MAC OSX 10.6 configd overwrites DNS and routing from OpenVPN

Michael Hieb michael.hieb at celoso.net
Sun Feb 7 10:53:58 PST 2010


Yes. I may have missed a trick, so tell me if you think I got it wrong.

1. Can be used to change DNS setting permanently for interfaces which 
exist in the configd configuration, e.g. Ethernet/Airport
2. Cannot be used to put default routing in the configd configuration.

What you need (and I haven't been able to figure out how to do this) is 
a way to use networksetup to tell configd about the tap interface and 
what DNS and routing are associated with the tap interface. Sort of like 
what you can do in the dynamic configuration with ifconfig and scutil 
which works until configd comes along and clobbers your settings.

So networksetup will do things like

networksetup -setdnsservers [ETHERNET|AIRPORT] x.x.x.x

When what you want is something like

networksetup -setdnsservers [TAP] x.x.x.x
networksetup -setdefaultroute [TAP] g.g.g.g

If you see what I mean...

On 07/02/2010 18:25, Bradley Giesbrecht wrote:
> Have you looked into networksetup?
>
> man networksetup
>
>
> // Brad
>
> On Feb 7, 2010, at 5:51 AM, Michael Hieb wrote:
>
>> Apologies if this is covered elsewhere. I've looked and found no 
>> definitive answers.
>>
>> Problem:
>>
>> Using standard install macports openvpn2: OpenVPN creates a tunnel on 
>> a virtual network interface tap0 which is configured via DHCP. Once 
>> up a script is called to update the routing tables and set DNS. On 
>> linux and windows this works and is very stable because static 
>> routing configurations are employed. On Mac OS X v10.6 routing 
>> configurations are dynamic and managed by configd. Once the virtual 
>> interface comes up the routing tables and DNS can be changed, but 
>> after a short while, configd will come along and change the routing 
>> and DNS configurations and break the VPN.
>>
>> This is covered in some detail in this article.
>> http://www.afp548.com/article.php?story=20041015131913324
>>
>> Question: How to write the DNS and routing entries into preferences 
>> at the time OpenVPN comes up so that they will persist when configd 
>> updates the system?
>>
>> Details:
>>
>> 1. Commands used by OpenVPN script to update the routing table and DNS
>>
>> /usr/sbin/ipconfig set "$dev" DHCP
>>
>> /usr/sbin/scutil <<EOF
>> d.init
>> get State:/Network/Service/DHCP-$dev/DNS
>> d.add SupplementalMatchDomains * $domain_name
>> set State:/Network/Service/DHCP-$dev/DNS
>> EOF
>>
>> Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: Sun Feb 7 11:19:36 2010 /sbin/route add -net 192.168.120.1 192.168.1.1 255.255.255.255
>> Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: add net 192.168.120.1: gateway 192.168.1.1
>> Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: Sun Feb 7 11:19:36 2010 /sbin/route delete -net 0.0.0.0 192.168.1.1 0.0.0.0
>> Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: delete net 0.0.0.0: gateway 192.168.1.1
>> Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: Sun Feb 7 11:19:36 2010 /sbin/route add -net 0.0.0.0 192.168.110.1 0.0.0.0
>> Feb 7 11:19:36 MacBook-Pro org.openvpn[44]: add net 0.0.0.0: gateway 192.168.110.1
>>
>> 2. Everything looks good for a few minutes
>>
>> MacBook-Pro:~ user$ netstat -r
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Refs    Use  Netif  Expire
>> default            192.168.110.1      UGSc       0      0  tap0
>> default            192.168.110.1      UGScI     41     88  tap0
>> 127                localhost          UCS        0      0  lo0
>> localhost          localhost          UH         0      0  lo0
>> 169.254            link#5             UCS        0      0  en1
>> 192.168.1          link#5             UC         1      0  en1
>> 192.168.1.1        0:1e:e5:86:79:22   UHLWI      1     17  en1    1187
>> 192.168.1.101      localhost          UHS        0      0  lo0
>> 192.168.110        link#7             UCS        2      0  tap0
>> 192.168.110.1      0:17:3f:9b:e3:e2   UHLWI     43      8  tap0   1182
>> 192.168.110.3      0:1c:c0:f:90:3b    UHLWI     12 137213  tap0   454
>> 192.168.110.29     localhost          UHS        0      0  lo0
>> 192.168.120.1/32   192.168.1.1        UGSc       1      0  en1
>>
>> MacBook-Pro:~ user$ sudo scutil --dns
>> DNS configuration
>>
>> resolver #1
>> domain : celoso.net
>> search domain[0] : celoso.net
>> nameserver[0] : 208.67.222.222
>> nameserver[1] : 208.67.220.220
>> nameserver[2] : 4.2.2.3
>> order : 200000
>>
>> resolver #2
>> domain : celoso.net
>> nameserver[0] : 192.168.110.3
>> nameserver[1] : 192.168.110.3
>> order : 100400
>>
>> 3. Then something will trigger configd to update the DNS or routing 
>> tables, the only evidence of which I have been able to find is the 
>> following message in the system.log
>>
>> Feb 7 11:20:34 MacBook-Pro configd[13]: network configuration changed.
>>
>> 4. And either the DNS or routing tables will be changed e.g.
>>
>> MacBook-Pro:~ user$ sudo /usr/sbin/scutil --dns
>> Password:
>> DNS configuration
>>
>> resolver #1
>> domain : celoso.net
>> search domain[0] : celoso.net
>> nameserver[0] : 208.67.222.222
>> nameserver[1] : 208.67.220.220
>> nameserver[2] : 4.2.2.3
>> order : 200000
>>
>> resolver #2
>> domain : local
>> options : mdns
>> timeout : 2
>> order : 300000
>>
>> MacBook-Pro:~ user$ netstat -r
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Refs    Use  Netif  Expire
>> default            192.168.1.1        UGSc       0      0  en1
>> default            192.168.110.1      UGScI     52     81  tap0
>> 127                localhost          UCS        0      0  lo0
>> localhost          localhost          UH         0      0  lo0
>> 169.254            link#5             UCS        0      0  en1
>> 192.168.1          link#5             UC         1      0  en1
>> 192.168.1.1        0:1e:e5:86:79:22   UHLWI      1     17  en1    1196
>> 192.168.1.101      localhost          UHS        0      0  lo0
>> 192.168.110        link#7             UCS        2      0  tap0
>> 192.168.110.1      0:17:3f:9b:e3:e2   UHLWI     54      5  tap0   1199
>> 192.168.110.3      0:1c:c0:f:90:3b    UHLWI      0     34  tap0   1161
>> 192.168.110.29     localhost          UHS        0      0  lo0
>> 192.168.120.1/32   192.168.1.1        UGSc       1      0  en1
>> _______________________________________________
>> macports-users mailing list
>> macports-users at lists.macosforge.org
>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
>

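A watchdog check for the clobbering Michael describes, added here as an example; it is not code from the thread, from MacPorts or from OpenVPN. It parses `netstat -r` and `scutil --dns` output (the embedded samples are copied, trimmed, from the outputs quoted above) and reports when the unscoped default route has left the tap device or the VPN resolver has disappeared, which is the state the second pair of outputs shows. The function names and the parameters (`dev`, `vpn_gw`, `vpn_ns`, `vpn_domain`) are my own; on a real machine the two texts would come from running those commands rather than from the constants.

```python
# Added example, not code from the thread, MacPorts or OpenVPN: detect configd moving
# the default route off the tap device or dropping the VPN resolver. Sample inputs
# below are copied (trimmed) from the netstat/scutil outputs quoted in the thread.
NETSTAT_OK = """\
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.110.1 UGSc 0 0 tap0
default 192.168.110.1 UGScI 41 88 tap0
192.168.110 link#7 UCS 2 0 tap0
192.168.120.1/32 192.168.1.1 UGSc 1 0 en1
"""

NETSTAT_CLOBBERED = """\
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 0 0 en1
default 192.168.110.1 UGScI 52 81 tap0
192.168.110 link#7 UCS 2 0 tap0
192.168.120.1/32 192.168.1.1 UGSc 1 0 en1
"""

DNS_OK = """\
DNS configuration

resolver #1
domain : celoso.net
search domain[0] : celoso.net
nameserver[0] : 208.67.222.222

resolver #2
domain : celoso.net
nameserver[0] : 192.168.110.3
order : 100400
"""

DNS_CLOBBERED = """\
DNS configuration

resolver #2
domain : local
options : mdns
order : 300000
"""


def parse_netstat(text):
    """IPv4 rows of `netstat -r` as dicts: dest, gateway, flags, netif."""
    rows, in_inet = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
        elif line.startswith("Internet6:"):  # stop at the IPv6 table if present
            break
        elif in_inet:
            cols = line.split()
            if len(cols) >= 6 and cols[0] != "Destination":
                rows.append({"dest": cols[0], "gateway": cols[1], "flags": cols[2], "netif": cols[5]})
    return rows


def active_default(rows):
    """The unscoped default route. On Mac OS X the `I` flag (RTF_IFSCOPE) marks an
    interface-scoped route that ordinary lookups ignore, so the UGScI entry that is
    still on tap0 after the clobber does not mean traffic still goes through the VPN."""
    for r in rows:
        if r["dest"] == "default" and "I" not in r["flags"]:
            return r
    return None


def parse_scutil_dns(text):
    """Resolvers from `scutil --dns` as dicts: domain, nameservers, order."""
    resolvers, cur = [], None
    for line in text.splitlines():
        if line.startswith("resolver #"):
            cur = {"domain": None, "nameservers": [], "order": None}
            resolvers.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key == "domain":  # 'search domain[0]' is deliberately not matched here
                cur["domain"] = val
            elif key.startswith("nameserver"):
                cur["nameservers"].append(val)
            elif key == "order":
                cur["order"] = int(val)
    return resolvers


def check_vpn(netstat_text, dns_text, dev, vpn_gw, vpn_ns, vpn_domain):
    """Findings dict; 'ok' holds only while both route and DNS still point into the VPN."""
    dflt = active_default(parse_netstat(netstat_text))
    route_ok = dflt is not None and dflt["netif"] == dev and dflt["gateway"] == vpn_gw
    dns_ok = any(r["domain"] == vpn_domain and vpn_ns in r["nameservers"]
                 for r in parse_scutil_dns(dns_text))
    return {"default_netif": dflt["netif"] if dflt else None,
            "default_gateway": dflt["gateway"] if dflt else None,
            "route_ok": route_ok, "dns_ok": dns_ok, "ok": route_ok and dns_ok}


if __name__ == "__main__":
    for ns, dns in ((NETSTAT_OK, DNS_OK), (NETSTAT_CLOBBERED, DNS_CLOBBERED)):
        print(check_vpn(ns, dns, "tap0", "192.168.110.1", "192.168.110.3", "celoso.net"))
```

Run from a launchd job or a loop after the OpenVPN up script, feeding it the live output of `netstat -r` and `scutil --dns`; when `ok` turns false the VPN's default route or resolver has been replaced, and re-running the same `route`/`scutil` commands the up script uses restores it only until configd rewrites the configuration again, which is exactly the persistence problem the thread asks about.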