
getting openconnect vpn to work through network-manager

Ask Ubuntu Asked by zee on December 1, 2020

this is the same issue as here: Getting openconnect vpn to work through gui, but my additions to it were deleted and i was asked to create a new question.

in fact, there are a number of folks asking similar questions here, all with 0 responses.

software versions: ubuntu 14.04, openconnect 5.02

main issue: i’m trying to add a vpn connection into network-manager, using openconnect. when i supply my vpn username and password, it connects successfully, but i can’t resolve dns.

if i run openconnect in the terminal via sudo, dns works.

sudo openconnect -u <username> https://<vpn concentrator name>

more details:

1a. when connecting via openconnect and network-manager even though i’ve explicitly added dns and a search domain under the ipv4 tab, only the search domain ends up in /etc/resolv.conf. even if i don’t supply dns and search domains, i can see in the logs that it’s getting that information from the vpn concentrator. again, the search domain is updated properly. [log below]

1b. when connecting via sudo on in a terminal, resolv.conf is populated properly with dns and search domains even though i haven’t added that information in the command line or provided a path to a vpnc-script. it must be getting it from the vpn concentrator. [log also below]

2a. when connecting via openconnect and network-manager, a new interface ‘vpn0’ is created.

2b. when connecting via sudo and command line, a new interface ‘tun0’ is created.

log when connecting via network-manager:

NetworkManager[784]: <info> Starting VPN service 'openconnect'...
NetworkManager[784]: <info> VPN service 'openconnect' started (org.freedesktop.NetworkManager.openconnect), PID 4513
NetworkManager[784]: <info> VPN service 'openconnect' appeared; activating connections
NetworkManager[784]: <info> VPN plugin state changed: init (1)

this is where it asks for my password

NetworkManager[784]: <info> VPN plugin state changed: starting (3)
NetworkManager[784]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/vpn0, iface: vpn0)
NetworkManager[784]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/vpn0, iface: vpn0): no ifupdown configuration found.
NetworkManager[784]: <warn> /sys/devices/virtual/net/vpn0: couldn't determine device driver; ignoring...
NetworkManager[784]: <info> VPN connection '<connection name>' (Connect) reply received.
openconnect[4544]: Attempting to connect to server <ip address>:443
openconnect[4544]: SSL negotiation with <correctly identified vpn server>
openconnect[4544]: Connected to HTTPS on <correctly identified vpn server>
openconnect[4544]: Got CONNECT response: HTTP/1.1 200 OK
openconnect[4544]: CSTP connected. DPD 30, Keepalive 20
NetworkManager[784]: <info> VPN connection '<connection name>' (IP Config Get) reply received.
NetworkManager[784]: <info> VPN connection '<connection name>' (IP4 Config Get) reply received.
NetworkManager[784]: <info> VPN connection '<connection name>' (IP6 Config Get) reply received.
NetworkManager[784]: <info> VPN Gateway: <ip address>
NetworkManager[784]: <info> Tunnel Device: vpn0
NetworkManager[784]: <info> IPv4 configuration:
NetworkManager[784]: <info>   Internal Address: 10.xxx.xxx.xxx
NetworkManager[784]: <info>   Internal Prefix: 19
NetworkManager[784]: <info>   Internal Point-to-Point Address: 10.xxx.xxx.xxx
NetworkManager[784]: <info>   Maximum Segment Size (MSS): 0
NetworkManager[784]: <info>   Forbid Default Route: no
NetworkManager[784]: <info>   Internal DNS: <ip address>
NetworkManager[784]: <info>   Internal DNS: <ip address>
NetworkManager[784]: <info>   DNS Domain: '(none)'
NetworkManager[784]: <info> IPv6 configuration:
NetworkManager[784]: <info>   Internal Address: <ipv6 ip>
NetworkManager[784]: <info>   Internal Prefix: 64
NetworkManager[784]: <info>   Internal Point-to-Point Address: <ipv6 ip>
NetworkManager[784]: <info>   Maximum Segment Size (MSS): 0
NetworkManager[784]: <info>   Forbid Default Route: no
NetworkManager[784]: <info>   DNS Domain: '(none)'
openconnect[4544]: Connected vpn0 as <ip address> + <ipv6 ip>, using SSL
openconnect[4544]: Established DTLS connection (using OpenSSL)
NetworkManager[784]: <info> VPN connection '<connection name>' (IP Config Get) complete.
NetworkManager[784]: <info> Policy set '<connection name>' (vpn0) as default for IPv4 routing and DNS.
NetworkManager[784]: <info> Policy set '<connection name>' (vpn0) as default for IPv6 routing and DNS.
NetworkManager[784]: <info> Writing DNS information to /sbin/resolvconf
dnsmasq[1027]: setting upstream servers from DBus
dnsmasq[1027]: using nameserver 127.0.0.1#53 for domain 10.in-addr.arpa
dnsmasq[1027]: using nameserver 127.0.0.1#53 for domain <home search domain>
dnsmasq[1027]: using nameserver 127.0.0.1#53 for domain <vpn search domain>
dnsmasq[1027]: using nameserver <ip address>#53 for domain 10.in-addr.arpa
dnsmasq[1027]: using nameserver <ip address>#53 for domain <home search domain>
dnsmasq[1027]: using nameserver <ip address>#53 for domain <vpn search domain>
dnsmasq[1027]: using nameserver <ip address>#53 for domain 10.in-addr.arpa
dnsmasq[1027]: using nameserver <ip address>#53 for domain <home search domain>
dnsmasq[1027]: using nameserver <ip address>#53 for domain <vpn search domain>
dbus[471]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
NetworkManager[784]: <info> VPN plugin state changed: started (4)
NetworkManager[784]:    keyfile: updating /etc/NetworkManager/system-connections/<connection name>-6a503043-13b0-4ce7-9749-29cd3054cae3
dbus[471]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'

despite all the noise in the log about updating resolv.conf it removes the nameservers but doesn’t replace them with the ip addresses in the log. it does update the search domain correctly, so it’s likely not a permissions issue.

log when connecting using sudo openconnect in terminal:

NetworkManager[784]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
NetworkManager[784]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
NetworkManager[784]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
dbus[471]: [system] Activating service name='org.freedesktop.hostname1' (using servicehelper)
kernel: [ 3258.725774] systemd-hostnamed[4927]: Warning: nss-myhostname is not installed. Changing the local hostname might make it unresolveable. Please install nss-myhostname!
dbus[471]: [system] Successfully activated service 'org.freedesktop.hostname1'

nothing about updating resolv.conf, and yet it properly updates the name servers and the search domain.

update
if i ignore all the warnings in resolv.conf and add the vpn concentrator nameservers to it, i’m instantly able to browse. of course as soon as i disconnect, those changes are overwritten.

there was a bug on this, back in 2012, but it expired. the issue seems to be the vpnc script.

i tried manually updating my vpnc-scripts to the latest versions, but to no avail.

some further research turns up that as of 12.04 resolv.conf is no longer where nameservers go for dns resolution when using network-manager. that’s why it works when i use the command line, but not when using network-manager. rather the nameserver 127.0.1.1 [dnsmasq] is added and that nameserver is told the ip addresses of the actual nameservers.

The big advantage is that if you connect to a VPN, instead of having all your DNS traffic be routed through the VPN like in the past, you’ll instead only send DNS queries related to the subnet and domains announced by that VPN

update
disabling dnsmasq as explained in link above solves the issue because /etc/resolv.conf is populated.

this is not a real solution though it’s a fallback.

2 Answers

So I have resolved this for myself satisfactorily enough. I am on Mint 18 / Ubuntu 16.04

My problem was that once I connected to the Openconnect VPN through NetworkManager I could no longer resolve DNS for domains outside of my work domains. I.e. I lost internet!

My fix was this:

  1. In NetworkManager, I edited the VPN Connection under "Network Connections".
  2. In the IPv4 tab, changed method to "Automatic (VPN) Addresses Only"
  3. Added my work DNS server (e.g. 10.10.10.100) and "Search domain" of "mywork.tld"
  4. Click on "Routes".
  5. Add a route that covers my work network, e.g. 10.10.0.0 / 255.255.0.0 and gateway of 10.10.10.253 <-- VPN gateway I got from a "traceroute".
  6. Then I ticked both options: i. "Ignore automatically obtained routes" ii. "Use this connection only for resources on its network"

Works on my computer.

My understanding of what happened is that:

  1. My /etc/resolv.conf is setup with dnsmasq and is pointing to 127.0.1.1
  2. dnsmasq is using my ISP's DNS servers for general internet DNS resolution. For example, ISP DNS is let's say 8.8.8.8.
  3. I connect to VPN, DNS server of 10.10.10.100 is added as an additional server to dnsmasq to be used for "mywork.tld" DNS resolution.
  4. Once I am on the VPN, my work firewall no longer allows me to use port 53 to 8.8.8.8 so my general internet resolution goes away. DNS should timeout and go to the secondary DNS server, but it doesn't for some reason?
  5. I am left only with access to DNS resolution for "server01.mywork.tld" because this query goes to 10.10.10.100 which I have access to over the VPN.
  6. If I query for www.google.com it fails, even though my internal DNS can forward. I can only assume that my internal DNS is never asked.

My fix seems to stay working so long as my work doesn't change their network or DNS server IP address.

I'm a bit hazy about it, but I think it works for me because once this is done my Wireless NIC becomes my default network connection. So DNS queries go to 8.8.8.8 over wifi. Any query for "xyz.mywork.tld" is told by dnsmasq to go to 10.10.10.100. I have set a route for that, so that goes over "vpn0" NIC which returns the correct 10.10.10.x IP address for "xyz.mywork.tld". Bingo bango DNS resolution for internal and external networks and everyone is happy.

Answered by Seanchán on December 1, 2020

Check if there is a mismatch between the host you are trying to resolve via the VPN and the "DNS Domain" that the Cisco VPN server is sending.

To check for this, open a terminal and run:

tail -f /var/log/syslog

Then start openconnect via network manager. You'll see a whole bunch of output come through, including some lines like this:

Dec 5 12:54:31 canoe NetworkManager[1266]: Internal DNS: 10.0.20.21
Dec 5 12:54:31 canoe NetworkManager[1266]: Internal DNS: 10.10.3.32
Dec 5 12:54:31 canoe NetworkManager[1266]: DNS Domain: 'internal.example.com'

And further down you'll see

Dec 5 12:54:31 canoe dnsmasq[1871]: using nameserver 10.0.20.21#53 for domain internal.example.com

This means that the VPN server is instructing the client that the DNS servers should be used to resolve hosts within internal.example.com, such as server.internal.example.com.

In my case, I need to resolve server.example.com (and was not getting any result).

The solution for me was to go into the VPN settings and add example.com as an additional search domain:


Don't forget to disconnect VPN and then re-connect for the setting to take effect.

Answered by jdhildeb on December 1, 2020
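The check described in this answer, and the dnsmasq per-domain server selection that the first answer reasons about, can be automated against syslog output. This is an added example, not code from either answerer or from the dnsmasq project; the log lines are constructed to mirror the ones quoted above, and the matching rule (longest announced domain suffix wins, otherwise the default upstream is used) is how dnsmasq treats its per-domain server entries.

```python
import re

# Constructed syslog excerpt modelled on the lines quoted in the answer (not a real capture).
SAMPLE_SYSLOG = """\
Dec 5 12:54:31 canoe NetworkManager[1266]: Internal DNS: 10.0.20.21
Dec 5 12:54:31 canoe NetworkManager[1266]: DNS Domain: 'internal.example.com'
Dec 5 12:54:31 canoe dnsmasq[1871]: using nameserver 127.0.0.1#53 for domain internal.example.com
Dec 5 12:54:31 canoe dnsmasq[1871]: using nameserver 10.0.20.21#53 for domain internal.example.com
Dec 5 12:54:31 canoe dnsmasq[1871]: using nameserver 10.10.3.32#53 for domain 10.in-addr.arpa
"""

LINE_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (\S+)#(\d+) for domain (\S+)")


def parse_domain_servers(log_text):
    """Return {domain: [server#port, ...]} from dnsmasq 'using nameserver' lines.

    Loopback entries are dnsmasq pointing at itself, not a VPN resolver, so they are skipped.
    """
    mapping = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        server, port, domain = m.groups()
        if server.startswith("127."):
            continue
        mapping.setdefault(domain.lower().rstrip("."), []).append(f"{server}#{port}")
    return mapping


def resolvers_for(hostname, mapping):
    """Pick the resolvers dnsmasq would use for hostname: the longest matching announced domain.

    Returns (matched_domain, servers); (None, []) means the query goes to the default
    upstream (the ISP/home resolver), which is exactly the mismatch the answer describes.
    """
    host = hostname.lower().rstrip(".")
    best = None
    for domain in mapping:
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return (best, mapping[best]) if best is not None else (None, [])


if __name__ == "__main__":
    servers = parse_domain_servers(SAMPLE_SYSLOG)
    for host in ("server.internal.example.com", "server.example.com", "www.google.com"):
        print(host, "->", resolvers_for(host, servers))
```

Any host that reports `(None, [])` but should resolve over the VPN needs its parent domain added as an extra search domain in the connection, as the answer does with example.com.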
