Losing DNS server
Got a problem with Viscosity or need help? Ask here!
Thanks for the tests. It seems apparent that the following is occurring:
1. The connection is dropping out or the computer's DHCP lease time is up
2. When the connection is re-established Mac OS X gets new DNS servers from the DHCP server and overwrites the ones set by Viscosity
3. The connection dropout is so short that OpenVPN is not aware that the connection has dropped out at all, and so does not reinitiate the connection (which means the VPN DNS servers would be restored when OpenVPN reconnects).
Using a static IP address, etc., would be the simplest way to avoid the problem in both situations. However, making OpenVPN aware of these dropouts would be the best solution. Using TCP (rather than UDP) as the protocol should achieve this, or you can lower the ping/ping-restart times. TCP is more resilient at detecting dropped connections, and so OpenVPN should reconnect and re-add your OpenVPN server (although it depends on how long the drop-out lasts for). The ping/ping-restart commands instruct OpenVPN to check the connection every x seconds to ensure the VPN connection is still in fact active. You may like to try a very low value to start with and see if it works (you'll most likely have to adjust these on the server to match as well), e.g.:
1. Open Viscosity and edit your connection
2. Click on the Options tab
3. Enter "1" into the Ping field, and "3" into the Ping Restart field (without quotes)
4. Click Save and try connecting
So, just to re-cap, I'd recommend trying the following and see which works best for you:
1. Use static information (IP, DNS, Gateway, etc) instead of DHCP if possible
2. Use TCP as the protocol instead of UDP if possible
3. Try lowering the ping/ping-restart values
4. Try increasing the DHCP lease time on your DHCP server (typically an Internet router or wireless point in a home environment), e.g. to 3 days rather than 1 hour.
In the meantime, I'll see if there is a way to get Viscosity to detect small dropouts and re-add the DNS servers if necessary.
Cheers
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Thanks a lot James. I'm checking to see which of these is an option for me.
In the meantime, I've gone the other way with the DNS... adding my VPN name servers to my name server list. I set the use alternative DNS option so that when I'm connected they aren't listed twice. Seems to be working OK like this. Anyone see any issues with this setup?
thanks,
graham
by troymurray » Fri Nov 14, 2008 3:45 am
James,
I didn't forget about this. I ticked the "Use alternate DNS support" checkbox and since then I have had NO PROBLEMS with my DNS server being forgotten by the system and replaced with a non-valid server IP address. My connection (be it AirPort or Ethernet) is always DHCP and with this setting enabled my problems have disappeared. Here are my settings if they help someone else. I'm connecting to an Astaro Security Gateway (ASG120 & ASG220) in case anyone is interested.
General Tab
---------------------
Method protocol: tcp
Method device: tun
DNS: Enable DNS/Nameserver support
Certificates Tab
---------------------
Authentication Type: SSL/TLS Client
Direction: Default
Options Tab
---------------------
Ping: <blank>
Ping Restart: <blank>
Persist Tun: True
Persist Local IP: False
Persist Key: True
Persist Remote IP: False
Use Username/Password Authentication: True
Use LZO Compression: True
No Bind: True
Pull Options: True
Networking Tab
---------------------
Send all traffic over VPN connection: False
Default Gateway: <blank>
Route: I have entered my two routes, both have "vpn_gateway" for gateway and "default" for metric
Shaper: <blank>
Fragment: <blank>
Tun MTU: <blank>
Inactive: <blank>
Proxy Tab
---------------------
Connect using proxy: False
Advanced Tab
---------------------
resolv-retry infinite
--proto tcp-client <-- I had to add this line as my connection wouldn't work without it!
auth MD5
cipher AES-128-CBC
tls-remote /C=us/L=XXXXXXXXXXX/O=XXXXXXXX/CN=XXXXXXXX/emailAddress=XXXXXXXXXXXXXXXXXXX
reneg-sec 0
James, I've said it before and I'll say it again, I love Viscosity, great, great application, fantastic job, kudos!!!
--
Troy Murray
by gfawcett » Fri Dec 05, 2008 11:47 am
I have exactly this problem and I can replicate it.
The problem is this: I am using TUN, as required by the OpenVPN server I am using. When I bring up the VPN, the "up" script writes the new remote DNS server addresses into my network preferences, removing the ones on my local network. However, when my DHCP lease expires, the DHCP request goes out on my local network and the response overwrites the remote DNS server addresses with the local ones.
Other users can verify that this is the problem by going into network preferences, clicking on the interface they are using (the first green one), clicking the "Advanced" button, clicking on "TCP/IP", and pressing the "Renew DHCP lease" button. Their active VPN connection should stop working, although they can still ping an external numerical (not named) server address using Network Utility.
Bringing down the VPN connection and bringing it up again fixes the problem because it runs the "up" script again. Alternatively, using a static DNS address will work but then the local network cannot be used when the VPN connection is down. Both are a real drag. What is needed is for Viscosity to periodically fix the DNS address while the VPN is up (by running that section of the "up" script). Then a DHCP lease expiry/renewal will not make the active VPN unusable for long.
Hi All,
I've put the latest internal build (which addresses this issue) online for you guys to try seeing as it seems to be in demand. We did plan to test it further before making it available, so please note that it is a HIGHLY EXPERIMENTAL build. It can be downloaded at:
http://www.viscosityvpn.com/download/Vi ... build4.zip [3 MB]
A few things of note:
- It should detect when a DHCP reply overwrites the DNS settings. The VPN DNS settings should be restored within a few seconds
- It is only available for the standard DNS support (so please turn off the alternate DNS support option if you'd like to give it a try)
- If you are using this build keep an eye on memory usage, processor usage, etc to make sure everything is normal
If you have any comments/bugs about this build please visit this topic.
Cheers
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
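The failure mode discussed throughout this thread is that a DHCP renewal rewrites the system resolver list while the tunnel stays up, so name lookups silently go to the local router instead of the VPN's servers. gfawcett asks for a periodic fix, and James's experimental build detects the overwrite and restores the VPN resolvers within seconds. The script below is an added example of that watchdog logic, written for this page; it is not Viscosity's code, not James's build, and not anything posted by the participants. It assumes macOS (`scutil --dns` for the effective resolvers, `networksetup -setdnsservers` to set them), a network service name such as "Wi-Fi", and three hypothetical environment variables (SERVICE, VPN_DNS, INTERVAL) that are not from the thread. The two `scutil --dns` samples are constructed, not captured from a real machine.

```shell
#!/bin/sh
# dns_watchdog.sh: notice when a DHCP renewal has replaced the resolvers the
# VPN pushed, and put them back. Added example for this thread, not code from
# Viscosity or from James's experimental build.
#
# Assumptions (not taken from the thread):
#   - macOS: `scutil --dns` reports the effective resolver list and
#     `networksetup -setdnsservers <service> <addr...>` sets it.
#   - SERVICE, VPN_DNS and INTERVAL are hypothetical environment variables
#     naming the network service (e.g. "Wi-Fi"), the space-separated resolver
#     list the VPN pushed, and the poll interval in seconds.

# normalize_list: print the addresses in "$1" one per line, in order,
# dropping blank entries, so lists from different sources compare equal.
normalize_list() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# extract_nameservers: read `scutil --dns` output on stdin and print the
# nameserver addresses of the first (default) resolver block, in order.
extract_nameservers() {
    awk '/^resolver #/ { block++ }
         block == 1 && /nameserver\[/ { print $3 }'
}

# classify_dns: compare the expected VPN list ($1) with the current list ($2).
# Prints "ok", "overwritten", or "empty" (a DHCP reply that carried no DNS
# option leaves the system with no resolvers at all, which also needs fixing).
classify_dns() {
    _cur=$(normalize_list "$2")
    if [ -z "$_cur" ]; then
        echo empty
    elif [ "$_cur" = "$(normalize_list "$1")" ]; then
        echo ok
    else
        echo overwritten
    fi
}

# dns_intact: succeed only when the current list ($2) is exactly the VPN list
# ($1). Order matters: a swapped primary/secondary is still a change.
dns_intact() {
    [ "$(classify_dns "$1" "$2")" = ok ]
}

# Constructed sample of `scutil --dns` output (not captured from a real Mac):
# the VPN resolvers are in place.
SAMPLE_VPN_OK='DNS configuration

resolver #1
  nameserver[0] : 10.8.0.1
  nameserver[1] : 10.8.0.2

resolver #2
  domain   : local
  options  : mdns
'

# Constructed sample: a DHCP renewal has installed the home router's resolvers
# over the VPN ones, which is the symptom described in the thread.
SAMPLE_AFTER_DHCP='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.254

resolver #2
  domain   : local
  options  : mdns
'

# watch_loop: poll every $INTERVAL seconds and restore the VPN resolvers as
# soon as they are found missing (macOS-only commands; needs admin rights).
watch_loop() {
    while :; do
        _now=$(scutil --dns | extract_nameservers)
        _state=$(classify_dns "$VPN_DNS" "$_now")
        if [ "$_state" != ok ]; then
            logger -t dns_watchdog "resolvers $_state; restoring VPN DNS ($VPN_DNS)"
            # shellcheck disable=SC2086  # VPN_DNS is deliberately word-split
            networksetup -setdnsservers "$SERVICE" $VPN_DNS
        fi
        sleep "${INTERVAL:-5}"
    done
}

case "${1:-}" in
    watch)
        : "${SERVICE:=Wi-Fi}" "${VPN_DNS:?set VPN_DNS to the resolvers the VPN pushed}"
        watch_loop
        ;;
    *)
        # No argument: dry run against the constructed samples.
        printf 'VPN in place:  %s\n' "$(printf '%s' "$SAMPLE_VPN_OK" | extract_nameservers | tr '\n' ' ')"
        printf 'after DHCP:    %s -> %s\n' \
            "$(printf '%s' "$SAMPLE_AFTER_DHCP" | extract_nameservers | tr '\n' ' ')" \
            "$(classify_dns "10.8.0.1 10.8.0.2" "$(printf '%s' "$SAMPLE_AFTER_DHCP" | extract_nameservers)")"
        ;;
esac
```

Without arguments the script only parses the two constructed samples, so it can be read and tested anywhere; on a Mac, export VPN_DNS (the resolvers the tunnel pushed) and SERVICE, then run `sh dns_watchdog.sh watch` with admin rights. It reads the effective resolver list rather than the manually configured one because that is the list a DHCP renewal rewrites, and it compares the lists in order, so the restore also fires when the DHCP reply merely reorders a server the VPN had listed. The "empty" case exists because a DHCP reply with no DNS option leaves the machine with no resolvers at all, which is just as unusable as the wrong ones.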