Trouble with dns and routing while connected

Sean smalder73 at gmail.com
Tue Nov 1 12:37:32 PDT 2016


Hi,

I am using openconnect from Enterprise Linux 7 distributions to
connect to a Cisco VPN, authenticating with a PKCS#11 smart card.
When an unprivileged user connects externally two issues arise.

1. Name resolution doesn't get updated with the VPN's name servers.  I
guess this is because NetworkManager sets /etc/resolv.conf, and
openconnect is being executed outside of NetworkManager, though I'm
not certain.

2. A split tunnel is created.  I hope that's the right language, if
not, I hope this will explain the behavior:  From a windows system
connecting to the vpn with the Cisco client, all traffic is routed
through the vpn tunnel... when I start the vpn client from within an
RDP session, my RDP session will disconnect, so I'd expect an ssh
connection to disconnect when openconnect establishes the vpn
connection and that is not the case.

Syslog shows messages that imply that NetworkManager understands
what's going on when openconnect is run, but these issues persist....

NetworkManager[2677]: <info>  Policy set 'vpn0' (vpn0) as default for
IPv4 routing and DNS.
NetworkManager[2677]: <info>  (vpn0): Activation: successful, device activated.

Here's the client side configuration:

I've setup a systemd service that plumbs the interface vpn0 using the
following command:

/usr/sbin/ip tuntap add vpn0 mode tun group vpnusers

I have a vpn-wrapper script that the users execute which runs the
following openconnect command:

/usr/sbin/openconnect -q -i vpn0 -c 'pkcs11:<certificate token
string>' -s 'sudo /etc/vpnc/vpnc-script' vpn.example.com

I also have deployed a sudoers rule file for the vpnusers group with
the following rules:

Defaults        env_keep += "reason VPNGATEWAY TUNDEV
INTERNAL_IP4_ADDRESS INTERNAL_IP4_NETMASK"
Defaults        env_keep += "INTERNAL_IP4_NETMASKLEN
INTERNAL_IP4_NETADDR INTERNAL_IP4_DNS"
Defaults        env_keep += "INTERNAL_IP4_NBNS CISCO_DEF_DOMAIN
CISCO_BANNER CISCO_SPLIT_INC"
Defaults        env_keep += "CISCO_SPLIT_INC_%d_ADDR
CISCO_SPLIT_INC_%d_MASK CISCO_SPLIT_INC_%d_MASKLEN"
Defaults        env_keep += "CISCO_SPLIT_INC_%d_PROTOCOL
CISCO_SPLIT_INC_%d_SPORT"
Defaults        env_keep += "CISCO_SPLIT_INC_%d_DPORT"
%vpnusers ALL = (root) /etc/vpnc/vpnc-script

NOTE that we seem to have an issue with users running sudo -E, so I've
added the environment variables documented in the vpnc-script to the
sudo rules, and this seems to work save the issues listed above.

Can you help?  Thank you kindly!

--Sean
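The following is an added example, not code from the post above and not code from openconnect or vpnc-script. It is a side-effect-free model of the two decisions vpnc-script makes from the environment openconnect exports: whether to move the default route onto the tunnel device (full tunnel, when CISCO_SPLIT_INC is unset or 0) or to route only the CISCO_SPLIT_INC_<n>_ADDR/MASKLEN prefixes through it (split tunnel), and what it puts in resolv.conf from INTERNAL_IP4_DNS and CISCO_DEF_DOMAIN. It also models a sudoers env_keep filter by exact name, since sudo does not expand printf-style tokens, so a list entry written as CISCO_SPLIT_INC_%d_ADDR keeps no real variable; the script itself reads the indexed names CISCO_SPLIT_INC_0_ADDR, CISCO_SPLIT_INC_1_ADDR and so on. All addresses, the tunnel device name, the domain and the resolv.conf header comment are constructed sample values. The real script does not validate the values before placing them in shell commands; the model does, with the ipaddress module, which is the check worth adding when unprivileged users can pass variables to a root-executed script.

```python
"""Model of vpnc-script's route and DNS handling (added example, not vpnc-script).

Nothing here touches the system: `ip route` commands and resolv.conf content
are returned as strings so an environment can be inspected without root or a
VPN. Values are validated with the ipaddress module before being placed in a
command; the real script does not do this.
"""
import ipaddress


def filter_env_keep(env, env_keep):
    """Model of sudo's env_reset + env_keep: keep only variables whose names
    appear literally in the list. '%d' is not expanded by sudo, so a list entry
    such as 'CISCO_SPLIT_INC_%d_ADDR' keeps nothing."""
    keep = set(env_keep)
    return {name: value for name, value in env.items() if name in keep}


def plan_routes(env):
    """Return the `ip route` commands the handler would run for this environment."""
    dev = env["TUNDEV"]
    ipaddress.ip_address(env["VPNGATEWAY"])  # raises ValueError if not an IP address
    count = int(env.get("CISCO_SPLIT_INC") or 0)
    cmds = []
    if count == 0:
        # Full tunnel: everything goes via the tunnel device. (The real script
        # first pins a host route to VPNGATEWAY via the old gateway so the
        # tunnel's own packets do not get routed into the tunnel.)
        cmds.append(f"ip route replace default dev {dev}")
        return cmds
    for i in range(count):
        addr = env.get(f"CISCO_SPLIT_INC_{i}_ADDR")
        masklen = env.get(f"CISCO_SPLIT_INC_{i}_MASKLEN")
        if addr is None or masklen is None:
            raise KeyError(f"CISCO_SPLIT_INC={count} but entry {i} is missing from the environment")
        # strict=False tolerates host bits set below the mask; anything that is
        # not an address/prefix (e.g. shell metacharacters) raises ValueError.
        net = ipaddress.ip_network(f"{addr}/{masklen}", strict=False)
        cmds.append(f"ip route replace {net} dev {dev}")
    return cmds


def render_resolv_conf(env):
    """Return the resolv.conf content the handler would write (nothing is written)."""
    lines = ["# generated from the VPN-supplied environment (sample header)"]
    domain = env.get("CISCO_DEF_DOMAIN")
    if domain:
        lines.append(f"search {domain}")
    for ns in env.get("INTERNAL_IP4_DNS", "").split():
        ipaddress.ip_address(ns)  # raises ValueError on a non-address
        lines.append(f"nameserver {ns}")
    return "\n".join(lines) + "\n"


def split_entries_surviving(env, env_keep):
    """Count the complete CISCO_SPLIT_INC_<n> entries left after env_keep filtering."""
    kept = filter_env_keep(env, env_keep)
    count = int(kept.get("CISCO_SPLIT_INC") or 0)
    return sum(
        1 for i in range(count)
        if f"CISCO_SPLIT_INC_{i}_ADDR" in kept and f"CISCO_SPLIT_INC_{i}_MASKLEN" in kept
    )


# Constructed sample of what openconnect exports for a two-prefix split-include session.
SAMPLE_ENV = {
    "reason": "connect",
    "VPNGATEWAY": "203.0.113.10",
    "TUNDEV": "vpn0",
    "INTERNAL_IP4_ADDRESS": "10.8.0.5",
    "INTERNAL_IP4_NETMASK": "255.255.255.0",
    "INTERNAL_IP4_NETMASKLEN": "24",
    "INTERNAL_IP4_DNS": "10.8.0.2 10.8.0.3",
    "CISCO_DEF_DOMAIN": "corp.example.com",
    "CISCO_SPLIT_INC": "2",
    "CISCO_SPLIT_INC_0_ADDR": "10.0.0.0",
    "CISCO_SPLIT_INC_0_MASKLEN": "8",
    "CISCO_SPLIT_INC_1_ADDR": "192.168.10.0",
    "CISCO_SPLIT_INC_1_MASKLEN": "24",
}

# The env_keep names from the post, with the %d placeholder taken literally as sudo would.
ENV_KEEP_AS_POSTED = [
    "reason", "VPNGATEWAY", "TUNDEV", "INTERNAL_IP4_ADDRESS", "INTERNAL_IP4_NETMASK",
    "INTERNAL_IP4_NETMASKLEN", "INTERNAL_IP4_NETADDR", "INTERNAL_IP4_DNS",
    "INTERNAL_IP4_NBNS", "CISCO_DEF_DOMAIN", "CISCO_BANNER", "CISCO_SPLIT_INC",
    "CISCO_SPLIT_INC_%d_ADDR", "CISCO_SPLIT_INC_%d_MASK", "CISCO_SPLIT_INC_%d_MASKLEN",
]

if __name__ == "__main__":
    print("\n".join(plan_routes(SAMPLE_ENV)))
    print(render_resolv_conf(SAMPLE_ENV), end="")
    print("complete split entries after env_keep:", split_entries_surviving(SAMPLE_ENV, ENV_KEEP_AS_POSTED))
```

Running plan_routes on the full sample environment yields two prefix routes and no default route, which is the split-tunnel behaviour; removing CISCO_SPLIT_INC from the environment yields only the default-route command. Running it on the environment after filter_env_keep with the posted list raises KeyError, because CISCO_SPLIT_INC survives but none of the indexed entries do.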


