qkxyvtbrsw

ANSWERED DNS Leakage on Mac OS


Hello AirVPN Team,

 

I would like to use OpenVPN directly on Mac OS X Mountain Lion because I believe that none of the GUI VPN clients on this platform fully support AirVPN features.

 

I installed the TunTap and OpenVPN, created the config file and successfully connected to the AirVPN server.

 

Everything seems to work as it should be except the fact that my DNS is now leaking.

 

How can I force the OpenVPN to use the AirVPN's DNS servers instead of my ISP's?

 

Thank you.


Hello!

 

We have tested that the solution provided in the guide on the experimental package appears to be fully working on Mountain Lion. What is your exact version? Does your system ignore the new DNS (10.4.0.1 being the primary) after you have set them according to the guide? Apparently the only way in which there can be a DNS leak on a Mac/BSD system is when the DNS is set to your router IP address, which in turn re-sends the query in clear.

https://airvpn.org/topic/9325-development-of-os-x-airvpn-client/

 

Kind regards


Thank you for your reply.

 

I am using the binary build of OpenVPN 2.3.1 which was copied directly from Tunnelblick 3.3 beta46.

 

What I had been missing is the sudo networksetup -setdnsservers Wi-Fi 10.4.0.1 line.

 

Now everything works as it should be.
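
A local check to go with the fix described above, as an added example that is not part of the original posts: it reads scutil --dns output and lists every resolver other than the VPN DNS (10.4.0.1 in this thread). The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list resolvers in `scutil --dns` output that are not the VPN DNS.
VPN_DNS="${VPN_DNS:-10.4.0.1}"   # address quoted in the thread; override as needed

# Read `scutil --dns` text on stdin and print each nameserver that is not in
# the space-separated allow-list passed as $1. Exit status is 1 if any is found.
leaking_resolvers() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" {
            ip = $NF
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the state described in the thread before the fix, with
# the system resolver pointing at a home router (192.168.1.1 is made up).
sample_scutil_output() {
    cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
EOF
}

if command -v scutil >/dev/null 2>&1; then
    # On OS X: inspect the live resolver configuration.
    scutil --dns | leaking_resolvers "$VPN_DNS" ||
        echo "resolvers listed above are not $VPN_DNS" >&2
else
    # Elsewhere: run against the constructed sample.
    sample_scutil_output | leaking_resolvers "$VPN_DNS" ||
        echo "sample: resolver listed above is not $VPN_DNS" >&2
fi
```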


Hello!

 

Thanks for the info, great!

 

It would be relevant for us to understand how a DNS leak was possible, if you have the kindness to tell us how your previous DNS were set.

 

Kind regards


Hello,

 

The answer is very simple. I had not set any DNS servers, lol.

 

I installed TunTap 20111101, copied the binary build of OpenVPN 2.3.1 from Tunnelblick 3.3 beta46 to /usr/sbin, downloaded the config file and ran the sudo openvpn config.ovpn command.

I never thought that it was necessary because I never set one when I was using Tunnelblick. I thought that the config file also includes the DNS server addresses.

Now I have a few questions

 

i. How can I run the sudo openvpn config.ovpn command in Terminal, so that the process starts in the background?

ii. Or how can I send it to background after a successful connection?

iii. How can I disconnect from the server?

 

Thank you.


Hello!

 

Thank you for the information.

 

i. We would recommend GNU Screen, available (usually by default) on OS X. With it you can create, detach and re-attach terminal sessions and much, much more. See also this quick tutorial. Default GNU Screen in OS X is not compiled to support 256 colors. If you would like to have them, you need to re-compile screen; please read here.

 

ii. Once you have detached a screen, you can simply close the terminal from which that screen was started. Any detached screen will not be destroyed when you close the terminal and any process inside any detached screen will go on running. When you re-attach its screen from any other terminal, OpenVPN will be just there.

 

iii. You have some options here. You can send a graceful kill signal to OpenVPN with "sudo kill <PID>", or you can re-attach the screen in which OpenVPN is running and then press CTRL-C. In order to discover the OpenVPN PID:

 

ps aux | grep -v grep | grep -i openvpn

 

In both cases OpenVPN will restore your previous routing table. Only if you send a "kill -9" OpenVPN cannot do that.

 

Kind regards


Hello AirVPN,

 

First, I would like to thank you. Even though the questions in my previous post were not directly related to your service, they were answered in full detail.

 

I am also glad that we have this forum because the amount of information on the web about the usage of OpenVPN directly on the OS X platform is very limited.

 

Currently I am behind some PF rules that only allow me to connect to the Internet when I am connected to one of your servers. I also set your DNS server address as my default and only. Therefore when I login to my computer, I connect to one of your servers in the first place and I never disconnect it until the next reboot.

 

In that case

 

i. Can I simply quit the Terminal application after a successful connection? I am getting the "Closing this window will terminate the running processes: openvpn, sudo." warning, but later on everything seems to be working.

 

ii. Can I simply sleep and then wake my computer and continue to work without any interference? This seems to be working too.

 

Thank you.


Hello!

 

Thank you, your feedback is much appreciated.

 

i. Provided that you detached the screen where OpenVPN runs, you can do that. And you should not receive any warning message about OpenVPN.

 

ii. When your computer sleeps, the connection to the VPN is lost. When you wake it, normally OpenVPN will re-try a connection (at least with our configuration files). However, before working as usual you will need to wait for the connection to be re-established (a matter of a few seconds anyway). In any case, please check with care; behavior after a wake-up may vary according to hardware and software.

 

Kind regards

AirVPN Support Team


Hello,

 

"i. Provided that you detached the screen where OpenVPN runs, you can do that. And you should not receive any warning message about OpenVPN."

 

Yes. But what happens if I quit the Terminal application without detaching the process in the first place? Because when I do that, although I am getting a warning message, everything seems to work as it should be.

 

"ii. When your computer sleeps, the connection to the VPN is lost. When you wake it, normally OpenVPN will re-try a connection (at least with our configuration files). However, before working as usual you will need to wait for the connection to be re-established (a matter of a few seconds anyway)."

 

I was also expecting that behaviour but that is not what is happening. When I wake my computer and the wi-fi connection is established, OpenVPN connection is already active. Also there is not a single line about the disconnection/reconnection on the OpenVPN Terminal log.

 

Thank you.


Hello!

 

If you see OpenVPN process running, everything's fine then, even if you do not detach the screen before closing the terminal. On top of that you have the pf configuration that would not allow packets if the computer were not connected to one of Air VPN servers, correct?

 

About the sleeping mode, as written there can be differences between different hardware and software. In your case, your Mac most probably does not turn off the network card and the connection is not lost. Some laptops might turn off the WiFi card in sleeping mode, for example, to save battery etc.

 

Just out of curiosity, are you still using the OpenVPN binaries from Tunnelblick or are you testing the binaries we built from OpenVPN source code? Probably there's no difference, just a curiosity.

 

Kind regards


Hello,

 

"If you see OpenVPN process running, everything's fine then, even if you do not detach the screen before closing the terminal."

 

Yes, openvpn process is still listed under the System Processes title in Activity Monitor even if I quit the Terminal application without detaching the screen first.

 

I have also checked my info on ipleak.net, both my IP and DNS addresses are listed as they should be.

 

"On top of that you have the pf configuration that would not allow packets if the computer were not connected to one of Air VPN servers, correct?"

 

Correct. When I kill the openvpn process, all traffic stops immediately.

 

"In your case, your Mac most probably does not turn off the network card and the connection is not lost."

 

You are correct again. In the Energy Saver prefpane of System Preferences, Wake for network access option is enabled. In order to detect the activity, it would be turned on even when the computer sleeps.

 

"Just out of curiosity, are you still using the OpenVPN binaries from Tunnelblick or are you testing the binaries we built from OpenVPN source code?"

 

Yes, I am still using the OpenVPN binary from Tunnelblick. I was going to use yours but when I read the line below I changed my mind.

 

"By default, navigation does not work. There are issues with DNS."

 

Thank you.


Hello!

 

But... we provided the solution in the very same guide and you applied it! :) With Tunnelblick OpenVPN binaries you had exactly that issue, remember? And you solved it with our guide. :D

 

The problem is related to the fact that in order to accept the DNS push from an OpenVPN server, the client needs up & down scripts to set DNS that we don't have (yet).

 

Kind regards


Hello,

 

You should have understood by now that I am a command line rookie. Most of the time I copy and paste stuff without even knowing what I am doing. It takes some time for me to figure out what I am up to.

 

"But... we provided the solution in the very same guide and you applied it!"

 

Yes, you did it.

 

"With Tunnelblick OpenVPN binaries you had exactly that issue, remember?"

 

Yes, but when I read the post, I was not aware of it. I thought that the problem was specific to your binary build of OpenVPN.

 

"The problem is related to the fact that in order to accept the DNS push from an OpenVPN server, the client needs up & down scripts to set DNS that we don't have (yet)."

 

I am pretty sure you will solve that problem soon. You are doing damn good work here.

 

Thank you.
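
A sketch of the up & down scripts mentioned in the thread, as an added example that is neither AirVPN's nor Tunnelblick's code: one hook script that applies the DNS servers pushed by the server with networksetup on connect and restores the earlier setting on disconnect. It assumes the client config carries script-security 2 with up and down pointing at this file; the state-file path, the default service name and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: OpenVPN up/down hook for OS X that applies pushed DNS servers.
# Assumed client config lines:  script-security 2 / up <this file> / down <this file>
SERVICE="${SERVICE:-Wi-Fi}"                   # network service used in the thread
STATE="${STATE:-/var/run/openvpn-dns.saved}"  # hypothetical file for the old setting

# Print the DNS servers pushed by the server. OpenVPN exports every pushed
# option to its hooks as foreign_option_1, foreign_option_2, ...
pushed_dns() {
    i=1; out=""
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) out="$out ${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
    echo $out   # unquoted on purpose: collapses the leading space
}

# Turn saved `networksetup -getdnsservers` output into -setdnsservers
# arguments. The "aren't any" message means no servers were set, and
# "Empty" is the keyword that clears the list again.
restore_args() {
    case "$1" in
        ""|*"aren't any"*) echo "Empty" ;;
        *) echo $1 ;;   # unquoted: one address per line becomes one line
    esac
}

# OpenVPN sets script_type to "up" or "down" when it runs the hook.
case "${script_type:-}" in
    up)
        dns=$(pushed_dns)
        [ -n "$dns" ] || exit 0               # nothing pushed, leave DNS alone
        networksetup -getdnsservers "$SERVICE" > "$STATE"
        networksetup -setdnsservers "$SERVICE" $dns
        ;;
    down)
        [ -f "$STATE" ] || exit 0
        networksetup -setdnsservers "$SERVICE" $(restore_args "$(cat "$STATE")")
        rm -f "$STATE"
        ;;
esac
```

As with the routing table, a kill -9 gives OpenVPN no chance to run the down hook, so the VPN DNS stays configured until it is restored by hand.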
