default route, and dns
David Woodhouse
dwmw2 at infradead.org
Thu Jul 2 03:25:24 PDT 2015
On Thu, 2015-06-25 at 22:18 -0700, Openconnect User wrote:
> Hi.
>
> Why does openconnect add a default route through the vpn? Since the
> existing default is still there now I have two. (This is openconnect on
> osx from homebrew.) Traceroutes to various systems inside and outside
> the remote end seem to go the right way though.
By default, openconnect (well, vpnc-script) will set up the routes that
the server tells it to.
Some VPN servers use a 'split tunnel' configuration, where only certain
IP ranges are routed to the VPN.
Others are 'full tunnel', and we're supposed to route *everything* to
the VPN. (Except the packets which run over the real Internet to the
VPN server, of course. Otherwise it gets silly.)
> It doesn't add default routes on my linux box with openconnect that I
> built myself, but maybe I removed something from the vpnc-script. It has
> been a while since I set it up so I can't remember.
Possibly. Another option is to just use a trivial wrapper around
vpnc-script, which sets the CISCO_SPLIT_INC* variables for the IP ranges
you *do* want to route to the VPN, then invokes the real vpnc-script.
If any include routes are set, then it won't set a default route.
> I'd also like to know what people do about dns. On windows with the
> cisco client, dns magically works, resolving through the vpn to internal
> dns servers when necessary. For linux/osx openconnect clients I run a
> caching dns server with forwarders for domains inside the vpn. The
> problem is I don't know every possible domain I should forward, as the
> company is big and uses a lot of them.
If adding '-v' to the openconnect command line doesn't show the list in
some header somewhere, I'm not quite sure how the Windows client can
get this right. Does it really do *all* the domains that you need?
See the response I just sent to Patrick O'Brien on precisely this
topic. NetworkManager will do it for the single domain that we *do* get
from the Cisco server — and I think NetworkManager can also be told a
list of additional domains. We could make vpnc-script do it too.
(Note that we'd also want our dnsmasq setup to do reverse IP searches
in the in-addr.arpa and ip6.arpa domains corresponding to the addresses
which are routed to the VPN).
--
dwmw2
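One way to build the wrapper described in the reply above, as an added POSIX sh example (not the list post's or the OpenConnect project's own code): it exports the CISCO_SPLIT_INC* variables that vpnc-script reads for a fixed list of prefixes and then hands over to the unmodified vpnc-script. ROUTE_TO_VPN and REAL_VPNC_SCRIPT are assumed names, and the default prefix list is constructed sample data.

```shell
#!/bin/sh
# Wrapper for vpnc-script: route only a fixed list of prefixes through the
# VPN, whatever the server pushes, then hand over to the real vpnc-script.
# ROUTE_TO_VPN and REAL_VPNC_SCRIPT are assumed (hypothetical) names; the
# default prefix list below is constructed sample data.
ROUTE_TO_VPN="${ROUTE_TO_VPN:-10.0.0.0/8 172.16.0.0/12 192.168.100.0/24}"
REAL_VPNC_SCRIPT="${REAL_VPNC_SCRIPT:-/etc/vpnc/vpnc-script}"

# Dotted-quad netmask for an IPv4 prefix length (0..32), one octet at a time.
prefix_to_mask() {
    _rem=$1
    _out=""
    for _i in 1 2 3 4; do
        if [ "$_rem" -ge 8 ]; then
            _o=255
            _rem=$((_rem - 8))
        else
            _o=$(( (255 << (8 - _rem)) & 255 ))
            _rem=0
        fi
        _out="${_out}${_out:+.}${_o}"
    done
    printf '%s\n' "$_out"
}

# Export the CISCO_SPLIT_INC* variables vpnc-script reads: a count plus
# _ADDR/_MASK/_MASKLEN for each include. When CISCO_SPLIT_INC is set,
# vpnc-script adds only those routes instead of a default route.
set_split_includes() {
    _n=0
    for _cidr in $1; do
        case $_cidr in */*) ;; *) _cidr="$_cidr/32" ;; esac   # bare host
        _addr=${_cidr%/*}
        _len=${_cidr#*/}
        export "CISCO_SPLIT_INC_${_n}_ADDR=$_addr"
        export "CISCO_SPLIT_INC_${_n}_MASKLEN=$_len"
        export "CISCO_SPLIT_INC_${_n}_MASK=$(prefix_to_mask "$_len")"
        _n=$((_n + 1))
    done
    export CISCO_SPLIT_INC=$_n
}

# openconnect sets $reason (connect, disconnect, ...) when it runs the script.
# Set the same include list for every reason so connect adds and disconnect
# removes exactly the same routes, then exec the unmodified vpnc-script.
if [ -n "${reason:-}" ]; then
    set_split_includes "$ROUTE_TO_VPN"
    exec "$REAL_VPNC_SCRIPT" "$@"
fi
```

Point openconnect at it with `--script /path/to/this-wrapper`; with no `reason` in the environment (i.e. run by hand) it only defines the functions.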