Admin Senior

Macbook Sierra OS OpenVPN issue

A MacBook was upgraded from Yosemite/El Capitan to the newly released Sierra (10.12) yesterday. In Sierra, OpenVPN connects successfully but could not access our internal sites, which were and are working fine in Yosemite/El Capitan. I spent a lot of time trying to figure out the issue on the Sierra MacBook, and also tried Tunnelblick instead of the OpenVPN client, but in Tunnelblick it works for 1 min and after that the situation is the same: I couldn't access our sites. Mostly it's that DNS is not resolving properly, only in Sierra. Today another machine was upgraded to Sierra and it is also facing the same issue.

I had to do this as a workaround:
- Collect the IPs of our internal sites with nslookup from any working VPN-connected MacBook (Yosemite/El Capitan)
- Manually add the host entries for each site with their own IP in /etc/hosts on the non-working MacBook (Sierra)
- Then I could access my sites.

Does anybody have any fix for this? Any troubleshooting tips to make it work on MacBook Sierra OS?


Thank you!
David

I just updated to Sierra too. What can I say ... Tunnelblick works just fine for me, and the other VPN client I use, Forte, was tagged by the O/S as not being compatible so it doesn't load.

There probably isn't a workaround for OpenVPN that doesn't involve modifying source code. So the best I can do is tell you that Tunnelblick 3.6.7 (build 4602) works for me, so you should run that as a workaround. (I have been online for 15 mins approx.) I'll check back in either after a few hours or if it drops me.

Are you running this build of Tunnelblick??  If not, try it.
Admin Senior

ASKER

Same issue with Tunnelblick 3.6.7. Now, out of 4 upgraded MacBooks, 2 work fine with the OpenVPN client itself and 2 do not, with the VPN DNS issue. Of the 2 with the VPN issue, 1 got fixed (somehow), as the user said changing the MacBook hostname fixed the VPN DNS issue. I tried the same technique (of course it doesn't make sense) on the other non-working Sierra machine, but it didn't work. I'm going mad....

I've had no problems with Tunnelblick, have been logged on, no drops for several days. The only reason the session wasn't longer is I installed one of their updates, which also doesn't drop.

Seems to me the problem is not the client, but VPN server settings.

But we can successfully connect and access all of our sites without any issue on the Yosemite and El Capitan editions of Mac.

Be specific, what, EXACTLY is the problem? Is a certain port blocked, is it not routing properly, DNS, bad ARP entry, whatever. I've had all sorts of VPN problems over my career and there is always a point where things go south. Log files are a wonderful thing, especially when it comes to VPN, so many things have to happen to establish the connection & routing and resolution ..

Suggestion: enable logging and try to connect with Sierra and El Capitan, and compare. There HAS to be a difference, and that will reveal where the problem is.

From the incidents: on two of the Sierra MacBooks it's working fine, but another two Sierra MacBooks are facing the issue. From this it's sure the problem lies in the OS itself. It's mostly an improper DNS resolution and routing issue, but I'm not exactly sure how to debug this. I'm already checking the logs of OpenVPN and system.log, and still couldn't find any traces of issues in the logs. I'm investigating the logs in case I'm missing anything that was overlooked....

I intentionally upgraded one backup MacBook specifically for testing this; now this one is also facing the same OpenVPN issue.

I found a better fix; it's an issue with the OpenVPN client DNS routing.
In my routes in Sierra (route get command), for the OpenVPN DNS server IP (say 169.254.254.254), I found my router IP (192.168.1.1) as the gateway instead of the OpenVPN gateway (say 172.16.16.16). But netstat shows the correct VPN gateway for the DNS server.

Say the OpenVPN DNS IP is 169.254.254.254 and the OpenVPN gateway is 172.16.16.16. By adding the route manually as shown below in Sierra, everything works normally and I could access all our sites (of course I removed all the manual VPN entries in /etc/hosts).
sudo route -n add -net 169.254.254.254/32 172.16.16.16

But it says 'File exists', which means the OpenVPN client already added this route. Yes, this route is already there, as I checked with netstat after connecting to the VPN, before adding the above rule manually.

Now the question is how to make the OpenVPN client rectify this, or how to make manually adding the route a permanent solution.
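
The check from the post above as a script, as an added example that is not part of the original thread: it reads `route -n get` output and reports whether the VPN DNS server would be reached through the VPN gateway or through the LAN router. The two sample outputs are constructed from the thread's placeholder addresses; the `utun1` interface name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check which gateway macOS would use
# to reach the VPN-pushed DNS server, from `route -n get <dns-ip>` output.

# Constructed samples using the thread's placeholder addresses.
SAMPLE_BROKEN='   route to: 169.254.254.254
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>'

SAMPLE_WORKING='   route to: 169.254.254.254
destination: 169.254.254.254
    gateway: 172.16.16.16
  interface: utun1
      flags: <UP,GATEWAY,HOST,DONE,STATIC>'

# route_field NAME: print the value of one "name: value" line from stdin.
route_field() {
    awk -v want="$1" '{
        i = index($0, ": ")
        if (i == 0) next
        k = substr($0, 1, i - 1); sub(/^[ \t]+/, "", k)
        if (k == want) { print substr($0, i + 2); exit }
    }'
}

# dns_route_status VPN_GW: read `route -n get` output on stdin and print
# "ok" when the lookup resolves to VPN_GW, else "mismatch gw=... if=...".
dns_route_status() {
    out=$(cat)
    gw=$(printf '%s\n' "$out" | route_field gateway)
    ifc=$(printf '%s\n' "$out" | route_field interface)
    if [ -n "$gw" ] && [ "$gw" = "$1" ]; then
        echo "ok"
    else
        echo "mismatch gw=${gw:-none} if=${ifc:-none}"
    fi
}

# Live use on the Mac: sh check.sh <dns-ip> <vpn-gateway>
# The gateway must be the one this session was assigned (see its log).
if [ "$#" -eq 2 ]; then
    route -n get "$1" | dns_route_status "$2"
else
    printf '%s\n' "$SAMPLE_BROKEN"  | dns_route_status 172.16.16.16
    printf '%s\n' "$SAMPLE_WORKING" | dns_route_status 172.16.16.16
fi
```

When run from an OpenVPN `route-up` script, the gateway for the current session is available in the `route_vpn_gateway` environment variable, which avoids copying a gateway from another machine.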
I found one more thing. The gateway '172.16.16.16' I mentioned was taken from a working Yosemite MacBook. So, I applied the above route fix manually in Sierra using this gateway and it started working.
Actually I overlooked the gateway in Sierra when the VPN is established; while checking the Sierra logs, I found that the gateway listed in the logs is different: it is 172.16.25.16 instead of 172.16.16.16.

Does this mean the VPN server itself is assigning the wrong gateway? Then how is it assigning correctly for Yosemite and El Capitan? What could be wrong, and where?

BTW, after creating the script, I'm wondering how to trigger it to autorun when the VPN is connected...

Any thoughts?
If I had it, it's getting removed automatically on VPN disconnect!
I would like to close this. Thanks for your interest.