#1 2016-02-26 14:48:58

cmtonkinson
Member
Registered: 2013-11-15
Posts: 18

OpenConnect and DNS

Been using OpenConnect for about six months now; haven't had any problems with it. There is a DNS server inside the VPN that I use to resolve internal names. /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf, and normally the content is:

# cat /run/systemd/resolve/resolv.conf 
# This file is managed by systemd-resolved(8). Do not edit.
#
# Third party programs must not access this file directly, but
# only through the symlink at /etc/resolv.conf. To manage
# resolv.conf(5) in a different way, replace the symlink by a
# static file or a different symlink.

nameserver 208.67.222.222
nameserver 208.67.220.220

After connecting to the VPN server, the file contents are changed to:

# cat /run/systemd/resolve/resolv.conf 
# Generated by resolvconf
nameserver w.x.y.z
nameserver 208.67.222.222
nameserver 208.67.220.220

where w.x.y.z is the IP of our private DNS server. The problem is that something changed a few days ago and I haven't figured out what. Now, after having been connected to the VPN for a while, /run/systemd/resolve/resolv.conf reverts back to its pre-connection state and lookups are no longer routed to the internal DNS server. The VPN connection is still open, existing connections are not interrupted; this seems to be the only change.

I haven't been able to nail down the exact interval (or window) of this failure, but I'm looking for some help as to how I can diagnose it. openconnect is at 1:7.06-2 (installed 2015-07-19) and networkmanager-openconnect is at 1.0.8-1 (updated from 1.0.2-2 on 2015-11-24).

I've asked the netadmin and he's said there haven't been any changes to the server recently.

Any ideas on where I can look next? Are there logs I can examine/enable to help figure out what's going on?

Last edited by cmtonkinson (2016-03-17 13:48:53)

Offline

#2 2016-03-17 13:27:22

shoobs
Member
Registered: 2016-03-17
Posts: 3

Re: OpenConnect and DNS

I'm having exactly the same issue, but I've manually set my DNS servers to Google's public servers in my VPN settings in NetworkManager.

It works for a while after connecting to the VPN, but after some time Google's public DNS servers are dropped from my resolv.conf.

Offline

#3 2016-03-17 14:24:45

cmtonkinson
Member
Registered: 2013-11-15
Posts: 18

Re: OpenConnect and DNS

I'm currently testing the timing of this using:

echo /etc/resolv.conf | entr date +"%Y-%m-%d %H:%M:%S"

Meanwhile, @shoobs do you have your VPN configured through the NetworkManager GUI or what? I've been running

sudo openconnect ...

from the CLI.

Last edited by cmtonkinson (2016-03-17 14:25:07)

Offline

#4 2016-03-17 15:34:17

elkoraco
Member
Registered: 2013-02-18
Posts: 140

Re: OpenConnect and DNS

The normal contents of your resolv.conf file indicate that it is generated by systemd-resolved. When they are changed, it says they are created by resolvconf, which is a resolver program used by other programs to write to the file. I would guess that something is running resolvconf for the third time, which is when you're getting these problems. Dunno what your setup is, though, but I would hazard a guess that disabling systemd-resolved might be of some help, since you obviously need the resolvconf generated file for VPN stuff. Is NetworkManager using dhclient or dhcpcd?

Offline
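
The header comment that identifies the last writer of resolv.conf can be logged over time together with the nameserver list, which shows when the file changes hands and whether the VPN resolver is still listed. This is an added example, not part of any post in the thread; the function names are hypothetical, and the two header strings are the ones quoted in post #1.

```shell
#!/bin/sh
# Added example: report which program last wrote resolv.conf and what it lists.

# Writer named in the header comment (the two headers quoted in post #1).
resolv_writer() {
    if grep -q '^# This file is managed by systemd-resolved' "$1" 2>/dev/null; then
        echo systemd-resolved
    elif grep -q '^# Generated by resolvconf' "$1" 2>/dev/null; then
        echo resolvconf
    else
        echo unknown
    fi
}

# Nameserver addresses in file order, space separated.
resolv_nameservers() {
    awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1" 2>/dev/null
}

# One-line summary: writer=<name> dns=<addresses>
resolv_snapshot() {
    echo "writer=$(resolv_writer "$1") dns=$(resolv_nameservers "$1")"
}

# Succeeds if address $2 is listed as a nameserver in file $1.
vpn_dns_present() {
    awk -v want="$2" '$1 == "nameserver" && $2 == want { f = 1 } END { exit !f }' "$1" 2>/dev/null
}

# Poll (through the /etc/resolv.conf symlink) and print a timestamped line on
# every change. Usage: watch_resolv [file] [seconds] [expected VPN resolver]
watch_resolv() {
    file=${1:-/etc/resolv.conf}; interval=${2:-5}; expect=${3:-}; last=
    while :; do
        now=$(resolv_snapshot "$file")
        if [ -n "$expect" ] && ! vpn_dns_present "$file" "$expect"; then
            now="$now vpn_dns=MISSING"
        fi
        if [ "$now" != "$last" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') $now"
            last=$now
        fi
        sleep "$interval"
    done
}
```

Source the file and run `watch_resolv /etc/resolv.conf 5 w.x.y.z` with the private resolver's address in place of w.x.y.z; the timestamps can then be matched against the NetworkManager and dhclient entries in the journal.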

#5 2016-03-17 23:59:00

shoobs
Member
Registered: 2016-03-17
Posts: 3

Re: OpenConnect and DNS

@cmtonkinson, yeah, I'm using OpenVPN, not OpenConnect. I have it configured through the NetworkManager GUI.

Interesting that there are two different bits of software poking at the resolv.conf. I wonder if the failure happens at a DHCP renewal or something?

Anyway, NetworkManager is using dhclient. dhcpcd seems to be disabled:

   CGroup: /system.slice/NetworkManager.service
           ├─ 1144 /usr/bin/NetworkManager --no-daemon
           ├─ 1248 /usr/bin/dhclient -d -q -sf /usr/lib/networkmanager/nm-dhcp-helper -pf /var/run/dhclient-enp6s0.pid -lf /var/lib/NetworkManager/dhclient-a10dfec0-723c-4363-bb56-1cbcb6521270-enp6s0.lease
           ├─28243 /usr/lib/networkmanager/nm-openvpn-service
           └─28248 /usr/sbin/openvpn --remote katarina.shoobs.net 443 udp --comp-lzo --nobind --dev tun --auth-nocache --reneg-sec 0 --syslog nm-openvpn --script-security 2 --up /usr/lib/networkmanager/nm-
● dhcpcd.service - dhcpcd on all interfaces
   Loaded: loaded (/usr/lib/systemd/system/dhcpcd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
● dhcpcd@enp6s0.service - dhcpcd on enp6s0
   Loaded: loaded (/usr/lib/systemd/system/dhcpcd@.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

This is what I get when NetworkManager connects to my VPN:

Mar 18 07:45:52 xxxx NetworkManager[1144]: <info>  Policy set 'tun0' (tun0) as default for IPv4 routing and DNS.
Mar 18 07:45:52 xxxx NetworkManager[1144]: <info>  Writing DNS information to /usr/bin/resolvconf
Mar 18 07:45:52 xxxx NetworkManager[1144]: <info>  (tun0): Activation: successful, device activated.

Offline
