DNS issues only with multiple interfaces configured


Enrico Cavalli

Jun 20, 2017, 3:10:14 AM
to tunnelblick-discuss
Hello everybody, I just subscribed to this group to see if anyone has experienced the same issue I'm having.

Latest OS X Sierra 10.12.5 and latest beta version, Tunnelblick 3.7.2beta02 (build 4830).

My server configuration pushes redirect-gateway def1, one private DNS resolver and the two Google public DNS resolvers.
It has been working for a number of years...

I noticed on a new Mac that it only works if I use a network location with just one interface (Wi-Fi).
If I use the default network location (with Wi-Fi, Thunderbolt Bridge, USB and other network interfaces) Tunnelblick seems to work: see the output from the client.up script below.

BUT what really happens is that /etc/resolv.conf does not change and scutil reports no changes. The tunnel is up and testing DNS resolution manually works perfectly well (TCP/IP is OK). Another interesting fact is that tcpdump does not show any DNS query on any interface.

Any suggestions on where to investigate? I suppose a "bug" in the up script? I didn't find anything similar in the Google group or GitHub issues.

Best regards
Enrico
 
Start of output from client.up.tunnelblick.sh
Disabled IPv6 for 'Wi-Fi'
Disabled IPv6 for 'Apple USB Ethernet Adapter'
Disabled IPv6 for 'iPhone'
Disabled IPv6 for 'Bluetooth PAN'
Disabled IPv6 for 'Thunderbolt Bridge'
Retrieved from OpenVPN: name server(s) [ 10.250.1.23 ], domain name [ XXXXX ], search domain(s) [  ], and SMB server(s) [  ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Prepending 'XXXXXX' to search domains '' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '8.8.8.8 8.8.4.4' to '10.250.1.23'
Changed DNS SearchDomains setting from '' to 'XXXXX'
Changed DNS DomainName setting from '' to 'XXXXX'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of 'YYYYYYY'
DNS servers '10.250.1.23' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh

**********************************************

Tunnelblick developer

Jun 22, 2017, 10:07:07 PM
to tunnelblick-discuss
Please follow the instructions at Read Before You Post to get the info needed to diagnose problems and then post that info.

๏̯͡๏ Guido Barosio

Jun 22, 2017, 10:40:00 PM
to tunnelbli...@googlegroups.com
Unset google dns's, letting your dns provider set their dns. Tunnelblick appears not to be happy when he finds out that you hardcoded your dns.

At least that worked for me. Might not be your case!

Best,

--
You received this message because you are subscribed to the Google Groups "tunnelblick-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tunnelblick-dis...@googlegroups.com.
Visit this group at https://groups.google.com/group/tunnelblick-discuss.
For more options, visit https://groups.google.com/d/optout.
--

Enrico Cavalli

Jun 23, 2017, 2:31:34 AM
to tunnelbli...@googlegroups.com

> On 23 Jun 2017, at 04:07, Tunnelblick developer <jkbu...@gmail.com> wrote:
>
> Please follow the instructions at Read Before You Post to get the info needed to diagnose problems and then post that info.
>


Please find attached the required logs (other settings are verified). not-working.txt refers to the default network locations
working.txt refers to a network location with only the wi-fi interface enabled.

Best regards,
Enrico.


not-working.txt
working.txt

Tunnelblick developer

Jun 23, 2017, 7:57:41 AM
to tunnelblick-discuss
Thanks. Everything looks pretty normal as far as I can tell.

Can you describe what the "iPhone" interface is? Do you have your iPhone plugged into your Mac? Are you "tethering" the mac and the iPhone?

The only slightly unusual things I see are the "iPhone" and "Apple USB Ethernet Adapter" interfaces. Can you try the VPN when only they are disabled? That is, with Wi-Fi, Bluetooth PAN, and "Thunderbolt Bridge" all enabled? If that works, then try enabling "iPhone" and "Apple USB Ethernet Adapter" individually.

I'm hoping to see if only one of them (I suspect the iPhone) is causing this problem.
 
On Friday, June 23, 2017 at 2:31:34 AM UTC-4, Enrico Cavalli wrote:

Enrico Cavalli

Jun 23, 2017, 8:32:07 AM
to tunnelbli...@googlegroups.com

> On 23 Jun 2017, at 13:57, Tunnelblick developer <jkbu...@gmail.com> wrote:
>
> Thanks. Everything looks pretty normal as far as I can tell.
>
> Can you describe what the "iPhone" interface is? Do you have your iPhone plugged into your Mac? Are you "tethering" the mac and the iPhone?

I suppose it was automatically created once I used the iPhone via USB for tethering. Surely I didn't create it.


>
> The only slightly unusual things I see are the "iPhone" and "Apple USB Ethernet Adapter" interfaces. Can you try the VPN when only they are disabled? That is, with Wi-Fi, Bluetooth PAN, and "Thunderbolt Bridge" all enabled? If that works, then try enabling "iPhone" and "Apple USB Ethernet Adapter" individually.
>
> I'm hoping to see if only one of them (I suspect the iPhone) is causing this problem.

Unfortunately no, disabling both of them does not change the results.


I did a couple of things and the behaviour is erratic

1) DEFAULT NETWORK location
- works with only wifi enabled
- also works with wifi and Bluetooth PAN enabled
- it stops working when I enable any other interface (usb ethernet, or iPhone USB, or thunderbolt bridge)

2) NEW CUSTOM NETWORK LOCATION
- it works with only wifi
- BUT in this case WIFI and Bluetooth PAN DOES NOT WORK <<<---- REALLY WEIRD.

I did not get diagnostic logs


When it does not work /etc/hosts does not change and scutil reports no changes

Enrico.

--
Enrico Cavalli - enrico....@gmail.com
jabber: enrico....@gmail.com skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94 8ADE BC4B 43A7 0485 30E5

Tunnelblick developer

Jun 23, 2017, 9:33:56 AM
to tunnelblick-discuss
It is troubling that the up script does not see that scutil does not show the changes. I will look into warning about that.

I don't think additional diagnostic logs will help.

I think the installation of the USB tethering made some changes to the networking setup that are causing this. I would think that using a new "location" would be a way to avoid it, but apparently not.

You might be able  to completely remove the Default network location and get macOS to create a new one for you, but given that a new location doesn't help, that probably won't help either.

You could try using a new custom network location in a new user account, to see if something about the user account is causing this.

You might do an Internet search to see how to restore the network settings (to the way they were before the USB-tethering was installed).

Sorry, but I can't think of anything else.


On Friday, June 23, 2017 at 8:32:07 AM UTC-4, Enrico Cavalli wrote:
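
The mismatch discussed above (the up script logs a DNS change that scutil never shows) can be checked mechanically. The following is an added example, not Tunnelblick code or part of the original posts; it assumes resolver #1 in the unscoped section of `scutil --dns` is the default resolver, and its function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tunnelblick code: compare what the up script logged
# with what macOS reports as its default resolver.

# stdin: Tunnelblick log. stdout: servers from the last "Changed DNS ServerAddresses" line.
expected_from_up_log() {
    sed -n "s/.*Changed DNS ServerAddresses setting from '.*' to '\(.*\)'.*/\1/p" | tail -n 1
}

# stdin: `scutil --dns` output. stdout: nameservers of resolver #1 in the
# unscoped section, space separated (assumed here to be the default resolver).
primary_nameservers() {
    awk '
        /^DNS configuration \(for scoped queries\)/ { exit }
        /^resolver #/ { first = ($2 == "#1"); next }
        first && /nameserver\[[0-9]+\] *:/ { print $NF }
    ' | tr "\n" " " | sed "s/ *$//"
}

# dns_applied EXPECTED < scutil-output: succeeds only on an exact match.
dns_applied() {
    actual="$(primary_nameservers)"
    [ -n "$1" ] && [ "$actual" = "$1" ]
}

# Constructed samples; the log line is the one quoted in the first post.
sample_log() {
    echo "Changed DNS ServerAddresses setting from '8.8.8.8 8.8.4.4' to '10.250.1.23'"
}
sample_scutil() {    # $1 = nameserver shown for the unscoped resolver #1
    cat <<EOF
DNS configuration

resolver #1
  nameserver[0] : $1
  if_index : 4 (en0)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 8.8.8.8
  nameserver[1] : 8.8.4.4
  if_index : 4 (en0)
EOF
}

# Demo on the samples. On a Mac, pipe `scutil --dns` into dns_applied instead.
want="$(sample_log | expected_from_up_log)"
sample_scutil 8.8.8.8 | dns_applied "$want" || echo "WARNING: resolver #1 is not '$want'"
```

A failed check while the tunnel is up means name resolution is still using the pre-VPN resolvers, which is the state described in this thread.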

Enrico Cavalli

Jun 23, 2017, 9:58:33 AM
to tunnelbli...@googlegroups.com

> On 23 Jun 2017, at 15:33, Tunnelblick developer <jkbu...@gmail.com> wrote:
>
> It is troubling that the up script does not see that scutil does not show the changes. I will look into warning about that.
>
> I don't think additional diagnostic logs will help.
>
> I think the installation of the USB tethering made some changes to the networking setup that are causing this. I would think that using a new "location" would be a way to avoid it, but apparently not.

At least not consistently...

>
> You might be able to completely remove the Default network location and get macOS to create a new one for you, but given that a new location doesn't help, that probably won't help either.

Tried removing the USB tethering but does not work

I'll try being more radical and let you know if I find anything interesting.
Thank you for your help.
Enrico.

Tunnelblick developer

Jun 23, 2017, 10:07:28 AM
to tunnelblick-discuss
If you can't fix the underlying problem, you might make using the VPN easier if you included a "pre-connect.sh" and a "post-disconnect.sh" script in your configuration. Have the scripts disable all interfaces except Wi-Fi and then re-enable them. See Using Scripts for details.


On Friday, June 23, 2017 at 8:32:07 AM UTC-4, Enrico Cavalli wrote:
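
A sketch of the script pair suggested above, as an added example that is not from the Tunnelblick project or the original posts. It assumes the scripts run as root, uses macOS's `networksetup` to toggle services, and keeps its list of disabled services in a hypothetical state file; the sample listing is constructed from the service names in this thread.

```shell
#!/bin/sh
# Added example, not Tunnelblick code. Run as "pre" from pre-connect.sh and
# as "post" from post-disconnect.sh (both names are from the thread).
NETWORKSETUP="${NETWORKSETUP:-networksetup}"          # overridable for dry runs
STATE="${STATE:-/var/run/vpn-disabled-services.txt}"  # hypothetical path, root-only dir
KEEP="${KEEP:-Wi-Fi}"                                 # the one service left enabled

# stdin: `networksetup -listallnetworkservices` output.
# stdout: currently enabled services other than $KEEP, one per line.
services_to_disable() {
    sed 1d | grep -v '^\*' | grep -vxF "$KEEP" || true
}

set_services() {    # $1 = on|off, stdin = service names (may contain spaces)
    while IFS= read -r svc; do
        "$NETWORKSETUP" -setnetworkserviceenabled "$svc" "$1" < /dev/null
    done
}

post_disconnect() {
    [ -f "$STATE" ] || return 0
    set_services on < "$STATE"
    rm -f "$STATE"
}

pre_connect() {
    post_disconnect   # restore first if an earlier session never cleaned up
    "$NETWORKSETUP" -listallnetworkservices | services_to_disable > "$STATE"
    set_services off < "$STATE"
}

# Constructed listing using the service names from the thread; "*" marks disabled.
sample_listing() {
    cat <<'EOF'
An asterisk (*) denotes that a network service is disabled.
Wi-Fi
Apple USB Ethernet Adapter
*iPhone
Bluetooth PAN
Thunderbolt Bridge
EOF
}

case "${1:-}" in
    pre)  pre_connect ;;
    post) post_disconnect ;;
esac
```

Only services that were enabled before connecting are recorded, so a service the user had already disabled stays disabled after the VPN disconnects.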

Enrico Cavalli

Jun 23, 2017, 10:11:05 AM
to tunnelbli...@googlegroups.com

> On 23 Jun 2017, at 16:07, Tunnelblick developer <jkbu...@gmail.com> wrote:
>
> If you can't fix the underlying problem, you might make using the VPN easier if you included a "pre-connect.sh" and a "post-disconnect.sh" script in your configuration. Have the scripts disable all interfaces except Wi-Fi and then re-enable them. See Using Scripts for details.

Thank you for your suggestions. I was more radical and followed this suggestion:

Navigate to the /Library/Preferences/SystemConfiguration/ folder and delete:

com.apple.airport.preferences.plist
preferences.plist

rebooted and now with the default network location can connect without any DNS issue.


Enrico Cavalli

Jun 23, 2017, 10:22:29 AM
to tunnelbli...@googlegroups.com

> On 23 Jun 2017, at 16:07, Tunnelblick developer <jkbu...@gmail.com> wrote:
>
> If you can't fix the underlying problem, you might make using the VPN easier if you included a "pre-connect.sh" and a "post-disconnect.sh" script in your configuration. Have the scripts disable all interfaces except Wi-Fi and then re-enable them. See Using Scripts for details.
>


It must have been USB iPhone when used for tethering because, after re-connecting the iPhone, a brand new "iPhone usb" network connection appeared. But now it is not considered by tunnelblick:


Disabled IPv6 for 'LPSS Serial Adapter (1)'
Disabled IPv6 for 'LPSS Serial Adapter (2)'
Disabled IPv6 for 'Wi-Fi'
Disabled IPv6 for 'Bluetooth PAN'
Disabled IPv6 for 'Thunderbolt Bridge'


(I didn't know what LPSS Serial Adapters are, so I deleted them before)


Thank you again.
Enrico.

Tunnelblick developer

Jun 23, 2017, 11:01:18 AM
to tunnelblick-discuss
Thanks for the updates. Maybe this will help someone who has a similar problem.

I don't understand why the new iPhone interface doesn't show up, but the USB tethering seems to be problematic, so I won't investigate that further unless I hear of other instances of Tunnelblick not detecting an interface.

On Friday, June 23, 2017 at 10:22:29 AM UTC-4, Enrico Cavalli wrote:

Tunnelblick developer

Jun 23, 2017, 12:05:45 PM
to tunnelblick-discuss
If you can reproduce the problem, it would be interesting to see what extra logging by the up script would show about the changes to /etc/resolv.conf and scutil. You can enable such extra logging by typing the following into Terminal (/Applications/Utilities/Terminal):

defaults write net.tunnelblick.tunnelblick DB-UP  -bool YES


To disable the extra logging:

defaults delete net.tunnelblick.tunnelblick DB-UP



Enrico Cavalli

Jun 26, 2017, 5:01:54 AM
to tunnelbli...@googlegroups.com
Unfortunately, right now I'm not able to reproduce the issue.

Actually the "iPhone usb" interface now looks very different: as you can see below, this is how it appears now (used for tethering via USB cable).

Before, I didn't have any "configure ipv4" settings but only a checkbox that said "show next time this phone is connected".

I don't know how to reproduce the situation.


