OpenConnect does not revert DNS after disconnecting from VPN

Daniel Lenski dlenski at gmail.com
Fri Nov 13 13:09:07 EST 2020


On Fri, Nov 13, 2020 at 2:41 AM Jędrek Domański
<jedrek.domanski at gmail.com> wrote:
>
> Hello,
> I am using OpenConnect on Ubuntu 16.04 to connect to my client's IT
> infrastructure and am having problems after disconnecting VPN. Prior to
> connecting to VPN my /etc/resolv.conf looks like this:
>
> nameserver 127.0.1.1
> search home
>
> After connecting to VPN my /etc/resolv.conf gets changed and I get
> nameserver and search from my client's server configuration, which is
> fine, however after disconnecting VPN my /etc/resolv.conf stays the
> same and my internet connection speed is dramatically degraded and it
> takes almost 10 seconds for every page to load. I have checked my
> network configuration and have confirmed with my ISP provider that the
> correct DNS servers are provided for me and that the issue comes from
> openconnect not reverting the changed configuration file
> /etc/resolv.conf. The nameserver I am left with is the Google DNS
> 8.8.8.8 which I get from my client's server, because they might be
> using it inside of their infrastructure for some reason. I've tried it
> on my Mac and after disconnecting VPN /etc/resolv.conf is reverted to
> what it was prior to establishing the connection. This should also happen
> on Linux but it does not. Why does this not happen and how do I fix
> this?

Technically, this is not because of OpenConnect itself, but because of
the vpnc-script
(https://gitlab.com/openconnect/vpnc-scripts/blob/master/vpnc-script)
which OpenConnect calls for all routing and DNS setup.

Assuming you're using the version of the vpnc-script that's actually
distributed with Ubuntu 16.04, it's *ancient*
(https://packages.ubuntu.com/xenial/vpnc-scripts).

We've made a ton of modifications and improvements to DNS handling
since then (approximate diff:
https://gitlab.com/openconnect/vpnc-scripts/-/compare/a64e23b1b6602095f73c4ff7fdb34cccf7149fd5...master#47d6c67f7e3c5408337ca1a557416fa846c6efc4).

Most likely your Mac has a much more modern version of the vpnc-script.

The first thing to try is using a modern version of the vpnc-script and
see if that fixes the situation. If that doesn't work, add --script
"sh -x /path/to/the/vpnc-script" to your OpenConnect command-line;
this will give a trace of all the commands run by the vpnc-script, and
aid greatly in debugging.

Dan



More information about the openconnect-devel mailing list