4:52 p.m.
Hello,
I'm using Fedora 34. For some services I need to connect to my corporate
VPN (Cysco). I use openconnect with NetworkManager, which connects fine
to the vpn server. But there is a weird problem and I can not figure
out, where to change something.
If I use the AnyConnect-Client, the client creates on connect a
resolv.conf and saves the simlink to a backup file which is restored
upon disconnect. After it connects it modifies the resolv.conf with
entries on domain, dns servers etc. So I can call urls only available
within the vpn network.
I i use openconnect (which I prefer, because it keeps my network printer
available), it doenst do almost anything with resolve.conf. It only adds
a search entry, no dns, nothing. In this case I have to enter the ip
address of the services I need within the vpn network. I can resolve
this by adding an entry into hosts.conf, but nevertheless this bugs me.
I already searched the internet, tried a lot with nmcli, systemd-
resolved, but nothing helped. It seems, that openconnect doesn't
populate some vital dns entries.
What could I try?
Regards,
Tibor
--
Dr. Tibor Attila Anca
Pastor
Ev.-luth. Kirchengemeinde Dollbergen-Schwüblingsen
Fuhsestr. 19,
31311 Uetze OT Dollbergen
Gemeindebüro Telefon: +49 (0)5177 922144
Gemeindebüro Telefax: +49 (0)5177 922145
Direkter Kontakt:
Telefon: +49 (0)5132 5045860
Telefax: +49 (0)5132 5045861
5:20 p.m.
On 2021-05-19 2:52 p.m., Anca, Tibor wrote:
I'm using Fedora 34. For some services I need to connect to my
corporate
VPN (Cysco). I use openconnect with NetworkManager, which connects fine
to the vpn server. But there is a weird problem and I can not figure
out, where to change something.
If I use the AnyConnect-Client, the client creates on connect a
resolv.conf and saves the simlink to a backup file which is restored
upon disconnect. After it connects it modifies the resolv.conf with
entries on domain, dns servers etc. So I can call urls only available
within the vpn network.
I i use openconnect (which I prefer, because it keeps my network printer
available), it doenst do almost anything with resolve.conf. It only adds
a search entry, no dns, nothing. In this case I have to enter the ip
address of the services I need within the vpn network. I can resolve
this by adding an entry into hosts.conf, but nevertheless this bugs me.
I already searched the internet, tried a lot with nmcli, systemd-
resolved, but nothing helped. It seems, that openconnect doesn't
populate some vital dns entries.
Is there any indication in logs that openconnect is getting DNS info?
If not, then if you edit the connection settings in the control panel,
you can add the DNS info. I think systemd-resolved is supposed to be
able to handle split DNS like that. Or otherwise, I guess the VPN DNS
should get all requests.
6:22 p.m.
Am Mittwoch, dem 19.05.2021 um 15:20 -0700 schrieb Samuel Sieb:
Is there any indication in logs that openconnect is getting DNS info?
you can add the DNS info. I think systemd-resolved is supposed to be
should get all requests.
Where do I see those logs? If I run systemctl status systemd-resolved
than I see this:
vpn0: Bus client set DNS server list to: 192.168.x.x, 192.168.x,y
Now, those two entries are added by the AnyConnect-Client to
/etc/resolv.conf.
I cant figure out, why NM is not doing that...
7:46 p.m.
On 20/05/2021 07:22, Anca, Tibor wrote:
Am Mittwoch, dem 19.05.2021 um 15:20 -0700 schrieb Samuel Sieb:
> Is there any indication in logs that openconnect is getting DNS info?
> you can add the DNS info. I think systemd-resolved is supposed to be
> should get all requests.
Where do I see those logs? If I run systemctl status systemd-resolved
than I see this:
vpn0: Bus client set DNS server list to: 192.168.x.x, 192.168.x,y
Now, those two entries are added by the AnyConnect-Client to
/etc/resolv.conf.
I cant figure out, why NM is not doing that...
First, when using NM and the openconnect plugin I'm assuming you've not disabled
systemd-resolved.
So, your /etc/resolv.conf is a symlink on the order of
lrwxrwxrwx. 1 root root 39 Oct 31 2020 /etc/resolv.conf ->
../run/systemd/resolve/stub-resolv.conf
If that is the case, then can you compare the output of "resolvectl" for
dis-connected/connected?
