Custom DNS

[Aleksandr]

Hey! Is it somehow possible to set custom DNS? Eg. edit the VPN config files. Thanks!

[Tunnelblick Developer]

You can edit the OpenVPN configuration files in Tunnelblick, see Edit or Examine an OpenVPN Configuration File.

Tunnelblick is technically, an interface to OpenVPN, which is the program that creates and destroys an OpenVPN VPN.

DNS in OpenVPN, and thus in Tunnelblick, is manipulated in separate programs, usually called scripts (although they are technically just a command, which can run a script, a program, or execute a built-in command). See Using Scripts.

Current versions of OpenVPN and Tunnelblick currently use "up" and "down" scripts, which are executed by OpenVPN when the VPN is established (up) and torn down (down). OpenVPN on macOS itself does not provide such scripts. Tunnelblick provides several sets of up/down scripts; users choose which one they want to use in Tunnelblick's "Set DNS/WINS" setting, or the VPN configuration can include custom up/down scripts.

OpenVPN 2.7, due soon, will introduce a new type of script to manipulate DNS, "dns-updown" scripts.

[Aleksandr]

Hey! Thanks for the reply! You mean the contents inside .tblk files, right? Cause I have the option "Show Package Contents" with the .tblk version of the VPN configuration and inside it I can see the client down and client up files. With the .ovpn version of the VPN configuration file I don't have that option.

So do I understand correctly that I have to edit the up and down files to enforce custom DNS servers?

[Tunnelblick Developer]

If all you want to do is use different DNS servers while the VPN is active, you can do that with OpenVPN's "dhcp-option dns" option. For more information about the option, see the OpenVPN 2.6 man page.

Specify the option in your OpenVPN configuration file, with a line or lines containing "dhcp-option dns". For example:

     dhcp-option dns 1.1.1.1

     dhcp-option dns 8.8.8.8

to use Quad 1 DNS and Google DNS.

On macOS, the first DNS server is used until it stops responding for some period of time, whereupon the second DNS server is used.

To edit the OpenVPN configuration file to add options, see Edit or Examine an OpenVPN Configuration File.

If you have specified specific DNS servers in macOS System Settings >> Network >> service-name >> Details... >> DNS, you need to tell Tunnelblick to allow that manual setting to be overridden: Tunnelblick >> VPN Details >> Configurations >> (select the configuration(s)) >> Settings >> Advanced >> Connecting & Disconnecting >> Allow changes to manually0set network settings.

[Aleksandr]

Thank you again for the reply!

I edited the .ovpn file and added:
dhcp-option dns 185.228.168.168
dhcp-option dns 185.228.169.168

Oddly enough when I check my DNS via terminal it seems to work:
scutil --dns | grep nameserver
  nameserver[0] : 185.228.168.168
  nameserver[1] : 185.228.169.168
  nameserver[0] : 185.228.168.168
  nameserver[1] : 185.228.169.168

But when I do a DNS check online it shows 45.134.142.206

So it didn't actually seem to change the DNS. I also tried checking the "Allow changes to manually-set network settings" box in Tunnelblick settins but that didn't seem to help.

[Tunnelblick Developer]

Please post the diagnostic info obtained by following the instructions at Read Before You Post. It's long, so include it as an attachment if you can, otherwise just paste it.

[Aleksandr]

Hm, I couldn't find a way to attach the text file so I uploaded it to Pastebin, I hope that's okay. Thanks! https://pastebin.com/xKrheHJM

[Tunnelblick Developer]

Pastebin is fine.

I apologize, it should be "dhcp-option DNS", not "dhcp-option dns". It's case sensitive.

[Aleksandr]

Tried that, still doesn't seem to fix the issue. https://pastebin.com/JRmLqi0Z

[Tunnelblick Developer]

That diagnostic info (https://pastebin.com/JRmLqi0Z) is missing the Tunnelblick log, which we need. Please be sure to follow all the instructions exactly.

[Aleksandr]

Sorry, just tried again, following all the instructions  - https://pastebin.com/fzNYS2gg

But yea even though I've got this in the config file:

1. dhcp-option DNS 185.228.168.168
2. dhcp-option DNS 185.228.169.168

When I go to https://dnsleaktest.com/results.html it shows the DNS IP as 144.202.121.253

[Tunnelblick Developer]

Thanks. The log shows:

WARNING: Ignoring ServerAddresses '185.228.168.168 185.228.169.168 10.15.0.1' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified

So go to Tunnelblick >> VPN Details >> Configurations >> Settings, select the configuration in the list on the left, click the "Advanced" button, and, on the "Connecting & Disconnecting" panel, put a check in the checkbox for "Allow changes to manually-set network settings".

[Aleksandr]

Hey, turns out the VPN service hijacks DNS. I had to use a different port and add:
pull-filter ignore "dhcp-option DNS"

Thanks again!