Hi,
OpenVPN Connect 3.3.6 for OSX.
OS: tested on both Big Sur and Monterey.
Currently I'm building a new OpenVPN environment using Netgate PFsense+ 22.05. We have several types of VPN clients: Linux, OSX and Windows. On OSX we run into trouble with the OpenVPN Connect client.
From the configuration we push DNS search domains to the client:
---
push "dhcp-option DOMAIN mgmt.domain.com";
push "dhcp-option DOMAIN office.domain.com";
push "dhcp-option DOMAIN domain.com";
push "dhcp-option DOMAIN-SEARCH mgmt.domain.com";
push "dhcp-option DOMAIN-SEARCH office.domain.com";
push "dhcp-option DOMAIN-SEARCH domain.com";
---
This works fine for the Linux clients: I can ping a server without using the FQDN; just the hostname is fine, since the client searches mgmt.domain.com, for example. When I add an extra push:
---
push "dhcp-option ADAPTER_DOMAIN_SUFFIX mgmt.domain.com";
---
that also doesn't help.
In the log of the client it looks alright:
---
DNS Servers:
172.20.5.50
172.20.5.51
Search Domains:
mgmt.domain.com
office.domain.com
domain.com
Adapter Domain Suffix: mgmt.domain.com
---
and also in the client log:
---
MacDNSAction: FLAGS=F RD=0 SO=5000 DNS=172.20.5.50,172.20.5.51 DOM=mgmt.domain.com,office.domain.com,domain.com ADS=mgmt.domain.com
---
It looks like all the info gets to the client correctly, but it just doesn't add the search domains. Also, when I use 'scutil --dns' the nameservers are there, also with the domains, but the domain mgmt.domain.com isn't added to the domains to search. Resolving works just fine with the FQDN, but not with just the hostname.
---
DNS configuration
resolver #1
search domain[0] : fritz.box
nameserver[0] : 192.168.1.1
if_index : 14 (en0)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #4
domain : mgmt.domain.com
nameserver[0] : 172.20.5.50
nameserver[1] : 172.20.5.51
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101400
resolver #5
domain : office.domain.com
nameserver[0] : 172.20.5.50
nameserver[1] : 172.20.5.51
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101401
resolver #6
domain : domain.com
nameserver[0] : 172.20.5.50
nameserver[1] : 172.20.5.51
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101402
---
I've also tried to use a script after the connection is 'up', but it seems OpenVPN Connect doesn't support that. In the log it shows up as an unused option.
When I add a search domain to the network settings of OSX it works, but the disadvantage is that when the VPN is not up, the search domains are leaked to the nameserver that is in use when the VPN is down. Somehow I don't want to leak those to Google DNS...
Is this a bug? Or is there a workaround? Or are we being stupid and doing something wrong?
Kind regards, Jos Andel
Trouble with DNS search domains
- OpenVpn Newbie (Posts: 2, Joined: Thu Sep 08, 2022 1:15 pm)
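An added example, not part of the post above and not OpenVPN code: a small POSIX shell script that models why the short name never reaches the VPN resolvers. It parses a constructed `scutil --dns` excerpt patterned on the output in the post (not captured from a real machine) and shows that the Supplemental resolvers' "domain :" lines are match rules that only catch names already ending in that domain, while search suffixes come only from the default resolver's "search domain[n]" list, which here contains just fritz.box. The matching model (longest-suffix scoped resolver wins, otherwise the default resolver; single-label names get the default resolver's search domains appended) is a simplification assumed by the example, not a description of mDNSResponder internals.

```shell
#!/bin/sh
# Added example, not from the post or from OpenVPN. It models how macOS picks a
# resolver, using a CONSTRUCTED excerpt patterned on the `scutil --dns` output
# in the post above (it was not captured from a real machine). Run `scutil --dns`
# on the affected Mac and paste the real output into SCUTIL_DNS to check it.
SCUTIL_DNS='
resolver #1
  search domain[0] : fritz.box
  nameserver[0] : 192.168.1.1
  if_index : 14 (en0)
  flags : Request A records, Request AAAA records
resolver #2
  domain : local
  options : mdns
  flags : Request A records, Request AAAA records
resolver #4
  domain : mgmt.domain.com
  nameserver[0] : 172.20.5.50
  nameserver[1] : 172.20.5.51
  flags : Supplemental, Request A records, Request AAAA records
resolver #5
  domain : office.domain.com
  nameserver[0] : 172.20.5.50
  nameserver[1] : 172.20.5.51
  flags : Supplemental, Request A records, Request AAAA records
resolver #6
  domain : domain.com
  nameserver[0] : 172.20.5.50
  nameserver[1] : 172.20.5.51
  flags : Supplemental, Request A records, Request AAAA records
'

# Flatten each resolver block into one line: kind|domain|search-domains|nameservers
# kind is "default" (unscoped), "supplemental" (scoped by "domain :") or "mdns".
parse_resolvers() {
  printf '%s\n' "$SCUTIL_DNS" | awk '
    function flush() {
      if (seen) print kind "|" dom "|" search "|" ns
      kind = "default"; dom = ""; search = ""; ns = ""; seen = 1
    }
    /^resolver #/                    { flush(); next }
    $1 == "search"                   { search = search (search == "" ? "" : ",") $NF; next }
    $1 == "domain"                   { dom = $NF; next }
    $1 ~ /^nameserver\[/             { ns = ns (ns == "" ? "" : ",") $NF; next }
    $1 == "flags" && /Supplemental/  { kind = "supplemental"; next }
    $1 == "options" && $NF == "mdns" { kind = "mdns"; next }
    END                              { flush() }
  '
}

# Which resolver receives a fully qualified name? Model (an assumption of this
# example, not a description of mDNSResponder internals): the scoped resolver
# whose domain is the longest suffix of the name, on a label boundary, wins;
# otherwise the default resolver. Prints kind|matched-domain|nameservers.
route_query() {
  parse_resolvers | awk -F'|' -v q="$1" '
    $1 == "default" { def = $1 "||" $4; next }
    {
      d = $2
      if (q == d || substr(q, length(q) - length(d)) == "." d) {
        if (length(d) > best) { best = length(d); hit = $1 "|" d "|" $4 }
      }
    }
    END { print (hit != "" ? hit : def) }
  '
}

# Names tried for a short name. Only the default resolver's "search domain[n]"
# entries are appended; a scoped resolver's "domain :" line is a match rule,
# not a search suffix. (Simplification: names containing a dot are tried as-is.)
search_candidates() {
  case $1 in
    *.*) printf '%s\n' "$1" ;;
    *)   parse_resolvers | awk -F'|' -v n="$1" '
           $1 == "default" { m = split($3, s, ","); for (i = 1; i <= m; i++) print n "." s[i] }'
         printf '%s\n' "$1" ;;
  esac
}

# For each candidate name, show the resolver that will see it.
explain() {
  search_candidates "$1" | while IFS= read -r c; do
    printf '%s -> %s\n' "$c" "$(route_query "$c")"
  done
}

explain host                  # short name: only fritz.box is appended, nothing reaches 172.20.5.50
explain host.mgmt.domain.com  # FQDN: caught by the Supplemental resolver for mgmt.domain.com
```

With the excerpt above, `explain host` only ever produces `host.fritz.box` and the bare `host`, both routed to 192.168.1.1, which is exactly the symptom in the post. Pasting the real `scutil --dns` output into SCUTIL_DNS lets you confirm whether the VPN client's search domains landed in the default resolver's `search domain[n]` list or only as scoped `domain :` entries.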
Re: Trouble with DNS search domains
Tested with the new OpenVPN Connect 3.4 client on Apple Silicon. This doesn't help; still no search domains added.
Would be nice if @openvpn_inc could reply to this issue...
- openvpn_inc (OpenVPN Inc., Posts: 1333, Joined: Tue Feb 16, 2021 10:41 am)
Re: Trouble with DNS search domains
Hi Jos,
I'm a part-time Mac user, but not really a Mac expert. It looks to me like your fritz.box server is first in line and is the one being consulted, without the search domains. Then your VPN resolvers are listed 3 times, each with a separate search domain.
My guess is that the queries never go to the VPN resolvers. That should be easy enough to test with a tcpdump(8) command.
I'll say also I am not a fan of search domains in general, especially not with multiple domains; you might think you're getting "host.two.example.net" when you look up "host", but it could actually be "host.one.example.net" or even "host.three.example.net". I know, I know, a lot of users want them, but it is sloppy and could cause issues which are hard to troubleshoot. Yep, I'm a grumpy old man.
I think what you might need to do is check on the Mac side of things to see how to deprioritize your fritz.box DNS. Or perhaps entirely override it with VPN resolvers. That overriding is easy to do in our commercial Access Server software or OpenVPN Cloud service. I don't know how to do it on your Pfsense (nor even if it's possible.) Sorry.
regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
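The tcpdump check rob0 suggests, as an added example that is not part of the thread and not OpenVPN code: a shell script that takes a capture of port 53 traffic and reports which nameserver actually received each query, and flags any query for an internal suffix that went to a server outside the VPN resolvers, which is the leak the original post is worried about when a search domain is configured globally and the VPN is down. The capture lines are constructed in tcpdump's `-nn` output format rather than taken from a real machine, and the interface names, VPN nameservers and internal suffixes are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): check, from a tcpdump
# capture, which nameserver actually received each query and whether any
# query for an internal suffix left via a non-VPN resolver (the leak the
# original post worries about). Capture on the Mac with, for instance:
#   sudo tcpdump -nn -l -i en0 udp port 53     # LAN/uplink side
#   sudo tcpdump -nn -l -i utun3 udp port 53   # VPN side; the utun number varies
# while running e.g. `dscacheutil -q host -a name host` in another terminal.
# The lines below are CONSTRUCTED in tcpdump's -nn format, not a real capture,
# and cover both the VPN-up and the VPN-down (global search domain) cases.
SAMPLE_CAPTURE='
12:00:00.000001 IP 192.168.1.10.52345 > 192.168.1.1.53: 10001+ A? host.fritz.box. (32)
12:00:00.000350 IP 192.168.1.1.53 > 192.168.1.10.52345: 10001 NXDomain 0/1/0 (98)
12:00:00.000400 IP 192.168.1.10.52346 > 192.168.1.1.53: 10002+ A? host. (22)
12:00:01.000001 IP 172.20.100.6.52347 > 172.20.5.50.53: 10003+ A? host.mgmt.domain.com. (38)
12:00:01.000420 IP 172.20.5.50.53 > 172.20.100.6.52347: 10003 1/0/0 A 172.20.5.80 (54)
12:00:02.000001 IP 172.20.100.6.52348 > 172.20.5.51.53: 10004+ AAAA? other.office.domain.com. (41)
12:00:05.000001 IP 192.168.1.10.52349 > 8.8.8.8.53: 10005+ A? host.mgmt.domain.com. (38)
'
VPN_DNS='172.20.5.50 172.20.5.51'                         # assumed from the post
INTERNAL_SUFFIXES='mgmt.domain.com office.domain.com domain.com'

# Extract "name dst-ip" for every query line (the type field ends in "?";
# response lines carry a record count such as 1/0/0 there instead).
queries() {
  printf '%s\n' "$SAMPLE_CAPTURE" | awk '
    $2 == "IP" && $7 ~ /\?$/ {
      dst = $5; sub(/\.[0-9]+:$/, "", dst)   # strip port and trailing colon
      name = $8; sub(/\.$/, "", name)        # strip trailing root dot
      print name, dst
    }'
}

# Number of queries a given nameserver received.
queries_to() {
  queries | awk -v ns="$1" '$2 == ns { n++ } END { print n + 0 }'
}

# Queries for an internal suffix that went to a server outside VPN_DNS.
leaked_queries() {
  queries | awk -v vpn="$VPN_DNS" -v suf="$INTERNAL_SUFFIXES" '
    BEGIN {
      nv = split(vpn, v, " "); for (i = 1; i <= nv; i++) ok[v[i]] = 1
      ns = split(suf, s, " ")
    }
    !($2 in ok) {
      for (i = 1; i <= ns; i++)
        if (substr($1, length($1) - length(s[i])) == "." s[i]) { print $1 " -> " $2; break }
    }'
}

printf 'queries to 192.168.1.1: %s\n' "$(queries_to 192.168.1.1)"
printf 'queries to 172.20.5.50: %s\n' "$(queries_to 172.20.5.50)"
echo 'internal queries sent outside the VPN:'; leaked_queries
```

On the constructed capture the short name `host` only ever reaches 192.168.1.1 (once expanded with fritz.box, once bare), the FQDN goes to the VPN resolver, and the final line, an internal name sent to 8.8.8.8, is what a globally configured search domain produces once the tunnel is down. Replace SAMPLE_CAPTURE with real tcpdump output to run the same check against an actual Mac.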