When I run openconnect (with the default vpnc script) it changes /etc/resolv.conf, and it really shouldn't do that. I am just using the VPN for a few specific hosts, not for a full Internet connection.
3 Answers
Use vpn-slice to set up a split tunnel connection wherein your DNS configuration is not modified, and only traffic to a few hosts or IP subnets is routed over the VPN.
It was created for this exact purpose:
> I am just using the VPN for a few specific host not for a full Internet connection.

Once you've installed vpn-slice, use it with OpenConnect as a replacement for the standard vpnc-script (you can remove the `-v --dump` after you've confirmed that it's working properly):

```sh
$ openconnect --script "vpn-slice -v --dump host.you.need.to.access some.other.host" \
    vpn-server.your.company.com
```

This will set the routing tables up so that only traffic to those two particular hosts is routed over the VPN, and will add entries for them to /etc/hosts. Docs have more details.
(I'm the author of vpn-slice, and one of the main contributors to OpenConnect.)
- Thanks for your contribution! This question predates vpn-slice by quite a few years but it's great such a tool is available now! – chx, May 1, 2020 at 22:23
- This is exactly what I was looking for, thank you! Also now my machine doesn't dump my ssh session when logged into the VPN either. – cherno, Jun 17, 2020 at 4:27
Create the following script /etc/vpnc/no_resolverupdate.sh:

```sh
#!/bin/sh
# Wrapper around vpnc-script: blank the DNS server list that OpenConnect
# passed in, so vpnc-script has nothing to write into /etc/resolv.conf.
export INTERNAL_IP4_DNS=
# Hand over to the distribution's real vpnc-script for everything else.
. /usr/share/vpnc-scripts/vpnc-script
```
Make it executable:

```sh
chmod +x /etc/vpnc/no_resolverupdate.sh
```

Then add a line to your connection configuration file (here /etc/vpnc/customer.conf):

```sh
echo 'Script /etc/vpnc/no_resolverupdate.sh' >> /etc/vpnc/customer.conf
```

Alternatively, you can use script hooks: create /etc/vpnc/connect.d/no_resolverupdate.sh with the contents

```sh
#!/bin/sh
export INTERNAL_IP4_DNS=
```

to have it applied for every connection.
- This deserves to be the preferred response because it gives a fix and not only an explanation. Commented Aug 22, 2018 at 20:44
- I would add two extra fixes I had to do in order to make this solution work in RedHat based (RHEL/CentOS/Fedora/Mageia) distributions: 1. the path of the vpnc-script at the end of the no_resolverupdate.sh has to be changed to /usr/sbin/vpnc-script 2. according to the manual pages for my openconnect version, the configuration line to execute the custom script had to be changed to "script=/etc/vpnc/no_resolvconf.sh" Commented Oct 14, 2018 at 16:49
- Just a note for the vpnc-script modification method. Openconnect will generate a dns configuration file under /etc/resolvconf/run/interface/, so if you find the DNS still changes after applying the hack, you might need to clean the configuration file here. The file name should be the name of the tunnel device. – hajimuz, Oct 23, 2019 at 10:40
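An added example, not code from this answer or from the vpnc/OpenConnect projects, that extends the wrapper approach above: it blanks every DNS variable vpnc-script reads, looks for vpnc-script on both the Debian path and the RHEL path named in the comments, and afterwards verifies that /etc/resolv.conf really was left unchanged. It assumes OpenConnect exports `$reason` to the script (it does, e.g. `connect`/`disconnect`) and that `cksum` and `logger` are installed.

```sh
#!/bin/sh
# Added example wrapper for /etc/vpnc/no_resolverupdate.sh (not from the answer above).
# Assumes OpenConnect exports $reason and that cksum/logger exist on the host.

# Print the first executable among the candidate paths given as arguments; the
# defaults are the Debian/Ubuntu and RHEL/Fedora locations mentioned in this thread.
find_vpnc_script() {
    if [ $# -eq 0 ]; then
        set -- /usr/share/vpnc-scripts/vpnc-script /usr/sbin/vpnc-script
    fi
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Blank every variable the modify_resolvconf_* functions consume; with
# INTERNAL_IP4_DNS empty, vpnc-script never calls $MODIFYRESOLVCONF at all.
strip_dns_env() {
    export INTERNAL_IP4_DNS= INTERNAL_IP6_DNS= CISCO_DEF_DOMAIN= CISCO_SPLIT_DNS=
}

# True when the environment still carries DNS settings vpnc-script would apply.
dns_env_present() {
    [ -n "$INTERNAL_IP4_DNS$INTERNAL_IP6_DNS$CISCO_DEF_DOMAIN" ]
}

# CRC and size of a resolver file (default /etc/resolv.conf); empty if it is missing.
resolv_fingerprint() {
    cksum "${1:-/etc/resolv.conf}" 2>/dev/null | cut -d' ' -f1,2
}

main() {
    before=$(resolv_fingerprint)
    strip_dns_env
    script=$(find_vpnc_script) || { echo "no vpnc-script found" >&2; exit 1; }
    # Subshell: the real vpnc-script ends with 'exit', which would otherwise
    # terminate this wrapper before the check below runs.
    ( . "$script" ) || echo "vpnc-script failed for reason=$reason" >&2
    after=$(resolv_fingerprint)
    if [ "$before" != "$after" ]; then
        logger -t no_resolverupdate "/etc/resolv.conf changed during reason=$reason"
    fi
}

# Run only when executed as the script itself, not when sourced.
case "$0" in *no_resolverupdate.sh) main "$@" ;; esac
```

Point OpenConnect at it with `--script /etc/vpnc/no_resolverupdate.sh`; a syslog line from `no_resolverupdate` then tells you the moment something else on the box still rewrote the resolver file.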
Does your vpnc-script look like this? If so, the code below is why it changes your /etc/resolv.conf:
```sh
if [ -x /sbin/resolvconf ]; then # Optional tool on Debian, Ubuntu, Gentoo
    MODIFYRESOLVCONF=modify_resolvconf_manager
    RESTORERESOLVCONF=restore_resolvconf_manager
elif [ -x /sbin/modify_resolvconf ]; then # Mandatory tool on Suse earlier than 11.1
    MODIFYRESOLVCONF=modify_resolvconf_suse
    RESTORERESOLVCONF=restore_resolvconf_suse
else # Generic for any OS
    MODIFYRESOLVCONF=modify_resolvconf_generic
    RESTORERESOLVCONF=restore_resolvconf_generic
fi

modify_resolvconf_manager() {
    NEW_RESOLVCONF=""
    for i in $INTERNAL_IP4_DNS; do
        NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver $i"
    done
    if [ -n "$CISCO_DEF_DOMAIN" ]; then
        NEW_RESOLVCONF="$NEW_RESOLVCONF
domain $CISCO_DEF_DOMAIN"
    fi
    echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
}
```
The 'dirty' way is to make the /etc/resolv.conf file immutable:

```sh
# chattr +i /etc/resolv.conf
```

The proper way is to edit your vpnc-script so that it doesn't change /etc/resolv.conf.
- OMG thank you so much for this answer. With chattr, I can now finally rely on no stupid program changing my DNS settings. I am so tired of fixing one program and then one month later finding yet another program that thinks it would be ok to change my DNS settings. – msrd0, Apr 8, 2023 at 20:10