UDP:1194 split tunnel didn't work in Tunnelblick until I routed all IPv4 traffic through the VPN #19

Open
JoeNoPhoto opened this issue Jan 17, 2019 · 7 comments
Assignees: rajannpatel
Labels: question (Further information is requested)

Comments

@JoeNoPhoto

JoeNoPhoto commented Jan 17, 2019

I just wanted to mention, by default, the configuration settings tab in Tunnelblick has Route all IPv4 traffic through the VPN unchecked. As a result, the following warning appears shortly after trying to connect:

This computer's apparent public IP address was not different after connecting to [.ovpn file]. It is still [redacted IP address].
This may mean that your VPN is not configured correctly.

Selecting the option and attempting to reconnect seems to have fixed the issue and is the only way I've been able to get it working using the following server/client config file setup:

server.conf

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_[redacted].crt
key /etc/openvpn/easy-rsa/pki/private/server_[redacted].key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
client-to-client
# keepalive 1800 3600
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
# cipher AES-256-CBC
cipher AES-128-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 4
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
# performance stuff
fast-io
compress lz4-v2
push "compress lz4-v2"

client.ovpn

client
dev tun
proto udp
remote [redacted] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_[redacted] name
cipher AES-128-GCM
auth SHA256
auth-nocache
verb 4
<ca>
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[redacted]
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[redacted]
-----END OpenVPN Static key V1-----
</tls-crypt>

Can you confirm that I haven't done anything "wrong" by selecting that option?

Side Question:
The push "block-outside-dns" line in server.conf causes a warning/error, apparently because the line is for Windows computers. Outside of commenting out the line entirely (which I don't want to do), is there something I can add to my non-Windows client .ovpn files that would get rid of the warning altogether? I've tried both of the following options, with no luck, and keep getting a "files or directories don't exist" even though '/etc/openvpn/update-resolv-conf' is on my VM.

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

and

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre

If my side question is too far out of the scope of the original issue, I can submit a new one.

Thanks

@rajannpatel rajannpatel self-assigned this Jan 18, 2019
@rajannpatel
Owner

Upon reviewing your server.conf file and client.ovpn files, it appears you are attempting to set up a Split Tunnel VPN where only your DNS requests are sent over the encrypted VPN connection. This does not encrypt all of your Internet traffic, and only sends enough to the VPN server to achieve ad blocking. Your files are perfect as they are.

The default setting in Tunnelblick to Route all IPv4 traffic through the VPN should be unchecked. It could become costly to send all of your traffic over the VPN Tunnel, so we are only sending the DNS traffic there with these configurations. Please keep it unchecked; this is the desired configuration for this reason. When you surf the Internet, you will be exposing your true IP address, and not the IP Address of your VPN Server.

So why are the ads not being blocked / wrong DNS servers being used when you connect using these settings and configuration files? It is because at some point you manually configured DNS Servers on your Wireless and/or Wired Network Adapters.

Open System Preferences | Network and click on the Network Adapter on the left column. Click the Advanced... button at the bottom right, and select the DNS Tab. Use the - button to remove all the manually entered DNS Servers in the column on the left side. Click OK, and Apply these changes. Reconnect to your VPN using Tunnelblick, and you will see the DNS Server automatically get populated in the Network window. You can verify the ad blocking is working by visiting http://blockads.fivefilters.org and also by performing an "extended" DNS Leak Test at http://dnsleaktest.com

As far as the side question goes, you can toy around with removing the block-outside-dns parameter from the server.conf, but you will break functionality on Android phones and potentially iOS clients that use the OpenVPN Connect or OpenVPN for Android software when you do this. The warning is harmless and can be safely ignored.

As far as the 2 options you have tried, I'm afraid you've lost me. Perhaps we can try and resolve that in a separate issue. If the instructions to remove manually configured DNS Servers on your Network Adapters do not resolve this issue, please let me know what version of macOS and Tunnelblick you are using. If this does resolve your issue, feel free to close this issue out.
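The maintainer's point above rests on what the server pushes to the client: a DNS server and no redirect-gateway, so only the 10.8.0.0/24 range is routed into the tunnel and the public IP is expected to stay the same. The following is an added Python example, not code from this issue, PiVPN or Tunnelblick. It merges a client .ovpn with the directives a server.conf pushes, reports whether the result is a split or full tunnel, lists the pushed DNS servers and any Windows-only directives (block-outside-dns is one; non-Windows clients warn about it and ignore it), and flags the TLS settings a reviewer would check. The sample configs are constructed from the directives quoted in this thread; the remote host, certificate name and the certificate body are placeholders.

```python
"""Classify an OpenVPN server.conf / client.ovpn pair as split- or full-tunnel.

Added example; not code from this issue, PiVPN or Tunnelblick. Parsing follows
OpenVPN config syntax: one directive per line, '#' or ';' comments, inline
<tag>...</tag> blocks, and push "<directive>". Samples below are constructed.
"""
import shlex

SERVER_CONF = """\
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# push "redirect-gateway def1"
remote-cert-tls client
tls-version-min 1.2
cipher AES-128-GCM
auth SHA256
"""

CLIENT_OVPN = """\
client
dev tun
remote vpn.example.invalid 1194
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_example name
cipher AES-128-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
[placeholder]
-----END CERTIFICATE-----
</ca>
"""

WINDOWS_ONLY = {"block-outside-dns"}  # non-Windows clients warn and ignore it


def parse_directives(text):
    """Return (name, args) tuples; skip comments and inline <tag>...</tag> blocks."""
    directives, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            in_block = not line.startswith("</")
            continue
        if line.startswith("<"):
            in_block = True
            continue
        name, *args = shlex.split(line)
        directives.append((name, args))
    return directives


def effective_client_options(server_text, client_text):
    """Client directives plus whatever the server pushes, as the client sees them."""
    opts = parse_directives(client_text)
    for name, args in parse_directives(server_text):
        if name == "push" and args:
            # push carries one quoted argument holding a whole directive
            pushed, *pushed_args = shlex.split(args[0])
            opts.append((pushed, pushed_args))
    return opts


def classify_tunnel(server_text, client_text):
    """Report tunnel mode, pushed DNS servers and Windows-only directives."""
    opts = effective_client_options(server_text, client_text)
    names = {n for n, _ in opts}
    full = "redirect-gateway" in names
    return {
        "mode": "full-tunnel" if full else "split-tunnel",
        "pushed_dns": [a[1] for n, a in opts
                       if n == "dhcp-option" and len(a) == 2 and a[0].upper() == "DNS"],
        "windows_only_directives": sorted(names & WINDOWS_ONLY),
        # Without redirect-gateway only the VPN subnet is routed into the tunnel,
        # so the public IP seen by Tunnelblick's check stays the same.
        "expect_public_ip_change": full,
    }


def hardening_notes(server_text, client_text):
    """Flag the TLS-related settings a reviewer looks for in such a pair."""
    notes = []
    for side, text, peer in (("server", server_text, "client"),
                             ("client", client_text, "server")):
        d = dict(parse_directives(text))
        if d.get("remote-cert-tls") != [peer]:
            notes.append(f"{side}: remote-cert-tls {peer} missing")
        if "tls-version-min" not in d:
            notes.append(f"{side}: no tls-version-min")
        cipher = d.get("cipher", [""])[0]
        if not cipher.endswith("-GCM"):
            notes.append(f"{side}: cipher {cipher or 'default'} is not AEAD")
    return notes
```

Run `classify_tunnel(SERVER_CONF, CLIENT_OVPN)` on the samples and the mode comes back as split-tunnel with 10.8.0.1 as the only pushed DNS server; uncommenting the redirect-gateway push flips it to full-tunnel, which is exactly what checking "Route all IPv4 traffic through the VPN" in Tunnelblick does on the client side. To check a real pair, read the two files into strings and pass them in.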

@rajannpatel rajannpatel added the question Further information is requested label Jan 19, 2019
@JoeNoPhoto
Author

I haven't explicitly changed my DNS configuration, and within the DNS tab there's nothing I'm able to remove; however, it does appear as though my internet company uses 10.0.1.1, as it is grayed out in the DNS server section, and my cable provider's domain is grayed out in the Search Domains area as well. FWIW, full tunnel does work on my iOS and OSX for me at the moment.

Re: the options I've tried, I'm lost as well. I was essentially just throwing stuff at the wall to see what might stick.

@rajannpatel
Owner

I am assuming your IP Address is assigned dynamically (via DHCP) and is not static.

Open System Preferences | Network and click on the Network Adapter on the left column. Make note of the DNS Server that appears here. I suspect it will be your ISP's provided DNS Server, which you said is 10.0.1.1. (The value for the DNS Server should be grayed out text if it was acquired via DHCP.)

Then use Tunnelblick to establish a Split Tunnel VPN Connection to your server.

When the VPN connects, Tunnelblick should have updated the DNS Server to read 10.8.0.1. Do you see this change happening? (I am hoping the answer to this question is Yes.)

If the answer to the question above is not yes, an ugly solution is to set 10.8.0.1 as your DNS Server manually, so it is the very first DNS Server that is queried. If your VPN is not connected, then this DNS Server will be unreachable, and it will default to the next DNS Server in the list.
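The check the maintainer asks for (does the first DNS server become 10.8.0.1 once Tunnelblick connects) can be scripted on macOS from the output of `scutil --dns`, which lists resolvers in the order the system consults them together with the interface each is bound to. The following is an added Python example, not part of this issue or of Tunnelblick. The two sample outputs are constructed to mirror the `scutil --dns` format, one for the connected state and one for the disconnected state; on a real Mac, capture `scutil --dns` and pass the text to `check_tunnel_dns()`. The interface test also distinguishes DNS pushed by the VPN (bound to a utun interface) from 10.8.0.1 typed in manually on the Ethernet or Wi-Fi adapter.

```python
"""Check from `scutil --dns` output whether macOS sends DNS to the VPN resolver first.

Added example, not from this issue or Tunnelblick. The sample texts below are
constructed to mirror the `scutil --dns` output format on macOS.
"""
import re

SCUTIL_CONNECTED = """\
DNS configuration

resolver #1
  search domain[0] : openvpn
  nameserver[0] : 10.8.0.1
  if_index : 21 (utun2)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : 10.0.1.1
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
"""

SCUTIL_DISCONNECTED = """\
DNS configuration

resolver #1
  search domain[0] : home.example.invalid
  nameserver[0] : 10.0.1.1
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
"""


def parse_scutil(text):
    """Return resolvers in consultation order, each with its nameservers,
    search domains and the interface it is bound to."""
    resolvers, current = [], None
    for line in text.splitlines():
        m = re.match(r"resolver #(\d+)", line)
        if m:
            current = {"id": int(m.group(1)), "nameservers": [], "search": [], "interface": None}
            resolvers.append(current)
            continue
        if current is None:
            continue
        if m := re.match(r"\s+nameserver\[\d+\] : (\S+)", line):
            current["nameservers"].append(m.group(1))
        elif m := re.match(r"\s+search domain\[\d+\] : (\S+)", line):
            current["search"].append(m.group(1))
        elif m := re.match(r"\s+if_index : \d+ \((\w+)\)", line):
            current["interface"] = m.group(1)
    return resolvers


def check_tunnel_dns(text, vpn_dns="10.8.0.1"):
    """Return (ok, reason). ok is True when the first resolver is the VPN DNS
    server bound to a utun interface, i.e. the state expected after connecting."""
    resolvers = parse_scutil(text)
    if not resolvers:
        return False, "no resolvers parsed"
    first = resolvers[0]
    if vpn_dns not in first["nameservers"]:
        return False, f"first resolver uses {first['nameservers']}, not {vpn_dns}"
    if not (first["interface"] or "").startswith("utun"):
        # 10.8.0.1 listed first but on a LAN interface: a manual entry, which
        # is unreachable whenever the tunnel is down.
        return False, f"{vpn_dns} is first but bound to {first['interface']}, not a tunnel"
    return True, f"DNS goes to {vpn_dns} via {first['interface']}"
```

With the connected sample the check passes and reports the utun interface; with the disconnected sample it reports that the first resolver is the router at 10.0.1.1, which is the leak the maintainer's System Preferences instructions are meant to rule out.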

@JoeNoPhoto
Author

JoeNoPhoto commented Jan 29, 2019

Tried getting it running all this weekend, but no go...

My IP address is assigned dynamically via DHCP, yes, but 10.0.1.1 is the DNS LAN address created through the Airport Extreme router, not the ones (2) my ISP has assigned. Those can be seen greyed out in my Airport Utility settings under the Internet tab. They also appear as the two DNS servers on the Airport Utility main page when I click Internet.

When the VPN connects, Tunnelblick should have updated the DNS Server to read 10.8.0.1. Do you see this change happening? (I am hoping the answer to this question is Yes.)

Yes, both the DNS Servers and Search Domains change to 10.8.0.1 and 'openvpn' respectively.

I've also tried a few other things with mixed results - either not being able to connect at all, or being able to connect but my IP still remains unchanged.

Added '10.8.0.1' ONLY via System Preferences | Network | Advanced | DNS tab
When disconnected from Tunnelblick: No connection to the internet.
When connected to Tunnelblick: Connection but IP remains unchanged. Tunnelblick Error: Tunnelblick could not fetch IP address information before the connection was made.

Added '10.8.0.1' and '10.0.1.1' in that order
When disconnected from Tunnelblick: Connection but IP remains unchanged.
When connected to Tunnelblick: Connection but IP remains unchanged. Tunnelblick Error: This computer's apparent public IP address was not different after connecting

Added '10.1.1.1' and '10.8.0.1' in that order
When disconnected from Tunnelblick: Connection but IP remains unchanged.
When connected to Tunnelblick: Connection but IP remains unchanged. Tunnelblick Error: This computer's apparent public IP address was not different after connecting

@rajannpatel
Owner

I am curious about how your AirPort Extreme is configured. I am assuming it is not in Bridge mode, and you are using the AirPort Extreme as a Router.


  1. Open the AirPort Utility application. (It's in Applications → Utilities.) The window shown below appears.
  2. Click the AirPort Extreme's icon. The status pop-up window appears.
  3. Click Edit. The settings window appears.
  4. Select the Internet tab. The window shown below appears.

Do you have a Primary and Secondary DNS Server defined here? If yes, what are they?

@JoeNoPhoto
Author

JoeNoPhoto commented Jan 31, 2019

They're greyed out, but they're also the same two numbers that appear under Internet:

[screenshot]

[screenshot]

FWIW it's a Time Capsule, not strictly an Extreme

@rajannpatel
Owner
