IPv6 DNS is not working on macOS >= 13.2


kaloprominat

Posts: 1
Joined: Fri Mar 10, 2023 3:25 am

Post by kaloprominat » Fri Mar 10, 2023 3:58 am
Hi!

I've been using Viscosity in an environment without IPv6, but my VPN connection provides IPv6 connectivity and DNS settings for it. Before upgrading to macOS Ventura 13.2, IPv6 resolution worked well with the default configuration. After upgrading to 13.2 and 13.2.1 I see that it stopped working. I've been able to reproduce this in VMs with macOS 13.1 and 13.2.

I'm providing some diagnostic information in the attached files.

As you may see in these files, in the case of macOS 13.2, `scutil --nwi` shows no IPv6-enabled interfaces and IPv6 hostname resolution is not working.

Both test cases were made with identical connection configurations and the latest Viscosity 1.10.5 version.
Attachments
viscosity_diag_13_2.txt
for macOS 13.1, IPv6 DNS not working
(7.89 KiB)

viscosity_diag_13_1.txt
for macOS 13.1, IPv6 DNS working
(8.2 KiB)

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Mar 13, 2023 8:25 pm
Hi kaloprominat,

The problem here looks to be the unusual IPv6 routing. It appears instead of using "redirect-gateway ipv6" to instruct OpenVPN to route all traffic through the VPN connection, the routes "::/1" and "2000::/3" are being used to cover most (but not all) of the IPv6 scope.

Viscosity will not consider this routing setup one that routes all IPv6 traffic through the VPN connection by default. This can affect its Automatic DNS Mode logic (but that doesn't appear to be an issue in this case) and the "Block IPv6 traffic while connected to IPv6-only VPN connections" option (under Settings->Advanced). It can also affect OpenVPN's "block-ipv6" logic. macOS will also only resolve IPv6 addresses if it considers the IPv6 stack reachable, and it may not with just the above IPv6 routes being used (this behaviour may have changed in 13.2).

There are a number of ways to fix this issue:

1. Edit the VPN connection in Viscosity, go to the Networking tab, and set the "All Traffic" option to either "Send all traffic over VPN connection" or "Send all IPv6 traffic over VPN connection". Click Save.

2. Edit the OpenVPN server's configuration and instead of pushing the routes "::/1" and "2000::/3", push "redirect-gateway def1 ipv6" (for both IPv4 and IPv6 traffic) or "redirect-gateway ipv6 !ipv4" (for just IPv6).

3. Instead of using the routes "::/1" and "2000::/3", use "::/3", "2000::/4", "3000::/4" and "fc00::/7". These are the routes OpenVPN considers as routing all IPv6 traffic.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
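
The route comparison in the reply above can be checked with prefix arithmetic. This is an added example, not part of the original posts and not OpenVPN's or Viscosity's own detection code; the function names are hypothetical, and the reference set is the four prefixes quoted in option 3.

```python
import ipaddress

# Prefixes the reply lists as the ones OpenVPN treats as "all IPv6 traffic".
OPENVPN_ALL_V6 = ["::/3", "2000::/4", "3000::/4", "fc00::/7"]


def _nets(prefixes):
    """Parse prefixes and merge adjacent or nested ones into a minimal list."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes))


def uncovered(routes, targets):
    """Return the parts of `targets` that no prefix in `routes` covers."""
    have = _nets(routes)
    gaps = []
    for target in _nets(targets):
        remaining = [target]
        for h in have:
            nxt = []
            for r in remaining:
                if r.subnet_of(h):
                    continue                      # fully covered by this route
                if h.subnet_of(r):
                    nxt.extend(r.address_exclude(h))  # keep only what is left
                else:
                    nxt.append(r)                 # disjoint, nothing covered
            remaining = nxt
        gaps.extend(remaining)
    return [str(n) for n in ipaddress.collapse_addresses(gaps)]


def covers_openvpn_set(routes):
    """True if `routes` cover every prefix in the reference set above."""
    return not uncovered(routes, OPENVPN_ALL_V6)


if __name__ == "__main__":
    pushed = ["::/1", "2000::/3"]  # routes from the original report
    print("covers reference set:", covers_openvpn_set(pushed))
    print("missing vs reference set:", uncovered(pushed, OPENVPN_ALL_V6))
    print("missing vs ::/0:", uncovered(pushed, ["::/0"]))
```

For the reported routes the only reference prefix left uncovered is fc00::/7, so traffic to unique local addresses would follow the non-VPN routing table.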

reshippie

Posts: 1
Joined: Thu Aug 03, 2023 7:19 am

Post by reshippie » Thu Aug 03, 2023 7:23 am
I'm seeing the same issues on 13.4 and 13.5.
I've tried tunneling all IPv6 traffic and _all_ traffic over the tunnel with no luck. I've also tried using the VPN DNS for all lookups without any luck.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Aug 07, 2023 3:58 am
Hi reshippie,

Your VPN connection needs to support IPv6 traffic to be able to resolve IPv6 addresses. It'll need to have a valid IPv6 IP address, with the OpenVPN server configured to support IPv6 traffic. If in doubt you should get in touch with your VPN Provider to check whether IPv6 is enabled. I'm afraid simply setting the VPN connection to tunnel all traffic if it has no IPv6 support will not work.
https://www.sparklabs.com/support/kb/ar ... ovider-is/

If your normal network connection has IPv6 support, but you're unable to resolve IPv6 addresses when connected to the VPN connection, it likely means the VPN connection is IPv4 only. To work around this you can use Split DNS mode, so the VPN DNS servers are only used for VPN related domains, and your standard network is used for all other resolutions.
https://www.sparklabs.com/support/kb/ar ... #dns-modes

Cheers,
James