I am using TunnelBlick to connect to an VPN (OpenVPN) with OS X 10.9.2. I can authenticate and pass traffic but the DNS entries injected from the VPN do not work.
Here is the output of scutil --dns
(resolver #1 is the correct DNS server injected by Tunnelblick)
resolver #1
search domain[0] : XXXXX.net
nameserver[0] : 10.10.0.15
if_index : 5 (en1)
flags : Request A records
reach : Reachable
The problem is if_index
should be tap0
and not en1
. From ifconfig
:
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether e4:ce:8f:1b:42:cc
inet6 fe80::e6ce:8fff:fe1b:42cc%en1 prefixlen 64 scopeid 0x5
inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 0a:83:8d:37:dc:b9
inet 10.10.0.100 netmask 0xffff0000 broadcast 10.10.255.255
open (pid 4997)
nslookup
, dig
, and host
all can reach the DNS server correctly but the rest of OS X cannot (I understand these have a standalone resolution mechanism that do not rely on the rest of OS X). I have confirmed with Wireshark that the DNS packets sent by nslookup
et. al. go out tap0
and DNS packets sent by other programs (eg ping
) go out eth0
and of course never get to their destination. Could it be possible that scutil
doesn't actually look at the routing table before sending packets?? If so how can I edit the scutil entry to correct the if_index
?
Tunnelblick is configuration drop down is set for set nameserver
and the relevant portion of my server.conf is shown below. Since I am getting the DNS information correctly I think the problem is with OS X and its scutil setup.
...etc..
server-bridge 10.10.0.15 255.255.0.0 10.10.0.100 10.10.0.200
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 10.10.0.15"
push "dhcp-option DOMAIN wattsworth.net"
...etc...
Best Answer
Struggling with the same problem, I found that running
scselect
command withnew-location-name
set to the same as currently used did reset the network settings and DNS started working through VPN.At the same time
scutil
results remained constant (i.e. it shows theif_index
set to the Ethernet interface).First run
scselect
with no arguments to learn the GUID of currently used location, then again with the intended location as an argument.