Correct Way to set up OpenVPN Client on Mac OS X
Colin M | October 6, 2007 | 3:27 pmThe Problem
You want to run an OpenVPN Client on Mac OS X. Your OpenVPN server will be serving DHCP, as well as pushing down DNS server addresses. You’ve tried connecting, and it just doesn’t seem to work. Perhaps you even see a large number of errors of the type:
write to TUN/TAP : Input/output error (code=5)
The Solution
When you connect via OpenVPN, it is the responsibility of the client to process pushed dhcp-options (including the DNS server rules), and do something useful with them. On a linux system, you could, for example, incorporate these into /etc/resolv.conf. Consult your distro’s openvpn documentation for more information.
However, this does not work on a Mac, because Mac software (even down to ssh and ping) doesn’t use /etc/resolv.conf under OS X 10.4… Oops. The solution? A combination of two tools: ipconfig and scutil. These together can manage 10.4′s new DNS configuration system, and set the tap device to obtain an address via DHCP. The problem is discussed further on nicholas riley’s blog, though his solution, a python script, a) is complicated to install, and b) did not actually work for me once installed, though I didn’t dig deep enough to understand why.
The best solution is to run an “up” script as part of the OpenVPN connection process, which will handle the necessary configuration for you. The script is provided on the Openvpn-users mailing list, by Ben Low.
Here’s how to use it with the excellent OpenVPN client Tunnelblick:
- Install Tunnelblick, and create your OpenVPN config. I’ll assume that you know how to do this, or you wouldn’t be here. If not, consult the documentation for OpenVPN.
- Download this script (copied from the openvpn-users mailing list). Save it to
~/Library/openvpn, the folder where your Tunnelblick OpenVPN configuration lives.OpenVPN TAP up-down Script: tap-up-down.sh
- Now, make the script executable, by running:
chmod +x ~/Library/openvpn/tap-up-down.sh
- Edit your configuration file to include these lines:
up ./tap-up-down.sh
down ./tap-up-down.sh - Changing your configuration file will have disconnected Tunnelblick if it was connected. Tunnelblick will also prompt you again for your administrator password, since security-sensitive files have been modified.
- Time to test! Open a Terminal window, and run the command:
scutil –dns
to see the current configuration of DNS resolvers. Then connect to your VPN in Tunnelblick, and run the command again:
scutil –dns
If all goes as planned, you will see your VPN DNS resolver properly included in the configuration. Congratulations!
- You should now be able to ping internal hosts by their internal DNS names, e.g.:
ping internal-server
Good luck!
Updated 11/30/2007 to add chmod +x. Thanks Karel!
Hi,
thank you very much! Works absolutely brilliant :)
(Maybe just add reminder to chmod +x the .sh script, so people like me don’t forget to do that :))
Cheers,
Karel
Hi – Thanks for positing!
I tried this on leopard using tunnelblick 3.0b6 but am still getting the tap/tun error=5 errors. The output from scutil –dns also doesn’t seem to change.
Have you tried this fix on leopard? Any help would be greatly appreciated!
Thanks!
I also am having the same issue on 10.5.1 Justin. Any headway? I wish I could get this working.
Hi there,
I am glad in a way that others are having problems with Tunnelblick… I am not able to get this fix working. I have saved the script you provided and made it executable…
ITD001:~/Library/openvpn hburton$ ls -la
total 56
drwxr-xr-x 7 hburton hburton 238 Jan 24 12:01 .
drwx—— 40 hburton hburton 1360 Jan 24 08:03 ..
-rw-r–r– 1 hburton hburton 6148 Jan 24 10:49 .DS_Store
-rwxrwxrwx 1 hburton hburton 1237 Feb 20 2006 ca.crt
-rw-r–r– 1 root wheel 164 Jan 24 12:01 openvpn.conf
-rwxrwxrwx 1 hburton hburton 636 Feb 20 2006 ta.key
-rwxr-xr-x 1 hburton hburton 4339 Jan 24 10:46 tap-up-down.sh
Edited my configuration file so it has the required changes…
verb 1
client
dev tap
proto udp
remote xxx.xxx.xxx.xxx 1194
ca “ca.crt”
tls-auth “ta.key” 1
comp-lzo
auth-user-pass
up ./tap-up-down.sh
down ./tap-up-down.sh
Previously Tunnelblick would ask for my username/password then establish a connection with the server and give the code=5 error message. However now with this new script in place it will not even attempt to connect. When I press the connect button it will briefly flash to connecting and then back to disconnected with no ouput to the log at all. I am using v3.0b6 on OSX 10.4.11. If anyone has any details that might help it would be greatly appreciated.
Fixed it!
I removed the down ./tap-up-down.sh line from the config file and now everything works as it should. Config file now looks like this…
verb 1
client
dev tap
proto udp
remote xxx.xxx.xxx.xxx 1194
ca “ca.crt”
tls-auth “ta.key” 1
comp-lzo
auth-user-pass
up ./tap-up-down.sh
Hi.
i’m just a beginner in using openvpn, let alone using it on mac os. Can anyone point me to where i can find some documentation on how to set up the Certificate Authority (CA) and generate certificates and keys for an OpenVPN server and client?
Thanks
We use the webmin plugin (OpenVPN + CA) to manage 3 instances of OpenVPN and two CAs. It’s very easy to use – although requires that the CA reside on the OpenVPN server, which could lack some security.
I would recommend it.
[...] So checkout the article at http://www.mccambridge.org/blog/2007/10/correct-way-to-set-up-openvpn-client-on-mac-os-x/ [...]
scutil –dns does not work on 10.4
Using Tunnelblick 3.0 (Build 1437). If you have the “Set nameserver” flag in the UI set then up scripts are not executed. I added the following line to invoke the standard up script as part of tap-up-down.sh. You may have Tunnelblick installed in a different directory, so modify, as appropriate.
up)
# Invoke standard up script before setting tap0 to DHCP
/Applications/Utilities/Tunnelblick.app/Contents/Resources/client.up.osx.sh $1
I’ve put something in the down) section, but I’m not sure it’s needed.
This is a known issue in the current Tunnelblick builds (http://code.google.com/p/tunnelblick/wiki/KnownIssues).