I only use openvpn. But it looks like so:
disconnected
[egreshko@f34k ~]$ resolvectl
Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp1s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.122.1
DNS Servers: 192.168.122.1
DNS Domain: greshko.com
connected
Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp1s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.122.1
DNS Servers: 192.168.122.1
DNS Domain: greshko.com
Link 3 (tun0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 25.0.0.1
DNS Servers: 25.0.0.1
--
Remind me to ignore comments which aren't germane to the thread.
5:49 a.m.
Hello,
Am Donnerstag, dem 20.05.2021 um 08:46 +0800 schrieb Ed Greshko:
disconnected
My output on disconnected is:
Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp2s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
DNS Servers: 192.168.178.1
DNS Domain: fritz.box
Link 3 (wlp4s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
DNS Servers: fd00::e228:6dff:fec6:b89a 192.168.178.1
DNS Domain: fritz.box
Link 4 (virbr0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Link 5 (vpn0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
DNS Servers: 192.168.3.133
connected
When connected:
Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp2s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
DNS Servers: 192.168.178.1
DNS Domain: fritz.box
Link 3 (wlp4s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
DNS Servers: fd00::e228:6dff:fec6:b89a 192.168.178.1
DNS Domain: fritz.box
Link 4 (virbr0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Link 5 (vpn0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Current DNS Server: 192.168.3.33
DNS Servers: 192.168.3.33 192.168.3.133
DNS Domain: vpn.domain.de
And yes, systemd-resolved is running, /etc/resolv.conf is a symlink.
What do you read out of these outputs?
Regards
Tibor
--
Dr. Tibor Attila Anca
Pastor
Ev.-luth. Kirchengemeinde Dollbergen-Schwüblingsen
Fuhsestr. 19,
31311 Uetze OT Dollbergen
Gemeindebüro Telefon: +49 (0)5177 922144
Gemeindebüro Telefax: +49 (0)5177 922145
Direkter Kontakt:
Telefon: +49 (0)5132 5045860
Telefax: +49 (0)5132 5045861
6:14 a.m.
On 20/05/2021 18:49, Anca, Tibor wrote:
Link 5 (vpn0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS
DNSSEC=no/unsupported
Current DNS Server: 192.168.3.33
DNS Servers: 192.168.3.33 192.168.3.133
DNS Domain: vpn.domain.de
And yes, systemd-resolved is running, /etc/resolv.conf is a symlink.
What do you read out of these outputs?
How are you specifying the hostname you want to reach on the remote side?
If you are just using "Aname" then when the request is sent to 192.168.3.33 it
will become
a request for an A (or AAAA) record for "Aname.vpn.domain.de"
If you the actual FQDN is different than that you'd need to spell it out or add the
additional
"Search Domain" under the IPv4 Tab in the openconnect configuration of NM.
You can always use the "host" command to test/try different combination and
direct the
request only to that one DNS server.
host Aname 192.168.3.33 for example
--
Remind me to ignore comments which aren't germane to the thread.
6:27 a.m.
Hi,
Am Donnerstag, dem 20.05.2021 um 19:14 +0800 schrieb Ed Greshko:
How are you specifying the hostname you want to reach on the remote
side?
If you are just using "Aname" then when the request is sent to
192.168.3.33 it will become
a request for an A (or AAAA) record for "Aname.vpn.domain.de"
I mus admit, I don't really get it...
If you the actual FQDN is different than that you'd need to spell
it
out or add the additional
"Search Domain" under the IPv4 Tab in the openconnect configuration of
NM.
You can always use the "host" command to test/try different
combination and direct the
request only to that one DNS server.
host Aname 192.168.3.33 for example
I added a few days ago in /etc/hosts a line:
ip.add.re.ss host.name.de
By doing this Firefox finds the target website, even if I only use the
url. Without this entry I must specify the ip of the website. The
difference is: anyconnect populates the nameservers, openconnect
doesn't.
6:33 a.m.
On 20/05/2021 19:27, Anca, Tibor wrote:
Hi,
Am Donnerstag, dem 20.05.2021 um 19:14 +0800 schrieb Ed Greshko:
> How are you specifying the hostname you want to reach on the remote
> side?
