How can I stop openconnect from changing /etc/resolv.conf?
772
When I run openconnect (with the default vpnc script) it changes /etc/resolv.conf and it really shouldn't do that. I am just using the VPN for a few specific host not for a full Internet connection.
Does vpnc-script look like this? If so, the belows code is why it changes your /etc/resolv.conf:
if [ -x /sbin/resolvconf ]; then # Optional tool on Debian, Ubuntu, Gentoo
MODIFYRESOLVCONF=modify_resolvconf_manager
RESTORERESOLVCONF=restore_resolvconf_manager
elif [ -x /sbin/modify_resolvconf ]; then # Mandatory tool on Suse earlier than 11.1
MODIFYRESOLVCONF=modify_resolvconf_suse
RESTORERESOLVCONF=restore_resolvconf_suse
else # Generic for any OS
MODIFYRESOLVCONF=modify_resolvconf_generic
RESTORERESOLVCONF=restore_resolvconf_generic
fi
modify_resolvconf_manager() {
NEW_RESOLVCONF=""
for i in $INTERNAL_IP4_DNS; do
NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver $i"
done
if [ -n "$CISCO_DEF_DOMAIN" ]; then
NEW_RESOLVCONF="$NEW_RESOLVCONF
domain $CISCO_DEF_DOMAIN"
fi
echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
}
The 'dirty' way is make the /etc/resolv.conf file immutable:
# chattr +i /etc/resolv.conf
The proper way is edit your vpnc-script to make it shouldn't change the /etc/resolv.conf.
Use vpn-slice to set up a split tunnel connection wherein your DNS configuration is not modified, and only traffic to a few hosts or IP subnets is routed over the VPN.
It was created for this exact purpose:
I am just using the VPN for a few specific host not for a full Internet connection.
Once you've installed vpn-slice, use it with OpenConnect as a replacement for the standard vpnc-script (you can remove the -v --dump after you've confirmed that it's working properly):
This will set the routing tables up so that only traffic to those two particular hosts are routed over the VPN, and will add entries for them to /etc/hosts. Docs have more details.
(I'm the author of vpn-slice, and one of the main contributors to OpenConnect.)
Create the following script /etc/vpnc/no_resolverupdate.sh
Make it executable:
Then add a line to your connection configuration file (here /etc/vpnc/customer.conf)
Alternatively, you can use script hooks, create /etc/vpnc/connect.d/no_resolverupdate.sh with contents
To be applied for every connection.
Does vpnc-script look like this? If so, the belows code is why it changes your
/etc/resolv.conf
:The 'dirty' way is make the
/etc/resolv.conf
file immutable:The proper way is edit your vpnc-script to make it shouldn't change the
/etc/resolv.conf
.Use vpn-slice to set up a split tunnel connection wherein your DNS configuration is not modified, and only traffic to a few hosts or IP subnets is routed over the VPN.
It was created for this exact purpose:
Once you've installed vpn-slice, use it with OpenConnect as a replacement for the standard vpnc-script (you can remove the
-v --dump
after you've confirmed that it's working properly):This will set the routing tables up so that only traffic to those two particular hosts are routed over the VPN, and will add entries for them to
/etc/hosts
. Docs have more details.(I'm the author of vpn-slice, and one of the main contributors to OpenConnect.)