GlobalProtect-openconnect

resolv.conf no longer being updated

Open TallGuy74 opened this issue 4 years ago • 11 comments

I had my setup working great for a couple of months, and today my resolv.conf stopped updating.

Any idea how to fix or debug this?

TallGuy74 avatar Apr 22 '21 13:04 TallGuy74

I have the same problem, though for me it was after I switched to Artix Linux (used Manjaro before - worked perfectly there). I suspect it is because maybe this project does not support the Artix NetworkManager, but I am unsure. All else works except that resolv.conf is not updated.

amajauskas avatar May 28 '21 03:05 amajauskas

I confirm that on Fedora 34 updating the /etc/resolv.conf also does not work.

janvlug avatar Aug 13 '21 08:08 janvlug

I managed to make this app work on Ubuntu 21.04 in a VM. Now I'm trying on Pop!_OS and though it connects, there seems to be an issue with DNS configuration. I'm relatively new to openconnect -- does it communicate with systemd-resolved?

tunix avatar Sep 03 '21 15:09 tunix

Hi @tunix, could you please provide the log files? They are located at $HOME/.cache/GlobalProtect-openconnect/gpclient.log.

yuezk avatar Sep 05 '21 23:09 yuezk

Hi @yuezk,

Let me share my latest findings. I'll share the logs if you still need them after this comment. Looks like openconnect triggers vpnc-scripts after a connection is established. Those scripts seem to check /etc/nsswitch.conf to see how the system manages the DNS. That line lacked resolve in both Pop!_OS and Ubuntu. However, Pop!_OS has /sbin/resolvconf while Ubuntu doesn't. Somehow the Ubuntu VM manages DNS as expected but not Pop!_OS. So I added resolve into the hosts line of /etc/nsswitch.conf and now the DNS resolution works as expected.

tunix avatar Sep 06 '21 06:09 tunix

For me, it doesn't work. I use globalprotect-openconnect 1.3.0-1ppa1 with openconnect 8.05-1 on Ubuntu 20.04. This is what the configuration files look like after connecting to the VPN:

# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 1.1.1.1
nameserver 8.8.8.8

and

# grep hosts /etc/nsswitch.conf 
hosts:          files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns mymachines

Thank you!

scretu avatar Sep 15 '21 08:09 scretu

I've fixed it by installing resolvconf:

apt install resolvconf

scretu avatar Sep 15 '21 11:09 scretu

Just a note that the nsswitch.conf workaround may not work on recent systemd (from around 249), as the vpnc-script tries to run systemd-resolve --status, in addition to checking nsswitch.conf, but that command has been removed from systemd (I think in favor of resolvectl).

marcusb avatar Nov 17 '21 22:11 marcusb

I was having the same problem with POP-OS 20, and the solution for me was to change the resolv.conf symlink to /run/resolvconf/resolv.conf. Before, the symlink was to ../run/systemd/resolve/stub-resolv.conf.

vasconcelosvcd avatar Jan 07 '22 00:01 vasconcelosvcd

I can confirm that systemd-resolved breaks GlobalProtect-openconnect DNS resolution on Fedora 35. Resolvers were not honored, or were only honored temporarily (resolution for a certain internal domain would just fail after a few minutes and require full restarts of GP and NM). Worse, systemd-resolved didn't update /etc/resolv.conf, so anything that wasn't specifically aware of systemd-resolved's part of nsswitch was seeing a different view of name resolution. A warning against systemd-resolved usage should probably be in the official docs unless a fix is available.

tidux avatar Feb 17 '22 00:02 tidux

As @tidux has said, systemd-resolved doesn't work properly. I have done some testing and written a post script with "resolvectl" commands that I call with the --script option in gp.conf. Even using a script, it doesn't work properly. I have set the search domain, which for some reason causes openconnect to not configure the DNS server on the interface. If I set up both in the script, the "current scope" for the tun interface listed with resolvectl goes to "none" and you can't resolve anything over the interface. If I don't use the script at all, the DNS servers get set on the interface, but no scope is set, so basically it never gets used for resolution. Not sure how to continue from here.

Edit: FYI, this is with Fedora 35 as well.

zeropoint46 avatar Jun 29 '22 18:06 zeropoint46
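
A read-only check of the pieces this thread keeps coming back to (the /etc/resolv.conf symlink target, the hosts line in /etc/nsswitch.conf, and which resolver helpers are installed). It is added here as an example and is not taken from any commenter or from the project; the function names and the ROOT argument are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): read-only report of the DNS plumbing
# the comments above examine. ROOT is an assumed parameter ("" = live system)
# so the same checks can run against a constructed test tree.

# Classify ROOT/etc/resolv.conf by the two symlink targets named in the thread.
resolv_conf_kind() {
    f="$1/etc/resolv.conf"
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            *systemd/resolve/stub-resolv.conf) echo stub-resolved ;;
            *resolvconf/resolv.conf)           echo resolvconf ;;
            *)                                 echo other-symlink ;;
        esac
    elif [ -f "$f" ]; then echo regular-file
    else echo missing
    fi
}

# "yes" when the hosts: line of ROOT/etc/nsswitch.conf lists the resolve module.
nsswitch_has_resolve() {
    if grep -Eq '^hosts:.*[[:space:]]resolve([[:space:]]|$)' \
        "$1/etc/nsswitch.conf" 2>/dev/null
    then echo yes; else echo no; fi
}

# Space-separated nameserver entries; compare before and after connecting.
nameservers() {
    if [ -r "$1/etc/resolv.conf" ]; then
        awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " }
             END { print "" }' "$1/etc/resolv.conf"
    fi
}

# Print the full report for ROOT, including which helper commands are on PATH.
dns_report() {
    echo "resolv.conf kind : $(resolv_conf_kind "$1")"
    echo "nameservers      : $(nameservers "$1")"
    echo "nsswitch resolve : $(nsswitch_has_resolve "$1")"
    for c in resolvconf resolvectl systemd-resolve; do
        if command -v "$c" >/dev/null 2>&1; then s=found; else s=absent; fi
        echo "$c: $s"
    done
}

dns_report "${1:-}"
```

Run it before and after connecting. When resolv.conf is a regular file or resolvconf-managed, an unchanged nameserver list after connecting means the VPN-provided resolvers were not written, which is the symptom reported here.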