#1 |
|
Prospect
Join Date: Jan 2010
Posts: 8
|
My electrical engineering department at my school requires a PPTP VPN in order to open remote desktop sessions. However, they also indicated that "send all traffic" must be set in order to use it. While I've heard about problems with "send all traffic" in Snow Leopard, that setup works fine for me except for one problem: I'd rather not send all traffic!
So, I disabled the option to see if I could get it to work more like my employer's OpenVPN with Tunnelblick: it sets up a few routes to the company subnets and sets the OS X DNS client to query the company DNS server. Ideally, it'd only query the company DNS when asked to resolve a company domain name, but that sounds like more trouble than it's worth. Other than querying the company DNS for all domain names, that setup leaves all other traffic alone.

Now to try to get that to work with the academic network: After disabling "send all traffic", I checked netstat -rn and verified that there was a route for 129.2.90/23 to 129.2.91.140 (the gateway for ppp0, which is the VPN interface). So I could ping some of the internal IPs. Unfortunately, the DNS servers were on a different subnet (they are 10.112.1.180 and 10.113.1.180), so I had to run
Code:
sudo route add -net 10 -netmask 255.0.0.0 129.2.91.140

I tried the same thing using Fusion and Windows 7, bridging the VM's connection. It worked fine with the company OpenVPN, but when using the academic VPN, it defaulted to selecting the "use default gateway on remote network" and increased the routing table metrics for all non-VPN routes by about 4000, thereby routing all traffic through the VPN. After disabling that option, the 10 route was still missing, so I added that. After that, everything worked fine on Windows 7! The routes were set up properly, the metrics were all at reasonable values, there was no default route set up for the VPN and the academic DNS servers were being queried. To recap:
I've been poking around with scutil for half a day now and I've found a few promising things (most notably the scutil --dns command... boy, would that have saved me some time), but things like OverridePrimary and SupplementaryMatchDomains don't seem to work properly. Checking the Tunnelblick source code and this article confirmed that scutil is the most proper way to do this, but both of those methods are hacks specifically for OpenVPN. I mean, the most obvious solution is to convince the department that PPTP is insecure, and that they should switch to OpenVPN >:) But they've got some other kind of proprietary, web-based black magic going on that I suspect depends on PPTP. Anything I'm missing, or am I out of luck? |
|
|
|
|
|
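The manual steps in post #1 (find the ppp0 gateway in netstat -rn, add the missing 10/8 route through it, point the resolver at the campus DNS servers) can be collected into one script. The following is an added example written for this thread, not code from the poster, from Tunnelblick or from the department. It assumes the VPN interface is ppp0, the missing subnet is 10.0.0.0/8, the DNS servers are the two from the post, and that the campus domain is the placeholder "example.edu"; the scutil DNS step uses the SystemConfiguration key SupplementalMatchDomains, which the thread reports as unreliable on 10.6, so the route step is the part that is known to work there. With no argument the script dry-runs against a constructed routing table embedded below; with --apply it runs route and scutil for real (as root) on a live PPTP session. Keeping the default route off and adding only the internal subnets is what limits the VPN to campus traffic, at the cost of the host being attached to two networks at once, which is the objection raised in post #3.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's or Tunnelblick's code.
# Assumed values (labelled): interface, extra subnet, DNS servers, domain.
VPN_IF="ppp0"
EXTRA_NET="10.0.0.0"            # subnet pppd did not route (from the thread)
EXTRA_MASK="255.0.0.0"
VPN_DNS="10.112.1.180 10.113.1.180"   # campus resolvers named in the thread
VPN_DOMAIN="example.edu"        # placeholder; the thread does not name the domain
DNS_SERVICE_ID="pptp-split"     # arbitrary key under State:/Network/Service

# Constructed sample of `netstat -rn` output on 10.6 with "send all traffic" off:
# the 129.2.90/23 route exists, the 10/8 route does not, and there is no
# default route via ppp0.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           12        0     en1
127                127.0.0.1          UCS             0        0     lo0
129.2.90/23        129.2.91.140       UGSc            0        0    ppp0
129.2.91.140       129.2.91.141       UH              1        0    ppp0
192.168.1          link#5             UCS             1        0     en1'

# Print the gateway of the first route whose interface column is $1 and whose
# gateway is a dotted quad (skips link#N entries). Routing table text on stdin.
ppp_gateway() {
    awk -v ifn="$1" '
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 3; i <= NF; i++) if ($i == ifn) { print $2; exit }
        }'
}

# The route command the poster ran, with the gateway filled in from netstat.
route_cmd() {
    printf 'route add -net %s -netmask %s %s\n' "$EXTRA_NET" "$EXTRA_MASK" "$1"
}

# scutil session that registers the campus resolvers for the campus domain only,
# leaving the primary resolver alone (the split-DNS behaviour the poster wanted).
dns_scutil_commands() {
    printf 'd.init\n'
    printf 'd.add ServerAddresses * %s\n' "$VPN_DNS"
    printf 'd.add SupplementalMatchDomains * %s\n' "$VPN_DOMAIN"
    printf 'set State:/Network/Service/%s/DNS\n' "$1"
    printf 'quit\n'
}

# Live mode: read the real routing table, add the route, feed scutil.
apply_split_tunnel() {
    gw=$(netstat -rn | ppp_gateway "$VPN_IF")
    if [ -z "$gw" ]; then
        echo "no $VPN_IF gateway found; is the VPN up?" >&2
        return 1
    fi
    route add -net "$EXTRA_NET" -netmask "$EXTRA_MASK" "$gw" || return 1
    dns_scutil_commands "$DNS_SERVICE_ID" | scutil
}

case "${1:-}" in
    --apply)
        apply_split_tunnel ;;
    *)
        # Dry run against the constructed table: show what would be executed.
        gw=$(printf '%s\n' "$SAMPLE_NETSTAT" | ppp_gateway "$VPN_IF")
        echo "would run: $(route_cmd "$gw")"
        echo "would feed scutil:"
        dns_scutil_commands "$DNS_SERVICE_ID" ;;
esac
```

Run it once after the PPTP session is up and check netstat -rn and scutil --dns afterwards; if the SupplementalMatchDomains entry is ignored (as the thread reports on 10.6), the route alone still gives reachability to the internal subnets and the DNS servers can be queried explicitly.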
#2 |
|
Prospect
Join Date: Oct 2004
Posts: 4
|
Unfortunately this has nothing to do with PPTP vs. OpenVPN and everything to do with the way DNS resolution is broken in 10.6.
I've been looking for a solution to this issue for a while now with no luck. |
|
|
|
|
|
#3 |
|
Prospect
Join Date: Jan 2010
Posts: 8
|
Blech, that's unfortunate. Too bad. Actually, after talking with the department they told me that they'd rather not have people connected to other networks as well as the VPN for security reasons, so it's kind of moot. But it would still be nice.
|
|
|
|
Tags: dns, pptp, scutil, snow leopard, vpn