The macosxhints Forums > OS X Help Requests > Networking



Old 01-30-2010, 05:00 PM   #1
garaden
Prospect
 
Join Date: Jan 2010
Posts: 8
PPTP VPN won't resolve DNS unless "Send all traffic" is selected

My electrical engineering department at my school requires a PPTP VPN in order to open remote desktop sessions. However, they also indicated that "send all traffic" must be set in order to use it. While I've heard about problems with "send all traffic" in Snow Leopard, that setup works fine for me except for one problem: I'd rather not send all traffic!

So, I disabled the option to see if I could get it to work more like my employer's OpenVPN with Tunnelblick: it sets up a few routes to the company subnets and sets the OS X DNS client to query the company DNS server. Ideally, it'd only query the company DNS when asked to resolve a company domain name, but that sounds like more trouble than it's worth. Other than querying the company DNS for all domain names, that setup leaves all other traffic alone. Now to try to get that to work with the academic network:

After disabling "send all traffic", I checked netstat -rn and verified that there was a route for 129.2.90/23 to 129.2.91.140 (the gateway for ppp0, which is the VPN interface). So I could ping some of the internal IPs. Unfortunately, the DNS servers were on a different subnet (they are 10.112.1.180 and 10.113.1.180), so I had to run
Code:
sudo route add -net 10 -netmask 255.0.0.0 129.2.91.140
After that, I was able to ping the DNS servers and resolve internal domain names if I specified them manually. But I still can't get OS X's DNS client to query those servers by default unless I select "send all traffic"!

I tried the same thing using Fusion and Windows 7, bridging the VM's connection. It worked fine with the company OpenVPN, but when using the academic VPN, it defaulted to selecting the "use default gateway on remote network" and increased the routing table metrics for all non-VPN routes by about 4000, thereby routing all traffic through the VPN.

After disabling that option, the 10 route was still missing, so I added that. After that, everything worked fine on Windows 7! The routes were set up properly, the metrics were all at reasonable values, there was no default route set up for the VPN and the academic DNS servers were being queried.

To recap:
  1. It's clear that whoever's configuring the VPN server needs to add a route to the 10 network to the VPN's configuration parameters. I'll contact them about that once I've got this figured out.
  2. Somehow, OS X needs to set the DNS to the internal servers.

I've been poking around with scutil for half a day now and I've found a few promising things (most notably the scutil --dns command... boy, would that have saved me some time), but things like OverridePrimary and SupplementaryMatchDomains don't seem to work properly. Checking the Tunnelblick source code and this article confirmed that scutil is the most proper way to do this, but both of those methods are hacks specifically for OpenVPN.

I mean, the most obvious solution is to convince the department that PPTP is insecure, and that they should switch to OpenVPN >:) But they've got some other kind of proprietary, web-based black magic going on that I suspect depends on PPTP. Anything I'm missing, or am I out of luck?
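The procedure in the post above (disable "Send all traffic", read the VPN gateway out of `netstat -rn`, add a route for the internal 10 network that the VPN server does not push, then publish the internal DNS servers through `scutil`) can be scripted. The helper below is an added example, not code from this thread or from Tunnelblick: it parses a constructed `netstat -rn` sample, decides which DNS servers would leave through the default gateway instead of ppp0, and emits the `route add` and `scutil` commands. The DNS servers and the 129.2.91.140 gateway come from the post; the `ppp-vpn` service identifier and the `example.edu` match domain are placeholders you would replace with the real service ID (visible under `State:/Network/Service/` in `scutil`) and the department's domain. It only prints commands unless `dry_run=False`, and the `scutil` part is a scoped DNS entry with `SupplementalMatchDomains`, the same mechanism the Tunnelblick up-script uses; the thread does not confirm that 10.6 honours it for a PPTP service, so verify with `scutil --dns` afterwards.

```python
"""Split-tunnel helper for a PPTP VPN (ppp0) on Mac OS X: find the VPN peer in
`netstat -rn`, detect internal DNS servers with no route through the tunnel,
and emit the `route add` / `scutil` commands that fix routing and split DNS."""
import ipaddress
import subprocess
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    network: IPv4Net
    gateway: str
    iface: str


def _expand(dest, flags):
    """Expand a netstat -rn destination ('default', '10', '129.2.90/23')."""
    if dest == "default":
        return IPv4Net("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        # netstat drops trailing zero octets: the printed octets are the
        # network part ('10' -> 10.0.0.0/8). A host route (flag H) is a /32.
        prefix = "32" if "H" in flags else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return IPv4Net(".".join(octets) + "/" + prefix, strict=False)


def parse_routes(netstat_output):
    """Parse the IPv4 routing table; headers and IPv6 entries are skipped."""
    routes = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Destination":
            continue
        try:  # cols: Destination Gateway Flags Refs Use Netif [Expire]
            routes.append(Route(_expand(cols[0], cols[2]), cols[1], cols[5]))
        except ValueError:
            continue
    return routes


def vpn_gateway(routes, iface="ppp0"):
    """Peer address used as gateway on the VPN interface (link#N has no dot)."""
    return next((r.gateway for r in routes if r.iface == iface and "." in r.gateway), None)


def egress_iface(routes, target):
    """Longest-prefix match: the interface a packet to `target` leaves on."""
    addr = ipaddress.IPv4Address(target)
    best = max((r for r in routes if addr in r.network),
               key=lambda r: r.network.prefixlen, default=None)
    return best.iface if best else None


def unrouted(routes, targets, iface="ppp0"):
    """Targets (e.g. DNS servers) that would NOT travel through the VPN."""
    return [t for t in targets if egress_iface(routes, t) != iface]


def route_add_commands(gateway, networks):
    """`route add -net <net> -netmask <mask> <gateway>` for each network."""
    return [["route", "add", "-net", str(n.network_address),
             "-netmask", str(n.netmask), gateway] for n in networks]


def scutil_dns_script(service_id, dns_servers, match_domains):
    """scutil input publishing a scoped DNS entry: names under match_domains go
    to dns_servers, everything else keeps the default resolver."""
    return "\n".join(["open", "d.init",
                      "d.add ServerAddresses * " + " ".join(dns_servers),
                      "d.add SupplementalMatchDomains * " + " ".join(match_domains),
                      "set State:/Network/Service/%s/DNS" % service_id, "quit", ""])


def plan(netstat_output, dns_servers, internal_nets, iface="ppp0"):
    """(gateway, route commands) for internal nets holding an unrouted DNS server."""
    routes = parse_routes(netstat_output)
    gw = vpn_gateway(routes, iface)
    if gw is None:
        raise RuntimeError("no route on %s; is the VPN up?" % iface)
    missing = [ipaddress.IPv4Address(t) for t in unrouted(routes, dns_servers, iface)]
    needed = [n for n in map(IPv4Net, internal_nets) if any(a in n for a in missing)]
    return gw, route_add_commands(gw, needed)


def apply(commands, scutil_script, dry_run=True):
    """Print the commands; with dry_run=False run them via sudo (macOS only)."""
    for cmd in commands:
        print("sudo " + " ".join(cmd))
        if not dry_run:
            subprocess.run(["sudo"] + cmd, check=True)
    print("sudo scutil <<EOF\n" + scutil_script + "EOF")
    if not dry_run:
        subprocess.run(["sudo", "scutil"], input=scutil_script, text=True, check=True)


# Constructed sample of `netstat -rn` with "Send all traffic" off (not real output).
SAMPLE_NETSTAT = """Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use  Netif Expire
default            192.168.1.1        UGSc           12        0    en0
127                127.0.0.1          UCS             0        0    lo0
129.2.90/23        129.2.91.140       UGSc            0        0   ppp0
129.2.91.140       129.2.91.140       UH              1        0   ppp0
192.168.1          link#4             UCS             2        0    en0
192.168.1.1        0:11:22:33:44:55   UHLWI          13      418    en0   1199

Internet6:
Destination                             Gateway                         Flags      Netif Expire
::1                                     ::1                             UH          lo0
"""
DNS_SERVERS = ["10.112.1.180", "10.113.1.180"]

if __name__ == "__main__":
    gw, cmds = plan(SAMPLE_NETSTAT, DNS_SERVERS, ["10.0.0.0/8", "129.2.90.0/23"])
    # "ppp-vpn" and "example.edu" are placeholders (assumptions), see lead-in.
    apply(cmds, scutil_dns_script("ppp-vpn", DNS_SERVERS, ["example.edu"]))
```

On a real machine feed it `subprocess.check_output(["netstat", "-rn"], text=True)` instead of the sample. The `route add` lines are the same thing as the command in the post, written with a full network address instead of the shorthand `10`; a `route delete` and `scutil remove State:/Network/Service/<id>/DNS` on disconnect are left to you.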
Old 03-18-2010, 02:08 PM   #2
egrieco
Prospect
 
Join Date: Oct 2004
Posts: 4
Unfortunately this has nothing to do with PPTP vs. OpenVPN and everything to do with the way DNS resolution is broken in 10.6.

I've been looking for a solution to this issue for a while now with no luck.
Old 03-18-2010, 07:32 PM   #3
garaden
Prospect
 
Join Date: Jan 2010
Posts: 8
Blech, that's unfortunate. Too bad. Actually, after talking with the department they told me that they'd rather not have people connected to other networks as well as the VPN for security reasons, so it's kind of moot. But it would still be nice.

Tags
dns, pptp, scutil, snow leopard, vpn
