Skip to content
IPv6 DNS is not working on macos >= 13.2
Got a problem with Viscosity or need help? Ask here!
- Posts: 1
- Joined: Fri Mar 10, 2023 3:25 am
Hi!
I've been using viscosity in environment without ipv6, but my vpn connection provides ipv6 connectivity and dns settings for it. Before upgrading to macOS Ventura 13.2 ipv6 resolution worked well on default configuration. After upgrading to 13.2 and 13.2.1 i see that it stopped working. I've been able to reproduce this in VMs with macos 13.1 and 13.2
Providing here some diagnostic information in attached files.
As you may see in these files, in case of macos 13.2 scutil --nwi shows no ipv6-enabled interfaces and ipv6 hostname resolution not working.
Both test cases was made with identical connection configurations and latest Viscosity 1.10.5 version.
I've been using viscosity in environment without ipv6, but my vpn connection provides ipv6 connectivity and dns settings for it. Before upgrading to macOS Ventura 13.2 ipv6 resolution worked well on default configuration. After upgrading to 13.2 and 13.2.1 i see that it stopped working. I've been able to reproduce this in VMs with macos 13.1 and 13.2
Providing here some diagnostic information in attached files.
As you may see in these files, in case of macos 13.2 scutil --nwi shows no ipv6-enabled interfaces and ipv6 hostname resolution not working.
Both test cases was made with identical connection configurations and latest Viscosity 1.10.5 version.
Attachments
viscosity_diag_13_2.txt
viscosity_diag_13_1.txt
for macos 13.1, ipv6 dns not working
(7.89 KiB) Downloaded 1057 times
(7.89 KiB) Downloaded 1057 times
viscosity_diag_13_1.txt
for macos 13.1, ipv6 dns working
(8.2 KiB) Downloaded 1091 times
(8.2 KiB) Downloaded 1091 times
Hi kaloprominat,
The problem here looks to be the unusual IPv6 routing. It appears instead of using "redirect-gateway ipv6" to instruct OpenVPN to route all traffic through the VPN connection, the routes "::/1" and "2000::/3" are being used to cover most (but not all) of the IPv6 scope.
Viscosity will not consider this routing setup one that routes all IPv6 traffic through the VPN connection by default. This can affect its Automatic DNS Mode logic (but that doesn't appear to be an issue in this case) and the "Block IPv6 traffic while connected to IPv6-only VPN connections" option (under Settings->Advanced). It can also affect OpenVPN's "block-ipv6" logic. macOS will also only resolve IPv6 addresses if it considers the IPv6 stack reachable, and it may not with just the above IPv6 routes being used (this behaviour may have changed in 13.2).
There are a number of ways to fix this issue:
1. Edit the VPN connection in Viscosity, go to the Networking tab, and set the "All Traffic" option to either "Send all traffic over VPN connection" or "Send all IPv6 traffic over VPN connection". Click Save.
2. Edit the OpenVPN server's configuration and instead of pushing the routes "::/1" and "2000::/3", push "redirect-gateway def1 ipv6" (for both IPv4 and IPv6 traffic) or "redirect-gateway ipv6 !ipv4" (for just IPv6).
3. Instead of using the routes "::/1" and "2000::/3", use "::/3", "2000::/4", "3000::/4" and "fc00::/7". These are the routes OpenVPN consider as routing all IPv6 traffic.
Cheers,
James
The problem here looks to be the unusual IPv6 routing. It appears instead of using "redirect-gateway ipv6" to instruct OpenVPN to route all traffic through the VPN connection, the routes "::/1" and "2000::/3" are being used to cover most (but not all) of the IPv6 scope.
Viscosity will not consider this routing setup one that routes all IPv6 traffic through the VPN connection by default. This can affect its Automatic DNS Mode logic (but that doesn't appear to be an issue in this case) and the "Block IPv6 traffic while connected to IPv6-only VPN connections" option (under Settings->Advanced). It can also affect OpenVPN's "block-ipv6" logic. macOS will also only resolve IPv6 addresses if it considers the IPv6 stack reachable, and it may not with just the above IPv6 routes being used (this behaviour may have changed in 13.2).
There are a number of ways to fix this issue:
1. Edit the VPN connection in Viscosity, go to the Networking tab, and set the "All Traffic" option to either "Send all traffic over VPN connection" or "Send all IPv6 traffic over VPN connection". Click Save.
