Tunnelblick: "Warning: DNS server address 10.1.0.1 is not a public IP address and is not being routed through the VPN" (but everything works)

[ItalyPaleAle]

Checklist

• I read the README
• I read the FAQ
• I searched the issues
• My issue is about the script, and not OpenVPN itself (I believe)

Describe the issue
I set up an OpenVPN server using this script. The server runs on Debian 10. The client is macOS.

When I connect with Tunnelblick, I always get this warning: "Warning: DNS server address 10.1.0.1 is not a public IP address and is not being routed through the VPN."

In this case, 10.1.0.1 is the IP of my DNS server within the LAN that I would normally connect to (this is set through DHCP so it's not static). In Tunnelblick I've manually enabled "Route all IPv4 traffic through the VPN".

Everything works, and there's no DNS leak (I can confirm that). However, this warning persists.

I'm using the latest version of Tunnelblick: "Tunnelblick: macOS 10.15.5 (19F101); Tunnelblick 3.8.2a (build 5481)"

Server if applicable):

• OS: Debian 10

Client (if applicable):

• OS: macOS 10.15.5
• Client: Tunnelblick 3.8.2a (build 5481)

Additional context
Note that this is not the first OpenVPN solution I set up. In fact, I've been connecting from this same laptop to an OpenVPN server running in my firewall (pfSense) for years, and I've never seen this warning before. Only when connecting to an OpenVPN server created with openvpn-install I see this warning (but again, it's just a warning and everything works as expected)

[TinCanTech]

When I connect with Tunnelblick, I always get this warning: "Warning: DNS server address 10.1.0.1 is not a public IP address and is not being routed through the VPN."

This is a Tunnelblick warning.

I've manually enabled "Route all IPv4 traffic through the VPN"

Does Tunnelblick know that you are "manually routing via the tunnel" ?

[randshell]

See Tunnelblick forums first, it's not an issue with this script. Here is the discussion https://groups.google.com/d/msg/tunnelblick-discuss/lPrltf1UrTw/6ZIKXVM0BQAJ.

Their answer to fix this warning is:

The best practice is to have the VPN server also be a DNS server, because that avoids ARP poison routing.

Your VPN server can "push" the DNS addresses to Tunnelblick as the VPN connection is established, using the push "dhcp-option DNS a.b.c.d" option. That will be in effect only when the VPN is active.

The interesting thing is that we are doing it...

openvpn-install/openvpn-install.sh

Lines 801 to 802 in eca5be8

	echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
	echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf

If it doesn't fix the other problem, please make sure you have checked the box for "Route all IPv4 traffic through the VPN".
If that doesn't help, please reply in this discussion and include new diagnostic info obtained after fixing the first problem.

You may want to post this issue there.

[ItalyPaleAle]

Ok, thank you!

I posted it here because the issue does not happen with my other VPN setup (using pfSense as OpenVPN server).

I am using the Cloudflare DNS so I'm not looking at setting up a DNS server in the VPN. Also, I'm still confused on how setting up a DNS server would help, given that its IP would be different than 10.1.0.1 anyways?

Does Tunnelblick know that you are "manually routing via the tunnel" ?

Yes that's a checkbox on Tunnelblick itself.

[TinCanTech]

Does Tunnelblick know that you are "manually routing via the tunnel" ?

Yes that's a checkbox on Tunnelblick itself

10.1.0.1 is in your client local LAN, which is why you see the warning.

The link @randomshell pointed you to explains it clearly.

[AxelRann]

Digging up an old thread, but it could help someone.

Even though it's already spelled out in your "10.1.0.1 is in your client local LAN, which is why you see the warning." I'd like to reword it for people like me that did not quite catch it on the first read ;)

This issue happens because your client trying to connect to the VPN has a LAN network like 10.x.x.x. This is normal, but becomes a problem once you connect to the VPN since the target LAN you are trying to access via this VPN is also in 10.x.x.x, which creates an overlap.

Since you are already connected to a 10.x.x.x network, OpenVPN looks for the DNS server in your LAN instead of through the VPN. Of course, it fails to find it.

The only solution I have is to change the network on one side to something else that won't overlap (192.168.50.0/24 on the client side for example).

[randshell]

I am using the Cloudflare DNS so I'm not looking at setting up a DNS server in the VPN

I pasted the wrong text. It works for public DNS too.

The best practice is to have the VPN server also be a DNS server, because that avoids ARP poison routing.
Second best (and used by many, perhaps most people) is to use a public DNS server such as Google Public DNS or Quad9, or a server elsewhere on the VPN network.

---

I posted it here because the issue does not happen with my other VPN setup (using pfSense as OpenVPN server).

If you have time to remove the sensitive parts I might take a look, but I wouldn't know what's the problem based on the forum answer.

[TinCanTech]

The answer is that the VPN is not pushing a DNS server and so Tunnelblick is warning the user that 10.1.0.1 is not a public DNS server and it is not being routed via the VPN.

My initial interest was that this could have been a Tunnelblick bug but it is not.

[randshell]

@TinCanTech Why do you say that the VPN is not pushing a DNS server? He chose Cloudflare DNS.

openvpn-install/openvpn-install.sh

Lines 801 to 802 in eca5be8

	echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
	echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf

@ItalyPaleAle can you confirm you have push "dhcp-option DNS 1.0.0.1" and push "dhcp-option DNS 1.1.1.1" in your server.conf?

[TinCanTech]

Either the VPN is not pushing DNS or Tunnelblick is not configured correctly. Your script is not at fault and the warning in the log is correct.

[ItalyPaleAle]

Here's the full server.conf:

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
dh dh.pem
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_xxx.crt
key server_xxx.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

So yes, those two lines are there.

However, looking at this file I do see something interesting... The script created a virtual network that is 10.8.0.0/24, which conflicts with my LAN's address range 10.0.0.0/8.

Do you think that might be why I'm getting this warning?

[randshell]

Other ideas I found from their FAQ:

You don't have "Monitor connection" checked. When DHCP is renewed, the change is ignored (because "Monitor connection" isn't checked) and the VPN-supplied DNS server is replaced with the DHCP-supplied server. Often a DHCP-supplied server will only respond to queries which originate within that network. Since the DNS queries originate from the VPN, which is outside of that network, the queries will not be answered. Put a check next to "Monitor network".

Try to enable this option in Tunnelblick.

If OpenVPN connects to the server properly but your IP address does not change, you are probably missing the "--redirect-gateway" option. Add the following line:
--redirect-gateway def1 to your configuration file.

Try to change push "redirect-gateway def1 bypass-dhcp" to push "redirect-gateway def1".

Do you think that might be why I'm getting this warning?

I don't think so, it talks specifically about DNS. As a last try, you could change the subnet (remove ipp.txt too) or look at other differences between this configuration and the psense one. Don't forget to restart openvpn after every change.

If none of this works, comment on their forum linking to this issue and the solutions you tried.