OpenVPN Connect for MacOS doesn't change/set DNS servers
-
- OpenVpn Newbie
- Posts: 4
- Joined: Wed Jan 13, 2021 4:40 am
OpenVPN Connect for MacOS doesn't change/set DNS servers
Hi,
The official OpenVPN Connect client (V3.3.6 4368) for MacOS (Monterey 12.5) isn't setting the server defined DNS servers.
If I use Tunnelblick the DNS servers are set correctly. Without the local DNS servers set on the client, it means I can't resolve any servers or clients on the remote network.
Tried adding:
dhcp-option DNS 10.11.12.1
dhcp-option DOMAIN local
to the client file but it makes no difference.
After connecting to the VPN server, running cat /etc/resolv.conf shows the DNS servers set by the local DHCP server.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
Hi gyrex,
Thank you for bringing this to the correct forum. I was just looking at your post in Server Administration and was going to move it here.
We have had some reports of this, and a bug ticket was opened. I do not know the status of that ticket, however.
Often this issue can be caused outside of OpenVPN, such as by various "security" software products who know your needs better than you do. Cisco Umbrella is a common example.
However since Tunnelblick works, that would seem unlikely to be the cause for you. I would suggest since you're using the community version server, you might be best off just staying with a fine open source client.
If you're interested in pursuing this, the results of this command could be useful:
Code: Select all
scutil --dns
regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jul 25, 2023 2:07 pm
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
@openvpn_inc
I'm having a similar issue. I use
Code: Select all
push "dhcp-option DNS 172.31.0.2"
to push the DNS server from the server to the clients. I have included a dump of
Code: Select all
scutil --dns
first of the error condition, in which, even though the client is connected, DNS is resolving using the assigned DNS, and after disconnecting, then reconnecting, at which point the private DNS queries start working, as they are using the correct resolver (the one pushed by the server).
I have a feeling something is resetting my Mac's DNS settings?
[VPN CONNECTED BUT CAN NOT RESOLVE PRIVATE DOMAIN]
sbakhtiar@Shawn-Mac-mini-AZ ~ % scutil --dns
DNS configuration
resolver #1
search domain[0] : mtecom.net
nameserver[0] : 10.0.1.1
if_index : 12 (en1)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : mtecom.net
nameserver[0] : 10.0.1.1
if_index : 12 (en1)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
[RECONNECTED VPN, PRIVATE DOMAIN RESOLVING]
sbakhtiar@Shawn-Mac-mini-AZ ~ % scutil --dns
DNS configuration
resolver #1
search domain[0] : mtecom.net
nameserver[0] : 172.31.0.2
flags : Request A records
reach : 0x00000002 (Reachable)
order : 5000
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : mtecom.net
nameserver[0] : 172.31.0.2
if_index : 12 (en1)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)
order : 5000
sbakhtiar@Shawn-Mac-mini-AZ ~ %
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Sep 26, 2023 11:54 am
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
I'm having a similar issue with Client 3.4.4 on Ventura 13.5.2 with an M2.
The DNS servers are pushed via push "dhcp-option DNS x.x.x.x" and are shown via scutil --dns, but only as resolver #2 and also not for scoped queries.
Same when I add the DNS server to the client config via dhcp-option DNS x.x.x.x.
Using Tunnelblick with the same config it works and I get assigned the pushed DNS servers as resolver #1 and also for scoped queries.
I need to use the internal DNS servers because we are using split DNS.
With Tunnelblick it resolves to the internal IPs and with OpenVPN to the public IPs.
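Both dumps above (sbakhtiar's before/after capture and bamypamy's "only as resolver #2 and not for scoped queries") come down to the same question: is the nameserver the VPN pushed actually the one macOS will consult first, in both the default and the scoped resolver lists? The following is an added example, not code from this thread or from OpenVPN: a small parser for scutil --dns output plus a check that reports where the pushed nameserver landed. The three sample outputs are constructed for the example, modelled on the dumps quoted above; the pushed address 172.31.0.2 and the search domains are taken from or invented for those samples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RESOLVER_RE = re.compile(r"^resolver #(\d+)$")
# "search domain[0] : x", "nameserver[0] : x", "flags    : x" -> (key, idx, value)
KV_RE = re.compile(r"^([A-Za-z_ ]+?)(?:\[(\d+)\])?\s*:\s*(.*?)$")


@dataclass
class Resolver:
    index: int
    scoped: bool                      # listed under "(for scoped queries)"
    nameservers: List[str] = field(default_factory=list)
    search_domains: List[str] = field(default_factory=list)
    domain: Optional[str] = None      # set for mDNS / reverse-zone resolvers
    flags: str = ""


def parse_scutil_dns(text: str) -> List[Resolver]:
    """Parse `scutil --dns` output into Resolver records, default list first."""
    resolvers: List[Resolver] = []
    current: Optional[Resolver] = None
    scoped = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("DNS configuration"):      # section header
            scoped = "scoped" in line.lower()
            current = None
            continue
        m = RESOLVER_RE.match(line)
        if m:
            current = Resolver(index=int(m.group(1)), scoped=scoped)
            resolvers.append(current)
            continue
        m = KV_RE.match(line)
        if current is None or not m:
            continue
        key, _, value = m.groups()
        key = key.strip()
        if key == "nameserver":
            current.nameservers.append(value)
        elif key == "search domain":
            current.search_domains.append(value)
        elif key == "domain":
            current.domain = value
        elif key == "flags":
            current.flags = value
    return resolvers


def dns_push_status(text: str, pushed_ns: str) -> Dict[str, object]:
    """Report whether the VPN-pushed nameserver governs resolution.

    A healthy push shows up as default resolver #1 AND in the scoped list;
    anything else means ordinary lookups still go to the LAN/DHCP resolver.
    """
    resolvers = parse_scutil_dns(text)
    default = [r for r in resolvers if not r.scoped]
    scoped = [r for r in resolvers if r.scoped]
    primary = default[0] if default else None
    return {
        "primary_is_pushed": bool(primary and pushed_ns in primary.nameservers),
        "pushed_resolver_indices": [r.index for r in default if pushed_ns in r.nameservers],
        "scoped_has_pushed": any(pushed_ns in r.nameservers for r in scoped),
        "primary_search_domains": list(primary.search_domains) if primary else [],
    }


# Constructed samples (trimmed to the relevant resolvers), modelled on the thread's dumps.
BROKEN = """DNS configuration

resolver #1
  search domain[0] : mtecom.net
  nameserver[0] : 10.0.1.1
  if_index : 12 (en1)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  flags    : Request A records

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : mtecom.net
  nameserver[0] : 10.0.1.1
  flags    : Scoped, Request A records
"""

WORKING = BROKEN.replace("10.0.1.1", "172.31.0.2")

# Pushed server present, but only as resolver #2 and not scoped (bamypamy's case).
SECOND_ONLY = """DNS configuration

resolver #1
  nameserver[0] : 10.0.1.1
  flags    : Request A records

resolver #2
  search domain[0] : corp.example
  nameserver[0] : 172.31.0.2
  flags    : Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 10.0.1.1
  flags    : Scoped, Request A records
"""

if __name__ == "__main__":
    for name, dump in (("BROKEN", BROKEN), ("WORKING", WORKING), ("SECOND_ONLY", SECOND_ONLY)):
        print(name, dns_push_status(dump, "172.31.0.2"))
```

On a real machine, feed it `subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout` after the tunnel is up; a result with `primary_is_pushed` false is the state in which short names and split-DNS zones silently resolve through the LAN resolver instead of the tunnel.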
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jul 25, 2023 2:07 pm
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
I've been setting up other locations, and not ALL locations are dealing with this issue, but some are. I wonder if this is an OS issue, some kind of DNS reset function being called as a security thing.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Sep 26, 2023 11:54 am
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
I got an update on my problem.
We got it fixed on the Mac device.
It was the iCloud Private Relay service that interfered. After disabling it, it works on the Mac.
BUT now we have some Windows clients with the same problem and can't get it to work because there is no such service as iCloud Private Relay on Windows.
It is Windows 11 and we are using pfSense as OpenVPN server. We already tried the Make Win10 Clients block access to DNS and the ifconfig commands for registering DNS and flushing the DNS cache, but nothing works.
But as sbakhtiar mentioned, it also does not happen on all sites or devices for us.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jul 25, 2023 2:07 pm
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
Thanks @bamypamy! You clued me in to checking the Limit IP address tracking function on the interface and sure enough it was turned on! :S
I have turned it off, and will continue to monitor.
You know.... It's scary that Apple turns this crap on by default. In my case, I don't have iCloud Private Relay, it appears you need to have iCloud+ to use it.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Sep 26, 2023 11:54 am
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
Nice, I hope it works for you @sbakhtiar .
Another update - this time for the Windows problem. We also got this one solved by using the community version of the openvpn client.
So by using this one https://openvpn.net/community-downloads/ instead of this one https://openvpn.net/client/client-conne ... r-windows/
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Aug 28, 2024 11:15 am
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
Replying to this old post: I have the same issue with my OpenVPN client. It's pushing the DNS and search domains but not pushing them to the scoped query; instead I see them in resolver #2, resolver #3, etc., and when I try to ping a host it's not finding it unless I use the FQDN (host.domain.com). I tried turning off the limit IP track but it didn't change anything. Any idea why this is happening?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Mon Sep 23, 2024 12:20 pm
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
Same issue here with macOS. Can ping server.domain.tld but not domain.tld. Works with Tunnelblick on macOS. Works with OpenVPN (same config) on Windows / Unix.
When running scutil I can see the DNS servers and the search option set to domain.tld.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Nov 26, 2024 10:32 am
Re: OpenVPN Connect for MacOS doesn't change/set DNS servers
Do you happen to use Little Snitch, and if so, did you turn off Secure DNS? If so, turn off that option or exclude the domain from the secure DNS query with the QUIC protocol.