>
> If you are just using "Aname" then when the request is sent to
> 192.168.3.33 it will become
> a request for an A (or AAAA) record for "Aname.vpn.domain.de"
I mus admit, I don't really get it...
> If you the actual FQDN is different than that you'd need to spell it
> out or add the additional
> "Search Domain" under the IPv4 Tab in the openconnect configuration of
> NM.
>
> You can always use the "host" command to test/try different
> combination and direct the
> request only to that one DNS server.
>
> host Aname 192.168.3.33 for example
>
I added a few days ago in /etc/hosts a line:
ip.add.re.ss host.name.de
By doing this Firefox finds the target website, even if I only use the
url. Without this entry I must specify the ip of the website. The
difference is: anyconnect populates the nameservers, openconnect
doesn't.
Does
host host.name.de 192.168.3.33
Return the IP address you expect?
--
Remind me to ignore comments which aren't germane to the thread.
8:46 a.m.
On 20/05/2021 20:59, Anca, Tibor wrote:
Am Donnerstag, dem 20.05.2021 um 19:33 +0800 schrieb Ed Greshko:
> Does
>
> host host.name.de 192.168.3.33
>
> Return the IP address you expect?
Yes. But it also returns:
Host xyz not found: 3(NXDOMAIN)
One of my problems is I can't find a way to give sound advice when the actual
information
is obfuscated.
But, is the above with or without the /etc/hosts entry?
--
Remind me to ignore comments which aren't germane to the thread.
9:19 a.m.
Hello,
Am Donnerstag, dem 20.05.2021 um 21:46 +0800 schrieb Ed Greshko:
But, is the above with or without the /etc/hosts entry?
I just checked, it is with added entry, with established VPN-Connection.
--
Dr. Tibor Attila Anca
Pastor
Ev.-luth. Kirchengemeinde Dollbergen-Schwüblingsen
Fuhsestr. 19,
31311 Uetze OT Dollbergen
Gemeindebüro Telefon: +49 (0)5177 922144
Gemeindebüro Telefax: +49 (0)5177 922145
Direkter Kontakt:
Telefon: +49 (0)5132 5045860
Telefax: +49 (0)5132 5045861
9:24 a.m.
On 20/05/2021 22:19, Anca, Tibor wrote:
Hello,
Am Donnerstag, dem 20.05.2021 um 21:46 +0800 schrieb Ed Greshko:
> But, is the above with or without the /etc/hosts entry?
I just checked, it is with added entry, with established VPN-Connection.
How about with the entry removed?
--
Remind me to ignore comments which aren't germane to the thread.
9:23 a.m.
On Thu, 2021-05-20 at 12:59 +0000, Anca, Tibor wrote:
Am Donnerstag, dem 20.05.2021 um 19:33 +0800 schrieb Ed Greshko:
> Does
>
> host host.name.de 192.168.3.33
>
> Return the IP address you expect?
Yes. But it also returns:
Host xyz not found: 3(NXDOMAIN)
Are you trying to use just the hostname without the fully qualified
domain name?
systemd resolved won't modify the nameservers listed in
/etc/resolv.conf. It uses different name servers based on the
interface. It won't query your VPN name servers if you only specify a
hostname. It will only use your VPN name servers if you specify a
domain name that matches the domain names of your VPN.
This article gives a good overview of how it works, including on vpns.
https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/
7:10 p.m.
On 2021-05-19 5:52 p.m., Anca, Tibor wrote:
I'm using Fedora 34. For some services I need to connect to my
corporate
VPN (Cysco). I use openconnect with NetworkManager, which connects fine
to the vpn server. But there is a weird problem and I can not figure
out, where to change something.
If I use the AnyConnect-Client, the client creates on connect a
resolv.conf and saves the simlink to a backup file which is restored
upon disconnect. After it connects it modifies the resolv.conf with
entries on domain, dns servers etc. So I can call urls only available
within the vpn network.
I i use openconnect (which I prefer, because it keeps my network printer
available), it doenst do almost anything with resolve.conf. It only adds
a search entry, no dns, nothing. In this case I have to enter the ip
address of the services I need within the vpn network. I can resolve
this by adding an entry into hosts.conf, but nevertheless this bugs me.
I already searched the internet, tried a lot with nmcli, systemd-
resolved, but nothing helped. It seems, that openconnect doesn't
populate some vital dns entries.
