DNS server address 127.0.0.1 is a private address but is not being routed through the VPN.


divxt...@gmail.com

Jun 19, 2019, 10:30:58 AM
to tunnelblick-discuss
When I launch Tunnelblick, a popup shows with the message below:

One or more possible problems with DNS were found: 

     • DNS server address 127.0.0.1 is a private address but is not being routed through the VPN.

     • DNS server address 192.168.1.1 is a private address but is not being routed through the VPN.

My question is: how can I access 127.0.0.1 on the server? I have MySQL running on my client and on the server; when I connect with the VPN I would like to use 127.0.0.1 from the server.

I'm a total newbie to VPNs but have configured OpenVPN successfully and am able to connect to the internet. Thanks for any help.

Tunnelblick developer

Jun 19, 2019, 11:09:42 AM
to tunnelblick-discuss
You can't : )

127.0.0.0 - 127.255.255.255 are reserved addresses:

IPv4 network standards reserve the entire address block 127.0.0.0/8 (more than 16 million addresses) for loopback purposes.[2] That means any packet sent to any of those addresses is looped back. The address 127.0.0.1 is the standard address for IPv4 loopback traffic; the rest are not supported by all operating systems. [1]

These addresses always go to the local machine, that is, the machine that is trying to access them. So having DNS set to 127.0.0.1 on your computer means that your computer will use itself as a DNS server, which implies that your computer is running a DNS server. That's unusual, and probably an error.

You should probably remove the dhcp-option "DNS 127.0.0.1" line from your OpenVPN client configuration or the "push" line containing it from your OpenVPN server configuration.

Dshah H

Jun 19, 2019, 5:21:45 PM
to tunnelblick-discuss
Thanks for pointing that out. I am actually using an ssh tunnel (ssh MYHOST -L 3307:127.0.0.1:3306 -N -C) to connect, and it works great for me to administer my remote databases; there is only a little bit of latency / a slow connection. I read somewhere that if I can use a VPN it will be much faster, so that's what I tried. If it can't connect I will stick with the ssh tunnel.

Tunnelblick developer

Jun 19, 2019, 5:46:25 PM
to tunnelblick-discuss
OK. OpenVPN is powerful, fast, and secure, but it is extremely difficult to set up properly.

We're experts on Tunnelblick, not OpenVPN. If you want to get OpenVPN working you should refer to the following sources of info on OpenVPN from our Support page:

Dshah H

Jun 20, 2019, 6:10:59 PM
to tunnelblick-discuss
Thank you a lot. I actually figured it out and will leave the solution below for someone else. I have installed OpenVPN on my CentOS server and used Tunnelblick to connect to OpenVPN from my Mac. Now, to access databases from my server in my local phpMyAdmin, I had to create a user on the server's MySQL and give access like:

    GRANT ALL ON *.* TO USERNAME@'%' IDENTIFIED BY 'PASSWORD'; FLUSH PRIVILEGES;

and also in /etc/my.conf changed bind-address to 0.0.0.0.

I was able to log in using the VPN server IP 10.8.0.1 instead of 127.0.0.0, but to be honest the ssh tunnel is much faster than this approach.

pab4ex...@riseup.net

Jul 20, 2019, 8:54:10 PM
to tunnelblick-discuss
I am also experiencing this popup warning using version 3.8.0 (build 5370):

"One or more possible problems with DNS were found:

DNS server address 192.xxx.xxx.xxx is not a public IP address and is not being routed through the VPN."

I notice this on my MacBook Pro laptop when I have both a wired Ethernet connection and a Wifi connection, i.e., when I boot up with an Ethernet cable connected. However, I do NOT see this warning when I have just a Wifi connection with NO Ethernet cable connected.

I redacted the relevant portion of the diagnostic log for when I have the Ethernet connection AND Wifi connection here:

                           13:03:10 *Tunnelblick:  **********************************************
                           13:03:10 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           13:03:12 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_1_ _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_2_ ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
                           13:03:12 *Tunnelblick:  Not aggregating ServerAddresses because running on macOS 10.6 or higher
                           13:03:12 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                           13:03:13 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                           13:03:13 *Tunnelblick:  Changed DNS ServerAddresses setting from '_SOME_REDACTED_LOCAL_IP_ADDR_OF_MY_ROUTER_AND_DNS_SERVER_ _SOME_REDACTED_IP_ADDR_OF_MY_INTERNET_SERVICE_PROVIDER_DNS_SERVER_2_ _SOME_REDACTED_IP_ADDR_OF_MY_INTERNET_SERVICE_PROVIDER_DNS_SERVER_1_' to '_SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_1_ _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_2_'
                           13:03:13 *Tunnelblick:  Changed DNS SearchDomains setting from '' to 'openvpn'
                           13:03:13 *Tunnelblick:  Changed DNS DomainName setting from 'domain' to 'openvpn'
                           13:03:13 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                           13:03:13 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                           13:03:13 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
                           13:03:13 *Tunnelblick:  DNS servers '_SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_1_ _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_2_' will be used for DNS queries when the VPN is active
                           13:03:13 *Tunnelblick:  NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                           13:03:13 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           13:03:13 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           13:03:13 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           13:03:13 *Tunnelblick:  Notified mDNSResponderHelper that the DNS cache was flushed
                           13:03:13 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                           13:03:13 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           13:03:13 *Tunnelblick:  **********************************************
2019-07-20 13:03:13.828591 Initialization Sequence Completed
2019-07-20 13:03:13.828644 MANAGEMENT: >STATE:1563652993,CONNECTED,SUCCESS,_SOME_REDACTED_CLASS_B_LOCAL_IP_ADDR_,_SOME_REDACTED_PUBLIC_IP_ADDR_ASSIGNED_BY_MY_VPN_SERVICE_PROVIDER_,443,,
2019-07-20 13:03:14.055214 *Tunnelblick: Warning: DNS server address _SOME_REDACTED_LOCAL_IP_ADDR_OF_MY_ROUTER_AND_DNS_SERVER_ is not a public IP address and is not being routed through the VPN.


