Unable to Set DNS Servers with Mac Client
Posted: Fri Mar 06, 2020 10:13 am
Hello,
We have a working OpenVPN setup where clients connect to our server using a TAP config. They then get their IPv4 config info (IP, default route, and DNS servers) from the DHCP server on the subnet that they've just been connected to. The clients use SLAAC on the vtap interface to configure IPv6 (IP and default route). All traffic gets routed over the VPN.
This (usually) works okay enough, but we have been tasked to come up with a client-side config that will only direct our internal networks toward the VPN, allowing all other traffic to go out over normal (non-VPN) paths. I believe that I have the network routing parts set up and working correctly. Once connected, traffic that should go over the VPN, goes over the VPN. Traffic that shouldn't go over the VPN, doesn't.
Unfortunately, I cannot get DNS to work. Initially, I tried to get the config to work with DHCP-provided DNS, which is what the normal, I'll-take-ALL-your-traffic config does. Once the connection came up and was marked as connected, DNS queries failed. I could dig against the name servers and got responses, but using dscacheutil returned nothing. Checking the DNS server config with `scutil --dns` showed the original DNS server settings from before the VPN connection was established.
In an effort to get something working, I fell back to pinning the DNS servers in the VPN client config. I changed the DNS mode to "Full DNS" and put the IPv4 addresses of the two main recursive name servers that the clients should be using. Again, I connected, but things failed just as they had when I tried to get the DNS servers via DHCP. I returned to the config, checked the "Ignore DNS settings set by VPN server" option (even though the VPN server sends no DNS settings) and tried again, but to no avail.
I had one of my co-workers who uses Windows try this config on his laptop. It does work in Windows. (Additionally, the "DNS from DHCP" config didn't work for him and a split DNS config did work.)
There is a warning in the logs that kind of bothers me, but I see it every time I connect to the VPN server, even with the (working) config where all traffic is sent to the VPN.
Both the Mac and Windows clients are version 1.8.4.
2020-03-05 16:45:04: Initialization Sequence Completed
2020-03-05 16:45:04: DNS mode set to Full
2020-03-05 16:45:04: State changed to Connected
2020-03-05 16:45:04: DNS change detected, restoring DNS settings
2020-03-05 16:45:08: DNS change detected, restoring DNS settings
2020-03-05 16:47:51: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1557] remote->local=[1557,1557]
2020-03-05 17:01:14: State changed to Disconnecting
Does _anyone_ have any ideas?
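A check for the symptom described in the post (`scutil --dns` still showing the pre-VPN resolvers after the client reports Connected), added here as an example and not part of the original post or of the VPN client: it parses `scutil --dns` output and reports whether the expected internal name servers are present in the unscoped resolver list, which is what ordinary lookups (and therefore `dscacheutil`) use. The 10.10.0.53/10.10.0.54 addresses, the corp.example domain, and the interface names are assumed placeholders, not values from the post.

```sh
# Added diagnostic: parse the unscoped part of `scutil --dns` and check that the
# expected internal resolvers are installed. 10.10.0.53/.54, corp.example and
# the interface names are placeholders, not values from the post.
# Constructed sample: the post's symptom (VPN up, only the pre-VPN resolver shown).
SAMPLE_BROKEN='DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)'
# Constructed sample: healthy split DNS, a supplemental resolver for the internal
# domain pointing at the VPN name servers over the tap interface.
SAMPLE_SPLIT_OK='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)

resolver #2
  domain   : corp.example
  nameserver[0] : 10.10.0.53
  nameserver[1] : 10.10.0.54
  if_index : 14 (tap0)'

# Emit "resolver|domain|nameserver" per nameserver in the unscoped configuration.
# The scoped section is skipped: it only applies to lookups bound to an interface.
parse_resolvers() {
  awk '
    /^DNS configuration \(for scoped queries\)/ { exit }
    /^resolver #/ { r = $2; dom = "" }
    /^ *domain *:/ { dom = $3 }
    /^ *nameserver\[[0-9]+\] *:/ { print r "|" (dom == "" ? "-" : dom) "|" $3 }
  '
}
# check_vpn_resolvers "IP IP ..." < scutil-output; returns 0 only if all are present.
check_vpn_resolvers() {
  found=$(parse_resolvers | cut -d"|" -f3 | sort -u); rc=0
  for ip in $1; do
    if printf '%s\n' "$found" | grep -qxF "$ip"; then echo "present: $ip"
    else echo "MISSING: $ip"; rc=1; fi
  done
  return $rc
}
```

On the Mac itself, run `scutil --dns | check_vpn_resolvers "10.10.0.53 10.10.0.54"` right after the client reports Connected; a MISSING line shows the VPN resolvers are not in effect for ordinary lookups regardless of what the client log says.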