.5 of Tunnelblick, the DNS is not pushed to the VPN client.