DNS semi working...

JSamuel

Posts: 5
Joined: Sat Nov 01, 2008 11:07 am

Post by JSamuel » Sat Nov 01, 2008 11:16 am
Hi guys,

Just stumbled across Viscosity after looking for an OpenVPN client after moving from Win32 to OS X.

Mac OS X: v10.5.5 (Buggy?!)
Viscosity: v1.0.0
OpenVPN Server: Linux CentOS (OpenVPN 2.1_rc7 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Mar 31 2008)

Server
Code:
dev tap
ifconfig ***.***.107.250 255.255.255.248
push "dhcp-option DNS 195.178.107.250"
tls-server key
ping 10
verb 3
mute 10
float
local ***.***.106.29
port 443
proto udp
Client
Code:
#-- Config Auto Generated By Viscosity --#

#viscosity startonopen true
#viscosity dnssupport true
#viscosity name Hidden VPN
route-gateway ***.***.107.250
pull
tls-client
remote ***.***.106.29 443
persist-key
ca ca.crt
proto udp
ping 10
redirect-gateway def1
dev tap
persist-tun
cert cert.crt
ping-restart 120
key key.key
nobind
float
ifconfig ***.***.107.252 255.255.255.248
This config works wonders on the OpenVPN in Win32 or on a *nix flavour, but Viscosity and OS X are complaining. Mind you, this worked for awhile, so something has changed with either Viscosity or OS X (both have been updated lately).

When I create the tunnel, everything works IP-based, but DNS does not. However, even after dscacheutil -flushcache, dig/nslookup etc in terminal work fine, and show the correct DNS IP, so does /etc/resolv.conf.. but my web browser and any program that relies on DNS, doesn't.

Quite bizarre, but perhaps something quite simple.
No idea where to go from here...

Any help/thoughts would be appreciated :)

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sat Nov 01, 2008 9:23 pm
Hi JSamuel,

A few things to try:

1. Go to Preferences->Advanced and tick "Use alternate DNS support", and then try reconnecting. Viscosity will use an alternate method to inform Mac OS X about the DNS server/s, which may or may not help in your case.

2. If the above doesn't help, try turning it back off and instead add "route-delay 20" on a new line (without quotes) under Preferences->Edit your connection->Advanced. Try reconnecting.

3. If it still doesn't work, what does "scutil --dns" report when entered into the Terminal while connected?

Cheers
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Post by JSamuel » Sat Nov 01, 2008 11:34 pm
Hi James,

Thanks for your response.
The problem (which is weird) is that DNS comes up (dig/nslookup etc. work fine), in the sense that DNS settings are being propagated throughout the system, but programs aren't picking it up, while the terminal can dig just fine.

Tried points 1/2, no luck :(

scutil --dns shows:
Code:
Js-iMac:~ j$ scutil --dns
DNS configuration

resolver #1
  domain : viscosity.default.search.domain
  nameserver[0] : 195.178.107.250
  order   : 200000

resolver #2
  domain : local
  options : mdns
  timeout : 2
  order   : 300000

resolver #3
  domain : 254.169.in-addr.arpa
  options : mdns
  timeout : 2
  order   : 300001

resolver #4
  domain : 8.e.f.ip6.arpa
  options : mdns
  timeout : 2
  order   : 300002

resolver #5
  domain : 9.e.f.ip6.arpa
  options : mdns
  timeout : 2
  order   : 300003

resolver #6
  domain : a.e.f.ip6.arpa
  options : mdns
  timeout : 2
  order   : 300004

resolver #7
  domain : b.e.f.ip6.arpa
  options : mdns
  timeout : 2
  order   : 300005
While normally..
Code:
Js-iMac:~ j$ scutil --dns
DNS configuration

resolver #1
  domain : lan
  search domain[0] : lan
  nameserver[0] : 192.168.1.254
  order   : 200000

resolver #2
  domain : local
  options : mdns
  timeout : 2
  order   : 300000

resolver #3
  domain : 254.169.in-addr.arpa
  options : mdns
  timeout : 2
  order   : 300001

resolver #4
  domain : 8.e.f.ip6.arpa
  options : mdns
  timeout : 2
  order   : 300002

resolver #5
  domain : 9.e.f.ip6.arpa
  options : mdns
  timeout : 2
  order   : 300003

resolver #6
  domain : a.e.f.ip6.arpa
  options : mdns
  timeout : 2
  order   : 300004

resolver #7
  domain : b.e.f.ip6.arpa
  options : mdns
  timeout : 2
  order   : 300005

Post by James » Sun Nov 02, 2008 12:03 am
Well that certainly seems a little odd. Some command line utilities will still work by getting DNS information from resolv.conf, rather than the Mac OS X DNS system (which can sometimes explain why tools like nslookup might work, but not Safari, etc). However the latter appears to be set correctly in your case, but still not working.

What about if you set a search domain? For example, by adding "dhcp-option DOMAIN mydomain.com" (without quotes) on a new line in the Preferences->Edit connection->Advanced area (where mydomain.com should be replaced with the base domain for your connection)?

Another troubleshooting idea that springs to mind: what happens if you change both Viscosity and the server to use tun (rather than tap) for the connection?

When Mac OS X decides to spit a dummy, often creating a new network location (under Apple Menu->System Preferences->Network) and re-configuring the network under that new location can correct the issue.

I've only had one other user report running into the same problem during beta testing - he reinstalled Leopard and then used the Migrate Assistant to restore the system to resolve the problem.

Cheers
James
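
Added example (not part of the original thread and not Viscosity's code): a small Python parser for `scutil --dns` output that reports which nameserver the Mac OS X resolver treats as default, so it can be compared with the server the VPN pushes via `dhcp-option DNS`. The sample input is abridged from the output posted earlier in the thread; the function names are illustrative.

```python
import re

# Sample input: abridged from the `scutil --dns` output posted in the thread.
CONNECTED = """\
resolver #1
  domain : viscosity.default.search.domain
  nameserver[0] : 195.178.107.250
  order   : 200000

resolver #2
  domain : local
  options : mdns
  timeout : 2
  order   : 300000
"""

def parse_scutil_dns(text):
    """Return a list of resolver dicts; indexed keys (nameserver[0]) become lists."""
    resolvers = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("resolver #"):
            resolvers.append({"id": int(line.split("#")[1])})
            continue
        m = re.match(r"([\w ]+?)(\[\d+\])?\s*:\s*(.+)$", line)
        if not m or not resolvers:
            continue  # skips the "DNS configuration" header and blank lines
        key, indexed, value = m.group(1).strip(), m.group(2), m.group(3).strip()
        if indexed:
            resolvers[-1].setdefault(key, []).append(value)
        else:
            resolvers[-1][key] = value
    return resolvers

def default_nameservers(resolvers):
    """Nameservers of the lowest-order unicast (non-mDNS) resolver."""
    unicast = [r for r in resolvers if r.get("nameserver") and r.get("options") != "mdns"]
    if not unicast:
        return []
    return min(unicast, key=lambda r: int(r.get("order", 0)))["nameserver"]

def check_vpn_dns(scutil_text, pushed_dns):
    """Compare the system resolver's view with the DNS server pushed by the VPN."""
    servers = default_nameservers(parse_scutil_dns(scutil_text))
    return {"system_nameservers": servers, "uses_pushed_dns": servers == [pushed_dns]}
```

On a live system the text would come from running `scutil --dns` while connected; a mismatch there means applications are resolving through a server other than the one the VPN pushed, even if tools that read resolv.conf look correct.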

Post by JSamuel » Sun Nov 02, 2008 12:43 am
Hi James,

Still nothing :(
I can't make this a tun (not tap) as it's a multiple-client VPN system, and while I do have access to do so, I would be knocking people offline etc, multiple client configs would need to be changed all over the world.
Code:
#-- Config Auto Generated By Viscosity --#

#viscosity startonopen true
#viscosity dnssupport true
#viscosity name Hidden VPN
route-gateway ***.***.107.250
pull
tls-client
remote ***.***.106.29 443
persist-key
ca ca.crt
proto udp
ping 10
redirect-gateway def1
dev tap
persist-tun
cert cert.crt
ping-restart 120
key key.key
float
route-delay 20
ifconfig ***.***.107.252 255.255.255.248
Deleting the Airport in SystemPref and re-creating a new one didn't work either... I'll try doing a new location in a bit, unfortunately I've got too many network things hooked up for that to be a quick job :oops:

Any other ideas? It's bizarre that terminal works (resolv.conf is correct, scutil reports correct, dig works, nslookup works etc) but OS X refuses to let applications work :(

Post by James » Sun Nov 02, 2008 2:58 am
> Any other ideas? It's bizarre that terminal works (resolv.conf is correct, scutil reports correct, dig works, nslookup works etc) but OS X refuses to let applications work
Well I'd be inclined to blame an OS X setting or bug. Here are two more things you could try:

1. Go to the directory "/etc/resolver" (in the Finder select Go->Go to folder). If it exists, delete any files inside (you may want to back them up first) and then restart your computer. Try connecting your VPN connection again and see how it goes.

2. Go to Apple Menu->System Preferences->Sharing. Make sure "Internet Sharing" is unticked. Click the Edit button and also make sure "Use dynamic global host name" is also unticked. Restart, and then try connecting again.

Also, to test if it is a domain issue, please try the following commands in the Terminal while connected and reply back with their output:

1. "nslookup www.viscosityvpn.com"
From your previous comments I understand this should work

2. "ping -c 1 viscosityvpn.com"
Testing whether ping works for base level domains

3. "ping -c 1 www.viscosityvpn.com"
Test whether ping works for sub domains

[Edit] Another thought: If you are connected to your network using wireless, how do you go if you connect via ethernet instead (or vice-versa)?

Thanks
James

Post by JSamuel » Sun Nov 02, 2008 4:22 am
Hi james,

1. No such dir (looked via terminal...)
2. All sharing already disabled, and dynamic global host was on, now off, restarted, but not fixed.

nslookup, ping etc all work fine from terminal apps.
My router is on a different floor, so I can't do a wired connection. My wired connection is actually just a static IP to a linux box next to me which is running smb services (network shares) which is basically a big NAS device, that itself does not have connectivity to anything else and doesn't perform any other functions.

This is quite baffling to say the least.. *scratches head*

Thanks,
Joel.

Post by James » Sun Nov 02, 2008 4:53 pm
> dynamic global host was on, now off, restarted, but not fixed.
It might be worth looking at the post at the very bottom of this page. The author had a similar problem, however merely un-ticking the box didn't help: he had to do some extra steps to make it stick.
> my wired connection is actually just a static IP to a linux box next to me
Does unplugging this and then trying to connect make any difference? It shouldn't, but for such a weird issue anything goes!

So what applications can you confirm are not working? Safari? Firefox? Mail? Anything else? It surprises me that ping would get a DNS resolution, but not something like Safari. Could you have a proxy set up under Apple menu->System Preferences->Network->Airport/Ethernet->Advanced->Proxies?

Cheers
James

Post by JSamuel » Sun Nov 02, 2008 8:41 pm
Strange.
ping -c 1 on microsoft.com and www.microsoft.com (website I never visit, so it won't be cached!) gets an IP, but isn't able to actually ping (100% packet loss)

I'll try that thread now,
and unplugging didn't take effect. Ethernet is 100% manual, and only has IP and a very narrow subnet allocation (which is different from any other subnet I'm dealing with elsewhere, to ensure no conflict) and no gateway specified, so nothing should ever try to route through it.

Safari, FireFox, Mail, MSN Messenger (don't use much else?) Terminal works, but that's because I use it via IP for the servers I connect to. And no proxies set-up anywhere.

Sorry to be such a pain James, I appreciate your help!
(I'm very very reluctant to reinstall OS X, but it appears 10.5.5 is fried!)

I do have Parallels and XP installed, I may just get an OpenVPN Gui for XP and use that to VPN, that way my OS X acts normal. I can then get a Win32 client for anything that does need to run via VPN etc... Long way round it, but it'll work?!

Post by James » Mon Nov 03, 2008 4:57 pm
> but isn't able to actually ping (100% packet loss)
Microsoft have their website firewalled against pings - so it's not something wrong at your end :)
> Long way round it, but it'll work?!
Yes, that should work.

Cheers
James