NorthSec 2023 additional VPN instructions for macOS

I found a functional workaround to make DNS work on macOS Ventura and Monterey (should work on both Intel and Apple Silicon). It involves installing and configuring dnsmasq as the sole DNS provider for your main network interface. I tried other less intrusive solutions (like setting resolvers for nsec and ctf in /etc/resolver, but that was not enough). I might have forgotten something, so let me know if something is not working.

  1. First, follow the macOS-specific instructions at https://nsec.io/vpn/
  2. Disconnect the VPN and close Tunnelblick.
  3. Install Homebrew if it is not installed already: https://brew.sh/
  4. Install dnsmasq:

     ```sh
     brew install dnsmasq
     ```

  5. Configure dnsmasq to listen only on 127.0.0.1 (optional, but without a `listen-address` dnsmasq binds every local address, so the resolver is reachable from the Wi-Fi network rather than just this host). The commands below assume `$HOMEBREW_PREFIX` is exported, as `brew shellenv` does:

     ```sh
     /usr/bin/sed -Ei '' 's/^#?listen-address=.*$/listen-address=127.0.0.1/g' "$HOMEBREW_PREFIX/etc/dnsmasq.conf"
     ```

  6. Enable the dnsmasq config directory:

     ```sh
     /usr/bin/sed -i '' "s|^#\(conf-dir=${HOMEBREW_PREFIX}/etc/dnsmasq.d\)$|\1|g" "$HOMEBREW_PREFIX/etc/dnsmasq.conf"
     ```

  7. Configure the desired DNS servers (the VPN resolver for the nsec and ctf zones, public resolvers for everything else):

     ```sh
     cat >> "$HOMEBREW_PREFIX/etc/dnsmasq.d/nsec" <<EOL
     server=/nsec/2602:fc62:ef:2::1
     server=/ctf/2602:fc62:ef:2::1
     server=8.8.4.4
     server=8.8.8.8
     EOL
     ```

  8. Restart dnsmasq:

     ```sh
     sudo brew services restart dnsmasq
     ```

  9. Validate that dnsmasq is working properly (you should obtain an IP address):

     ```sh
     dig google.ca @127.0.0.1
     ```

  10. Open System Preferences, then go to Network, select your network interface (should be Wi-Fi), click Advanced..., select the DNS tab and add 127.0.0.1 as the sole DNS server.
  11. Validate that dnsmasq is still working properly (you should obtain an IP address, and the answer should come from the server 127.0.0.1):

      ```sh
      dig google.ca
      ```

  12. Open Tunnelblick, go to the Configurations main tab, select your team VPN, go to the Settings inner tab and set "Set DNS/WINS" to "Do not set nameserver".
  13. Connect to the VPN.
  14. Validate that dnsmasq is working properly (you should obtain a reply for each):

      ```sh
      dig google.ca
      dig www.nsec
      ```

  15. Check that everything is working by visiting https://test.nsec/ in your web browser.
  16. You might need to flush the DNS cache:

      ```sh
      sudo killall -HUP mDNSResponder; sudo killall mDNSResponderHelper; sudo dscacheutil -flushcache
      ```

  17. You might also need to disable all network interfaces but the one you need, restart Tunnelblick, or restart macOS.
  18. Other useful commands (shows the resolver configuration macOS is actually using):

      ```sh
      scutil --dns
      ```
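As an added example (not part of the gist), here is a POSIX shell script that performs the dnsmasq edits of steps 5 to 7 on a copy of dnsmasq.conf without the BSD-only `sed -i ''` form, writes the forwarder file, and checks that the resolver would listen only on loopback before the Wi-Fi interface is pointed at it. The sample dnsmasq.conf lines are constructed, a temporary directory stands in for `$HOMEBREW_PREFIX`, and the function names are my own:

```sh
#!/bin/sh
# Added example (not from the gist): apply the dnsmasq edits from steps 5-7 to a
# copy of dnsmasq.conf portably and check the result before pointing the Wi-Fi
# interface at 127.0.0.1. The sample config is constructed, the temp directory
# stands in for $HOMEBREW_PREFIX, and the function names are hypothetical.

# Steps 5 and 6 without `sed -i ''` (BSD-only syntax): write to a temp file and
# move it into place, which behaves the same with BSD and GNU sed.
configure_dnsmasq_conf() {
    conf="$1"; prefix="$2"
    sed -E \
        -e 's/^#?listen-address=.*$/listen-address=127.0.0.1/' \
        -e "s,^#(conf-dir=${prefix}/etc/dnsmasq\.d)\$,\1," \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Step 7: route the nsec and ctf zones to the VPN resolver and everything else
# to the public resolvers named in the gist.
write_nsec_forwarders() {
    dir="$1"; vpn_dns="$2"
    mkdir -p "$dir"
    cat > "$dir/nsec" <<EOF
server=/nsec/$vpn_dns
server=/ctf/$vpn_dns
server=8.8.4.4
server=8.8.8.8
EOF
}

# Print the upstream configured for a zone ("nsec" -> "2602:fc62:ef:2::1");
# prints nothing if the zone is not routed anywhere.
forwarder_for() {
    file="$1"; zone="$2"
    sed -nE "s,^server=/$zone/(.*)\$,\1,p" "$file"
}

# Check worth running before step 10: without a listen-address dnsmasq binds
# every local address, so the resolver is reachable from the Wi-Fi network and
# not just from this host. Succeeds only if the active listen-address lines are
# exactly 127.0.0.1.
check_listens_on_loopback_only() {
    conf="$1"
    bad=$(grep -E '^listen-address=' "$conf" | grep -v '^listen-address=127\.0\.0\.1$' || true)
    if [ -n "$bad" ]; then
        echo "dnsmasq would listen beyond loopback: $bad" >&2
        return 1
    fi
    grep -q '^listen-address=127\.0\.0\.1$' "$conf"
}

demo() {
    work=$(mktemp -d)
    prefix="$work/opt/homebrew"
    mkdir -p "$prefix/etc"
    # Constructed stand-in for the two stock dnsmasq.conf lines the gist targets.
    printf '#listen-address=\n#conf-dir=%s/etc/dnsmasq.d\n' "$prefix" > "$prefix/etc/dnsmasq.conf"
    configure_dnsmasq_conf "$prefix/etc/dnsmasq.conf" "$prefix"
    write_nsec_forwarders "$prefix/etc/dnsmasq.d" "2602:fc62:ef:2::1"
    cat "$prefix/etc/dnsmasq.conf"
    echo "nsec zone -> $(forwarder_for "$prefix/etc/dnsmasq.d/nsec" nsec)"
    check_listens_on_loopback_only "$prefix/etc/dnsmasq.conf" && echo "OK: loopback only"
    rm -rf "$work"
}
demo
```

Run it as-is to see the edited config; to use it for real, call `configure_dnsmasq_conf "$HOMEBREW_PREFIX/etc/dnsmasq.conf" "$HOMEBREW_PREFIX"` and `write_nsec_forwarders "$HOMEBREW_PREFIX/etc/dnsmasq.d" 2602:fc62:ef:2::1` instead of `demo`, then restart dnsmasq as in step 8.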