Correct Way to set up OpenVPN Client on Mac OS X

The Problem

You want to run an OpenVPN Client on Mac OS X. Your OpenVPN server will be serving DHCP, as well as pushing down DNS server addresses. You’ve tried connecting, and it just doesn’t seem to work. Perhaps you even see a large number of errors of the type:

write to TUN/TAP : Input/output error (code=5)

The Solution

When you connect via OpenVPN, it is the responsibility of the client to process pushed dhcp-options (including the DNS server rules), and do something useful with them. On a linux system, you could, for example, incorporate these into /etc/resolv.conf. Consult your distro’s openvpn documentation for more information.

However, this does not work on a Mac, because Mac software (even down to ssh and ping) doesn’t use /etc/resolv.conf under OS X 10.4… Oops. The solution? A combination of two tools: ipconfig and scutil. These together can manage 10.4′s new DNS configuration system, and set the tap device to obtain an address via DHCP. The problem is discussed further on nicholas riley’s blog, though his solution, a python script, a) is complicated to install, and b) did not actually work for me once installed, though I didn’t dig deep enough to understand why.

The best solution is to run an “up” script as part of the OpenVPN connection process, which will handle the necessary configuration for you. The script is provided on the Openvpn-users mailing list, by Ben Low.

Here’s how to use it with the excellent OpenVPN client Tunnelblick:

  1. Install Tunnelblick, and create your OpenVPN config. I’ll assume that you know how to do this, or you wouldn’t be here. If not, consult the documentation for OpenVPN.
  2. Download this script (copied from the openvpn-users mailing list). Save it to ~/Library/openvpn, the folder where your Tunnelblick OpenVPN configuration lives.

    OpenVPN TAP up-down Script: tap-up-down.sh

  3. Now, make the script executable, by running:

    chmod +x ~/Library/openvpn/tap-up-down.sh

  4. Edit your configuration file to include these lines:

    up ./tap-up-down.sh
    down ./tap-up-down.sh

  5. Changing your configuration file will have disconnected Tunnelblick if it was connected. Tunnelblick will also prompt you again for your administrator password, since security-sensitive files have been modified.
  6. Time to test! Open a Terminal window, and run the command:

    scutil –dns

    to see the current configuration of DNS resolvers. Then connect to your VPN in Tunnelblick, and run the command again:

    scutil –dns

    If all goes as planned, you will see your VPN DNS resolver properly included in the configuration. Congratulations!

  7. You should now be able to ping internal hosts by their internal DNS names, e.g.:

    ping internal-server

Good luck!

Updated 11/30/2007 to add chmod +x. Thanks Karel!

14 thoughts on “Correct Way to set up OpenVPN Client on Mac OS X

  1. Justin

    Hi – Thanks for positing!

    I tried this on leopard using tunnelblick 3.0b6 but am still getting the tap/tun error=5 errors. The output from scutil –dns also doesn’t seem to change.

    Have you tried this fix on leopard? Any help would be greatly appreciated!

    Thanks!

    Reply
  2. Hartleigh

    Hi there,

    I am glad in a way that others are having problems with Tunnelblick… I am not able to get this fix working. I have saved the script you provided and made it executable…

    ITD001:~/Library/openvpn hburton$ ls -la
    total 56
    drwxr-xr-x 7 hburton hburton 238 Jan 24 12:01 .
    drwx—— 40 hburton hburton 1360 Jan 24 08:03 ..
    -rw-r–r– 1 hburton hburton 6148 Jan 24 10:49 .DS_Store
    -rwxrwxrwx 1 hburton hburton 1237 Feb 20 2006 ca.crt
    -rw-r–r– 1 root wheel 164 Jan 24 12:01 openvpn.conf
    -rwxrwxrwx 1 hburton hburton 636 Feb 20 2006 ta.key
    -rwxr-xr-x 1 hburton hburton 4339 Jan 24 10:46 tap-up-down.sh

    Edited my configuration file so it has the required changes…

    verb 1
    client
    dev tap
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    ca “ca.crt”
    tls-auth “ta.key” 1
    comp-lzo
    auth-user-pass
    up ./tap-up-down.sh
    down ./tap-up-down.sh

    Previously Tunnelblick would ask for my username/password then establish a connection with the server and give the code=5 error message. However now with this new script in place it will not even attempt to connect. When I press the connect button it will briefly flash to connecting and then back to disconnected with no ouput to the log at all. I am using v3.0b6 on OSX 10.4.11. If anyone has any details that might help it would be greatly appreciated.

    Reply
  3. Hartleigh

    Fixed it!

    I removed the down ./tap-up-down.sh line from the config file and now everything works as it should. Config file now looks like this…

    verb 1
    client
    dev tap
    proto udp
    remote xxx.xxx.xxx.xxx 1194
    ca “ca.crt”
    tls-auth “ta.key” 1
    comp-lzo
    auth-user-pass
    up ./tap-up-down.sh

    Reply
  4. Rola

    Hi.

    i’m just a beginner in using openvpn, let alone using it on mac os. Can anyone point me to where i can find some documentation on how to set up the Certificate Authority (CA) and generate certificates and keys for an OpenVPN server and client?

    Thanks

    Reply
  5. brent

    We use the webmin plugin (OpenVPN + CA) to manage 3 instances of OpenVPN and two CAs. It’s very easy to use – although requires that the CA reside on the OpenVPN server, which could lack some security.
    I would recommend it.

    Reply
  6. Pingback: Correct way to set up OpenVPN client on Mac OSX | Nixadmins.net

  7. Wes

    Using Tunnelblick 3.0 (Build 1437). If you have the “Set nameserver” flag in the UI set then up scripts are not executed. I added the following line to invoke the standard up script as part of tap-up-down.sh. You may have Tunnelblick installed in a different directory, so modify, as appropriate.

    up)
    # Invoke standard up script before setting tap0 to DHCP
    /Applications/Utilities/Tunnelblick.app/Contents/Resources/client.up.osx.sh $1

    I’ve put something in the down) section, but I’m not sure it’s needed.

    This is a known issue in the current Tunnelblick builds (http://code.google.com/p/tunnelblick/wiki/KnownIssues).

    Reply
  8. Patrick

    I’m running 10.6.4, and this script works, but after 5-10 minutes, the newly added resolver disappears, and DNS queries go haywire. Any suggestions?

    Reply
  9. Pingback: Tunnelblick gives the error “write to TUN/TAP : Input/output error (code=5)” Drija

  10. Pingback: Guide to Setting up OpenVPN and Tunnelblick | Brendan Sheehy

  11. Pingback: » OpenVPN: Update Client DNS on Mac OS X using from the command line.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>