Is it possible / how can one configure 2 connections for simultaneous use to different networks?

[Jeff L]

Hi all,

Is it possible / how can one configure 2 connections for simultaneous use to different networks?  I've searched this forum and the web and wasn't able to find a solution so I'm hoping someone here can help.

We have 2 Google Cloud projects (Prod & QA) each with different IP ranges x.y.0.0/16 and a.b.0.0/16.  Both projects are running an instance of OpenVPN 2.3.11 x86_64-redhat-linux-gnu. And both have a local named (BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6) serving DNS.  We can connect to both and route to internal IPs & the Internet w/o issue if we use one or the other connection.

Clients are running Tunnelblick 3.6.5 (build 4566).

If both connections are active DNS will only work on the first activated connection.  The 2nd connection doesn't update the local DNS list nor the dhcp-option search so it can only route via the IP (i.e. DNS fails to resolve).

I do get the warning from Tunnelblick rgd 2 nameservers being set:

Multiple simultaneous connections would be created (2 with 'Set nameserver', 0 without 'Set nameserver').

Disconnecting from the first connection fails to unset DNS & search option.  Bouncing the WiFi connection is the only way to revert to local LAN-assigned DHCP for DNS & search.

If possible I'd prefer to avoid manually editing hosts file or setting up client-side DNS servers.

Any help would be greatly appreciated.

[Tunnelblick developer]

It's possible, but Tunnelblick's built-in scripts that handle DNS will probably not do what you want; you might have to create your own (probably by modifying one of the built-in scripts).

It isn't clear to me what you want, though. If both VPNs are connected, where do you want DNS queries to go? (OS X does not send DNS queries to all resolvers, as Windows does.)

[Jeff L]

Thanks for the reply.  Yeah - I was hoping if it didn't find the name in the first DNS that it would look in the other.  What would the logic of the script(s) look like?

Thx again!

[Tunnelblick developer]

What the scripts would look like would depend on how you want DNS queries to be handled.

[Jeff L]

I'm not sure what the options are.  I guess I'd like it to resolve: 

   1) Prod 

   2) QA 

   3) Internet

Is that what you mean?

[Tunnelblick developer]

Please don't take this as an insult, but you seem to not know much about DNS and what it does. I think you should consult a networking expert.

It is possible that I am just not understanding you, of course, so I'll try to help.

Can you set up the DNS servers on the two networks (Prod & QA) so that both of them resolve all the names on both networks? If so, you can connect Prod (for example) normally, and then use "Do not set nameserver" when connecting to QA. Then the "Prod" DNS server would resolve all names. Or you could do it the other way around, of course.

[Jeff L]

Evidently what I'd like to accomplish isn't a supported config so we're just going to leave things as I have it (each env w/ its own DNS being pushed to the client).  Unfortunately this means we'll have mutex VPN connections since if 2 nameservers are pushed to the client Tunnelblick fails to correctly unravel the DNS when disconnecting thus requiring bounce of the WiFi/LAN connection is necessary to reset DNS/Search from local DHCP.

Thanks for your time.

[Tunnelblick developer]

I'm still trying to understand what your naming scheme is – can the names known by the two nameservers be distinguished? (For example, *.prod.example.com are the names on the Prod VPN, and qa.example.com are the names on the QA VPN.)

If so, then a "split tunnel" technique can be used, where the Prod nameserver can be used for *.prod.example.com and the QA nameserver can be used for *.qa.example.com.

If there isn't anything special about the names for each VPN, then making it work would require changes on the servers or setting up a new nameserver.