
#1 2023-11-09 17:43:27

planetmarshall
Member
Registered: 2023-09-07
Posts: 11

[SOLVED] Configuring split DNS using Network Manager and OpenConnect

I am using Network Manager and the Gnome OpenConnect Network Manager to connect to a corporate VPN.

I have successfully configured and connected to the VPN.

However, by default the VPN is configured as a default gateway - so all my network traffic is routed through the VPN - when I only require it to provide certain private network resources. I would like to configure the VPN to only provide private network resources and not global internet traffic.

After connecting to the VPN, my resolvectl configuration looks like this:

$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: <various>
Link 2 (eno1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 4 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.2.3.4
       DNS Servers: 1.2.3.4 5.6.7.8
        DNS Domain: example.com

What I have tried:

In the NetworkManager Gnome GUI, I checked "Use this connection only for resources on its network" on the IPv4 and IPv6 tabs. After reconnecting to the VPN, the network config looks like:

$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (eno1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 fd8b:e6ab:9552::1
        DNS Domain: lan

Link 4 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.2.3.4
       DNS Servers: 1.2.3.4 5.6.7.8
        DNS Domain: example.com

However, now I have the opposite problem - default internet traffic is routed through my default router as I wanted, but I can no longer access resources behind the VPN (on 'example.com'). It seems that I get either "all or nothing". Why can I not access resources on "example.com" when, according to the resolvectl output, queries on that domain should be routed to the correct DNS servers?

Any help appreciated.

Last edited by planetmarshall (2023-11-14 13:21:36)

Offline
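An added illustration of the DNS side of the question (this is example code, not part of the thread or of systemd): a POSIX shell function that reads `resolvectl` output and reports which link systemd-resolved would hand a query to. It applies resolved's rule that the link whose routing domain is the longest suffix of the name wins, and that names with no matching domain go to the link(s) marked `+DefaultRoute`. The two inputs are trimmed copies of the outputs posted above; `somehost.example.com` is the name from reply #2 and `www.archlinux.org` is a constructed, non-corporate name.

```shell
#!/bin/sh
# Added example (not from the thread): which link does systemd-resolved send a
# query to? The link whose routing domain is the longest suffix of the name wins;
# if no domain matches, the query goes to the link(s) marked +DefaultRoute.
# So flipping vpn0 to -DefaultRoute keeps example.com names on the VPN resolvers
# and sends everything else to the LAN resolver: that is why `drill` still works.
# Reads `resolvectl` text on stdin and prints "link: reason".
dns_link_for() {
    awk -v name="$1" '
        /^Link [0-9]+ [(]/ { link = $3; gsub(/[()]/, "", link); next }
        link == "" { next }                              # skip the Global stanza
        /Protocols:/ && /[+]DefaultRoute/ { defroute[link] = 1 }
        /DNS Domain:/ {
            sub(/.*DNS Domain: */, "")
            n = split($0, ds, " ")
            for (i = 1; i <= n; i++) {
                d = ds[i]; sub(/^~/, "", d)               # "~" marks a routing-only domain
                domain[link SUBSEP d] = 1
            }
        }
        END {
            best = ""; bestdom = ""
            for (k in domain) {
                split(k, p, SUBSEP); l = p[1]; d = p[2]
                if ((name == d || substr(name, length(name) - length(d)) == "." d) &&
                    length(d) > length(bestdom)) { best = l; bestdom = d }
            }
            if (best != "") { print best ": routing domain " bestdom; exit }
            for (l in defroute) { print l ": DefaultRoute"; exit }   # resolved may query several
            print "none: no routing domain matches and no link has +DefaultRoute"
        }'
}

# Trimmed copies of the two `resolvectl` outputs from post #1: before and after
# "Use this connection only for resources on its network" was enabled.
RESOLVED_FULL_TUNNEL='Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 2 (eno1)
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.1.1
        DNS Domain: lan
Link 4 (vpn0)
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 1.2.3.4 5.6.7.8
        DNS Domain: example.com'
RESOLVED_SPLIT='Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 2 (eno1)
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.1.1 fd8b:e6ab:9552::1
        DNS Domain: lan
Link 4 (vpn0)
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 1.2.3.4 5.6.7.8
        DNS Domain: example.com'

# Demo: somehost.example.com is the name from reply #2; www.archlinux.org is a
# constructed non-corporate name.
for n in somehost.example.com www.archlinux.org; do
    printf 'full tunnel  %-22s -> ' "$n"; printf '%s\n' "$RESOLVED_FULL_TUNNEL" | dns_link_for "$n"
    printf 'split        %-22s -> ' "$n"; printf '%s\n' "$RESOLVED_SPLIT"       | dns_link_for "$n"
done
```

The full-tunnel output sends `www.archlinux.org` to the VPN resolvers, so every query the machine makes is visible to the corporate DNS; the split output keeps only `example.com` there. On a live system, `resolvectl query somehost.example.com` prints the link that actually answered, which is the quickest way to confirm the same thing.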

#2 2023-11-09 17:56:08

-thc
Member
Registered: 2017-03-15
Posts: 502

Re: [SOLVED] Configuring split DNS using Network Manager and OpenConnect

The systemd-resolved configuration looks O.K. - please verify that the name resolution works as expected:

drill somehost.example.com

If it does, please post the output of

ip a
ip route

Offline

#3 2023-11-09 18:03:25

planetmarshall
Member
Registered: 2023-09-07
Posts: 11

Re: [SOLVED] Configuring split DNS using Network Manager and OpenConnect

-thc wrote:

The systemd-resolved configuration looks O.K. - please verify that the name resolution works as expected:

drill somehost.example.com

Yes it does - so DNS is fine but I am unable to actually reach those resources. I managed to get a bit further by manually adding the resolved IPs with

nmcli connection modify MyVpn +ipv4.routes "<Corporate IP Address>"

but unsure if that's the best way of achieving what I want.

Offline

#4 2023-11-09 18:12:17

-thc
Member
Registered: 2017-03-15
Posts: 502

Re: [SOLVED] Configuring split DNS using Network Manager and OpenConnect

Depending on the VPN itself, the routes may be supplied by the VPN endpoint (if a split tunnel is supported) or have to be entered locally.

A tunnel mode VPN may have a completely different address scheme for the tunnel network itself and your IP stack needs to know how to reach the corporate addresses behind the tunnel endpoint.

Offline
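An added example for the routing side discussed in #3 and #4 (example code, not from the thread or from -thc): once the GUI checkbox (`ipv4.never-default yes` in nmcli terms) takes the default route away from the tunnel, a corporate address is only reachable if some route covers it, whether pushed by the VPN endpoint or added locally. The script reproduces the kernel's longest-prefix lookup over captured `ip route` text so the symptom can be shown offline; the route tables, the 10.8.0.0/24 tunnel network, the 10.0.0.0/8 corporate prefix and the host 10.20.30.40 are all constructed, and `MyVpn` is the connection name from #3.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "DNS works but the host is
# unreachable" diagnosis from #3/#4 offline. After "Use this connection only for
# resources on its network" (nmcli: ipv4.never-default yes) the tunnel no longer
# owns the default route, so every corporate prefix needs an explicit route:
# pushed by the VPN endpoint, or added locally with
#   nmcli connection modify MyVpn +ipv4.routes "<prefix>"
# The functions are pure text processing over `ip route` output (IPv4 only), so
# they run on the constructed tables below; on a live system `ip route get <addr>`
# gives the kernel's own answer in one command.

# Dotted-quad IPv4 address -> integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside prefix $2 (e.g. 10.0.0.0/8; a bare address is /32).
ip_in_cidr() {
    local net="${2%/*}" bits="${2#*/}" mask
    [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : ((1 << bits) - 1) << (32 - bits) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Longest-prefix match over `ip route` text on stdin: print the device that would
# carry a packet to $1. "default" is treated as 0.0.0.0/0.
route_dev() {
    local dst="$1" best_bits=-1 best_dev="" prefix rest dev bits
    while read -r prefix rest; do
        [ -z "$prefix" ] && continue
        [ "$prefix" = default ] && prefix=0.0.0.0/0
        case "$prefix" in */*) ;; *) prefix="$prefix/32" ;; esac
        dev=$(printf '%s\n' "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
        bits="${prefix#*/}"
        if ip_in_cidr "$dst" "$prefix" && [ "$bits" -gt "$best_bits" ]; then
            best_bits=$bits
            best_dev=$dev
        fi
    done
    printf '%s\n' "$best_dev"
}

# Verdict for one resolved corporate address ($1) against the tunnel device
# ($2, default vpn0), reading `ip route` output from stdin.
explain_reachability() {
    local dev tun="${2:-vpn0}"
    dev=$(route_dev "$1")
    if [ "$dev" = "$tun" ]; then
        echo "ok: $1 is routed through $tun"
    else
        echo "unreachable through $tun: $1 would leave via ${dev:-no route};" \
             "add the covering prefix, e.g. nmcli connection modify MyVpn +ipv4.routes \"10.0.0.0/8\""
    fi
}

# Constructed sample `ip route` tables: before and after a corporate route exists.
ROUTES_BEFORE='default via 192.168.1.1 dev eno1 proto dhcp metric 100
10.8.0.0/24 dev vpn0 proto kernel scope link src 10.8.0.5 metric 50
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.10 metric 100'
ROUTES_AFTER="$ROUTES_BEFORE
10.0.0.0/8 via 10.8.0.1 dev vpn0 proto static metric 50"

# Demo: 10.20.30.40 stands for the address `drill somehost.example.com` returned.
printf '%s\n' "$ROUTES_BEFORE" | explain_reachability 10.20.30.40
printf '%s\n' "$ROUTES_AFTER"  | explain_reachability 10.20.30.40
```

The first table is the state from #3: the VPN resolvers answer the name, but the only route that matches the answer is `default` via eno1, so the packets never enter the tunnel. Adding the corporate prefix to the connection (which OpenConnect does automatically when the endpoint sends split-include routes) is what makes the second table, and with it the resource, reachable without sending all other traffic through the VPN.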
