Problems with the DNS search and domain option


Molina-Bulla Harold

Jun 28, 2011, 6:40:14 PM
to tunnelbli...@googlegroups.com
Hi,

After upgrading to the latest beta version (3.2b18) I have problems with the DNS settings on my roadwarrior client.

Now it sets:
default openvpn
search openvpn

In the previous versions it worked well and set my correct DNS settings.


The server side config says:

push "dhcp-option DNS 192.168.151.100"
push "dhcp-option DOMAIN mydomain1 mydomain2"

The client-side log says:

2011-06-29 00:13:06 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.2beta18 (build 2562); OpenVPN 2.2.0
2011-06-29 00:13:06 *Tunnelblick: Attempting connection with CONFIG; Set nameserver = 1; monitoring connection
2011-06-29 00:13:06 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start CONFIG.tblk 1339 1 0 0 0 49 
2011-06-29 00:13:06 *Tunnelblick: Established communication with OpenVPN
2011-06-29 00:13:06 *Tunnelblick: Obtained VPN passphrase from the Keychain
2011-06-29 00:13:06 Multiple --up scripts defined.  The previously configured script is overridden.
2011-06-29 00:13:06 Multiple --down scripts defined.  The previously configured script is overridden.
2011-06-29 00:13:06 OpenVPN 2.2.0 i386-apple-darwin10.7.3 [SSL] [LZO2] [PKCS11] [eurephia] built on May 14 2011
2011-06-29 00:13:06 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-06-29 00:13:06 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2011-06-29 00:13:06 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-06-29 00:13:06 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-06-29 00:13:06 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
2011-06-29 00:13:06 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
2011-06-29 00:13:06 Local Options hash (VER=V4): 'ed844052'
2011-06-29 00:13:06 Expected Remote Options hash (VER=V4): '8a244582'
2011-06-29 00:13:06 UDPv4 link local: [undef]
2011-06-29 00:13:06 UDPv4 link remote: MYOPENVPNGATEWAY:1194
2011-06-29 00:13:06 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/hmolina/Library/Application Support/Tunnelblick/Configurations/SoloTSC.tblk/Contents/Resources --daemon --management 127.0.0.1 1339 --config /Users/hmolina/Library/Application Support/Tunnelblick/Configurations/CONFIG.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Shmolina-SLibrary-SApplication Support-STunnelblick-SConfigurations-SCONFIG.tblk-SContents-SResources-Sconfig.ovpn.1_0_0_0_49.1339.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d --up-restart
2011-06-29 00:13:07 VERIFY OK: depth=1, /C=ES/ST=Madrid/L=MYCITY/O=MYCOMPANY/CN=Autoridad_de_Certificacion
2011-06-29 00:13:07 VERIFY OK: nsCertType=SERVER
2011-06-29 00:13:07 VERIFY OK: depth=0, /C=ES/ST=Madrid/L=MYCITY/O=MYORGANIZATION/OU=Cliente_VPN/CN=MYOPENVPNGATEWAY/emailAddress=root@MYCOMPANY
2011-06-29 00:13:07 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2011-06-29 00:13:07 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-06-29 00:13:07 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2011-06-29 00:13:07 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-06-29 00:13:07 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2011-06-29 00:13:07 [MYOPENVPNGATEWAY] Peer Connection Initiated with MYOPENVPNGATEWAY_ADDRESS:1194
2011-06-29 00:13:09 TUN/TAP device /dev/tun0 opened
2011-06-29 00:13:09 /sbin/ifconfig tun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2011-06-29 00:13:09 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2011-06-29 00:13:09 /sbin/ifconfig tun0 192.168.108.102 192.168.108.101 mtu 1500 netmask 255.255.255.255 up
2011-06-29 00:13:09 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d tun0 1500 1557 192.168.108.102 192.168.108.101 init
                                          No such key
                                        add net 192.168.144.0: gateway 192.168.108.101
                                        add net 10.0.12.0: gateway 192.168.108.101
                                        add net 10.1.12.0: gateway 192.168.108.101
                                        add net 192.168.108.1: gateway 192.168.108.101
2011-06-29 00:13:11 Initialization Sequence Completed
2011-06-29 00:13:11 *Tunnelblick client.up.tunnelblick.sh: Retrieved name server(s) [ 192.168.151.101 192.168.151.100 ] and WINS server(s) [ ] and using default domain name [ openvpn ]
2011-06-29 00:13:11 *Tunnelblick client.up.tunnelblick.sh: Up to two 'No such key' warnings are normal and may be ignored
2011-06-29 00:13:11 *Tunnelblick client.up.tunnelblick.sh: Saved the DNS and WINS configurations for later use
2011-06-29 00:13:11 *Tunnelblick client.up.tunnelblick.sh: Set up to monitor system configuration with leasewatch
2011-06-29 00:13:12 *Tunnelblick: Flushed the DNS cache
2011-06-29 00:13:18 *Tunnelblick leasewatch: A system configuration change was ignored because it was not relevant

Any idea?

T.I.A.

"In a time of universal deceit, telling the truth is a revolutionary act."
George Orwell (1984)

Harold Molina-Bulla Ph.D.

Jonathan K. Bullard

Jun 28, 2011, 7:11:52 PM
to tunnelbli...@googlegroups.com
You should be able to connect using "Set nameserver (3.1)" -- which is available on the "Settings" tab of the "VPN Details…" window.

But I would like to find out what's going on, so when you have a chance, set it back to "Set nameserver", then edit the configuration file so that it includes "verb 4" (it is probably "verb 3" now), and post the log that results from a connection attempt. "verb 4" will provide more details. If you could post your configuration file, that would help, also. Thanks in advance!

Nicholas

Jun 28, 2011, 11:56:13 PM
to tunnelblick-discuss
I see two problems here. The first problem is this part of your server
configuration:

push "dhcp-option DOMAIN mydomain1 mydomain2"

Per the OpenVPN documentation, this option is invalid. You cannot
specify more than one search domain. While the server will technically
push this option for you, the behavior is undefined in this case. The
primary reason for this is because there are no DHCP clients (Windows,
Mac OS X, Linux, Debian, etc.) that support multiple search domains.
Imagine the conflicts it would cause. What if your search domains were
"corporate1.com" and "corporate2.com" and someone entered the DNS
search "mail." That's a fairly common domain name, and there's a good
chance both mail.corporate1.com and mail.corporate2.com exist. Which
one is the DNS client supposed to return a result for? That question
and the lack of a good answer for it is why the developers of DHCP and
DNS clients declined to support multiple search domains.

The second problem is that there is a bug in the "Set nameserver" up
script.

Jonathan, look at line 501 of client.up.tunnelblick.sh. I made it:

domain="$(trim "${vOptions[nOptionIndex-1]//dhcp-option DOMAIN /}")"

But I should have made it:

sDomainName="$(trim "${vOptions[nOptionIndex-1]//dhcp-option DOMAIN /}")"

Because that's how it's referenced in the rest of the
configureOpenVpnDns function.

We will get that bug fixed in the next beta release I'm sure. If you
are even a little script savvy and don't mind getting your hands dirty,
you can make that change yourself and it should start setting the
search domain for you again (that would also help us confirm that
that's the only problem with the script). To do so:

- Open your Applications folder
- Right-click on Tunnelblick and click "Show Package Contents"
- In the window that opens, double-click on Contents and then Resources
- Edit the file client.up.tunnelblick.sh and make that change to line
501. If you have TextWrangler installed, it will take care of
unlocking the file and will ask you for your password to save it. If
you don't, you will need to move the file to your desktop, edit it,
save it, move it back into Resources and reset the permissions.
Jonathan might have better instructions for you.

Please note that even with this fix, multiple search domains are still
not supported. Its behavior is undefined if you set multiple search
domains. More than likely, your computer will only pay attention to
one of them. So you should contact your system administrator and have
them remove the extra domain from the push option (or, if you are the
admin, you should remove the extra domain).

Hope this helps everyone. Let me know if there are any questions.

Nick
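To make the mechanics of Nick's post concrete, here is an added example (not Tunnelblick's client.up.tunnelblick.sh and not code from anyone in this thread) of how an OpenVPN --up script reads the pushed "dhcp-option DNS" and "dhcp-option DOMAIN" values from the foreign_option_N environment variables OpenVPN provides, stores them under one consistent variable name, and handles the unsupported multi-domain push by keeping only the first domain and warning about the rest. The function and variable names (trim, parse_foreign_options, DNS_SERVERS, SEARCH_DOMAIN) and the sample environment are this example's own assumptions.

```shell
#!/bin/sh
# Added example: parse OpenVPN's foreign_option_N variables as an --up
# script would. Names and sample values are constructed for this example.

# Collapse runs of whitespace and strip it from both ends of $1.
trim() (
    set -f            # no globbing while word-splitting
    # shellcheck disable=SC2086
    set -- $1
    printf '%s' "$*"
)

# Walks foreign_option_1..N (OpenVPN stops numbering at the first gap)
# and fills two globals, always under the same names so later code
# cannot reference a variable that was never set:
#   DNS_SERVERS   - pushed nameservers, in push order, space separated
#   SEARCH_DOMAIN - the first pushed DOMAIN; extra words are dropped
parse_foreign_options() {
    DNS_SERVERS=""
    SEARCH_DOMAIN=""
    i=1
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                DNS_SERVERS="$(trim "$DNS_SERVERS ${opt#dhcp-option DNS }")"
                ;;
            "dhcp-option DOMAIN "*)
                d="$(trim "${opt#dhcp-option DOMAIN }")"
                # DHCP/DNS clients accept one search domain; a second
                # word in the push is undefined behaviour, so drop it.
                if [ "${d#* }" != "$d" ]; then
                    echo "warning: ignoring extra search domain(s) in '$opt'" >&2
                    d="${d%% *}"
                fi
                if [ -z "$SEARCH_DOMAIN" ]; then
                    SEARCH_DOMAIN="$d"
                fi
                ;;
        esac
        i=$((i + 1))
    done
}

# Constructed environment mirroring the server config quoted in the thread.
foreign_option_1="dhcp-option DNS 192.168.151.100"
foreign_option_2="dhcp-option DOMAIN mydomain1 mydomain2"
parse_foreign_options
printf 'nameserver(s): [%s] search domain: [%s]\n' "$DNS_SERVERS" "$SEARCH_DOMAIN"
```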

jkbull...gmail.com

Jun 29, 2011, 1:26:41 AM
to tunnelbli...@googlegroups.com
Thanks, Nicholas -- your explanation was very clear.

I have released Tunnelblick 3.2beta20, which fixes this bug in the "Set nameserver" up script. It is available on the Downloads page and via update from older 3.2beta versions.

(I don't usually release so often, but this bug could impact many people, no other bugs had been reported, and only about 10% of the beta testers had downloaded 3.2beta18, so I got it out quickly.)


Molina-Bulla Harold

Jun 29, 2011, 6:13:17 AM
to tunnelbli...@googlegroups.com
Hi,

Thanks for your help.

I made the changes in the client.up.tunnelblick.sh script and now it works very well.

The extra domain2 definition does not introduce problems. It takes the first one.

Thanks again for your help.

Harold Molina-Bulla

"In a time of universal deceit, telling the truth is a revolutionary act."
George Orwell (1984)

Harold Molina-Bulla Ph.D.