When I run openconnect (with the default vpnc script) it changes /etc/resolv.conf and it really shouldn't do that. I am just using the VPN for a few specific hosts, not for a full Internet connection.

3 Answers


Use vpn-slice to set up a split tunnel connection wherein your DNS configuration is not modified, and only traffic to a few hosts or IP subnets is routed over the VPN.

It was created for this exact purpose:

I am just using the VPN for a few specific hosts, not for a full Internet connection.

Once you've installed vpn-slice, use it with OpenConnect as a replacement for the standard vpnc-script (you can remove the -v --dump after you've confirmed that it's working properly):

$ openconnect --script "vpn-slice -v --dump host.you.need.to.access some.other.host" \

This will set the routing tables up so that only traffic to those two particular hosts is routed over the VPN, and will add entries for them to /etc/hosts. Docs have more details.

(I'm the author of vpn-slice, and one of the main contributors to OpenConnect.)

  • 2
    Thanks for your contribution! This question predates vpn-slice by quite a few years but it's great such a tool is available now!
    – chx
    Commented May 1, 2020 at 22:23
  • 2
    This is exactly what I was looking for, thank you! Also now my machine doesn't dump my ssh session when logged into the VPN either.
    – cherno
    Commented Jun 17, 2020 at 4:27
  • 1
    Very handy solution! Commented Aug 7, 2020 at 10:22

Create the following script /etc/vpnc/no_resolverupdate.sh:

#!/bin/sh
# Drop the DNS servers pushed by the VPN; with INTERNAL_IP4_DNS empty the
# stock vpnc-script leaves the resolver configuration alone
unset INTERNAL_IP4_DNS
. /usr/share/vpnc-scripts/vpnc-script

Make it executable:

chmod +x /etc/vpnc/no_resolverupdate.sh

Then add a line to your connection configuration file (here /etc/vpnc/customer.conf)

echo 'Script /etc/vpnc/no_resolverupdate.sh' >> /etc/vpnc/customer.conf

Alternatively, you can use script hooks: create /etc/vpnc/connect.d/no_resolverupdate.sh with the contents

# Sourced by vpnc-script on connect, before it touches DNS
unset INTERNAL_IP4_DNS

to be applied for every connection.

  • This deserves to be the preferred response because it gives a fix and not only an explanation. Commented Aug 22, 2018 at 20:44
  • 1
    I would add two extra fixes I had to do in order to make this solution work in RedHat based (RHEL/CentOS/Fedora/Mageia) distributions: 1. the path of the vpnc-script at the end of the no_resolverupdate.sh has to be changed to /usr/sbin/vpnc-script 2. according to the manual pages for my openconnect version, the configuration line to execute the custom script had to be changed to "script=/etc/vpnc/no_resolvconf.sh" Commented Oct 14, 2018 at 16:49
  • Just a note for the vpnc-script modification method. Openconnect will generate a dns configuration file under /etc/resolvconf/run/interface/, so if you find the DNS still changes after applying the hack, you might need to clean the configuration file here. The file name should be the name of the tunnel device.
    – hajimuz
    Commented Oct 23, 2019 at 10:40

Does your vpnc-script look like this? If so, the code below is why it changes your /etc/resolv.conf:

if [ -x /sbin/resolvconf ]; then # Optional tool on Debian, Ubuntu, Gentoo
    modify_resolvconf_manager() {
        NEW_RESOLVCONF="" # fragment built from the DNS servers the VPN pushed
        for i in $INTERNAL_IP4_DNS; do
            NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver $i"
        done
        if [ -n "$CISCO_DEF_DOMAIN" ]; then
            NEW_RESOLVCONF="$NEW_RESOLVCONF
search $CISCO_DEF_DOMAIN"
        fi
        echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
    }
elif [ -x /sbin/modify_resolvconf ]; then # Mandatory tool on Suse earlier than 11.1
    : # Suse-specific helpers are defined here
else # Generic for any OS
    : # helpers that rewrite /etc/resolv.conf directly are defined here
fi

The 'dirty' way is to make the /etc/resolv.conf file immutable:

# chattr +i /etc/resolv.conf

The proper way is to edit your vpnc-script so that it doesn't change /etc/resolv.conf.

  • OMG thank you so much for this answer. With chattr, I can now finally rely on no stupid program changing my DNS settings. I am so tired of fixing one program and then one month later finding yet another program that thinks it would be ok to change my DNS settings.
    – msrd0
    Commented Apr 8, 2023 at 20:10
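The mechanism behind the wrapper-script answer above and the vpnc-script excerpt in this answer, shown as an added example that is not code from any of the answers or from the vpnc-scripts project: the DNS servers openconnect hands to vpnc-script arrive in INTERNAL_IP4_DNS, and vpnc-script only rewrites the resolver configuration when that variable is non-empty, so a wrapper that unsets it before sourcing the real script leaves resolv.conf alone. To run offline without root or a VPN, the script constructs a stand-in for /usr/share/vpnc-scripts/vpnc-script in a temp directory and uses a temp file (named by the assumed RESOLV_FILE variable) in place of /etc/resolv.conf; the 192.0.2.1 and 10.0.0.53 addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the answers or from vpnc-scripts). Shows that a
# wrapper which unsets INTERNAL_IP4_DNS before sourcing vpnc-script leaves
# the resolver file untouched, while running vpnc-script directly (what
# openconnect does by default) rewrites it. Everything runs in a temp dir:
# a stand-in for /usr/share/vpnc-scripts/vpnc-script and a file named by
# RESOLV_FILE standing in for /etc/resolv.conf, so no root and no VPN.

# Stand-in for the DNS handling in vpnc-script. As in the real script,
# nothing happens unless INTERNAL_IP4_DNS (exported by openconnect) is set.
write_fake_vpnc_script() {
    cat > "$1" <<'EOF'
if [ -n "$INTERNAL_IP4_DNS" ]; then
    : > "$RESOLV_FILE"
    for i in $INTERNAL_IP4_DNS; do
        echo "nameserver $i" >> "$RESOLV_FILE"
    done
fi
EOF
}

# Wrapper in the shape of /etc/vpnc/no_resolverupdate.sh: drop the pushed
# DNS list, then hand over to vpnc-script ($2 is its path, so the demo is
# relocatable; the real wrapper hard-codes the distribution's path).
write_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
unset INTERNAL_IP4_DNS
. "$2"
EOF
}

# run_scenario direct|wrapper: run the stand-in vpnc-script as openconnect
# would, with constructed values for the variables it exports, and print
# the resulting resolver file.
run_scenario() {
    mode=$1
    work=$(mktemp -d)
    write_fake_vpnc_script "$work/vpnc-script"
    write_wrapper "$work/no_resolverupdate.sh" "$work/vpnc-script"
    # Constructed "before" resolver content (documentation-range address).
    echo "nameserver 192.0.2.1" > "$work/resolv.conf"
    if [ "$mode" = wrapper ]; then
        script=$work/no_resolverupdate.sh
    else
        script=$work/vpnc-script
    fi
    # Constructed stand-ins for what openconnect exports to the script.
    env RESOLV_FILE="$work/resolv.conf" INTERNAL_IP4_DNS="10.0.0.53" \
        TUNDEV=tun0 reason=connect sh "$script"
    cat "$work/resolv.conf"
    rm -rf "$work"
}

echo "direct vpnc-script: $(run_scenario direct)"   # nameserver 10.0.0.53
echo "via wrapper:        $(run_scenario wrapper)"  # nameserver 192.0.2.1
```

The same two runs are a quick regression check on a real machine after installing the wrapper: take a copy of /etc/resolv.conf before connecting and diff it afterwards; if it still changes, hajimuz's comment above about the per-interface file under /etc/resolvconf/run/interface/ is the next place to look.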
