I am using Network Manager and the Gnome OpenConnect Network Manager to connect to a corporate VPN.
I have successfully configured and connected to the VPN.
However, by default the VPN is configured as a default gateway - so all my network traffic is routed through the VPN - when I only require it to provide certain private network resources. I would like to configure the VPN to only provide private network resources and not global internet traffic.
After connecting to the VPN, my resolvectl configuration looks like this:
$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: <various>

Link 2 (eno1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 4 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.2.3.4
       DNS Servers: 1.2.3.4 5.6.7.8
        DNS Domain: example.com
What I have tried:
In the NetworkManager Gnome GUI - check "Use this connection only for resources on its network" on the IPv4 and IPv6 tabs. After reconnecting to the VPN, the network config looks like:
$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (eno1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 fd8b:e6ab:9552::1
        DNS Domain: lan

Link 4 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.2.3.4
       DNS Servers: 1.2.3.4 5.6.7.8
        DNS Domain: example.com
However, now I have the opposite problem - default internet traffic is routed through my default router as I wanted, but I can no longer access resources behind the VPN (on 'example.com'). It seems that I get either "all or nothing". Why can I not access resources on "example.com" when, according to the resolvectl output, queries on that domain should be routed to the correct DNS servers?
Any help appreciated.
Last edited by planetmarshall (2023-11-14 13:21:36)
Offline
The systemd-resolved configuration looks O.K. - please verify that the name resolution works as expected:
drill somehost.example.com
If it does, please post the output of
ip a
ip route
Offline
The systemd-resolved configuration looks O.K. - please verify that the name resolution works as expected:
drill somehost.example.com
Yes it does - so DNS is fine but I am unable to actually reach those resources. I managed to get a bit further by manually adding the resolved IPs with
nmcli connection modify MyVpn +ipv4.routes "<Corporate IP Address>"
but unsure if that's the best way of achieving what I want.
Offline
Depending on the VPN itself the routes may be supplied by the VPN endpoint (if a split tunnel is supported) or have to be entered locally.
A tunnel mode VPN may have a completely different address scheme for the tunnel network itself and your IP stack needs to know how to reach the corporate addresses behind the tunnel endpoint.
Offline
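The gap the last two replies describe (DNS resolves the corporate host fine, but no route carries its address over vpn0, so the packet leaves via the default gateway) can be checked mechanically before reaching for nmcli. This is an added example, not code from the thread: it parses `ip route` output and applies the kernel's longest-prefix match; the route tables, the 10.20.0.0/16 corporate prefix, the 172.16.5.0/24 tunnel subnet and the 10.20.30.40 host are constructed assumptions, and MyVpn is the connection name used earlier in the thread.

```python
import ipaddress

# Constructed sample `ip route` output (not from the thread): the VPN is no longer
# the default gateway, and the only route through vpn0 is the tunnel's own /24.
ROUTES_BEFORE = """\
default via 192.168.1.1 dev eno1 proto dhcp metric 100
172.16.5.0/24 dev vpn0 proto kernel scope link src 172.16.5.7
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.20 metric 100
"""

# The same table after `nmcli connection modify MyVpn +ipv4.routes "10.20.0.0/16"`
# (assumed corporate prefix) and a reconnect.
ROUTES_AFTER = ROUTES_BEFORE + "10.20.0.0/16 dev vpn0 proto static scope link metric 50\n"


def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def egress_device(ip, routes):
    """Longest-prefix match: the route the kernel would pick for this destination."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def check_split_tunnel(resolved_ip, vpn_dev, route_text, corp_prefix):
    """Return (device the address leaves on, nmcli fix or None).
    A fix is suggested only when a DNS-resolved corporate address would not
    go through the VPN interface, i.e. the split tunnel is missing a route."""
    dev = egress_device(resolved_ip, parse_routes(route_text))
    if dev == vpn_dev:
        return dev, None
    return dev, f'nmcli connection modify MyVpn +ipv4.routes "{corp_prefix}"'


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        dev, fix = check_split_tunnel("10.20.30.40", "vpn0", table, "10.20.0.0/16")
        print(f"{label}: 10.20.30.40 leaves via {dev}" + (f"; fix: {fix}" if fix else ""))
```

Feed it your own `ip route` text and the address `drill` returned for the corporate host; if the reported device is not vpn0, the VPN endpoint did not push a route for that network and it has to be added locally, as the last reply notes.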