connecting to dynamic dns

Kevin Cernekee cernekee at
Sat Nov 29 15:26:32 PST 2014

On Sat, Nov 29, 2014 at 5:54 AM, David Woodhouse <dwmw2 at> wrote:
> On Sat, 2014-11-29 at 08:29 +0100, Nikos Mavrogiannopoulos wrote:
>> When connecting to an IP which is dynamic, it may often change and
>> require a reconnection. However, cstp_reconnect() will attempt to
>> connect to the cached IP and never fallback. The attached patch fixes
>> the issue for me, but what would be the best approach?
>> 1. Don't cache the IP at all
> Hm, the problem with this is that you may now be using a DNS server *on*
> the VPN. So it's unlikely that the DNS lookup will succeed. And even if
> it *does* work because you still have a live DTLS connection, if you
> have schizoDNS you might find that the hostname either doesn't exist in
> the internal view or resolves to something different.
> And then if you have full tunnel routing you're going to need to change
> the routes so that the new server IP address isn't routed through the
> VPN...

For the special case of Android, you can ask the OS to route traffic
over the "primary" network connection (bypassing the VPN) on a per-fd
basis.  We already do this through the protect_socket() callback for
CSTP/DTLS reconnections.  DNS might be a bigger challenge, unless you
wanted to bypass the resolver built into libc.

Not sure if there is a clean, portable way to make this work with
vpnc-script though.

> 1. "The new DNS is routed through the VPN": That is a configuration issue, nothing openconnect can solve.

Well, in a corporate installation, that is pretty much the norm
because you'll want people to be able to look up internal hostnames.
And the schizoDNS setup that David referred to is more likely.

But on a dyndns installation (presumably somebody's home cable/DSL
line) maybe the goals are different.  The various "bypass GFW"
tutorials I've seen online have often instructed the ocserv
administrator to configure DNS using a public server like and
to push a long list of split tunnel routes allowing access to specific
blocked services.  Likewise, if somebody is using ocserv to provide
access to their home LAN, they might push a route for
and allow other traffic to use the primary network connection.

If somebody is using ocserv to circumvent e.g. OpenDNS parental
controls or as a full tunnel to avoid workplace snooping, then
(currently) they would want to be using a static IP.

Do you think it makes sense for ocserv to pass a hint to the client
that the server's IP is dynamic?
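The reconnect behaviour discussed in this thread (a cached server address that is retried but never re-resolved), modelled as an added illustration rather than openconnect's own cstp_reconnect() code: the cached address is tried first, the hostname is re-resolved only on failure, and a resolver that cannot answer (for instance a DNS server reachable only through the dropped tunnel) is reported rather than retried forever. The hostname and the 203.0.113.x addresses are constructed sample values.

```python
"""Model of a reconnect policy with fallback re-resolution (illustrative only)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class ReconnectState:
    hostname: str
    cached_ip: Optional[str] = None
    attempts: List[str] = field(default_factory=list)  # addresses tried, in order


def reconnect(state: ReconnectState,
              resolve: Callable[[str], Optional[str]],
              connect: Callable[[str], bool]) -> Optional[str]:
    """Try the cached address, then re-resolve the hostname and try again.

    resolve(hostname) returns an address, or None when the resolver cannot
    answer (e.g. the only DNS server sits behind the VPN that just dropped).
    connect(ip) returns True on success.  Returns the address that connected,
    or None so the caller can back off and retry later.
    """
    if state.cached_ip is not None:
        state.attempts.append(state.cached_ip)
        if connect(state.cached_ip):
            return state.cached_ip
    new_ip = resolve(state.hostname)
    if new_ip is None or new_ip == state.cached_ip:
        return None  # no new information: re-resolution failed or gave the same address
    state.attempts.append(new_ip)
    if connect(new_ip):
        state.cached_ip = new_ip  # remember the server's new address
        return new_ip
    return None


def demo_dynamic_ip_moved() -> ReconnectState:
    """Constructed scenario: the server moved from .5 to .9 and only .9 accepts."""
    state = ReconnectState("vpn.example.net", cached_ip="203.0.113.5")
    reconnect(state, lambda h: "203.0.113.9", lambda ip: ip == "203.0.113.9")
    return state


def demo_resolver_behind_vpn() -> Optional[str]:
    """Constructed scenario: the resolver is unreachable, so no fallback is possible."""
    state = ReconnectState("vpn.example.net", cached_ip="203.0.113.5")
    return reconnect(state, lambda h: None, lambda ip: False)


if __name__ == "__main__":
    print(demo_dynamic_ip_moved().attempts, demo_resolver_behind_vpn())
```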

More information about the openconnect-devel mailing list