DNS resolution fails on macOS #534

Open
justMaku opened this issue Jan 7, 2020 · 45 comments

Comments

@justMaku

justMaku commented Jan 7, 2020

As already stated in #501 (comment) currently openfortivpn doesn't properly register itself with the macOS.

The issue boils down to the fact that on macOS /etc/resolv.conf is used as a compatibility layer for software that prefers to do DNS resolution directly instead of using the system provided APIs.

This means that while tools like nslookup will happily use whatever openfortivpn writes to /etc/resolv.conf, other tools such as ping, which get their DNS resolution through gethostbyname, will still be using the data stored in the so-called SystemConfiguration framework.

The official FortiClient does that via a somewhat strange configuration where it registers itself within SystemConfiguration as piggybacking on en0.

@DimitriPapadopoulos DimitriPapadopoulos changed the title DNS Resolving fails on macOS. DNS Resolving fails on macOS Jan 8, 2020
@etiennedi

Can confirm, same issue here.

@DimitriPapadopoulos DimitriPapadopoulos changed the title DNS Resolving fails on macOS DNS resolution fails on macOS Jan 16, 2020
@rizalp

rizalp commented Jan 21, 2020

For now I solve it using

set-dns = 1
pppd-use-peerdns = 1

In the openfortivpn config file

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jan 21, 2020

@rizalp Option pppd-use-peerdns = 1 delegates DNS updates to pppd and pppd seems to be doing the right thing, unlike openfortivpn. May I suggest you also set option set-dns = 0 to tell openfortivpn not to mess with DNS since pppd has taken over?

set-dns = 0
pppd-use-peerdns = 1

@mrgrauel

I also have the same issue. Thanks for the workaround 👍

@justMaku
Author

Can confirm the workaround works.

@DimitriPapadopoulos
Collaborator

There are two ways we can fix that:

  • Let pppd handle everything on macOS (at least by default). However as far as I can understand pppd cannot update the domain search list for DNS lookups.
  • Get openfortivpn to use the proper API to update the DNS parameters. Until now openfortivpn has been calling the POSIX API of macOS only, as well as external programs. Calling the C# API is probably not gonna be easy. Running networksetup might do the trick.

@justMaku
Author

I think you meant Objective-C, but that's also not needed. The SystemConfiguration can be called from C/C++ ~easily~, you just need to use the CoreFoundation types to pass data in.

@DimitriPapadopoulos
Collaborator

Ah right, I seem to recall now that Objective-C was designed to be highly compatible with C (easily called from C). We probably need to link with an additional SystemConfiguration library though.

@DimitriPapadopoulos
Collaborator

By the way, the sources of pppd for macOS can be found here:
https://opensource.apple.com/source/ppp/
Perhaps more specifically sys-MacOSX.c:
https://opensource.apple.com/source/ppp/ppp-862/Helpers/pppd/sys-MacOSX.c.auto.html

That might give a clue how to fix this.

@torpesco

@torpesco If this is still a problem for you, I suggest you open an new issue.

No new issue, thankfully. Just some frustrating nuance of how pppd adds the DNS setting (at least in 10.15.4).

Apparently whatever pppd does with DNS does not work for host or nslookup, but does work for everything else.

Last time, by the time I got to pppd-use-peerdns, host and nslookup failed, so I didn't try anything else. Also, I must have only looked at networksetup -getdnsservers (which doesn't list the VPN connection itself), and the contents of /etc/resolv.conf.

Today, I remembered to check scutil --dns and could see the DNS entry. host and nslookup still fail, but ping resolves the host IP and pings it. Safari and Chrome work just fine. The DNS entry is listed with flags : Supplemental, whatever that means.

My local router/DNS is 10.0.2.1. I replaced my work with dns1/2:

DNS configuration

resolver #1
  search domain[0] : home-domain
  nameserver[0] : <dns1>
  nameserver[1] : <dns2>
  if_index : 16 (ppp0)
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 100000

resolver #2
  nameserver[0] : 10.0.2.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
  order    : 200000

[...]

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home-domain
  nameserver[0] : 10.0.2.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  nameserver[0] : <dns1>
  nameserver[1] : <dns2>
  if_index : 16 (ppp0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

Sorry -- you'll probably have to mark this off-topic, too, but I just wanted to note this stupid little detail somewhere in case it's useful for a troubleshooting document note or something.

@lcrownover

Just wanted to bump this as I've been unable to get name resolution working on 11.6.1 (Big Sur).

Using settings:

set-dns = 0
pppd-use-peerdns = 1

Which produces the following in scutil --dns:

DNS configuration

resolver #1
  search domain[0] : crownover.net
  nameserver[0] : company-ip1
  nameserver[1] : company-ip2
  if_index : 18 (ppp0)
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 100000

resolver #2
  nameserver[0] : 192.168.1.254
  nameserver[1] : 8.8.8.8
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
  order    : 200000

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #4
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #5
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #6
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #7
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #8
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : crownover.net
  nameserver[0] : 192.168.1.254
  nameserver[1] : 8.8.8.8
  if_index : 5 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  nameserver[0] : company-ip1
  nameserver[1] : company-ip2
  if_index : 18 (ppp0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

I find this odd:

  • In the global resolvers (top section), it shows my home search domain crownover.net attached to the DNS servers that the VPN is pulling down.

  • In the scoped resolvers (bottom), it shows the correct configuration, where my crownover.net domain is configured for my home network.

Unfortunately, neither of these sections correctly display the search domains that are detected when connecting to the VPN, as displayed by the ns_suffix info log message.
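
Added check for the mismatch described in this post (my code, not openfortivpn's): it parses scutil --dns output together with the ns_suffix log line and reports VPN nameservers that never reached the system resolver, VPN search domains missing from the resolver that holds them, foreign search domains attached to them, and Supplemental-only placement. The addresses, suffixes and the abridged scutil output are constructed from this thread's examples; the reading of the Supplemental flag (consulted only for names under its own search domains) is my assumption.

```python
"""Check whether the DNS settings a VPN pushed actually reached macOS's resolver
configuration (what `scutil --dns` shows) and not only /etc/resolv.conf.
Added example for this thread, not openfortivpn code; the log line follows the
"Got addresses: ... ns_suffix [...]" message quoted above, values are constructed."""
import re
from dataclasses import dataclass, field

# Constructed openfortivpn INFO line in the shape quoted in the thread.
SAMPLE_LOG = ("INFO: Got addresses: [10.100.1.152], ns [10.0.11.20, 10.0.12.20], "
              "ns_suffix [corp.example, lab.example]")

# Constructed, abridged from the `scutil --dns` output posted above: the VPN
# nameservers sit in a Supplemental resolver on ppp0 that carries the home
# search domain instead of the VPN ones.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : crownover.net
  nameserver[0] : 10.0.11.20
  nameserver[1] : 10.0.12.20
  if_index : 18 (ppp0)
  flags    : Supplemental, Request A records

resolver #2
  nameserver[0] : 192.168.1.254
  nameserver[1] : 8.8.8.8
  if_index : 5 (en0)
  flags    : Request A records
"""


@dataclass
class Resolver:
    section: str                      # "global" or "scoped"
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    interface: str = ""
    flags: list = field(default_factory=list)


def parse_scutil_dns(text):
    """Parse `scutil --dns` output into Resolver records."""
    resolvers, section, cur = [], "global", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS configuration"):
            section = "scoped" if "scoped" in line else "global"
            cur = None
        elif line.startswith("resolver #"):
            cur = Resolver(section)
            resolvers.append(cur)
        elif cur is not None and " : " in line:
            key, _, value = line.partition(" : ")
            key, value = key.strip(), value.strip()
            if key.startswith("nameserver"):
                cur.nameservers.append(value)
            elif key.startswith("search domain"):
                cur.search.append(value)
            elif key == "if_index":                 # "18 (ppp0)" -> "ppp0"
                m = re.search(r"\((\w+)\)", value)
                cur.interface = m.group(1) if m else ""
            elif key == "flags":
                cur.flags = [f.strip() for f in value.split(",")]
    return resolvers


def parse_vpn_log(line):
    """Return (nameservers, suffixes) from an openfortivpn 'Got addresses' line."""
    def items(m):
        return [x.strip() for x in m.group(1).split(",") if x.strip()] if m else []
    return (items(re.search(r"\bns \[([^\]]*)\]", line)),
            items(re.search(r"ns_suffix \[([^\]]*)\]", line)))


def audit(scutil_text, log_line):
    """Compare what the VPN pushed with what macOS will actually use."""
    vpn_ns, vpn_suffixes = parse_vpn_log(log_line)
    hits = [r for r in parse_scutil_dns(scutil_text)
            if r.section == "global" and set(vpn_ns) & set(r.nameservers)]
    if not hits:
        return [f"VPN nameservers {vpn_ns} missing from the global resolvers: only "
                "/etc/resolv.conf readers such as nslookup and host will use them"]
    findings = []
    for r in hits:
        missing = [s for s in vpn_suffixes if s not in r.search]
        foreign = [s for s in r.search if s not in vpn_suffixes]
        if missing:
            findings.append(f"{r.interface}: VPN search domains {missing} not registered")
        if foreign:
            findings.append(f"{r.interface}: non-VPN search domains {foreign} attached "
                            "to the VPN nameservers, so those lookups go over the tunnel")
        if "Supplemental" in r.flags:
            findings.append(f"{r.interface}: Supplemental resolver, consulted only for "
                            f"names under {r.search}; a bare hostname with no matching "
                            "search domain falls through to the default resolver")
    return findings
```

On a real machine, feed it the output of scutil --dns and the INFO line from openfortivpn -v instead of the constructed samples.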

@wookiesh

Hi all, stumbled upon this issue as I was trying to get dns options ironed out.
I am on Monterey 12.0.1 and using version 1.17.1.

Connection works perfectly fine and, using --pppd-use-peerdns=1, DNS resolution is working partially. Indeed, the DNS search domains which are configured server side seem to be correctly received by the client:
INFO: Got addresses: [x.x.x.x], ns [x.x.x.x], ns_suffix [suffix1, suffix2] (redacted)

but not used by osx: I can for example ping (or safari,...) name.suffix{1,2}, but not name.

In resolvconf, the name servers and search domains are present, and in scutil --dns there is a resolver with the received name servers, but when listing the content of the different DNS-related keys (list .*/DNS*), I can find the key containing the same name servers, and no search domains are defined there.

I tried adding them manually with a:

d.add SearchDomains * suffix1 suffix2
notify [key]

on both the resolver key and State:/Network/Global/DNS but I must have missed something as it's not effective. My idea was to add it as a script for the --script option of openfortivpn.

Has someone experienced the same troubles?

@wookiesh

Oh and also, if I add a file in /etc/resolver with search suffix1, suffix2, it works, but I'd prefer to avoid always sending these requests.

@wookiesh

wookiesh commented Mar 1, 2022

Finally it only works with the first suffix...

@torpesco

torpesco commented Mar 1, 2022

Oh and also, if I add a file in /etc/resolver with search suffix1, suffix2, it works, but I'd prefer to avoid always sending these requests.

Re. "a file" -- I needed one file per suffix I wanted to add nameserver entries for. I'd never actually bothered with 'search' lines, but just did a quick test and it seemed to work for me on macOS 12.2.1.

I did this to test split DNS. I'm sure there's a better way to simply add DNS servers and search suffixes for general use.

From my ip-ip script:

#!/bin/bash

# (actually sourced from /etc/ppp/common -- ip-down removes the files)
# One file per suffix: macOS consults /etc/resolver/<domain> only for
# names under that domain, so each file carries the VPN name servers.
domains=()
domains+=('suffix1.com')
domains+=('corp.suffix1.com')
domains+=('suffix2.com')
...
for domain in "${domains[@]}"; do
    cat > "/etc/resolver/${domain}" <<EOF
nameserver 10.0.11.20
nameserver 10.0.12.20
search ${domain}
EOF
done

All of ping a, ping b and ping c work where a is a.suffix1.com, b is b.corp.suffix1.com, and c is c.suffix2.com.

@DimitriPapadopoulos
Collaborator

See also #987.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jun 3, 2022

@beremour Meanwhile, you could give OpenConnect a try. Does it work any better?

@foss4ever

foss4ever commented Jun 27, 2022

Like many others, I was able to work around this DNS problem by adding:

set-dns = 1
pppd-use-peerdns = 1

to my openfortivpn config.

I don't know if this has been brought up already, but one of our devs is on Ubuntu and using the official FortiClient deb from Fortinet, and has been having similar problems. So it seems like this DNS issue is also affecting the official version...

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jun 27, 2022

Instead you should be using:

set-dns = 0
pppd-use-peerdns = 1

The problem is similar on macOS and GNU/Linux, but not identical. On both platforms, the API to modify DNS parameters evolved:

  • on macOS, from directly changing /etc/resolv.conf to running scutil or calling the SystemConfiguration API,
  • on GNU/Linux, from directly changing /etc/resolv.conf to running one of the resolvconf implementations or calling the systemd API.

We have not been able to find the resources to support all of those quickly evolving APIs. The fact that FortiClient does not work well on Ubuntu (with DNS leaks and other mishaps) shows it is not straightforward. The best course of action would probably be to change openfortivpn to run the same script as OpenConnect, that is vpnc-scripts. However, vpnc-scripts itself still fails to properly support recent APIs, such as systemd on GNU/Linux (openconnect/vpnc-scripts!43).

@tomlawton67

Sorry to add something so trivial, but it tripped me up as a n00b, and is at least easily fixed!:
In the OPTIONS section of the man page, the option which is actually --pppd-use-peerdns is listed as --use-peer-dns. It appears correctly in the USAGE response, and in the CONFIGURATION section of the man page.
(This was from brew install openfortivpn, which gave version 1.17.3)

@DimitriPapadopoulos
Collaborator

I cannot find use-peer-dns anywhere in the source code.

@tomlawton67

Here's what I see:
[screenshot: manOpenFortiVPN]

@tomlawton67

The man page must in some way be Mac-specific, as it contains a reference to the homebrew cellar:

CONFIGURATION
Options can be taken from a configuration file. Options passed in
the command line will override those from the configuration file,
though. The default configuration file is
/usr/local/etc/openfortivpn/openfortivpn/config, but this can be set
using the -c option. An empty template for the configuration file is
installed to
/usr/local/Cellar/openfortivpn/1.17.3/share/openfortivpn/config.template

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Aug 26, 2022

Ah right, thank you for pointing me to the exact location. Fixed in #1003.

The man page is not specific, it just contains a macro that points to the location of the config file defined at build time.

@eusahn

eusahn commented Sep 15, 2022

Still does not work on MacOS.
Tried all recommended configs in this thread.

@DimitriPapadopoulos
Collaborator

What did you try exactly? What do you mean by "does not work"? Which version of MacOS and openfortivpn?

Because openfortivpn currently lacks the code to properly set the DNS servers on recent MacOS systems, I had suggested to let pppd handle that. Please use exclusively:

set-dns = 0
pppd-use-peerdns = 1

@eusahn

eusahn commented Oct 29, 2022

What did you try exactly? What do you mean by "does not work"? Which version of MacOS and openfortivpn?

Because openfortivpn currently lacks the code to properly set the DNS servers on recent MacOS systems, I had suggested to let pppd handle that. Please use exclusively:

set-dns = 0
pppd-use-peerdns = 1

Still doesn't work, get ERR_NAME_NOT_RESOLVED
when I try to navigate to my company's namespace on chrome.

Had flags set to --set-dns=0 --pppd-use-peerdns=1

macOS Monterey 12.5.1

Works fine with openconnect with stock settings.

Not sure what I need to provide for debugging purposes.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Oct 29, 2022

As far as I can understand, the VPN tunnel is created, but DNS resolution fails because the company DNS servers are not taken into account. Can you ping company servers by IP address, not by name? As always, (redacted) logs would help.

@stevium

stevium commented Nov 29, 2022

For me --set-dns=0 --pppd-use-peerdns=1 works for accessing domains within VPN, and only partially for outside VPN. For example I cannot access stackoverflow.com or github.com when I'm connected, but can google.com or facebook.com. Any idea what may be causing this strange DNS resolving behaviour?

I'm using macOS Ventura 13.0.1 and openfortivpn 1.19.0

@stevium

stevium commented Nov 29, 2022

Actually ping is only working for domains inside VPN, but outside of VPN it times out.

@stevium

stevium commented Nov 29, 2022

I can confirm that openconnect --protocol=fortinet fortigate.example.com works without issues for me.
So I will stick to it for the time being.

@DimitriPapadopoulos
Collaborator

When you say you cannot access stackoverflow.com or github.com, is that because of a routing or DNS issue?

  • Can you ping these servers by address? Try ping 151.101.1.69, ping 140.82.121.3.
  • Can you resolve the DNS names of the servers? Try dscacheutil -q host -a name stackoverflow.com, dscacheutil -q host -a name github.com.

@stevium

stevium commented Nov 29, 2022

Sorry, looks like I was wrong, it might be a routing issue.

  • Ping timeouts for both addresses
  • dscacheutil -q host -a name stackoverflow.com outputs the following:
ip_address: 151.101.1.69
ip_address: 151.101.129.69
ip_address: 151.101.65.69
ip_address: 151.101.193.69

@eusahn

eusahn commented Nov 29, 2022

I can confirm that openconnect --protocol=fortinet fortigate.example.com works without issues for me.
So I will stick to it for the time being.

This has been the answer for me. Openconnect just works.

@DimitriPapadopoulos
Collaborator

If it is a routing issue, netstat -r may help us by showing routing differences:

  • without VPN,
  • with the OpenConnect tunnel,
  • with the openfortivpn tunnel.

One significant difference between OpenConnect and openfortivpn is IPv6 support. But then, you are unable to ping the IPv4 address 151.101.1.69 of stackoverflow.com too, so I am not certain this is an IPv6 issue here.

@stevium

stevium commented Nov 29, 2022

Here is the netstat -r outcome:

without VPN:

Routing tables

Internet:

Destination Gateway Flags Netif Expire
default 192.168.0.1 UGScg en0
127 localhost UCS lo0
localhost localhost UH lo0
169.254 link#15 UCS en0 !
192.168.0 link#15 UCS en0 !
192.168.0.1/32 link#15 UCS en0 !
192.168.0.1 38:43:7d:e0:da:8a UHLWIir en0 1188
192.168.0.101/32 link#15 UCS en0 !
192.168.0.123 a4:c3:f0:d5:46:61 UHLWIi en0 216
192.168.0.164 a4:c3:f0:d5:46:61 UHLWI en0 218
224.0.0/4 link#15 UmCS en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
255.255.255.255/32 link#15 UCS en0 !

with OpenConnect:

Routing tables

Internet:

Destination Gateway Flags Netif Expire
default 192.168.0.1 UGScg en0
2.*.*/22 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
3.*.*.*/32 nj0********.ice***. UGSc utun5
10 nj0********.ice***. UGSc utun5
nj0********.ice***. nj0********.ice***. UH utun5
10.100.1.152/32 link#30 UCS utun5
13.*.*.*/32 nj0********.ice***. UGSc utun5
18.*.*.*/32 nj0********.ice***. UGSc utun5
20.*.*.*/32 nj0********.ice***. UGSc utun5
23.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*/* nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
31.*.*.*/32 nj0********.ice***. UGSc utun5
34.*.*.*/32 nj0********.ice***. UGSc utun5
35.*.*.*/32 nj0********.ice***. UGSc utun5
35.*.*.*/32 nj0********.ice***. UGSc utun5
35.*.*.*/32 nj0********.ice***. UGSc utun5
40.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
52.*.*.*/32 nj0********.ice***. UGSc utun5
54.*.*.*/32 nj0********.ice***. UGSc utun5
54.*.*.*/32 nj0********.ice***. UGSc utun5
62.*.*.*/32 nj0********.ice***. UGSc utun5
62.*.*.*/32 nj0********.ice***. UGSc utun5
81.*.*.*/32 nj0********.ice***. UGSc utun5
83.*.*.*/32 nj0********.ice***. UGSc utun5
88.*.*.*/32 nj0********.ice***. UGSc utun5
91.*.*.*/32 nj0********.ice***. UGSc utun5
91.*.*.*/32 nj0********.ice***. UGSc utun5
91.*.*.*/32 nj0********.ice***. UGSc utun5
91.*.*.*/32 nj0********.ice***. UGSc utun5
91.*.*.*/32 nj0********.ice***. UGSc utun5
91.*.*.*/32 nj0********.ice***. UGSc utun5
91.*.*.*/32 nj0********.ice***. UGSc utun5
91.*.*.*/32 nj0********.ice***. UGSc utun5
93.*.*.*/32 nj0********.ice***. UGSc utun5
93.*.*.*/32 nj0********.ice***. UGSc utun5
93.*.*/* nj0********.ice***. UGSc utun5
93.*.*.*/32 nj0********.ice***. UGSc utun5
94.*.*.*/32 nj0********.ice***. UGSc utun5
94.*.*.*/32 nj0********.ice***. UGSc utun5
94.*.*.*/32 nj0********.ice***. UGSc utun5
99.*.*/* nj0********.ice***. UGSc utun5
104.*.*.*/32 nj0********.ice***. UGSc utun5
104.*.*.*/32 nj0********.ice***. UGSc utun5
109.*.*.*/32 nj0********.ice***. UGSc utun5
127 localhost UCS lo0
localhost localhost UH lo0
134.*.*.*/32 nj0********.ice***. UGSc utun5
134.*.*.*/32 nj0********.ice***. UGSc utun5
134.*.*.*/32 nj0********.ice***. UGSc utun5
143.*.*/* nj0********.ice***. UGSc utun5
169.254 link#15 UCS en0 !
172.* nj0********.ice***. UGSc utun5
172.*/* nj0********.ice***. UGSc utun5
172.* nj0********.ice***. UGSc utun5
178.*.*.*/32 nj0********.ice***. UGSc utun5
178.*.*.*/32 nj0********.ice***. UGSc utun5
178.*.*.*/32 nj0********.ice***. UGSc utun5
178.*.*.*/32 nj0********.ice***. UGSc utun5
178.*.*.*/32 nj0********.ice***. UGSc utun5
178.*.*.*/32 nj0********.ice***. UGSc utun5
192.*.*/* nj0********.ice***. UGSc utun5
192.168.0 link#15 UCS en0 !
192.168.0.1/32 link#15 UCS en0 !
192.168.0.1 38:43:7d:e0:da:8a UHLWIir en0 1186
192.168.0.101/32 link#15 UCS en0 !
192.168.0.123 a4:c3:f0:d5:46:61 UHLWI en0 902
192.168.0.164 a4:c3:f0:d5:46:61 UHLWI en0 904
195.*.* nj0********.ice***. UGSc utun5
remote-***.its**** 192.168.0.1 UGHS en0
195.*.* nj0********.ice***. UGSc utun5
203.*.*/* nj0********.ice***. UGSc utun5
204.*.*.*/32 nj0********.ice***. UGSc utun5
212.*.*.*/32 nj0********.ice***. UGSc utun5
212.*.*.*/32 nj0********.ice***. UGSc utun5
212.*.*.*/32 nj0********.ice***. UGSc utun5
212.*.*.*/32 nj0********.ice***. UGSc utun5
212.*.*.*/32 nj0********.ice***. UGSc utun5
213.*.*.*/32 nj0********.ice***. UGSc utun5
213.*.*.*/32 nj0********.ice***. UGSc utun5
213.*.*.*/32 nj0********.ice***. UGSc utun5
213.*.*.*/32 nj0********.ice***. UGSc utun5
213.*.*.*/32 nj0********.ice***. UGSc utun5
213.*.*.*/32 nj0********.ice***. UGSc utun5
213.*.*.*/32 nj0********.ice***. UGSc utun5
213.*.*.*/32 nj0********.ice***. UGSc utun5
224.0.0/4 link#15 UmCS en0 !
224.0.0/4 link#30 UmCSI utun5
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
239.255.255.250 link#30 UHmW3I utun5 8
255.255.255.255/32 link#15 UCS en0 !
255.255.255.255/32 link#30 UCSI utun5

with openfortivpn:

Routing tables

Internet:

Destination Gateway Flags Netif Expire
default ppp0 UScg ppp0
default link#27 UCSIg ppp0
dns.google link#27 UHWIig ppp0
dns.google link#27 UHWIig ppp0
atv**********.icep link#27 UHWIig ppp0
17.*.*.* link#27 UHWIig ppp0
17.*.*.* link#27 UHWIig ppp0
17.*.*.* link#27 UHWIig ppp0
17.*.*.* link#27 UHWIig ppp0
17.*.*.* link#27 UHW3Ig ppp0 1
17.*.*.* link#27 UHWIig ppp0
40.*.*.* link#27 UHWIig ppp0
127 localhost UCS lo0
localhost localhost UH lo0
169.254 link#15 UCS en0 !
169.*.*.* gbl********.ice*** UH ppp0
192.168.0 link#15 UCS en0 !
192.168.0.1/32 link#15 UCS en0 !
192.168.0.1 38:43:7d:e0:da:8a UHLWIir en0 1166
192.168.0.101/32 link#15 UCS en0 !
192.168.0.123 a4:c3:f0:d5:46:61 UHLWI en0 1183
192.168.0.164 a4:c3:f0:d5:46:61 UHLWI en0 1185
192.168.1.183 link#27 UHW3Ig ppp0 !
remote-***.its**** 192.168.0.1 UGHS en0
224.0.0/4 link#15 UmCS en0 !
224.0.0/4 link#27 UmCSI ppp0
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
239.255.255.250 link#27 UHmW3I ppp0 !
255.255.255.255/32 link#15 UCS en0 !
255.255.255.255/32 link#27 UCSI ppp0

For the sake of privacy I have marked the specific address parts with *

@ICHx

ICHx commented Nov 23, 2023

> Instead you should be using:
>
> set-dns = 0
> pppd-use-peerdns = 1
>
> The problem is similar on macOS and GNU/Linux, but not identical. On both platforms, the API to modify DNS parameters evolved:
>
> * on macOS, from directly changing `/etc/resolv.conf` to running `scutil` or calling the `SystemConfiguration` API,
>
> * on GNU/Linux, from directly changing `/etc/resolv.conf` to running one of the `resolvconf` implementations or calling the `systemd` API.
>
> We have not been able to find the resources to support all of those quickly evolving APIs. The fact that FortiClient does not work well on Ubuntu (with DNS leaks and other mishaps) shows it is not straightforward. The best course of action would probably be to change openfortivpn to run the same script as OpenConnect, that is vpnc-scripts. However, vpnc-scripts itself still fails to properly support recent APIs, such as systemd on GNU/Linux (openconnect/vpnc-scripts!43).

This worked for a while for me, until today, when the company DNS was restricted to internal domains only.

Using this allows digging the right IP in the terminal, but not in any other apps, including ping and other Mac applications:

set-dns = 1
pppd-use-peerdns = 0

@kthuno

kthuno commented May 10, 2024

Just wanted to bump this as I've been unable to get name resolution working on 11.6.1 (Big Sur).

Using settings:

set-dns = 0
pppd-use-peerdns = 1

Which produces the following in scutil --dns:

DNS configuration

resolver #1
  search domain[0] : crownover.net
  nameserver[0] : company-ip1
  nameserver[1] : company-ip2
  if_index : 18 (ppp0)
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 100000

resolver #2
  nameserver[0] : 192.168.1.254
  nameserver[1] : 8.8.8.8
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
  order    : 200000

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #4
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #5
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #6
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #7
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #8
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : crownover.net
  nameserver[0] : 192.168.1.254
  nameserver[1] : 8.8.8.8
  if_index : 5 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  nameserver[0] : company-ip1
  nameserver[1] : company-ip2
  if_index : 18 (ppp0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

I find this odd:

  • In the global resolvers (top section), it shows my home search domain crownover.net attached to the DNS servers that the VPN is pulling down.
  • In the scoped resolvers (bottom), it shows the correct configuration, where my crownover.net domain is configured for my home network.

Unfortunately, neither of these sections correctly display the search domains that are detected when connecting to the VPN, as displayed by the ns_suffix info log message.

I have this exact same situation and have had no luck solving it. And to make it even more frustrating, I just tried OpenConnect, which failed on me in some other aspect... What to do?
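As an added example (not code from this thread or from openfortivpn), the following parses the `scutil --dns` output format shown above and flags search domains that the global resolver table binds to a different interface than the scoped table does, which is exactly the oddity described above (a home search domain attached to the VPN nameservers). The sample input is constructed from the format above with placeholder nameserver addresses.

```python
import re
# Constructed sample in the format of the scutil --dns output above (placeholder addresses).
SCUTIL_DNS_SAMPLE = """\
DNS configuration
resolver #1
  search domain[0] : crownover.net
  nameserver[0] : 10.0.0.53
  if_index : 18 (ppp0)
resolver #2
  nameserver[0] : 192.168.1.254
  if_index : 5 (en0)
DNS configuration (for scoped queries)
resolver #1
  search domain[0] : crownover.net
  nameserver[0] : 192.168.1.254
  if_index : 5 (en0)
resolver #2
  nameserver[0] : 10.0.0.53
  if_index : 18 (ppp0)
"""

def parse_scutil_dns(text):
    """Parse scutil --dns output into {'global': [...], 'scoped': [...]} resolver dicts."""
    sections, section, cur = {"global": [], "scoped": []}, None, None
    for line in text.splitlines():
        # Indented "key[idx] : value" lines belong to the current resolver
        m = re.match(r"\s+([a-z_ ]+?)(?:\[\d+\])?\s*:\s*(.+)", line)
        if line.startswith("DNS configuration"):
            section = "scoped" if "scoped" in line else "global"
        elif line.startswith("resolver #"):
            cur = {"nameservers": [], "search": [], "ifname": None}
            sections[section].append(cur)
        elif cur and m:
            key, val = m.group(1), m.group(2).strip()
            if key == "nameserver":
                cur["nameservers"].append(val)
            elif key == "search domain":
                cur["search"].append(val)
            elif key == "if_index":  # "18 (ppp0)" -> "ppp0"
                cur["ifname"] = val[val.find("(") + 1:val.find(")")]
    return sections

def search_domain_mismatches(sections):
    """(domain, global interface, scoped interfaces) where the two tables disagree."""
    scoped_ifs = {}
    for r in sections["scoped"]:
        for d in r["search"]:
            scoped_ifs.setdefault(d, set()).add(r["ifname"])
    return [(d, r["ifname"], sorted(scoped_ifs.get(d, ())))
            for r in sections["global"] for d in r["search"]
            if r["ifname"] not in scoped_ifs.get(d, ())]
```

On a Mac, feed the real output of `scutil --dns` to `parse_scutil_dns` instead of the constructed sample; an empty result means every search domain is bound to the same interface in both tables.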

@AlexeySaff

It seems that --set-dns=1 is adding lines at the beginning of the file, keeping the existing lines at the bottom, and they are conflicting.

@jmada

jmada commented Jan 14, 2025

Using

set-dns = 0
pppd-use-peerdns = 1

in my .config file worked perfectly in macOS Sonoma 14.7.2.

@AlexeySaff

This doesn't work with domain search.
