DirectoryService and personalVPN™

From Witopiawiki



Problem description

When using personalVPN™ or any other OpenVPN-based VPN system on Mac OS X 10.4 (and potentially earlier versions), the DirectoryService process crashes as soon as the tunnel comes up and keeps crashing and respawning, as often as once per second or more, until the VPN tunnel is torn down.

Typical susceptible configuration

A laptop with personalVPN™ installed (as TunnelBlick) and running Mac OS X 10.4[1], whose home network, when it is not connected to personalVPN™, is a NAT-enabled LAN of mixed Mac and Windows systems, such as a small office/home office (SOHO) network or a home WiFi network.

Background information

The DirectoryService process is the foundation of Apple's Open Directory architecture: it answers lookups for users, groups, host names, networks, file system mount points, and so forth on behalf of the rest of the system. A constantly crashing DirectoryService is therefore a risk to the stability and security of the whole system; while it is down, anything that depends on those lookups, authentication and group-membership checks included, can fail or stall.

Previous research at WiTopia and Open Directory[2], the Apple Support Discussions, the OpenVPN wiki and mailing list archives, and Google searches offered no help in troubleshooting the problem. Something like 50 crash logs were sent to Apple, which always acknowledged the submission but never offered a solution.

For quite some time, it seemed that no one else in the known universe experienced the same problem.

Solution

After months of frustration and diminishing tolerance for the constant crashing, the cause finally became apparent. When the system connects to personalVPN™ (or any VPN service, OpenVPN-based or otherwise), the VPN server assigns it a new IP address on the tunnel interface and the routing table changes accordingly. Depending on the configuration of the VPN server, the client software, and a multitude of other factors, the client may or may not still be able to reach other systems on its own LAN once the tunnel is established.[3]

Steps to resolve

  1. Open Directory Access inside the Utilities folder of the Applications folder.
  2. Click the lock to authenticate as an administrative user. (An administrator account is required to change Directory Access settings.)
  3. Click the SMB/CIFS line, then click Configure.
  4. Make sure the "WINS Server" field is empty.
  5. Uncheck the box beside SMB/CIFS.
  6. Click Apply and then quit Directory Access.
    • It's OK to leave the SMB/CIFS box unchecked in Directory Access. If your system needs the plug-in, for example to access a Windows share, DirectoryService will load it on the fly. In general, unless you have a specific need to turn on NetInfo, AppleTalk, or some other service, it's better to leave everything unchecked except Bonjour, which cannot be disabled.
    • No reboot is required.

Technical details

If the WINS Server is set to a system on the local LAN, and the VPN tunnel does not allow LAN access[3], that system becomes unreachable the moment the OpenVPN tunnel is established. Whenever the tunnel is first built, configd(8) posts an IP address change notification, which causes DirectoryService to attempt to contact the WINS server configured in Directory Access. When it cannot, it crashes. An unreachable WINS server ought to produce a failed lookup rather than a crash, so many would call this a bug in DirectoryService.

In my personal experience, I had inadvertently set my WINS Server to the IP address of my Windows XP desktop system on my home LAN. When connecting to personalVPN™ — and earlier, to HotSpotVPN — either at home or at a public hotspot, DirectoryService tried to establish communication with my XP desktop and crashed with a Segmentation Fault or a Bus Error. Because DirectoryService is such a fundamental part of the operating system, it (rightly so) is configured to respawn itself (via launchd(8)) should it die, so it was constantly crashing and respawning in an infinite loop.
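As an added example (not part of the original article, and not WiTopia's or Apple's code), the following POSIX shell functions check the same two things from a Terminal that the steps above and the explanation here rely on: whether a WINS server is configured at all, and whether DirectoryService is in a crash/respawn loop. It assumes that on Mac OS X 10.4 Directory Access writes the SMB/CIFS settings to /etc/smb.conf as a "wins server = ..." line (an assumption about the on-disk location, not something the article states), that the daemon appears in ps(1) output as DirectoryService, and that ping(8) is the BSD variant with the -o and -t flags. The smb.conf contents and the PID samples in the block are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article or from WiTopia/Apple.
# Assumptions (not confirmed by the article): on Mac OS X 10.4 Directory
# Access stores the SMB/CIFS WINS setting in /etc/smb.conf as
# "wins server = <addr>", the daemon shows up in ps(1) as "DirectoryService",
# and ping(8) is the BSD variant (-o, -t flags).

# Print the WINS server configured in an smb.conf-style file ($1); print
# nothing if the key is missing or empty. Comments (';' or '#') are ignored
# and the key is matched case-insensitively.
wins_server_from_conf() {
    sed -e 's/[;#].*$//' "$1" |
    awk -F= 'tolower($1) ~ /^[ \t]*wins[ \t]+server[ \t]*$/ {
        v = $2
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (v != "") print v
        exit
    }'
}

# Given one PID per line on stdin (samples taken over time), count how many
# times the PID changed, i.e. how many times the process died and launchd
# relaunched it. Prints 0 for a process that stayed up.
count_respawns() {
    awk 'NR > 1 && $1 != prev { n++ } { prev = $1 } END { print n + 0 }'
}

# Emit DirectoryService's PID once a second for $1 seconds. Pipe the output
# into count_respawns to see whether the daemon is in a crash/respawn loop.
# (Needs a running Mac; not exercised by the constructed demo below.)
sample_directoryservice_pids() {
    i=0
    while [ "$i" -lt "$1" ]; do
        ps -axo pid=,comm= | awk '$2 ~ /DirectoryService$/ { print $1; exit }'
        i=$((i + 1))
        sleep 1
    done
}

# Probe whether the configured WINS server answers at all right now; with the
# VPN up and LAN access blocked, this is expected to fail. BSD ping flags:
# -o exit after the first reply, -t 2 give up after two seconds.
wins_reachable() {
    ping -c 1 -o -t 2 "$1" >/dev/null 2>&1
}

# Demo on a constructed smb.conf (not a real system file) and constructed
# PID samples, so the block runs offline.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
  workgroup = WORKGROUP
  ; the line below is what an accidentally-set WINS server looks like
  WINS Server = 192.168.1.5   # the XP desktop
EOF
printf 'configured WINS server: %s\n' "$(wins_server_from_conf "$demo_conf")"
rm -f "$demo_conf"

# PIDs sampled over five seconds: the process died and was relaunched twice.
printf 'respawns in sample: %s\n' "$(printf '101\n101\n240\n240\n311\n' | count_respawns)"
```

On a real system, `wins_server_from_conf /etc/smb.conf` tells you whether there is anything to clear in step 4, and `sample_directoryservice_pids 10 | count_respawns` run while the tunnel is up gives a number of respawns in ten seconds; anything above 0 means launchd is relaunching the daemon, and a value near 10 is the once-per-second loop described above. After the WINS Server field has been emptied and the change applied, the same sampling should report 0.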

Footnotes

  1. It is unknown at this time whether earlier versions of Mac OS X, or the as-yet unreleased 10.5 "Leopard," are susceptible to this problem.
  2. This article does not intend to argue the merits of any particular VPN service provider. However, in full disclosure, the original author of this page had previously been a customer of HotSpotVPN before switching to WiTopia personalVPN™.
  3. Some VPN software intentionally blocks LAN access for security purposes; others intentionally allow it for convenience. OpenVPN permits server-side configuration to suit the needs of the service provider.

Attribution and licensing

This page was adapted from DirectoryService, OpenVPN, and TunnelBlick at paX∞ :: peace unbounded by the original author, Billy Halsey. The original article is licensed under the Creative Commons Attribution-NonCommercial-No Derivatives 3.0 United States License, but the version appearing on the WiTopia wiki has been relicensed by the author as Creative Commons Attribution-Share Alike 2.5 (also known as "CC-Wiki").
