StrongSwan VPN DNS nameserver failure

Hi all,

Tried finding an answer to this, but no such luck. I have also tried the openSUSE reddit, but no luck there either.

I’ve recently hopped over to Tumbleweed from Xubuntu where I’d been for a number of years. Almost everything works as expected, and I’m happy with the general feel of things. The only thing I haven’t been able to get to work properly is my work StrongSwan VPN. I’ve tried a variety of things so far, and none have provided me with a proper solution. The setup we have involves a dedicated VPN connection to multiple data centres at a time. One of those provides DNS resolution by sending a nameserver entry in the connection attempt when StrongSwan connects. This nameserver entry never ends up in /etc/resolv.conf despite StrongSwan receiving notice of it. Here’s a breakdown of what I’ve tried and what I’ve found. Hopefully, it’s either a genuine bug, or something easily resolved.

Initial setup (from fresh install)
I installed StrongSwan, added the various bits I needed (ipsec.conf, secrets, certificates and keys). This is entirely managed via ipsec. NetworkManager at this point was only handling the wired & wireless interfaces.
I can see StrongSwan receiving the update from the VPN server to say there’s a nameserver entry and it’s adding it to /run/strongswan/resolvconf.
netconfig was configured to listen out for StrongSwan provided name servers (under NETCONFIG_DNS_RANKING="+strongswan").
I notice that /etc/resolv.conf is actually a symlink to /run/netconfig/resolv.conf, so no wonder the VPN provided nameserver doesn’t end up there.

Disabling netconfig
Based on some research I’d done, I then tried disabling netconfig to see if that was the cause, which then meant NetworkManager would be managing /etc/resolv.conf. Unsurprisingly this made no difference, as StrongSwan was still writing to a different file that NM wasn’t looking at.

Running the VPN through NetworkManager
I then tried setting up the VPNs to run purely through NM. This gave me mixed success - I could run the VPN connection that provides the name server, and the nameserver entry ended up in /etc/resolv.conf. However, NM only seems to allow 1 VPN connection to be up at once. I need around 7. If I have to take the DNS providing VPN down, I lose name resolution, which is a bit of a drawback to say the least. I then tried running just this VPN connection through NM, but the other directly through IPSec, and it would work for some time, but then the connection managed through NM would fail = no name resolution again.

After digging around a lot, I started to look at why StrongSwan was configured to add DNS entries to /run/strongswan/resolvconf. From what I’ve found, this is an openSUSE specific change, but there doesn’t seem to be any sensible reason for it. I checked Fedora and Ubuntu and neither of them change this build setting. Is this right, or an oversight? Should it be pointing somewhere else that can then make sense of what’s being added in there?
As a workaround I ended up configuring the charon resolve plugin to just add any name servers it gets to /run/NetworkManager/resolv.conf. This mostly works, but changing between wired and wireless can cause the file to be overwritten, the nameserver entry to be lost, and then I have to kick the VPN connection to get it back.

If any more info is needed, I’m happy to provide it.
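An added diagnostic, not part of the original post or of strongSwan itself, that checks the exact symptom described above: it follows the /etc/resolv.conf symlink to the file the libc resolver actually reads, parses the nameserver lines out of the file strongSwan's resolve plugin writes (on the poster's system /run/strongswan/resolvconf) and out of the effective resolv.conf, and reports any VPN-provided nameserver that never made it across. The file paths and sample contents below are constructed for the demo; point the functions at the real paths to test a live system.

```shell
#!/bin/sh
# Diagnostic example (added here; not from the forum post or strongSwan):
# did the nameservers strongSwan's resolve plugin wrote reach the resolv.conf
# the resolver actually reads?

# Print the "nameserver" addresses in a resolv.conf-style file, one per line.
# Comments, blank lines and leading whitespace are ignored.
list_nameservers() {
    # $1: path to a resolv.conf-style file
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# Print the nameservers present in $1 (strongSwan's own file) but absent
# from $2 (the effective resolv.conf), space separated.
# Exit status is 1 if at least one is missing, 0 otherwise.
missing_nameservers() {
    missing=""
    for ns in $(list_nameservers "$1"); do
        if ! list_nameservers "$2" | grep -qx "$ns"; then
            missing="$missing $ns"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Resolve the symlink chain to the file the resolver really opens
# (on the poster's box: /etc/resolv.conf -> /run/netconfig/resolv.conf).
effective_resolv_conf() {
    readlink -f "${1:-/etc/resolv.conf}"
}

# --- constructed demo data, standing in for the real system files ---
demo=$(mktemp -d)
printf 'nameserver 10.0.0.53\nnameserver 10.0.1.53\n' > "$demo/strongswan-resolvconf"
printf '# generated by netconfig\nnameserver 192.168.1.1\nnameserver 10.0.0.53\n' \
    > "$demo/netconfig-resolv.conf"
ln -s "$demo/netconfig-resolv.conf" "$demo/resolv.conf"

echo "resolver reads: $(effective_resolv_conf "$demo/resolv.conf")"
if miss=$(missing_nameservers "$demo/strongswan-resolvconf" "$demo/resolv.conf"); then
    echo "all VPN nameservers present"
else
    echo "VPN nameservers missing from resolv.conf: $miss"   # prints 10.0.1.53
fi
rm -rf "$demo"
```

On a real machine, run `missing_nameservers /run/strongswan/resolvconf "$(effective_resolv_conf)"` right after the tunnel comes up and again after switching between wired and wireless; a nameserver that is present the first time and missing the second confirms that the managing daemon rewrote the file underneath the VPN rather than strongSwan never having written it.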

First,
You’ll have to be more clear exactly where from and how you installed. I’m guessing that your original install is from a non-openSUSE source (direct download from Strongswan?) and your “Network Manager only” attempt may or may not involve installing Strongswan packages from openSUSE. You have to provide enough detail that someone could duplicate your setup, even if it’s not actually done.

The Charon resolve plugin looks pretty straightforward to set up:
https://wiki.strongswan.org/projects/strongswan/wiki/ResolvePlugin

Considering how straightforward it appears to be, I’d recommend troubleshooting that, but you’ll have to post as exactly as possible what your problem is (substitute namespaces if necessary if you have privacy concerns).

For name resolution troubleshooting,
You should also use the nslookup utility to test name resolutions and servers… and IP addresses. So, for instance, are you automatically able to resolve using the right nameserver for each VPN connection if you’re connected to several at once?

TSU