
Comments (21)

Recrus commented on August 15, 2024

@drbyte, I tried manually editing the /etc/hosts file as you suggested, and it did serve as a workaround. My local domains are resolving as expected now. However, this seems more like a temporary fix rather than a complete solution...

Thank you for your help so far!

from valet.

drbyte commented on August 15, 2024

When you run the ExpressVPN client directly on your Mac, it interrupts the Mac's already-configured DNS functionality, both for its own internal operations and for Valet's operations via dnsmasq.

If they've removed all configuration settings to allow local DNS serving, then you may have limited options.

I have 2 suggestions:

  1. Contact their tech support (they have a Live Chat) and ask for instructions on how to allow local DNS lookups when the Express VPN client is active. Be sure to tell them you're using dnsmasq on 127.0.0.1 to serve "*.test" domains from 127.0.0.1 / localhost.
    Post back with whatever solution they give you. And perhaps encourage them to post an FAQ for it on their website.

  2. Alternatively, you could configure your Router to use your ExpressVPN subscription. This would cause ALL internet activity to go through ExpressVPN, (for everyone using your router).
    Removing ExpressVPN from your Mac (and putting it on the wifi/router instead) will allow Valet to function normally for all its own internal *.test websites, but all your regular internet activity would go through the router, which would send it through ExpressVPN automatically.
    Their website shows two ways to do that, depending on the kind of router you have:
    https://www.expressvpn.com/support/vpn-setup/#manual-router
    https://www.expressvpn.com/support/vpn-setup/#router-setup

Recrus commented on August 15, 2024

@drbyte I tried to write to support, since their service does not support connecting my router and because I am afraid that I can only make things worse.

Support didn't give me a solution.
"Thanks for that and we're very sorry for the trouble. But we'd like to let you know that currently, when you use ExpressVPN, your DNS requests are handled directly by ExpressVPN, with no exposure to third parties. ExpressVPN runs its own DNS servers and when you are connected to ExpressVPN you automatically use these servers — so no one else can get hold of your information or hijack your connection. Provider.

I'm really sorry, but currently, we don't have an option or feature in the app where you can change the DNS settings. But you may try changing the DNS settings on your device instead and see if it'll work for you."

drbyte commented on August 15, 2024

I don't have an ExpressVPN subscription (and don't want to start a trial), so I can't directly test the app.
However, while inspecting the app itself, I see that it still contains language-strings for advanced settings that control the local network.
So, I offer the following...

  1. In the application's Preferences screen, is there an "Advanced Settings" window of some sort? Is there a "DNS" sub section to that window? Can you provide screenshots of the various preferences sections?
     "preferences_screen.advanced.dns_label.text" = "DNS:";
     "preferences_screen.advanced.dns_checkbox.text" = "Only use ExpressVPN DNS servers while connected";
  2. Also, sometimes holding down the OPTION key when looking at application menus will expose "hidden" menu options. Does that do anything in the app's menus?
  3. The app supports multiple protocols: does changing protocols from Automatic to something else solve the problem?
  4. In Preferences, does ticking the box to Allow access to devices on the local network (such as printers or file servers) solve the problem?
  5. Does downgrading to v10 solve the problem? https://www.expressvpn.works/clients/mac/expressvpn_mac_10.3.0.49_release.pkg
  6. What's the output when you run this from the command line:
     defaults read com.expressvpn.ExpressVPN

(Don't post the hex codes or any UUIDs, as those may be private information, and not needed here. I'm more interested in the settings keys that may be registered.)

  7. Inside the app is a defaults.plist file which has the following set to true. Changing them probably makes no difference, particularly because they're already set to true, which would seem to be desirable.
     <key>useDNSServers</key>
     <true/>
     <key>allowLANTraffic</key>
     <true/>

Recrus commented on August 15, 2024

@drbyte, I've tried all the options you suggested, but unfortunately, none of them worked. Let me provide more details:

  1. There is no DNS section in the "Advanced Settings." Here are some screenshots:
     [three screenshots of the Preferences panes, taken 2023-09-05]

  2. Holding the Option key doesn't have any effect.

  3. Changing the protocols doesn't resolve the issue.

  4. The relevant setting is already ticked.

  5. Downgrading is not an option for me; when I install either v10.0 or v10.39, I can't even sign in.

  6. Here are my current settings:

{
"MASPreferences AppLauncherPreferences Frame": "{{0, 0}, {568, 273}}",
"MASPreferences Frame Top Left": "{1687, 1233}",
"MASPreferences ProtocolPreferences Frame": "{{0, 0}, {568, 406}}",
"MASPreferences Selected Identifier View": "GeneralPreferences",
"MASPreferences ThreatManagerPreferences Frame": "{{0, 0}, {569, 204}}",
"NSWindow Frame LocationPickerWindow": "1981 535 366 605 0 0 3008 1667 ",
"NSWindow Frame MainWindow": "1607 535 366 605 0 0 3008 1667 ",
"ShouldShowClickToConnectHintKey": 0,
"SigninDelayHintMsgKey": 20,
"XVActivatationDate": "ANONYMIZED",
"XVCurrentIAMDisplayDurationKey": 1800,
"XVCurrentIAMDisplayTimeKey": "ANONYMIZED",
"XVCurrentIAMIndexKey": 1,
"XVFMInstallationId": "ANONYMIZED",
"XVLastConnectTimeArray": "ANONYMIZED",
"XVPreferencesLaunchOnStartupScreenIsDoneKey": 1,
"XVReportingScreenIsDoneKey": 1,
"XVVPNBrowserExtensionPromobarAlreadyClicked": 1,
"allowLANTraffic": 1,
"com.launchDarkly.ConnectionInformationStore.connectionInformationKey": "ANONYMIZED",
"com.launchdarkly.DiagnosticCache.diagnosticData.mob-e04a4355-a5f5-46ea-b501-8e0006293fd5": "ANONYMIZED",
"enableNetworkLock": 1,
"enableXVCA": 1,
"hasWarnedUserAboutProtocol": 1,
"kExpressVPNLaunchCountKey": 19,
"kXVAppLauncherHasBeenShownKey": 1,
"launchOnStartup": 0,
"ldDeviceIdentifier": "ANONYMIZED",
"previousVersion": "11.39.0",
"protocol": "auto",
"recentLocations": [
"ANONYMIZED",
"Smart Location"
]
}

  7. Also, I can't locate a "defaults.plist" file within the ExpressVPN.app directory. Only an "Info.plist" file is present, which doesn't include the "useDNSServers" and "allowLANTraffic" keys.

drbyte commented on August 15, 2024

I can't locate a "defaults.plist" file within the ExpressVPN.app directory

This was where I found it:
/Applications/ExpressVPN.app/Contents/Resources/Defaults.plist
.. but I'm not sure if "Defaults" means it's used "once" (and thus editing it is pointless), or if it's read regularly.
I suspect it's used to set things into the defaults database on the mac registry.
And probably only the useDNSServers setting would be relevant ... but might not be what we're looking for anyway.

Unfortunately they dropped the Split Tunneling feature for MacOS 11 and above, else it could be another thing to try. In fact maybe that's what they used behind the scenes to offer the former tickbox that allowed the local bypass.

drbyte commented on August 15, 2024

One workaround I saw posted on a Linux-related article was to go oldschool and manually edit /etc/hosts and add each of your local domains there, each on a separate line.
ie: 127.0.0.1 foo.test
That's the grassroots way to handle local DNS. Tools like dnsmasq allow slightly more complex handling via additional services, but ExpressVPN is bypassing those services.


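The /etc/hosts fallback described above works only if every local domain is added exactly once and nothing already maps the name somewhere else. The following is an added example written for this thread (it is not Valet's, Herd's or ExpressVPN's code) of an idempotent hosts-file editor: it parses the file the way the resolver reads it (first match wins, `#` comments ignored, several hostnames per line), refuses to shadow an existing mapping to a different address, and validates both the address and the hostname before writing. The function names and the `SAMPLE_HOSTS` content are constructed for the demonstration; on a real Mac you would pass `/etc/hosts` and run it with sudo.

```python
"""Idempotently add a local-development mapping to an /etc/hosts-style file.

Added example for this thread, not code from Valet or any VPN client. The
sample content below is constructed to mirror the macOS default layout.
"""
import ipaddress
import re
from pathlib import Path

# ip, whitespace, one or more hostnames, optional trailing "# comment"
_LINE = re.compile(r"^\s*([^\s#]+)\s+([^#]*?)\s*(#.*)?$")


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) for every non-comment entry, in file order."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank or comment-only line
        ip, names, _comment = m.groups()
        entries.append((ip, names.split()))
    return entries


def lookup(text, hostname):
    """First IP mapped to hostname, or None (first match wins, as in the resolver)."""
    wanted = hostname.lower()
    for ip, names in parse_hosts(text):
        if wanted in (n.lower() for n in names):
            return ip
    return None


def ensure_hosts_entry(text, hostname, ip="127.0.0.1"):
    """Return (new_text, changed).

    Appends "ip<TAB>hostname" unless hostname already resolves to ip. Raises
    ValueError if hostname already maps elsewhere (silently shadowing it would
    hide a conflict) or if either argument is not a plain address/hostname.
    """
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP literal
    if not re.fullmatch(r"[A-Za-z0-9.-]+", hostname):
        raise ValueError(f"refusing suspicious hostname {hostname!r}")
    existing = lookup(text, hostname)
    if existing == ip:
        return text, False
    if existing is not None:
        raise ValueError(f"{hostname} already maps to {existing}, not {ip}")
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return f"{text}{sep}{ip}\t{hostname}\n", True


def ensure_hosts_file(path, hostname, ip="127.0.0.1"):
    """Apply ensure_hosts_entry to a file on disk; returns True if the file was written."""
    p = Path(path)
    text = p.read_text() if p.exists() else ""
    new_text, changed = ensure_hosts_entry(text, hostname, ip)
    if changed:
        p.write_text(new_text)
    return changed


# Constructed sample in the shape of the macOS default /etc/hosts plus one Valet site.
SAMPLE_HOSTS = """\
##
# Host Database  (constructed sample)
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
127.0.0.1 foo.test   # added for Valet
"""

if __name__ == "__main__":
    text, changed = ensure_hosts_entry(SAMPLE_HOSTS, "bar.test")
    print(changed, lookup(text, "bar.test"))   # second call on `text` returns changed == False
```

Because macOS consults /etc/hosts before any DNS resolver, an entry added this way keeps working while the VPN is connected, at the cost of one line per site; the conflict check matters because a stale entry for a name you later point at a staging server would otherwise win silently.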
drbyte commented on August 15, 2024

Question: both before-and-after-connecting to ExpressVPN, what's in your /etc/resolv.conf file?
(By default it's basically reflecting whatever's in your MacOS Network System Preferences pane for DNS settings. Valet works best when nameserver 127.0.0.1 is listed there (and put there automatically via the Preferences app). It probably also contains "search lan", which is fine.)
I'm not sure whether ExpressVPN changes that file's contents when connected or not.

Recrus commented on August 15, 2024

One workaround I saw posted on a Linux-related article was to go oldschool and manually edit /etc/hosts and add each of your local domains there, each on a separate line. ie: 127.0.0.1 foo.test That's the grassroots way to handle local DNS. Tools like dnsmasq allow slightly more complex handling via additional services, but ExpressVPN is bypassing those services.

Ok, I see. I will try that. As for 'defaults,' it's a matter of capitalization. I used 'defaults.plist' instead of 'Def...'.

And the contents of my /etc/resolv.conf file remain the same before and after connecting to ExpressVPN. Here is what I see:

#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver MY_IP

Recrus commented on August 15, 2024

Would it be helpful if I provide the output of the scutil --dns command? This will show the current DNS configuration that my macOS system is actually using.

drbyte commented on August 15, 2024

Would it be helpful if I provide the output of the scutil --dns command? This will show the current DNS configuration that my macOS system is actually using.

Sure. Can't hurt.

See if it's different when connected too.

Recrus commented on August 15, 2024

Here is the output from scutil --dns before and after connecting to ExpressVPN:

Before connecting:

DNS configuration

resolver #1
  nameserver[0] : [REDACTED]
  if_index : 12 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

resolver #8
  domain   : test
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : [REDACTED]
  if_index : 12 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

After connecting:

DNS configuration

resolver #1
  search domain[0] : expressvpn
  nameserver[0] : [REDACTED]
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

resolver #8
  domain   : test
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : expressvpn
  nameserver[0] : [REDACTED]
  if_index : 12 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

drbyte commented on August 15, 2024

When I use ProtonVPN, the output of scutil --dns shows that ProtonVPN added itself after my localhost dnsmasq service:

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : lan
  nameserver[0] : 127.0.0.1
  if_index : 5 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

resolver #2
  nameserver[0] : 10.1.0.1
  if_index : 14 (ipsec0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

... and that lets me serve stuff locally.

EDIT: And, while there's a risk that having dnsmasq handling lookups could lead to DNS leakage if configured to use 3rd-party DNS providers, when I test for leakage when ProtonVPN is activated, I'm seeing no leakage reported.

So ... if we do come up with a way to let dnsmasq still work locally, a VERY important question to ask is: "why" you're using a VPN in the first place. If it's to completely hide all your online activity then DNS-Leakage would be a concern to be diligent about; If the VPN is instead merely to access certain destination hosts without disclosing your own ISP IP to them, then dns leakage is less of a worry point.


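Comparing the two scutil --dns dumps by eye is error-prone, so here is an added example (written for this thread, not part of Valet, ExpressVPN or ProtonVPN) that parses that output into resolver records, checks whether the unscoped configuration still routes the `test` domain to 127.0.0.1, reports exactly which fields of the catch-all resolver #1 a VPN client changed, and lists the non-loopback nameservers, which are the leak surface drbyte refers to. The two samples are abbreviated from the outputs posted above; the nameservers were redacted there, so RFC 5737 documentation addresses stand in for them. All function names are the example's own.

```python
"""Parse `scutil --dns` output and compare it before/after a VPN connects.

Added example for this thread; not code from Valet or any VPN client. The
BEFORE/AFTER texts are abbreviated from the dumps posted above with
placeholder (documentation-range) addresses in place of the redacted ones.
"""
import ipaddress
import re

_SECTION = re.compile(r"^DNS configuration(?: \((.*)\))?$")
_RESOLVER = re.compile(r"^resolver #(\d+)$")
# "  key : value" and "  key[n] : value" lines inside a resolver block
_KV = re.compile(r"^\s+([a-z_ ]+?)(?:\[(\d+)\])?\s*:\s*(.*?)\s*$")


def parse_scutil_dns(text):
    """Return {"default": [...], "scoped": [...]}, one dict per resolver block."""
    sections = {"default": [], "scoped": []}
    current = None
    resolver = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = "scoped" if m.group(1) and "scoped" in m.group(1) else "default"
            resolver = None
            continue
        m = _RESOLVER.match(line)
        if m:
            resolver = {"index": int(m.group(1)), "nameservers": [], "search_domains": [], "flags": []}
            sections[current].append(resolver)
            continue
        m = _KV.match(line)
        if not (m and resolver is not None):
            continue
        key, _idx, value = m.groups()
        if key == "nameserver":
            resolver["nameservers"].append(value)
        elif key == "search domain":
            resolver["search_domains"].append(value)
        elif key == "flags":
            resolver["flags"] = [f.strip() for f in value.split(",")]
        else:
            resolver[key] = value  # domain, options, timeout, if_index, reach, order
    return sections


def find_domain_resolver(resolvers, domain):
    """The resolver block whose 'domain' field equals `domain`, or None."""
    return next((r for r in resolvers if r.get("domain") == domain), None)


def local_domain_intact(text, domain="test", nameserver="127.0.0.1"):
    """True if the unscoped configuration still sends `domain` to the local resolver."""
    r = find_domain_resolver(parse_scutil_dns(text)["default"], domain)
    return r is not None and r["nameservers"] == [nameserver]


def default_resolver_changes(before_text, after_text):
    """Fields of the catch-all resolver #1 that differ between the two dumps: {field: (before, after)}."""
    b = parse_scutil_dns(before_text)["default"][0]
    a = parse_scutil_dns(after_text)["default"][0]
    keys = (set(b) | set(a)) - {"index"}
    return {k: (b.get(k), a.get(k)) for k in sorted(keys) if b.get(k) != a.get(k)}


def non_loopback_nameservers(text):
    """Nameservers reachable from the unscoped configuration that are not loopback (the leak surface)."""
    return {ns for r in parse_scutil_dns(text)["default"] for ns in r["nameservers"]
            if not ipaddress.ip_address(ns).is_loopback}


BEFORE = """\
DNS configuration

resolver #1
  nameserver[0] : 192.0.2.1
  if_index : 12 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #8
  domain   : test
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.0.2.1
  if_index : 12 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""

AFTER = """\
DNS configuration

resolver #1
  search domain[0] : expressvpn
  nameserver[0] : 198.51.100.53
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #8
  domain   : test
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : expressvpn
  nameserver[0] : 198.51.100.53
  if_index : 12 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
"""

if __name__ == "__main__":
    print("test -> 127.0.0.1 intact:", local_domain_intact(BEFORE), local_domain_intact(AFTER))
    print("resolver #1 changes:", default_resolver_changes(BEFORE, AFTER))
    print("leak surface after connect:", non_loopback_nameservers(AFTER))
```

Run against the dumps in this thread the check reports the `test` resolver intact in both states, which is the notable result: the configuration that scutil shows is not where ExpressVPN's interference happens, whereas the ProtonVPN dump above differs in that 127.0.0.1 remains the scoped resolver for en0. What the diff does isolate is that the client replaced the default nameserver and added an `expressvpn` search domain, and the leak-surface set tells you which upstream any query outside `test` will reach.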
drbyte commented on August 15, 2024

Are there any files in /var/run/expressvpn/config/ directory? If yes, what's in them?

drbyte commented on August 15, 2024

If you understand a bunch about resolv.conf and networking configurations, this post contains some information that may be interesting to explore, albeit requiring translation to macos instead of unix:
https://unix.stackexchange.com/a/688325
(I'm kinda just posting this here for simple future reference when I have more time to dig.)

drbyte commented on August 15, 2024

And probably only the useDNSServers setting would be relevant

This is probably where that boolean setting could be set:
~/Library/Application Support/com.expressvpn.ExpressVPN/ExpressVPNConfigurationOverrides.plist

Recrus commented on August 15, 2024

Hello @drbyte,

Apologies for the delayed response.

In exploring /var/run/expressvpn/config/, I came across the following:

[screenshot of the directory listing, taken 2023-09-10]

At the moment, I haven't delved into the intricacies of resolv.conf; however, I appreciate your suggestion, and I might explore it further at a later time!

If you understand a bunch about resolv.conf and networking configurations..

As for the ExpressVPNConfigurationOverrides.plist file, I find myself a bit uncertain. Currently, my file structure looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict/>
</plist>

I am pondering whether I need to incorporate the following lines into it:

	<key>useDNSServers</key>
	<false/>

Could you possibly shed some light on this?

Thank you!

drbyte commented on August 15, 2024

What's the content of that /var/run/expressvpn/config/he4106649726 file?

It'd be worth exploring whether these changes make any difference to ExpressVPNConfigurationOverrides.plist

<plist version="1.0">
-<dict/>
+<dict>
+	<key>useDNSServers</key>
+	<true/>
+</dict>
</plist>
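Review bot: the `+<true/>` line sets useDNSServers to the value the app's bundled Defaults.plist already carries (the excerpt quoted earlier in this thread shows `<key>useDNSServers</key>` followed by `<true/>`), so applying this override as written cannot change behaviour; the value worth testing is `<false/>`, which is what the preceding comment proposed. Whichever value is tried, keep a copy of the original file, confirm the edited file still parses with `plutil -lint` on the ExpressVPNConfigurationOverrides.plist path, and quit and relaunch the client before judging the result.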

Recrus commented on August 15, 2024

I'm facing an issue where the /var/run/expressvpn/config/he4106649726 file is consistently empty. I tried including the updates to ExpressVPNConfigurationOverrides.plist, but the issue persists.

drbyte commented on August 15, 2024

Okay. It looks like there's only 3 options left:

  • dump ExpressVPN and use another service that's less restrictive
  • keep editing your /etc/hosts file manually whenever you need to support a new local domain name
  • get ExpressVPN's tech support to get an advanced engineer involved to see how to make it possible to allow a localhost DNS service to operate while the VPN is still connected

Editing hosts files can obviously be done from the command-line, and that's the best way: sudo nano /etc/hosts
I just researched available host-file-editor apps for MacOS and found the following 3 choices. I have NOT used them though, and am not sure if they're compatible with your OS version.
You might ask the folks at Herd if they'd incorporate a local hostsfile editor into their Mac app.

driesvints commented on August 15, 2024

Closing this issue because it's inactive, already solved, old or not relevant anymore. Feel free to open up a new issue if you're still experiencing this.
