Hello,
I'm using Fedora 34. For some services I need to connect to my corporate VPN (Cisco). I use openconnect with NetworkManager, which connects fine to the VPN server. But there is a weird problem and I cannot figure out where to change something.
If I use the AnyConnect client, the client creates on connect a resolv.conf and saves the symlink to a backup file which is restored upon disconnect. After it connects it modifies the resolv.conf with entries on domain, DNS servers etc. So I can call URLs only available within the VPN network.
If I use openconnect (which I prefer, because it keeps my network printer available), it doesn't do almost anything with resolv.conf. It only adds a search entry, no DNS, nothing. In this case I have to enter the IP address of the services I need within the VPN network. I can resolve this by adding an entry into hosts.conf, but nevertheless this bugs me.
I already searched the internet, tried a lot with nmcli, systemd-resolved, but nothing helped. It seems that openconnect doesn't populate some vital DNS entries.
What could I try?
Regards, Tibor
On 2021-05-19 2:52 p.m., Anca, Tibor wrote:
I'm using Fedora 34. For some services I need to connect to my corporate VPN (Cisco). I use openconnect with NetworkManager, which connects fine to the VPN server. But there is a weird problem and I cannot figure out where to change something.
If I use the AnyConnect client, the client creates on connect a resolv.conf and saves the symlink to a backup file which is restored upon disconnect. After it connects it modifies the resolv.conf with entries on domain, DNS servers etc. So I can call URLs only available within the VPN network.
If I use openconnect (which I prefer, because it keeps my network printer available), it doesn't do almost anything with resolv.conf. It only adds a search entry, no DNS, nothing. In this case I have to enter the IP address of the services I need within the VPN network. I can resolve this by adding an entry into hosts.conf, but nevertheless this bugs me.
I already searched the internet, tried a lot with nmcli, systemd-resolved, but nothing helped. It seems that openconnect doesn't populate some vital DNS entries.
Is there any indication in logs that openconnect is getting DNS info? If not, then if you edit the connection settings in the control panel, you can add the DNS info. I think systemd-resolved is supposed to be able to handle split DNS like that. Or otherwise, I guess the VPN DNS should get all requests.
On Wednesday, 19.05.2021 at 15:20 -0700, Samuel Sieb wrote:
Is there any indication in logs that openconnect is getting DNS info? If not, then if you edit the connection settings in the control panel, you can add the DNS info. I think systemd-resolved is supposed to be able to handle split DNS like that. Or otherwise, I guess the VPN DNS should get all requests.
Where do I see those logs? If I run systemctl status systemd-resolved then I see this:
vpn0: Bus client set DNS server list to: 192.168.x.x, 192.168.x,y
Now, those two entries are added by the AnyConnect client to /etc/resolv.conf.
I can't figure out why NM is not doing that...
On 2021-05-19 5:52 p.m., Anca, Tibor wrote:
I'm using Fedora 34. For some services I need to connect to my corporate VPN (Cisco). I use openconnect with NetworkManager, which connects fine to the VPN server. But there is a weird problem and I cannot figure out where to change something.
If I use the AnyConnect client, the client creates on connect a resolv.conf and saves the symlink to a backup file which is restored upon disconnect. After it connects it modifies the resolv.conf with entries on domain, DNS servers etc. So I can call URLs only available within the VPN network.
If I use openconnect (which I prefer, because it keeps my network printer available), it doesn't do almost anything with resolv.conf. It only adds a search entry, no DNS, nothing. In this case I have to enter the IP address of the services I need within the VPN network. I can resolve this by adding an entry into hosts.conf, but nevertheless this bugs me.
I already searched the internet, tried a lot with nmcli, systemd-resolved, but nothing helped. It seems that openconnect doesn't populate some vital DNS entries.
A good VPN does this on purpose - adding IP addresses to what is on the corporate network is a very bad thing from a security standpoint. If you can do that, your admin guys should probably block you. Yes, you like your local printer, but is it secure like the one at work? And how about the fileserver under your desk? Is it also regularly scanned and updated by your work? Adding IP addresses and spoofed hosts that were thought to be secure just makes a mockery of the corporate security. Just don't.
On 20/05/2021 07:22, Anca, Tibor wrote:
On Wednesday, 19.05.2021 at 15:20 -0700, Samuel Sieb wrote:
Is there any indication in logs that openconnect is getting DNS info? If not, then if you edit the connection settings in the control panel, you can add the DNS info. I think systemd-resolved is supposed to be able to handle split DNS like that. Or otherwise, I guess the VPN DNS should get all requests.
Where do I see those logs? If I run systemctl status systemd-resolved then I see this:
vpn0: Bus client set DNS server list to: 192.168.x.x, 192.168.x,y
Now, those two entries are added by the AnyConnect client to /etc/resolv.conf.
I can't figure out why NM is not doing that...
First, when using NM and the openconnect plugin I'm assuming you've not disabled systemd-resolved.
So, your /etc/resolv.conf is a symlink on the order of
lrwxrwxrwx. 1 root root 39 Oct 31 2020 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
If that is the case, then can you compare the output of "resolvectl" for disconnected/connected? I only use openvpn. But it looks like so:
disconnected
[egreshko@f34k ~]$ resolvectl
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.122.1
       DNS Servers: 192.168.122.1
        DNS Domain: greshko.com
connected
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.122.1
       DNS Servers: 192.168.122.1
        DNS Domain: greshko.com

Link 3 (tun0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 25.0.0.1
       DNS Servers: 25.0.0.1
On May 19, 2021, at 5:52 PM, Anca, Tibor Tibor.Anca@evlka.de wrote:
If I use openconnect (which I prefer, because it keeps my network printer available), it doesn't do almost anything with resolv.conf. It only adds a search entry, no DNS, nothing. In this case I have to enter the IP address of the services I need within the VPN network. I can resolve this by adding an entry into hosts.conf, but nevertheless this bugs me.
Is the search domain that is added to resolv.conf the correct domain for your work that you are trying to access? I have two domains at my workplace and only one of them gets pushed out by the VPN DHCP service, so in order to resolve anything in the other domain I have to add it myself. I use nm-connection-editor to modify the IPv4 settings for my VPN adapter to add both desired search domains. systemd-resolved has per-adapter DNS servers and will only query the VPN DNS servers for domains that are specified in the search domain for that adapter.
Hello, On Thursday, 20.05.2021 at 08:46 +0800, Ed Greshko wrote:
disconnected
My output on disconnected is:
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1
        DNS Domain: fritz.box

Link 3 (wlp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: fd00::e228:6dff:fec6:b89a 192.168.178.1
        DNS Domain: fritz.box

Link 4 (virbr0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (vpn0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.3.133
connected
When connected:
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1
        DNS Domain: fritz.box

Link 3 (wlp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: fd00::e228:6dff:fec6:b89a 192.168.178.1
        DNS Domain: fritz.box

Link 4 (virbr0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.33
       DNS Servers: 192.168.3.33 192.168.3.133
        DNS Domain: vpn.domain.de
And yes, systemd-resolved is running, /etc/resolv.conf is a symlink.
What do you read out of these outputs?
Regards Tibor
On 20/05/2021 18:49, Anca, Tibor wrote:
Link 5 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.33
       DNS Servers: 192.168.3.33 192.168.3.133
        DNS Domain: vpn.domain.de
And yes, systemd-resolved is running, /etc/resolv.conf is a symlink.
What do you read out of these outputs?
How are you specifying the hostname you want to reach on the remote side?
If you are just using "Aname", then when the request is sent to 192.168.3.33 it will become a request for an A (or AAAA) record for "Aname.vpn.domain.de".
If the actual FQDN is different than that, you'd need to spell it out or add the additional "Search Domain" under the IPv4 tab in the openconnect configuration of NM.
You can always use the "host" command to test/try different combinations and direct the request only to that one DNS server.
host Aname 192.168.3.33 for example
Hi, On Wednesday, 19.05.2021 at 20:10 -0400, John Mellor wrote:
A good VPN does this on purpose - adding IP addresses to what is on the corporate network is a very bad thing from a security standpoint. If you can do that, your admin guys should probably block you. Yes, you like your local printer, but is it secure like the one at work? And how about the fileserver under your desk? Is it also regularly scanned and updated by your work? Adding IP addresses and spoofed hosts that were thought to be secure just makes a mockery of the corporate security. Just don't.
I work totally decentralized; in fact I have three offices, which are officially recognized by my employer as designated offices. Those network printers are located in these offices, so I would like to use the local network printers in my official offices.
Now, the VPN servers are located in a different city. There is only one service for which I need the VPN. I could disable the connection, of course, but that is annoying. I still suffer from previous experiences, when we only had the CheckPoint client ONLY FOR WINDOWS...
Concerning the fileserver under my desk: there is none. There is a LUKS partitioned disk ON my desk, used by rsync twice a day for backups.
Regards Tibor
Hi, On Thursday, 20.05.2021 at 19:14 +0800, Ed Greshko wrote:
How are you specifying the hostname you want to reach on the remote side?
If you are just using "Aname", then when the request is sent to 192.168.3.33 it will become a request for an A (or AAAA) record for "Aname.vpn.domain.de".
I must admit, I don't really get it...
If the actual FQDN is different than that, you'd need to spell it out or add the additional "Search Domain" under the IPv4 tab in the openconnect configuration of NM.
You can always use the "host" command to test/try different combinations and direct the request only to that one DNS server.
host Aname 192.168.3.33 for example
I added a few days ago in /etc/hosts a line:
ip.add.re.ss host.name.de
By doing this Firefox finds the target website, even if I only use the URL. Without this entry I must specify the IP of the website. The difference is: AnyConnect populates the nameservers, openconnect doesn't.
On Wednesday, 19.05.2021 at 21:24 -0400, Kevin Becker wrote:
Is the search domain that is added to resolv.conf the correct domain for your work that you are trying to access?
Yes, it is the same which is added by AnyConnect.
I have two domains at my workplace and only one of them gets pushed out by the VPN DHCP service, so in order to resolve anything in the other domain I have to add it myself. I use nm-connection-editor to modify the IPv4 settings for my VPN adapter to add both desired search domains. systemd-resolved has per-adapter DNS servers and will only query the VPN DNS servers for domains that are specified in the search domain for that adapter.
I already tried to make those modifications in the connection editor (DNS). However, as soon as I commented out the entry in /etc/hosts (ip url), those changes were useless. Still got from Firefox: Not found.
Regards Tibor
On 20/05/2021 19:27, Anca, Tibor wrote:
Hi, On Thursday, 20.05.2021 at 19:14 +0800, Ed Greshko wrote:
How are you specifying the hostname you want to reach on the remote side?
If you are just using "Aname", then when the request is sent to 192.168.3.33 it will become a request for an A (or AAAA) record for "Aname.vpn.domain.de".
I must admit, I don't really get it...
If the actual FQDN is different than that, you'd need to spell it out or add the additional "Search Domain" under the IPv4 tab in the openconnect configuration of NM.
You can always use the "host" command to test/try different combinations and direct the request only to that one DNS server.
host Aname 192.168.3.33 for example
I added a few days ago in /etc/hosts a line:
ip.add.re.ss host.name.de
By doing this Firefox finds the target website, even if I only use the URL. Without this entry I must specify the IP of the website. The difference is: AnyConnect populates the nameservers, openconnect doesn't.
Does
host host.name.de 192.168.3.33
return the IP address you expect?
On 20/05/2021 20:59, Anca, Tibor wrote:
On Thursday, 20.05.2021 at 19:33 +0800, Ed Greshko wrote:
Does
host host.name.de 192.168.3.33
return the IP address you expect?
Yes. But it also returns:
Host xyz not found: 3(NXDOMAIN)
One of my problems is I can't find a way to give sound advice when the actual information is obfuscated.
But, is the above with or without the /etc/hosts entry?
Hello, On Thursday, 20.05.2021 at 21:46 +0800, Ed Greshko wrote:
But, is the above with or without the /etc/hosts entry?
I just checked, it is with the added entry, with an established VPN connection.
On Thu, 2021-05-20 at 12:59 +0000, Anca, Tibor wrote:
On Thursday, 20.05.2021 at 19:33 +0800, Ed Greshko wrote:
Does
host host.name.de 192.168.3.33
return the IP address you expect?
Yes. But it also returns:
Host xyz not found: 3(NXDOMAIN)
Are you trying to use just the hostname without the fully qualified domain name?
systemd-resolved won't modify the nameservers listed in /etc/resolv.conf. It uses different name servers based on the interface. It won't query your VPN name servers if you only specify a hostname. It will only use your VPN name servers if you specify a domain name that matches the domain names of your VPN.
This article gives a good overview of how it works, including on vpns.
https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/
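To make the per-link routing that Ed and Kevin describe concrete, here is an added Python example (not code from the thread or from systemd) that parses a resolvectl listing and works out which link's DNS servers a given query name would be sent to. The routing rule it implements is my reading of systemd-resolved's documented behaviour and is an assumption, not something the thread verifies: a name is routed to the link whose DNS Domain is the longest matching suffix; a name that matches no domain goes to the links marked +DefaultRoute; a single-label name such as "Aname" is first expanded with each search domain (resolvectl marks routing-only domains with a leading "~", which this code also honours even though none appear in the thread). The resolvectl text is constructed, modelled on Tibor's "connected" output above; on a real box you would compare its verdict with resolvectl query or with host against one server.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample, modelled on the "connected" resolvectl output in the thread.
SAMPLE_RESOLVECTL = """\
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1
        DNS Domain: fritz.box

Link 4 (virbr0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.33
       DNS Servers: 192.168.3.33 192.168.3.133
        DNS Domain: vpn.domain.de
"""


@dataclass
class Link:
    name: str
    default_route: bool = False
    servers: List[str] = field(default_factory=list)
    domains: List[str] = field(default_factory=list)  # a "~" prefix marks routing-only


def parse_resolvectl(text: str) -> List[Link]:
    """Extract the per-link DNS settings from a `resolvectl` listing (assumed layout)."""
    links: List[Link] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Link \d+ \((\S+)\)", line)
        if m:
            current = Link(name=m.group(1))
            links.append(current)
            continue
        if current is None or ":" not in line:
            continue  # the Global block and blank lines carry no per-link data
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Protocols":
            current.default_route = "+DefaultRoute" in value.split()
        elif key == "DNS Servers":
            current.servers = value.split()
        elif key == "DNS Domain":
            current.domains = value.split()
    return links


def _match_labels(name: str, domain: str) -> int:
    """Labels matched if `domain` (ignoring a leading ~) is a suffix of `name`, else -1."""
    d = domain.lstrip("~").lower().rstrip(".")
    n = name.lower().rstrip(".")
    if n == d or n.endswith("." + d):
        return d.count(".") + 1
    return -1


def route_fqdn(name: str, links: List[Link]) -> List[Link]:
    """Links chosen for a multi-label name: longest domain match, else default-route links."""
    best: List[Link] = []
    best_len = -1
    for link in links:
        for dom in link.domains:
            n = _match_labels(name, dom)
            if n > best_len:
                best, best_len = [link], n
            elif n == best_len and n >= 0 and link not in best:
                best.append(link)
    if best:
        return best
    return [l for l in links if l.default_route and l.servers]


def route_query(name: str, links: List[Link]) -> List[Tuple[str, str, List[str]]]:
    """Return (queried name, link, servers) triples describing where the lookup goes."""
    if "." in name.rstrip("."):
        return [(name, l.name, l.servers) for l in route_fqdn(name, links)]
    # Single-label name: synthesize candidates from the search domains (non-"~" ones).
    search = [d for l in links for d in l.domains if not d.startswith("~")]
    results = []
    for dom in search:
        fqdn = f"{name}.{dom}"
        results += [(fqdn, l.name, l.servers) for l in route_fqdn(fqdn, links)]
    return results


if __name__ == "__main__":
    links = parse_resolvectl(SAMPLE_RESOLVECTL)
    for q in ("host.vpn.domain.de", "www.example.org", "Aname"):
        print(q, "->", route_query(q, links))
```

Run as-is it shows that host.vpn.domain.de goes to vpn0's servers, that a bare "Aname" is tried as Aname.fritz.box on enp2s0 and as Aname.vpn.domain.de on vpn0, and that an unrelated name never touches the VPN resolvers. That last point is the split-DNS property Kevin's link describes: a host whose real FQDN is not under the pushed DNS Domain is invisible unless that extra domain is added as a search domain on the VPN connection.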
On 20/05/2021 22:19, Anca, Tibor wrote:
Hello, On Thursday, 20.05.2021 at 21:46 +0800, Ed Greshko wrote:
But, is the above with or without the /etc/hosts entry?
I just checked, it is with the added entry, with an established VPN connection.
How about with the entry removed?