The Problem

You want to run an OpenVPN Client on Mac OS X. Your OpenVPN server will be serving DHCP, as well as pushing down DNS server addresses. You’ve tried connecting, and it just doesn’t seem to work. Perhaps you even see a large number of errors of the type:

write to TUN/TAP : Input/output error (code=5)

The Solution

When you connect via OpenVPN, it is the responsibility of the client to process pushed dhcp-options (including the DNS server rules), and do something useful with them. On a linux system, you could, for example, incorporate these into /etc/resolv.conf. Consult your distro’s openvpn documentation for more information.

However, this does not work on a Mac, because Mac software (even down to ssh and ping) doesn’t use /etc/resolv.conf under OS X 10.4… Oops. The solution? A combination of two tools: ipconfig and scutil. These together can manage 10.4’s new DNS configuration system, and set the tap device to obtain an address via DHCP. The problem is discussed further on nicholas riley’s blog, though his solution, a python script, a) is complicated to install, and b) did not actually work for me once installed, though I didn’t dig deep enough to understand why.

The best solution is to run an “up” script as part of the OpenVPN connection process, which will handle the necessary configuration for you. The script is provided on the Openvpn-users mailing list, by Ben Low.

Here’s how to use it with the excellent OpenVPN client Tunnelblick:

1. Install Tunnelblick, and create your OpenVPN config. I’ll assume that you know how to do this, or you wouldn’t be here. If not, consult the documentation for OpenVPN.
2. Download this script (copied from the openvpn-users mailing list). Save it to ~/Library/openvpn, the folder where your Tunnelblick OpenVPN configuration lives.

   OpenVPN TAP up-down Script: tap-up-down.sh

3. Now, make the script executable, by running:

   chmod +x ~/Library/openvpn/tap-up-down.sh

4. Edit your configuration file to include these lines:

   up ./tap-up-down.sh
   down ./tap-up-down.sh

5. Changing your configuration file will have disconnected Tunnelblick if it was connected. Tunnelblick will also prompt you again for your administrator password, since security-sensitive files have been modified.
6. Time to test! Open a Terminal window, and run the command:

   scutil –dns

   to see the current configuration of DNS resolvers. Then connect to your VPN in Tunnelblick, and run the command again:

   scutil –dns

   If all goes as planned, you will see your VPN DNS resolver properly included in the configuration. Congratulations!

7. You should now be able to ping internal hosts by their internal DNS names, e.g.:

   ping internal-server

Good luck!

Updated 11/30/2007 to add chmod +x. Thanks Karel!