Trouble with dns and routing while connected

Sean smalder73 at gmail.com
Thu Nov 3 09:07:47 PDT 2016


Hi, just following up on the issue regarding dns resolution...

This seems to be a problem with access to update resolv.conf through
using the -s 'sudo -E /etc/vpnc/vpnc' flag.  If I run openconnect as
root and the -s flag is not used, /etc/resolv.conf gets
updated correctly and shows commented headings stating that it was
updated by vpnc.  Everything works.

As a standard user, I modified the -s flag to include a printenv
command prior to the sudo command.  Running the openconnect command
then prints all of the environment settings needed for vpnc (like
INTERNAL_IP4_DNS) which has two correct addresses for VPN servers as
its value.  I don't quite understand why updating /etc/resolv.conf
through the vpnc script does not happen when executed through the -s
flag as suggested on the nonroot.html page of the website (linked
previously).  There are no selinux denials in the audit log - we're
running in Enforcing mode.

I guess the new question is in regards to the security of running
openconnect as root through sudo versus running the vpnc script as
root through sudo.  If there is not a significant difference in risk,
I can rework our configuration to run openconnect as root.  Can anyone
provide any reasons why one method would present more risk than the
other?

Thanks!

--Sean


On Wed, Nov 2, 2016 at 6:34 AM, Sean <smalder73 at gmail.com> wrote:
> Yes, even in the latest version, it does not support authentication
> with pkcs#11 smart cards -
> https://wiki.gnome.org/Projects/NetworkManager/PKCS11
>
> I was following guidance from
> http://www.infradead.org/openconnect/pkcs11.html,
> http://www.infradead.org/openconnect/nonroot.html and Mr. Woodhouse in
> configuring my systems this way.
>
> --Sean
>
>
> On Wed, Nov 2, 2016 at 4:46 AM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
>> On Tue, Nov 1, 2016 at 8:37 PM, Sean <smalder73 at gmail.com> wrote:
>>> Hi,
>>> I am using openconnect from Enterprise Linux 7 distributions to
>>> connect to a Cisco VPN, authenticating with a PKCS#11 smart card.
>>> When an unprivileged user connects externally two issues arise.
>>>
>>> 1. Name resolution doesn't get updated with the VPN's name servers.  I
>>> guess this is because NetworkManager sets /etc/resolv.conf, and
>>> openconnect is being executed outside of NetworkManager, though I'm
>>> not certain.
>>
>> Since you are using network manager, have you tried using the
>> networkmanager-openconnect plugin from epel? That would integrate with
>> the rest of the system.
>>
>> regards,
>> Nikos
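As an added diagnostic for the setup described in the thread (not code from the thread or from the openconnect project): a POSIX sh wrapper to point -s at in place of the bare 'sudo -E /etc/vpnc/vpnc'. It logs what openconnect passes to the script, runs the real vpnc-script under sudo exactly as the post does, and afterwards verifies that /etc/resolv.conf lists the INTERNAL_IP4_DNS addresses. The sudoers rule, the user name in it and the log path are assumptions; the variable names besides INTERNAL_IP4_DNS are the ones vpnc-script reads at connect time.

```shell
#!/bin/sh
# Constructed wrapper for openconnect's -s option, run by an unprivileged user.
# It records the environment openconnect hands to the script, runs the real
# vpnc-script via sudo (as in the post), and checks that /etc/resolv.conf
# picked up the VPN name servers. Assumption: a sudoers rule such as
#   sean ALL=(root) NOPASSWD:SETENV: /etc/vpnc/vpnc
# exists; without SETENV (or matching env_keep entries) sudo refuses -E and
# the INTERNAL_IP4_* variables never reach the script running as root.
LOG="${VPNC_WRAPPER_LOG:-/tmp/vpnc-wrapper.log}"   # hypothetical log path

# Print the names of variables vpnc-script needs at reason=connect that are
# unset or empty (space separated on one line; empty when all are present).
missing_vpnc_vars() {
    missing=""
    for v in reason VPNGATEWAY TUNDEV INTERNAL_IP4_ADDRESS INTERNAL_IP4_DNS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    printf '%s\n' "${missing# }"
}

# Return 0 when every address in $2 (INTERNAL_IP4_DNS, space separated)
# appears as a "nameserver" line in $1 (the text of resolv.conf), else 1.
resolv_has_dns() {
    for ns in $2; do
        printf '%s\n' "$1" |
            awk -v ns="$ns" '$1 == "nameserver" && $2 == ns { found = 1 }
                             END { exit !found }' || return 1
    done
    return 0
}

# Only act when invoked by openconnect (it sets $reason); otherwise the file
# just defines the functions above and can be sourced.
if [ -n "${reason:-}" ]; then
    {
        echo "== $(date) reason=$reason uid=$(id -u)"
        env | grep -E '^(reason|VPNGATEWAY|TUNDEV|INTERNAL_IP4_)' | sort
    } >>"$LOG"
    miss=$(missing_vpnc_vars)
    [ "$reason" != connect ] || [ -z "$miss" ] || echo "missing: $miss" >>"$LOG"
    sudo -E /etc/vpnc/vpnc
    rc=$?
    echo "sudo/vpnc exit status: $rc" >>"$LOG"
    if [ "$reason" = connect ] && [ -n "${INTERNAL_IP4_DNS:-}" ]; then
        resolv_has_dns "$(cat /etc/resolv.conf)" "$INTERNAL_IP4_DNS" ||
            echo "WARNING: resolv.conf does not list $INTERNAL_IP4_DNS" >>"$LOG"
    fi
    exit $rc
fi
```

Whether sudo -E is permitted at all is decided by the sudoers policy (a SETENV tag or env_keep entries), and a refusal shows up in the logged exit status and sudo's own message, which separates a policy refusal from a problem in the script itself.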
