GlobalProtect-openconnect
No name resolution (DNS) on openSUSE Leap 15.4
Hi! First of all, thank you for the great program!
I'm an openSUSE Leap user.
A bit of context
I used to connect to my work's GlobalProtect VPN invoking the openconnect command directly, and I made a tutorial on how to do it:
Then my work's network admin showed me there was a way to set up the VPN using the GUI tool Advanced Network Configuration (package NetworkManager-connection-editor on openSUSE, network-manager-gnome on Ubuntu and Debian) and for some time I used it that way.
But then my work started to require two-factor authentication (2FA) to log in to the VPN, and the previous methods stopped working. That's when I came across your program.
What is working
- Installation works fine (I shared installation instructions for openSUSE Leap 15.4 on issue #160);
- I'm able to connect to the VPN. The 2FA screen is shown, I enter the TOTP. In the end, I can see a tun0 interface with an assigned IP address if I run ip address;
- I can see routes are set up if I run ip route;
- I'm able to ping some intranet server, if I know its IP address.
What is not working
- Name resolution (DNS): I'm not able to ping intranet servers by their names.
I see that the /etc/resolv.conf file is not updated (maybe issue #53 is related).
And if I run nmcli, I don't see my work's DNS servers listed. Just my ISP gateway at home (which serves a local DNS server).
Networking on openSUSE is managed by either NetworkManager (default for desktops) or Wicked (a framework developed by openSUSE as a replacement for the ifup family of scripts, default for servers).
At the moment, I'm using NetworkManager.
I haven't tested GlobalProtect-openconnect with Wicked yet.
I opened YaST's Network Settings and switched the Network Setup Method to Wicked Service. Then, I had to set up my Wi-Fi connection using YaST.
But, after that, GlobalProtect-openconnect just worked. The /etc/resolv.conf file was updated with my work's internal nameservers and domain search list.
I'm going to use it this way. The drawback of this setup is that I cannot use GNOME's NetworkManager applet (or the GNOME Settings app, or the Advanced Network Configuration tool) to handle network settings; I need to go through YaST, which, for a desktop, is not practical (especially for the newbie, which is not my case, but I believe is the target user of GlobalProtect-openconnect).
I think we should keep this issue open and investigate a better way to integrate GlobalProtect-openconnect with NetworkManager (and/or openSUSE).
With this one, I opened a ticket with opensuse: https://bugzilla.opensuse.org/show_bug.cgi?id=1204297.
Basically you need to edit /etc/sysconfig/network/config and add:
NETCONFIG_DNS_POLICY='STATIC_FALLBACK tun0 NetworkManager'
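The edit suggested in the comment above, as an added example that is not part of the thread or the project: shell functions that set NETCONFIG_DNS_POLICY idempotently with a rollback copy, plus a simplified model of how a policy's space-separated entries are matched against a DNS source name such as tun0. The matching model is an assumption based on netconfig(8) and does not expand the auto value; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): set NETCONFIG_DNS_POLICY idempotently
# and model which DNS sources a policy selects.

# Print the last NETCONFIG_DNS_POLICY value in file $1, quotes stripped.
get_policy() {
    line=$(grep '^NETCONFIG_DNS_POLICY=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#NETCONFIG_DNS_POLICY=}
    value=${value#\"}; value=${value%\"}
    value=${value#\'}; value=${value%\'}
    printf '%s\n' "$value"
}

# Set the policy in file $1 to $2, keeping a rollback copy in $1.bak.
# The policy must not contain '|' or '&' (sed replacement syntax).
set_policy() {
    new="NETCONFIG_DNS_POLICY='$2'"
    cp -p "$1" "$1.bak"
    if grep -q '^NETCONFIG_DNS_POLICY=' "$1"; then
        sed "s|^NETCONFIG_DNS_POLICY=.*|$new|" "$1.bak" > "$1"
    else
        printf '%s\n' "$new" >> "$1"
    fi
}

# Simplified model (assumption): return 0 if source $2 matches an entry of
# policy $1. STATIC and STATIC_FALLBACK are keywords, not source names.
policy_selects() {
    set -f                      # keep '*' in the policy from globbing
    for entry in $1; do
        case $entry in STATIC|STATIC_FALLBACK) continue ;; esac
        case $2 in $entry) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# Demo on a constructed sample file, so nothing under /etc is touched.
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' \
        'NETCONFIG_DNS_POLICY="STATIC_FALLBACK NetworkManager"' > "$f"
    policy_selects "$(get_policy "$f")" tun0 || echo "before: tun0 DNS ignored"
    set_policy "$f" 'STATIC_FALLBACK tun0 NetworkManager'
    policy_selects "$(get_policy "$f")" tun0 && echo "after: tun0 DNS merged"
    rm -f "$f" "$f.bak"
}
demo
```

On a real system, run set_policy against /etc/sysconfig/network/config as root, then netconfig update -f to regenerate /etc/resolv.conf.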
@ldriscoll, would you know why such a file doesn't exist for me?
@matheussilvasantos it exists on Leap (15.4) and Tumbleweed; which OpenSUSE distro are you using?
@ldriscoll, oh, I'm sorry. Too many tabs opened. I'm actually using Fedora and having the same problem.
@matheussilvasantos sorry, I'm not much help to you there!
https://askubuntu.com/a/1169474/620001 made it work for me on Fedora. I believe it might work on OpenSUSE since the issue seems related to openconnect and systemd.