2019-07-20 13:03:14.162888 *Tunnelblick: DNS address _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_1_ is being routed through the VPN
2019-07-20 13:03:14.270498 *Tunnelblick: DNS address _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_2_ is being routed through the VPN
2019-07-20 13:03:14.383782 *Tunnelblick: DNS address _SOME_REDACTED_IP_ADDR_OF_MY_INTERNET_SERVICE_PROVIDER_DNS_SERVER_1_ is being routed through the VPN
2019-07-20 13:03:14.494185 *Tunnelblick: DNS address _SOME_REDACTED_IP_ADDR_OF_MY_INTERNET_SERVICE_PROVIDER_DNS_SERVER_2_ is being routed through the VPN
2019-07-20 13:03:18.338501 *Tunnelblick: process-network-changes: A system configuration change was ignored

------------------------------------------------------------------------------------------------------------------------------------------------

2.) I redacted the relevant portion of the diagnostic log for when I have only the Wifi connection (No Ethernet cable attached) here:

                           15:37:55 *Tunnelblick:  **********************************************
                           15:37:55 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           15:37:57 *Tunnelblick:  Retrieved from OpenVPN: name server(s) [ _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_1_ _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_2_ ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
                           15:37:57 *Tunnelblick:  Not aggregating ServerAddresses because running on macOS 10.6 or higher
                           15:37:57 *Tunnelblick:  Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                           15:37:58 *Tunnelblick:  Saved the DNS and SMB configurations so they can be restored
                           15:37:58 *Tunnelblick:  Changed DNS ServerAddresses setting from '_SOME_REDACTED_LOCAL_IP_ADDR_OF_MY_ROUTER_AND_DNS_SERVER_ _SOME_REDACTED_IP_ADDR_OF_MY_INTERNET_SERVICE_PROVIDER_DNS_SERVER_2_ _SOME_REDACTED_IP_ADDR_OF_MY_INTERNET_SERVICE_PROVIDER_DNS_SERVER_1_' to '_SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_1_ _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_2_'
                           15:37:58 *Tunnelblick:  Changed DNS SearchDomains setting from '' to 'openvpn'
                           15:37:58 *Tunnelblick:  Changed DNS DomainName setting from 'domain' to 'openvpn'
                           15:37:58 *Tunnelblick:  Did not change SMB NetBIOSName setting of ''
                           15:37:58 *Tunnelblick:  Did not change SMB Workgroup setting of ''
                           15:37:58 *Tunnelblick:  Did not change SMB WINSAddresses setting of ''
                           15:37:58 *Tunnelblick:  DNS servers '_SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_1_ _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_2_' will be used for DNS queries when the VPN is active
                           15:37:58 *Tunnelblick:  NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                           15:37:58 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           15:37:58 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           15:37:58 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           15:37:58 *Tunnelblick:  Notified mDNSResponderHelper that the DNS cache was flushed
                           15:37:58 *Tunnelblick:  Setting up to monitor system configuration with process-network-changes
                           15:37:58 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           15:37:58 *Tunnelblick:  **********************************************
2019-07-20 15:37:58.772786 Initialization Sequence Completed
2019-07-20 15:37:58.772838 MANAGEMENT: >STATE:1563662278,CONNECTED,SUCCESS,_SOME_REDACTED_CLASS_B_LOCAL_IP_ADDR_,_SOME_REDACTED_PUBLIC_IP_ADDR_ASSIGNED_BY_MY_VPN_SERVICE_PROVIDER_,443,,
2019-07-20 15:37:59.082228 *Tunnelblick: DNS address _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_1_ is being routed through the VPN
2019-07-20 15:37:59.093404 *Tunnelblick: DNS address _SOME_REDACTED_IP_ADDR_OF_MY_VPN_SERVICE_PROVIDER_DNS_SERVER_2_ is being routed through the VPN
2019-07-20 15:38:03.105899 *Tunnelblick: process-network-changes: A system configuration change was ignored

------------------------------------------------------------------------------------------------------------------------------------------------

As can be seen, the DNS servers from my ISP provider are also being routed through the VPN for some reason in addition to the DNS servers from my VPN service provider when there is both an Ethernet cable connected and the Wifi is connected (automatically).

