strideram

Tunnelblick - How to force using AirVPN dns when connected and Router's DNS when disconnected?


The router has the Google DNS hardcoded in it. If I don't explicitly set a DNS server in my network adapter, it will use the router's DNS, which is the Google DNS. I have set up Tunnelblick as described in AirVPN's guide. I additionally had to enable the Tunnelblick setting to force all traffic through the VPN. Apart from that I haven't changed any setting. On connecting to the VPN, the following is the Tunnelblick log:

2014-06-03 00:48:22 *Tunnelblick: OS X 10.9.3; Tunnelblick 3.4beta26 (build 3828)
2014-06-03 00:48:22 *Tunnelblick: Attempting connection with AirVPN Asia UDP 443 using shadow copy; Set nameserver = 1; monitoring connection
2014-06-03 00:48:22 *Tunnelblick: openvpnstart start AirVPN\ Asia\ UDP\ 443.tblk 1337 1 0 1 0 17200 -ptADGNWradsgnw 2.3.4
2014-06-03 00:48:22 *Tunnelblick: openvpnstart starting OpenVPN
2014-06-03 00:48:22 *Tunnelblick: openvpnstart log:
     Tunnelblick:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.4/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Samith-SLibrary-SApplication Support-STunnelblick-SConfigurations-SAirVPN Asia UDP 443.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_17200.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/amith/AirVPN Asia UDP 443.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Users/amith/AirVPN Asia UDP 443.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Users/amith/AirVPN Asia UDP 443.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --redirect-gateway
          def1
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw

2014-06-03 00:48:22 *Tunnelblick: Established communication with OpenVPN
2014-06-03 00:48:22 OpenVPN 2.3.4 i386-apple-darwin10.8.0 [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on May  2 2014
2014-06-03 00:48:22 library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.06
2014-06-03 00:48:22 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2014-06-03 00:48:22 Need hold release from management interface, waiting...
2014-06-03 00:48:22 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2014-06-03 00:48:22 MANAGEMENT: CMD 'pid'
2014-06-03 00:48:22 MANAGEMENT: CMD 'state on'
2014-06-03 00:48:22 MANAGEMENT: CMD 'state'
2014-06-03 00:48:22 MANAGEMENT: CMD 'bytecount 1'
2014-06-03 00:48:22 MANAGEMENT: CMD 'hold release'
2014-06-03 00:48:22 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2014-06-03 00:48:22 Control Channel Authentication: tls-auth using INLINE static key file
2014-06-03 00:48:22 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-06-03 00:48:22 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-06-03 00:48:22 Socket Buffers: R=[196724->65536] S=[9216->65536]
2014-06-03 00:48:22 MANAGEMENT: >STATE:1401736702,RESOLVE,,,
2014-06-03 00:48:23 UDPv4 link local: [undef]
2014-06-03 00:48:23 UDPv4 link remote: [AF_INET]103.10.197.186:443
2014-06-03 00:48:23 MANAGEMENT: >STATE:1401736703,WAIT,,,
2014-06-03 00:48:23 MANAGEMENT: >STATE:1401736703,AUTH,,,
2014-06-03 00:48:23 TLS: Initial packet from [AF_INET]<ip-address>:443, sid=8458ea6e 2a6f894c
2014-06-03 00:48:30 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
2014-06-03 00:48:30 Validating certificate key usage
2014-06-03 00:48:30 ++ Certificate has key usage  00a0, expects 00a0
2014-06-03 00:48:30 VERIFY KU OK
2014-06-03 00:48:30 Validating certificate extended key usage
2014-06-03 00:48:30 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2014-06-03 00:48:30 VERIFY EKU OK
2014-06-03 00:48:30 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
2014-06-03 00:48:34 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2014-06-03 00:48:34 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-06-03 00:48:34 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2014-06-03 00:48:34 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-06-03 00:48:34 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
2014-06-03 00:48:34 [server] Peer Connection Initiated with [AF_INET]103.10.197.186:443
2014-06-03 00:48:35 MANAGEMENT: >STATE:1401736715,GET_CONFIG,,,
2014-06-03 00:48:36 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2014-06-03 00:48:36 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.9.114 10.4.9.113'
2014-06-03 00:48:36 OPTIONS IMPORT: timers and/or timeouts modified
2014-06-03 00:48:36 OPTIONS IMPORT: LZO parms modified
2014-06-03 00:48:36 OPTIONS IMPORT: --ifconfig/up options modified
2014-06-03 00:48:36 OPTIONS IMPORT: route options modified
2014-06-03 00:48:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2014-06-03 00:48:36 Opened utun device utun0
2014-06-03 00:48:36 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2014-06-03 00:48:36 MANAGEMENT: >STATE:1401736716,ASSIGN_IP,,10.4.9.114,
2014-06-03 00:48:36 /sbin/ifconfig utun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2014-06-03 00:48:36 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2014-06-03 00:48:36 /sbin/ifconfig utun0 10.4.9.114 10.4.9.113 mtu 1500 netmask 255.255.255.255 up
2014-06-03 00:48:36 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw utun0 1500 1558 10.4.9.114 10.4.9.113 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Retrieved from OpenVPN: name server(s) [ 10.4.0.1 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        ServerAddresses '10.4.0.1' ignored because ServerAddresses was set manually
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Set ServerAddresses to 8.8.8.8 8.8.4.4
                                        Set SearchDomains   to openvpn
                                        Set DomainName       to openvpn
                                        Flushed the DNS Cache
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2014-06-03 00:48:40 *Tunnelblick: No 'connected.sh' script to execute
2014-06-03 00:48:40 /sbin/route add -net 103.10.197.186 192.168.11.1 255.255.255.255
                                        add net 103.10.197.186: gateway 192.168.11.1
2014-06-03 00:48:40 /sbin/route add -net 0.0.0.0 10.4.9.113 128.0.0.0
                                        add net 0.0.0.0: gateway 10.4.9.113
2014-06-03 00:48:40 /sbin/route add -net 128.0.0.0 10.4.9.113 128.0.0.0
                                        add net 128.0.0.0: gateway 10.4.9.113
2014-06-03 00:48:40 MANAGEMENT: >STATE:1401736720,ADD_ROUTES,,,
2014-06-03 00:48:40 /sbin/route add -net 10.4.0.1 10.4.9.113 255.255.255.255
                                        add net 10.4.0.1: gateway 10.4.9.113
2014-06-03 00:48:40 Initialization Sequence Completed
2014-06-03 00:48:40 MANAGEMENT: >STATE:1401736720,CONNECTED,SUCCESS,10.4.9.114,103.10.197.186
2014-06-03 00:48:44 *Tunnelblick process-network-changes: A system configuration change was ignored

Specifically, the following two lines in the log file:

ServerAddresses '10.4.0.1' ignored because ServerAddresses was set manually
...
Set ServerAddresses to 8.8.8.8 8.8.4.4


If I perform a DNS leak test, I see the Google servers as the result. Also, the automatic Hulu/Netflix unblocking doesn't work.

As I mentioned at the start, the Wi-Fi adapter is configured to get its DHCP settings from the router. Tunnelblick is configured to `Set nameservers`. Reading the Tunnelblick documentation, this ought to work.


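A check for the condition visible in the log above, added here as an example (it is not code from the post, from AirVPN or from Tunnelblick): compare the DNS server the VPN pushed in PUSH_REPLY with the ServerAddresses the Tunnelblick up script reports having installed. The two log excerpts are constructed from the lines quoted in the post and written to temporary files; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the forum post and not Tunnelblick's own code.
# It checks a Tunnelblick connection log for a DNS leak: the resolver the VPN
# server pushed ("dhcp-option DNS ..." in PUSH_REPLY) must be the resolver the
# up script actually installed ("Set ServerAddresses to ...").

# Print the DNS server(s) pushed by the VPN server, one per line.
pushed_dns() {
    grep -o 'dhcp-option DNS [0-9.]*' "$1" | awk '{ print $3 }'
}

# Print the ServerAddresses the Tunnelblick up script reports having set.
set_dns() {
    sed -n 's/.*Set ServerAddresses to //p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 when the installed resolvers are exactly the pushed ones,
# 1 on a leak, 2 when the log carries no pushed DNS at all.
check_vpn_dns() {
    log="$1"
    pushed=$(pushed_dns "$log" | sort -u)
    active=$(set_dns "$log" | sort -u)
    if [ -z "$pushed" ]; then
        echo "no dhcp-option DNS in PUSH_REPLY; nothing to compare"
        return 2
    fi
    # This line is the tell-tale in the post: Tunnelblick refused to apply the push.
    if grep -q 'ignored because ServerAddresses was set manually' "$log"; then
        echo "warning: up script ignored the pushed DNS (ServerAddresses set manually)"
    fi
    if [ "$pushed" = "$active" ]; then
        echo "ok: resolver(s) [$(echo $active)] match the pushed VPN DNS"
        return 0
    fi
    echo "LEAK: pushed [$(echo $pushed)] but installed [$(echo $active)]"
    return 1
}

# Constructed log excerpts (only the relevant lines, modelled on the post's log).
LEAK_LOG=$(mktemp)
cat > "$LEAK_LOG" <<'EOF'
2014-06-03 00:48:36 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.9.114 10.4.9.113'
                                        ServerAddresses '10.4.0.1' ignored because ServerAddresses was set manually
                                        Set ServerAddresses to 8.8.8.8 8.8.4.4
EOF

GOOD_LOG=$(mktemp)
cat > "$GOOD_LOG" <<'EOF'
2014-06-03 00:48:36 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no'
                                        Set ServerAddresses to 10.4.0.1
EOF

check_vpn_dns "$LEAK_LOG" || :    # reports LEAK: what the post's log shows
check_vpn_dns "$GOOD_LOG"         # reports ok: what a correctly applied push looks like
```

Run it against a real Tunnelblick log by passing the log path instead of the temporary files; the exit code makes it usable from a post-connect hook, and the "ignored because ServerAddresses was set manually" warning is the line to look for when the push was received but not applied.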

Hello!

In OS X 10.9.x, each network card has its own DNS. This is a DNS implementation that causes exactly the same problems Windows is affected by, and that you're experiencing.

In Eddie 2.2 for OS X a "forced VPN DNS" option is planned.

In the meantime, in order to prevent DNS leaks you should make sure that no network card's DNS is set to query the router. The VPN DNS server IP address, reachable regardless of the port you connect to, is 10.4.0.1.

Kind regards

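To verify the advice above that no network card's DNS still points at the router, here is an added example (not from the thread, AirVPN or Tunnelblick) that audits the resolver list macOS reports via `scutil --dns` and names the interface behind any resolver that is not the VPN DNS. The `nameserver[N] : IP` and `if_index : N (ifname)` layout it parses is the one scutil prints; the two scutil outputs embedded below are constructed to mirror the leaking and the fixed state described in this thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the forum thread, AirVPN or Tunnelblick. It audits the
# resolvers macOS is actually using, as reported by `scutil --dns`, and flags any
# nameserver that is not the VPN DNS. Parsing assumes the "nameserver[N] : IP" and
# "if_index : N (ifname)" layout scutil prints (see the constructed samples below).
# Live use:   scutil --dns | audit_resolvers 10.4.0.1

# Print every nameserver scutil lists, one per line, deduplicated.
list_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' | sort -u
}

# Print "interface nameserver" pairs so a leaking service can be named.
# Within each "resolver #N" block the nameserver lines precede if_index,
# so nameservers are collected and emitted when the if_index line appears.
nameservers_by_interface() {
    awk '
        /^resolver #/               { n = 0 }
        /^[[:space:]]*nameserver\[/ { ns[n++] = $NF }
        /^[[:space:]]*if_index/     { gsub(/[()]/, "", $NF); for (i = 0; i < n; i++) print $NF, ns[i]; n = 0 }
    '
}

# Read scutil output on stdin; exit 0 only if every nameserver is the expected one.
audit_resolvers() {
    expected="$1"
    input=$(cat)
    leaked=$(printf '%s\n' "$input" | list_nameservers | grep -v -x -F "$expected" || :)
    if [ -n "$leaked" ]; then
        echo "LEAK: resolvers other than $expected are configured:"
        printf '%s\n' "$input" | nameservers_by_interface | grep -v -F " $expected" || :
        return 1
    fi
    echo "ok: only $expected is configured"
    return 0
}

# Constructed scutil --dns output for the leaking state in the post:
# the Wi-Fi service (en0) still carries the router-supplied Google resolvers.
LEAKY='DNS configuration

resolver #1
  search domain[0] : openvpn
  nameserver[0] : 8.8.8.8
  nameserver[1] : 8.8.4.4
  if_index : 4 (en0)
  flags    : Request A records
  reach    : Reachable

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
'

# Constructed output for the healthy state: only the VPN DNS is configured.
CLEAN='DNS configuration

resolver #1
  search domain[0] : openvpn
  nameserver[0] : 10.4.0.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : Reachable
'

printf '%s\n' "$LEAKY" | audit_resolvers 10.4.0.1 || :   # LEAK, lists en0 8.8.8.8 and en0 8.8.4.4
printf '%s\n' "$CLEAN" | audit_resolvers 10.4.0.1         # ok
```

On a live machine, source these functions and run `scutil --dns | audit_resolvers 10.4.0.1` once the tunnel is up; because scutil reports per-resolver interfaces, a leak shows up against the service (here en0, the Wi-Fi card) that still carries the router's servers. `networksetup -getdnsservers Wi-Fi` then tells you whether those servers were set by hand on that service or came from DHCP.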

Hmm... I restarted my machine and it seems everything is working now! All this was done before I read your reply...

- Of the three network cards shown under Network Preferences, only the Wi-Fi one is active. The Bluetooth PAN and Thunderbolt Bridge are shown as not connected. The Wi-Fi adapter is set to fetch DNS from DHCP. When I view the DNS tab for this card, I see the Google DNS values (in gray). Googling a bit tells me that these gray values were not manually set and instead were fetched from DHCP.

- Tunnelblick is configured to "Set Nameservers" for the AirVPN connection.

- Now when I connect to the VPN, it is able to properly set the DNS values to 10.4.0.1. Visiting ipleak.net doesn't show the Google servers; it instead shows a Netherlands-based server (even though I connected to Asia and my current IP is a Singapore-based one).

- Hulu works properly. However, some websites don't seem to load at all, for example Netflix. When I open netflix.com, the tab is stuck at "waiting for netflix.com". nslookup returns the following:

➜  ~  nslookup netflix.com
Server:        10.4.0.1
Address:    10.4.0.1#53

Name:    netflix.com
Address: 69.53.236.17

- I disconnected and reconnected the VPN a few more times. The DNS kept switching between Google and non-Google as expected. But each time while the VPN was connected, I couldn't open netflix.com.

QUESTIONS

- Any thoughts on what's happening?

- Where can I find the Mac client? I found the Windows client at http://airvpn.org/windows_ex. Is there a similar URL for the Mac client?

- In the interim, are you suggesting I hardcode the DNS server address to 10.4.0.1 even when I am not connected to the VPN? Will that even work?

Thanks in advance,

Amith


Hello!

Eddie for OS X is not available at the moment. We're internally running an alpha version which is not ready to be released. Eddie for Linux is available here: https://airvpn.org/linux_ex (if you run distros other than your current Ubuntu, make sure to read the platforms/environments notes here: https://airvpn.org/forum/35-client-software-platforms-environments ).

About your case with OS X: Tunnelblick takes care of the VPN server DNS push, EXCEPT when "ServerAddresses" is set manually (as it was in your case, according to the logs).

Kind regards


About your case with OS X: Tunnelblick takes care of the VPN server DNS push, EXCEPT when "ServerAddresses" is set manually (as it was in your case, according to the logs).

Hmm, I am pretty sure the DNS servers weren't hardcoded in the adapters (the values were gray). Anyway, restarting the laptop fixed the issue... All's good.

Any thoughts on why netflix.com won't even open? I visited other sites like hulu.com, abc.co, pandora, comedycentral etc. and they all open and function properly.
