tunnel-all-dns=true with Mac OS X & iOS tethering issues

Liviu Andreicut softman at tfm.ro
Mon Jan 9 03:17:47 PST 2017


Hello, 

I've stumbled upon an issue that was very difficult to isolate, because it happens only if all the above conditions are met:
- using Mac OS X (Sierra, but tested also on El Capitan)
- single Internet connection through an iOS device set up as hotspot (iOS 10, but tested also on 8 and 9)
- ocserv option tunnel-all-dns=true
- split routing enabled (route = A.B.C.D/P)
Using this, the result is that the client is only able to reach the prefixes specified as routes in ocserv's config file, with no access to the Internet and no DNS resolving. What actually happens in the client is that the default route is not used, as seen below (note the "I" flag). 
Pinging 8.8.8.8 results in:
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host

netstat -nrt
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.20.10.1        UGScI          12        0     en0

Note that 172.20.10.1 is the IP address of the hotspot (the iOS device); that one responds to ICMP requests, and the internal resources advertised over the tunnel also respond properly.

The above issue is overcome by using split-dns on the ocserv configuration and disabling tunnel-all-dns, but that configuration exhibits other issues on Linux.

Does anyone have an idea about this?
--
Liviu Andreicut 
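A small diagnostic for the symptom reported above, added here as an example and not part of the original post: it reads `netstat -nrt` style output and reports whether the macOS default route carries the interface-scoped "I" flag, which is why the Internet-bound traffic never uses it. The routing-table samples are constructed to mirror the report.

```shell
# Added example (not from the original post). Reads macOS `netstat -nrt` output
# on stdin, prints the first default route and returns:
#   0 - default route is interface-scoped (flag "I"), i.e. the failure above
#   1 - default route is a normal, usable default route
#   2 - no default route present at all
check_default_route_scoped() {
    awk '
        # netstat -nrt prints "Routing tables", "Internet:" and a header line
        # before the entries; only the first "default" entry matters here.
        $1 == "default" && !seen {
            seen = 1
            flags = $3
            print "default route via " $2 " on " $NF " flags=" flags
            status = (index(flags, "I") > 0) ? 0 : 1
        }
        END {
            if (!seen) status = 2
            exit status
        }
    '
}

# Convenience wrapper so a saved routing table can be checked as a string.
check_sample() {
    printf '%s\n' "$1" | check_default_route_scoped
}

# Constructed sample: the interface-scoped default route from the report.
SAMPLE_SCOPED='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.20.10.1        UGScI          12        0     en0
127                127.0.0.1          UCS             0        0     lo0'

# Constructed sample: the same hotspot gateway, but as a normal default route.
SAMPLE_NORMAL='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.20.10.1        UGSc           12        0     en0'

# Demo; real use on the affected Mac is: netstat -nrt | check_default_route_scoped
if check_sample "$SAMPLE_SCOPED"; then
    echo "default route is interface-scoped (I): Internet traffic will not use it"
fi
```

A default route that is only interface-scoped matches the "No route to host" seen from ping, while routes pushed by ocserv still work.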