My post-disconnect.sh is not getting executed


samd

Aug 10, 2011, 11:01:43 AM
to tunnelbli...@googlegroups.com
I have set up Tunnelblick 3.2beta28 and have successfully been using it to connect to an OpenVPN server.

Now I want to perform some tasks that should be executed when I disconnect.

So inside ~/Library/Application Support/Tunnelblick/Configurations I put a file called "post-disconnect.sh" that contains these lines:

#!/bin/bash
mkdir /Users/samd/Desktop/asdf

But this doesn't seem to get executed when I disconnect from my VPN server (i.e. when I manually choose "disconnect" from the Tunnelblick menu), i.e. the asdf directory doesn't get created on my desktop.

I have tried restarting Tunnelblick and reconnecting, I have tried setting up the VPN configuration again (while leaving the post-disconnect.sh where it is), and I have also tried doing a "chmod 777" on my post-disconnect.sh file. But nothing seems to be working. That script is not getting called.

Any ideas?

jkbull...gmail.com

Aug 10, 2011, 11:13:08 AM
to tunnelbli...@googlegroups.com
The "post-disconnect.sh" does not go directly into the Configurations folder because it is a per-configuration script. It must be located inside a Tunnelblick VPN Configuration. See Using Scripts for details about using custom scripts.

jkbull...gmail.com

Aug 10, 2011, 11:20:36 AM
to tunnelbli...@googlegroups.com
Also, please note that

"All scripts are run as root so they can make network configuration changes; thus caution is advised when modifying these scripts or using customized scripts."

and

"The post-disconnect script is not run unless Tunnelblick is running at the time the disconnection occurs"
Tunnelblick will be running when the disconnection occurs except for configurations set to "Connect when computer starts". In the case of a disconnection because of fast-user-switching, I don't know if the script execution completes before switching to the new user.
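
An added example, not part of the original thread and not Tunnelblick code: because these scripts run as root, a script that other accounts can modify (for instance after "chmod 777") lets them run commands as root. The function names are hypothetical; the check only inspects permission bits.

```shell
#!/bin/sh
# Added example (not Tunnelblick code): audit a script that will be run as root.
# Function names are hypothetical.

# is_writable_by_others PATH -> exit 0 if PATH is group- or world-writable.
# "find -perm -NNN" matches when all given bits are set; works with BSD and GNU find.
is_writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_root_script PATH -> prints findings; exit status is the number of problems.
audit_root_script() {
    script=$1
    problems=0
    if [ -L "$script" ]; then
        echo "FAIL: $script is a symlink; its target can be swapped"
        return 1
    fi
    if [ ! -f "$script" ]; then
        echo "FAIL: $script is not a regular file"
        return 1
    fi
    if is_writable_by_others "$script"; then
        echo "FAIL: $script is group- or world-writable (e.g. mode 777)"
        problems=$((problems + 1))
    fi
    dir=$(dirname "$script")
    if is_writable_by_others "$dir"; then
        echo "FAIL: $dir is group- or world-writable; the script can be replaced"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK: only the owner can modify $script"
    fi
    return "$problems"
}

# Usage: sh audit.sh /path/to/post-disconnect.sh
if [ $# -gt 0 ]; then
    audit_root_script "$1"
fi
```

A script flagged this way can be tightened with "chmod 755" (owner-writable only) instead of 777.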

samd

Aug 10, 2011, 11:40:43 AM
to tunnelbli...@googlegroups.com
Ah, you're right. Turns out I was using an OpenVPN configuration (provided by Giganews), and not a Tunnelblick VPN configuration.

I can use a regular down script though, right?

I tried adding the line "down down.sh" to my OpenVPN .conf file and renamed my post-disconnect.sh to down.sh. Then I imported the .conf again into Tunnelblick. But the script still isn't getting executed. Do you know why?

jkbull...gmail.com

Aug 10, 2011, 11:52:32 AM
to tunnelbli...@googlegroups.com
From Using Scripts (emphasis added):
To run the scripts, Tunnelblick passes OpenVPN "--up", "--down" options. This means that any "up" or "down" options specified in the OpenVPN configuration file are ignored. To use your own custom scripts from within the configuration file, select "Do not set nameserver".

jkbull...gmail.com

Aug 10, 2011, 11:54:57 AM
to tunnelbli...@googlegroups.com
Please read the docs. The down script gets executed during restarts. The post-disconnect script doesn't. So it all depends on what you want the script to do.

samd

Aug 10, 2011, 2:14:21 PM
to tunnelbli...@googlegroups.com
Thanks, turning off nameserver worked like a charm. I have two final questions (the 2nd one a bit unrelated):

1) Can turning off nameserver have any other adverse effects that I should know about?

2) How can I know whether *all* (not just a portion) of my internet traffic is going through my VPN connection?

jkbull...gmail.com

Aug 10, 2011, 2:30:36 PM
to tunnelbli...@googlegroups.com
  1. Turning off "set nameserver" means that DNS and WINS settings are not modified by Tunnelblick. Often, the VPN server sends the addresses of DNS and/or WINS servers that are to be used when the connection is active, but everything depends on the configurations of the server and the client. Sometimes computers use their ISP's DNS server, and some of those servers ignore requests that come from outside the ISP. If that's the case, your computer won't be able to resolve names when you are connected to the VPN server. The standard way of dealing with this is to have the VPN server "push" DNS server address to the client. "Set nameserver" accepts such addresses and temporarily (while the tunnel is active) changes the computer's DNS server addresses to the ones pushed by the VPN server. If you are not using "Set nameserver", another solution is to use a manually-entered DNS address such as Google DNS or OpenDNS.
  2. See How do I know the VPN is working?

samd

Aug 10, 2011, 2:44:00 PM
to tunnelbli...@googlegroups.com
About 2, I don't see any "redirect-gateway def1" line in my .conf file. Still, my web traffic seems to be going through the VPN server -- judging from any "my ip" website, the ip address shown is the one of the VPN server and not my own IP address.

The following is the .conf file provided to me with Giganews. Is there anything else in there that is causing traffic (hopefully all traffic?) to go through the VPN server?

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.vyprvpn.com.crt
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHC-DSS-AES256-SHA:AES356-SHA

jkbull...gmail.com

Aug 10, 2011, 2:54:43 PM
to tunnelbli...@googlegroups.com
The Giganews VPN server may be pushing the "redirect-gateway" option. Ask them or look in the log (on the VPN Details… window) to see if it is mentioned.

samd

Aug 10, 2011, 3:17:29 PM
to tunnelbli...@googlegroups.com
Ah, you're right. The logs indeed show that they are pushing the redirect-gateway for me. Thanks!
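
An added example, not part of the original thread: the log check discussed above, as a script that reads an OpenVPN client log and reports whether the server pushed "redirect-gateway" and which DNS servers it pushed (these are not applied when "Set nameserver" is off). The function names are hypothetical and the sample log lines are constructed, using documentation-range addresses.

```shell
#!/bin/sh
# Added example: inspect an OpenVPN client log for options pushed by the server.
# Function names are hypothetical; sample_log is constructed data, not a real log.

sample_log() {
    cat <<'EOF'
Wed Aug 10 14:50:01 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Aug 10 14:50:01 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.0.2.53,dhcp-option DNS 192.0.2.54,route 192.0.2.1,ping 10,ifconfig 192.0.2.6 192.0.2.5'
Wed Aug 10 14:50:01 2011 Initialization Sequence Completed
EOF
}

# pushed_options: log on stdin -> one pushed option per line on stdout.
pushed_options() {
    sed -n "s/.*PUSH: Received control message: 'PUSH_REPLY,\(.*\)'.*/\1/p" |
        tr ',' '\n'
}

# check_push: log on stdin -> two summary lines.
# Exit status 0 only if the server pushed redirect-gateway.
check_push() {
    opts=$(pushed_options)
    # Pushed DNS servers; the client ignores them when "Set nameserver" is off,
    # so name lookups may still go to the non-VPN resolver.
    dns=$(printf '%s\n' "$opts" | sed -n 's/^dhcp-option DNS //p' | paste -sd, -)
    if printf '%s\n' "$opts" | grep -q '^redirect-gateway'; then
        echo "redirect-gateway=yes"
        echo "dns=${dns:-none}"
        return 0
    fi
    echo "redirect-gateway=no"
    echo "dns=${dns:-none}"
    return 1
}

# Usage: sh check_push.sh openvpn.log   (no argument: run on the constructed sample)
if [ $# -gt 0 ]; then
    check_push < "$1"
else
    sample_log | check_push
fi
```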