Is this normal behavior? I don't remember seeing this warning when using version 3.7.8, the last stable version I was able to use before the DNS clobbering issue I reported over a month ago.

Regards.

Tunnelblick developer

Jul 20, 2019, 10:32:36 PM
to tunnelblick-discuss
pab4ex0wa0qu: I gather that your question is how you could get the message with one networking setup and not with another. The answer is that two different setups are, well, different.

The reason you didn't see this message in Tunnelblick 3.7.8 is that the detection of this situation was not done in Tunnelblick 3.7.8, it is only in more recent versions of Tunnelblick.

Of course, it's possible that Tunnelblick is wrong, and that the address is being routed through the VPN, but you've redacted so much information that it is impossible to determine. The way that Tunnelblick checks routing is by testing each DNS address with the following command: route -n get <dns-server-ipaddress> and looking for the interface it is being routed through. ("-inet6" is inserted before the address if it is an IPv6 address.)

If the server is not being routed through a "tunNNN" or "utunNNN" device (for a "tun" configuration) or a "tapNNN" device (for a "tap" configuration), then Tunnelblick considers it as not being routed through the VPN.

pab4ex...@riseup.net

Jul 21, 2019, 2:47:08 PM
to tunnelbli...@googlegroups.com
OK, thanks. I don't think it's anything to be worried about on my end,
was just curious.

I do see that in the "Start of output from client.up.tunnelblick.sh"
section delimited by asterisks, Tunnelblick announces that it retrieves
the 2 DNS servers from my VPN service provider, it then changes DNS
ServerAddress from my local router/DNS server IP address and ISP DNS
servers to those 2 retrieved DNS servers from my VPN service provider,
and then Tunnelblick further announces that it will use those 2
retrieved DNS servers from my VPN service provider for DNS queries when
the VPN is active. It was just throwing me off a bit because shortly
after the "End of output from client.up.tunnelblick.sh" section, it
announces that not only is it routing the 2 retrieved DNS servers, it's
also routing the 2 DNS servers from my ISP, which I guess is not a big
deal anyway, since when I do nslookup or dig at the command prompt, it
always shows the searches are coming from the first retrieved DNS server
from my VPN server.

Regards.

On 2019-07-20 07:32 PM, Tunnelblick developer wrote:
> pab4ex0wa0qu: I gather that your question is how you could get the
> message with one networking setup and not with another. The answer is
> that two different setups are, well, different.
>
> The reason you didn't see this message in Tunnelblick 3.7.8 is that
> the detection of this situation was not done in Tunnelblick 3.7.8, it
> is only in more recent versions of Tunnelblick.
>
> Of course, it's possible that Tunnelblick is wrong, and that the
> address is being routed through the VPN, but you've redacted so much
> information that it is impossible to determine. The way that
> Tunnelblick checks routing is by testing each DNS address with
> the following command: route -n get <dns-server-ipaddress> and looking
> for the interface it is being routed through. ("-inet6" is inserted
> before the address if it is an IPv6 address.)
>
> If the server is not being routed through a "tunNNN" or "utunNNN"
> device (for a "tun" configuration) or a "tapNNN" device (for a "tap"
> configuration), then Tunnelblick considers it as not being routed
> through the VPN.
>
> On Saturday, July 20, 2019 at 8:54:10 PM UTC-4, pab4ex0wa0qu wrote:
>
>> I am also experiencing this popup warning using version 3.8.0 (build
>> 5370):
>>
>> "One or more possible problems with DNS were found:
>>
>> DNS server address 192.xxx.xxx.xxx is not a public IP address and is
>> not being routed through the VPN."
>>
>> I notice this on my macbook pro laptop when I have both a wired
>> Ethernet connection and a Wifi connection, i.e., when I boot up with
>> an Ethernet cable connected, however, I do NOT see this warning when
>> I have just a Wifi connection with NO Ethernet cable connected.
>>
>> I redacted the relevant portion of the diagnostic log for when I
>> have the Ethernet connection AND Wifi connection here:
>

Tunnelblick developer

Jul 21, 2019, 4:30:14 PM
to tunnelblick-discuss
The problem is that neither nslookup nor dig uses the standard macOS DNS resolution services that almost everything else on macOS uses. (A few other commands also do their own DNS, like ping.) So you don't know what DNS is really being used, just what nslookup and dig think is being used.

You could check where DNS packets are going using the route command, which has nothing to do with DNS and thus isn't affected, to see where packets to your DNS servers are going to go. (That's what Tunnelblick does.)

The only DNS server address that is guaranteed to go through the VPN is the address of the DNS server itself because it is the only one that can't be hijacked without the VPN itself not working properly – assuming the VPN was set up properly, of course. That's because of various poisoning attacks and even by BGP route errors such as the recent BGP route leak.

It all depends on your tolerance for risk. My understanding is that most users are comfortable with using DNS servers at different addresses than the VPN server, and I think that's how most VPN service providers do it.