2. Edit the OpenVPN server's configuration and instead of pushing the routes "::/1" and "2000::/3", push "redirect-gateway def1 ipv6" (for both IPv4 and IPv6 traffic) or "redirect-gateway ipv6 !ipv4" (for just IPv6).
3. Instead of using the routes "::/1" and "2000::/3", use "::/3", "2000::/4", "3000::/4" and "fc00::/7". These are the routes OpenVPN consider as routing all IPv6 traffic.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com
Hi reshippie,
Your VPN connection needs to support IPv6 traffic to be able to resolve IPv6 addresses. It'll need to have a valid IPv6 IP address, with the OpenVPN server configured to support IPv6 traffic. If in doubt you should get in touch with your VPN Provider to check whether IPv6 is enabled. I'm afraid simply setting the VPN connection to tunnel all traffic if it has no IPv6 support will not work.
https://www.sparklabs.com/support/kb/ar ... ovider-is/
If your normal network connection has IPv6 support, but you're unable to resolve IPv6 addresses when connected to the VPN connection, it likely means the VPN connection is IPv4 only. To work-around this you can use Split DNS mode, so the VPN DNS servers are only used for VPN related domains, and your standard network is used for all other resolutions.
https://www.sparklabs.com/support/kb/ar ... #dns-modes
Cheers,
James
Your VPN connection needs to support IPv6 traffic to be able to resolve IPv6 addresses. It'll need to have a valid IPv6 IP address, with the OpenVPN server configured to support IPv6 traffic. If in doubt you should get in touch with your VPN Provider to check whether IPv6 is enabled. I'm afraid simply setting the VPN connection to tunnel all traffic if it has no IPv6 support will not work.
https://www.sparklabs.com/support/kb/ar ... ovider-is/
If your normal network connection has IPv6 support, but you're unable to resolve IPv6 addresses when connected to the VPN connection, it likely means the VPN connection is IPv4 only. To work-around this you can use Split DNS mode, so the VPN DNS servers are only used for VPN related domains, and your standard network is used for all other resolutions.
https://www.sparklabs.com/support/kb/ar ... #dns-modes
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com
Support: https://www.sparklabs.com/support
Bluesky: https://bsky.app/profile/sparklabs.com
- Posts: 1
- Joined: Sun Nov 03, 2024 4:09 am
Hi,
I got exactly the same problem on macOS 15. Digging a bit, it turned out that the issue is caused by some macOS weirdness.
Viscosity adds an entry in the registry (in my case that is State:/Network/Service/com.sparklabs.Viscosity.utun10/IPv6), however it sets the real interface name to utunX which, as highlighted in the github link above, doesn't seem to be picked up by macOS.
I've worked around by adding this up/down script (/opt/viscosity-dns-fix.sh):
I got exactly the same problem on macOS 15. Digging a bit, it turned out that the issue is caused by some macOS weirdness.
Viscosity adds an entry in the registry (in my case that is State:/Network/Service/com.sparklabs.Viscosity.utun10/IPv6), however it sets the real interface name to utunX which, as highlighted in the github link above, doesn't seem to be picked up by macOS.
I've worked around by adding this up/down script (/opt/viscosity-dns-fix.sh):
Code: Select all
I've added the to my openvpn configuration in the Advanced tab using the following:#!/bin/bash
#
# Register/deregister an ipv6 service so that ipv6 resolution works.
#
if [[ "$script_type" = up ]]; then
/usr/sbin/scutil <<EOF
d.init
d.add Addresses * $ifconfig_ipv6_local
d.add InterfaceName gif0
d.add Router $ifconfig_ipv6_remote
set State:/Network/Service/vpn/IPv6
EOF
elif [ "$script_type" = down ]; then
/usr/sbin/scutil <<EOF
remove State:/Network/Service/vpn/IPv6
EOF
fi
exit $?
Code: Select all
To make this work, I had to enable "Allow unsafe OpenVPN commands to be used" in the advanced settings.down /opt/viscosity-dns-fix.sh
script-security 2
up /opt/viscosity-dns-fix.sh
Last edited by aleofreddi on Sun Nov 03, 2024 4:25 am, edited 1 time in total.
5 posts
Page 1 of 1