OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

OpenVPN Connect for MacOS doesn't change/set DNS servers

https://forums.openvpn.net/viewtopic.php?t=34612

Page 1 of 1

OpenVPN Connect for MacOS doesn't change/set DNS servers

Posted: Tue Aug 02, 2022 1:48 pm
by gyrex
Hi,

The official OpenVPN Connect client (V3.3.6 4368) for MacOS (Monterey 12.5) isn't setting the server defined DNS servers.

If I use Tunnelblick the DNS servers are set correctly. Without the local DNS servers set on the client, it means I can't resolve any servers or clients on the remote network.

Tried adding:
dhcp-option DNS 10.11.12.1
dhcp-option DOMAIN local

to the client file but it makes no difference.

After connecting to the VPN server, running cat /etc/resolv.conf shows the DNS servers set by the local DHCP server.

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Posted: Sun Aug 07, 2022 11:33 am
by openvpn_inc
Hi gyrex,

Thank you for bringing this to the correct forum. I was just looking at your post in Server Administration and was going to move it here.

We have had some reports of this, and a bug ticket was opened. I do not know the status of that ticket, however.

Often this issue can be caused outside of OpenVPN, such as by various "security" software products who know your needs better than you do. Cisco Umbrella is a common example.

However since Tunnelblick works, that would seem unlikely to be the cause for you. I would suggest since you're using the community version server, you might be best off just staying with a fine open source client.

If you're interested in pursuing this, the results of this command could be useful:

Code: Select all

scutil --dns
regards, rob0

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Posted: Tue Aug 01, 2023 4:26 pm
by sbakhtiar
@openvpn_inc

I'm having a similar issue. I use

Code: Select all

push "dhcp-option DNS 172.31.0.2"
to push the dns server from the server to the clients. I have included a dump of

Code: Select all

scutil --dns
first of the error condition, in which, even though the client is connected, DNS is resolving using the assigned DNS, and after disconnecting, then reconnecting, at which point the private DNS queries start working, as they are using the correct resolver (the one pushed by the server).

I have a feeling something is reseting the my Mac's DNS settings?

[VPN CONNECTED BUT CAN NOT RESOLVE PRIVATE DOMAIN]
sbakhtiar@Shawn-Mac-mini-AZ ~ % scutil --dns
DNS configuration

resolver #1
search domain[0] : mtecom.net
nameserver[0] : 10.0.1.1
if_index : 12 (en1)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
search domain[0] : mtecom.net
nameserver[0] : 10.0.1.1
if_index : 12 (en1)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)






[RECONNECTED VPN, PRIVATE DOMAIN RESOLVING]
sbakhtiar@Shawn-Mac-mini-AZ ~ % scutil --dns
DNS configuration

resolver #1
search domain[0] : mtecom.net
nameserver[0] : 172.31.0.2
flags : Request A records
reach : 0x00000002 (Reachable)
order : 5000

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300200

resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300400

resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300600

resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300800

resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 301000

DNS configuration (for scoped queries)

resolver #1
search domain[0] : mtecom.net
nameserver[0] : 172.31.0.2
if_index : 12 (en1)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)
order : 5000
sbakhtiar@Shawn-Mac-mini-AZ ~ %
sbakhtiar@Shawn-Mac-mini-AZ ~ %
sbakhtiar@Shawn-Mac-mini-AZ ~ %
sbakhtiar@Shawn-Mac-mini-AZ ~ %
sbakhtiar@Shawn-Mac-mini-AZ ~ %

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Posted: Tue Sep 26, 2023 12:03 pm
by bamypamy
I'm having a similar issue with Client 3.4.4 on Ventura 13.5.2 with an M2
The DNS Servers are pushed via push "dhcp-option DNS x.x.x.x" and are shown via scutil --dns but only as resolver #2 and also not for scoped queries.
Same when I add the DNS Server to the client config via dhcp-option DNS x.x.x.x.

Using Tunnelblick with the same config it works and I get assigned the pushed DNS Servers as Resolver #1 and also for scoped queries.
I need to use the internal DNS Servers because we are using split DNS.
With tunnelblick it resolves to the internal IPs and with openvpn to the public IPs.

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Posted: Mon Oct 02, 2023 2:14 pm
by sbakhtiar
I've setting up other locations, and not ALL locations are dealing with this issue, but some are. I wonder if this is an OS issue, some kind of DNS reset function being called as a security thing.

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Posted: Thu Oct 12, 2023 6:03 am
by bamypamy
I got an update on my problem.
We got it fixed on the MAC Device.
It was the iCloud Private Relay service that interfered. After disabling it, it works on the MAC.

BUT now we have some Windows clients with the same problem and can't get it to work because there is no such service as iCloud privat relay on Windows.
It is Windows 11 and we are using pfsense as OpenVPN Server. We already tried the Make Win10 Clients block access to DNS and the ifconfig commands for registering dns and flushing dns cache but nothing works.

But as sbakhtiar mentioned it also does not happen on all sites or devices for us.

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Posted: Thu Oct 12, 2023 9:09 pm
by sbakhtiar
Thanks @bamypamy! You clued me in to checking the Limit IP address tracking function on the interface and sure enough it was turned on! :S

I have turned it off, and will continue to monitor.

You know.... It's scary that Apple turns this crap on by default. In my case, I don't have iCloud Private Relay, it appears you need to have iCloud+ to use it.

Re: OpenVPN Connect for MacOS doesn't change/set DNS servers

Posted: Fri Oct 13, 2023 5:25 am
by bamypamy
Nice, I hope it works for you @sbakhtiar .

Another update - this time for the Windows problem. We also got this one solved by using the community version of the openvpn client.
So by using this one https://openvpn.net/community-downloads/ instead of this one https://openvpn.net/client/client-conne ... r-windows/
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/