A good VPN does this on purpose - adding ip
addresses to what is on the
corporate network is a very bad thing from a security standpoint. If
you can do that, your admin guys should probably block you. Yes, you
like your local printer, but is it secure like the one at work? And how
about the fileserver under your desk? Is it also regularly scanned and
updated by your work? Adding ip addresses and spoofed hosts that were
thought to be secure just makes a mockery of the corporate security.
Just don't.
6:19 a.m.
Hi,
Am Mittwoch, dem 19.05.2021 um 20:10 -0400 schrieb John Mellor:
A good VPN does this on purpose - adding ip addresses to what is on
the
corporate network is a very bad thing from a security standpoint. If
you can do that, your admin guys should probably block you. Yes, you
like your local printer, but is it secure like the one at work? And
how
about the fileserver under your desk? Is it also regularly scanned
and
thought to be secure just makes a mockery of the corporate security.
Just don't.
I work totally decentral, in fact I have three offices, which are
officially recognized by my employer as designated offices. Those
network printers are located in these offices, so I would like to use
the local network printers in my official offices.
Now, the VPN-Servers are located in a different city. There is only one
service, for what I need VPN. I could disable the connection, of course,
but that is annoying. I still suffer from previous experiences, when we
only had CheckPoint client ONLY FOR WINDOWS...
Concerning the fileserver under my desk: there is none. There is a LUKS
partitioned disk ON my desk, used by rsync twice a day for backups.
Regards
Tibor
--
Dr. Tibor Attila Anca
Pastor
Ev.-luth. Kirchengemeinde Dollbergen-Schwüblingsen
Fuhsestr. 19,
31311 Uetze OT Dollbergen
Gemeindebüro Telefon: +49 (0)5177 922144
Gemeindebüro Telefax: +49 (0)5177 922145
Direkter Kontakt:
Telefon: +49 (0)5132 5045860
Telefax: +49 (0)5132 5045861
8:24 p.m.
On May 19, 2021, at 5:52 PM, Anca, Tibor <Tibor.Anca(a)evlka.de>
wrote:
I i use openconnect (which I prefer, because it keeps my network printer
available), it doenst do almost anything with resolve.conf. It only adds
a search entry, no dns, nothing. In this case I have to enter the ip
address of the services I need within the vpn network. I can resolve
this by adding an entry into hosts.conf, but nevertheless this bugs me.
Is the search domain that is added to resolv.conf the correct domain for your work that
you are trying to access? I have two domains at my workplace and only one of them gets
pushed out by the VPN DHCP service so in order to resolve anything in the other domain I
have to add it myself. I use nm-connection-editor to modify the IPV4 settings for my VPN
adapter to add both desired search domains. Systemd-resolved has per-adapter DNS servers
and will only query the VPN DNS servers for domains that are specified in the search
domain for that adapter.
6:30 a.m.
Am Mittwoch, dem 19.05.2021 um 21:24 -0400 schrieb Kevin Becker:
Is the search domain that is added to resolv.conf the correct domain
for your work that you are trying to access?
Yes, it is the same which is added by AnyConnect.
I have two domains at my workplace and only one of them gets pushed
out by the VPN DHCP service so in order to resolve anything in the
other domain I have to add it myself. I use nm-connection-editor to
modify the IPV4 settings for my VPN adapter to add both desired search
domains. Systemd-resolved has per-adapter DNS servers and will only
query the VPN DNS servers for domains that are specified in the search
domain for that adapter.
I already tried to make those modifications in the connection editor
(DNS). However, as soon as I commented out the entry in /etc/hosts (ip
url), those changes were useless. Still got from Firefox: Not found.
Regards
Tibor
--
Dr. Tibor Attila Anca
Pastor
Ev.-luth. Kirchengemeinde Dollbergen-Schwüblingsen
Fuhsestr. 19,
31311 Uetze OT Dollbergen
Gemeindebüro Telefon: +49 (0)5177 922144
Gemeindebüro Telefax: +49 (0)5177 922145
Direkter Kontakt:
Telefon: +49 (0)5132 5045860
Telefax: +49 (0)5132 5045861
1071
days inactive
1072
days old
16 comments
5 participants
participants (5)
-
Anca, Tibor -
Ed Greshko -
John Mellor -
Kevin Becker -
Samuel Sieb