OpenVPN Connect for MacOS doesn't change/set DNS servers

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
gyrex
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 13, 2021 4:40 am

OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by gyrex » Tue Aug 02, 2022 1:48 pm

Hi,

The official OpenVPN Connect client (V3.3.6 4368) for MacOS (Monterey 12.5) isn't setting the server defined DNS servers.

If I use Tunnelblick the DNS servers are set correctly. Without the local DNS servers set on the client, it means I can't resolve any servers or clients on the remote network.

Tried adding:
dhcp-option DNS 10.11.12.1
dhcp-option DOMAIN local

to the client file but it makes no difference.

After connecting to the VPN server, running cat /etc/resolv.conf shows the DNS servers set by the local DHCP server.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by openvpn_inc » Sun Aug 07, 2022 11:33 am

Hi gyrex,

Thank you for bringing this to the correct forum. I was just looking at your post in Server Administration and was going to move it here.

We have had some reports of this, and a bug ticket was opened. I do not know the status of that ticket, however.

Often this issue can be caused outside of OpenVPN, such as by various "security" software products who know your needs better than you do. Cisco Umbrella is a common example.

However since Tunnelblick works, that would seem unlikely to be the cause for you. I would suggest since you're using the community version server, you might be best off just staying with a fine open source client.

If you're interested in pursuing this, the results of this command could be useful:

Code: Select all

scutil --dns
regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

sbakhtiar
OpenVpn Newbie
Posts: 3
Joined: Tue Jul 25, 2023 2:07 pm

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by sbakhtiar » Tue Aug 01, 2023 4:26 pm

@openvpn_inc

I'm having a similar issue. I use

Code: Select all

push "dhcp-option DNS 172.31.0.2"
to push the dns server from the server to the clients. I have included a dump of

Code: Select all

scutil --dns
first of the error condition, in which, even though the client is connected, DNS is resolving using the assigned DNS, and after disconnecting, then reconnecting, at which point the private DNS queries start working, as they are using the correct resolver (the one pushed by the server).

I have a feeling something is reseting the my Mac's DNS settings?

[VPN CONNECTED BUT CAN NOT RESOLVE PRIVATE DOMAIN]
sbakhtiar@Shawn-Mac-mini-AZ ~ % scutil --dns
DNS configuration

resolver #1
search domain[0] : mtecom.net
nameserver[0] : 10.0.1.1
if_index : 12 (en1)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
search domain[0] : mtecom.net
nameserver[0] : 10.0.1.1
if_index : 12 (en1)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)






[RECONNECTED VPN, PRIVATE DOMAIN RESOLVING]
sbakhtiar@Shawn-Mac-mini-AZ ~ % scutil --dns
DNS configuration

resolver #1
search domain[0] : mtecom.net
nameserver[0] : 172.31.0.2
flags : Request A records
reach : 0x00000002 (Reachable)
order : 5000

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
search domain[0] : mtecom.net
nameserver[0] : 172.31.0.2
if_index : 12 (en1)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)
order : 5000
sbakhtiar@Shawn-Mac-mini-AZ ~ %
sbakhtiar@Shawn-Mac-mini-AZ ~ %
sbakhtiar@Shawn-Mac-mini-AZ ~ %
sbakhtiar@Shawn-Mac-mini-AZ ~ %
sbakhtiar@Shawn-Mac-mini-AZ ~ %

bamypamy
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 26, 2023 11:54 am

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by bamypamy » Tue Sep 26, 2023 12:03 pm

I'm having a similar issue with Client 3.4.4 on Ventura 13.5.2 with an M2
The DNS Servers are pushed via push "dhcp-option DNS x.x.x.x" and are shown via scutil --dns but only as resolver #2 and also not for scoped queries.
Same when I add the DNS Server to the client config via dhcp-option DNS x.x.x.x.

Using Tunnelblick with the same config it works and I get assigned the pushed DNS Servers as Resolver #1 and also for scoped queries.
I need to use the internal DNS Servers because we are using split DNS.
With tunnelblick it resolves to the internal IPs and with openvpn to the public IPs.

sbakhtiar
OpenVpn Newbie
Posts: 3
Joined: Tue Jul 25, 2023 2:07 pm

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by sbakhtiar » Mon Oct 02, 2023 2:14 pm

I've setting up other locations, and not ALL locations are dealing with this issue, but some are. I wonder if this is an OS issue, some kind of DNS reset function being called as a security thing.

bamypamy
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 26, 2023 11:54 am

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by bamypamy » Thu Oct 12, 2023 6:03 am

I got an update on my problem.
We got it fixed on the MAC Device.
It was the iCloud Private Relay service that interfered. After disabling it, it works on the MAC.

BUT now we have some Windows clients with the same problem and can't get it to work because there is no such service as iCloud privat relay on Windows.
It is Windows 11 and we are using pfsense as OpenVPN Server. We already tried the Make Win10 Clients block access to DNS and the ifconfig commands for registering dns and flushing dns cache but nothing works.

But as sbakhtiar mentioned it also does not happen on all sites or devices for us.

sbakhtiar
OpenVpn Newbie
Posts: 3
Joined: Tue Jul 25, 2023 2:07 pm

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by sbakhtiar » Thu Oct 12, 2023 9:09 pm

Thanks @bamypamy! You clued me in to checking the Limit IP address tracking function on the interface and sure enough it was turned on! :S

I have turned it off, and will continue to monitor.

You know.... It's scary that Apple turns this crap on by default. In my case, I don't have iCloud Private Relay, it appears you need to have iCloud+ to use it.

bamypamy
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 26, 2023 11:54 am

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by bamypamy » Fri Oct 13, 2023 5:25 am

Nice, I hope it works for you @sbakhtiar .

Another update - this time for the Windows problem. We also got this one solved by using the community version of the openvpn client.
So by using this one https://openvpn.net/community-downloads/ instead of this one https://openvpn.net/client/client-conne ... r-windows/

alexd1
OpenVpn Newbie
Posts: 1
Joined: Wed Aug 28, 2024 11:15 am

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by alexd1 » Wed Aug 28, 2024 11:18 am

replying to this old post, i have the same issue with my openvpn client it's pushing the dns and search domains but not pushing them to the scoped query instead i see them in resolver#2, resolver#3 and ...etc and when i try to ping a host it's not finding it unless i use the FQDN (host.domain.com), i tried turning off the limit ip track but it didn't change anything. any idea why this is happening

garnoux
OpenVpn Newbie
Posts: 1
Joined: Mon Sep 23, 2024 12:20 pm

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by garnoux » Mon Sep 23, 2024 12:21 pm

Same issue here with macos. Can ping server.domain.tld but not domain.tld. Works with tunneblick on macos. Works with openvpn (same config) on windows / unix.
when running scutil i can see the dns servers and the search option set to domain.tld

ruurd
OpenVpn Newbie
Posts: 1
Joined: Tue Nov 26, 2024 10:32 am

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Post by ruurd » Tue Nov 26, 2024 10:33 am

Do you happen to use Little Snitch and if so did you turn of Secure DNS? If so, turn off that option or exclude the domain from secure DNS query with QUIC protocol.

Post Reply