VPN openconnect does not add DNS servers since tumbleweed update

Hi,
I’ve been using openconnect to connect to the corp network for a long time. Since I updated tumbleweed, DNS for corp addresses does not work anymore. The DNS servers are missing. When using them manually (nslookup IP DNS-1), I get the correct answer.

# ll /etc/resolv.conf
lrwxrwxrwx 1 root root 26 Feb 28 2020 /etc/resolv.conf -> /run/netconfig/resolv.conf

# cat /etc/resolv.conf

/etc/resolv.conf is a symlink to /var/run/netconfig/resolv.conf

<skipped some comments>

Call “netconfig update -f” to force adjusting of /etc/resolv.conf.

search <domain-1> <domain-2>
nameserver <DNS-local-lan>

These are the settings I use without VPN, but connecting the VPN does not change anything here. Not sure if it changed that back when it worked.
Also tried the solution from https://bugzilla.opensuse.org/show_bug.cgi?id=1182107#c2 but that did not help here.

# grep hosts /etc/nsswitch.conf

Valid databases are: aliases, ethers, group, gshadow, hosts,

#hosts: files mdns_minimal [NOTFOUND=return] dns
hosts: files dns myhostname

openconnect returns the DNS server and a lot of other stuff:
sudo openconnect --protocol=pulse --authgroup "Phone OTP" --user <user> <host> -v --timestamp --deflate --no-dtls --reconnect-timeout 1

For about 200 different CIDRs:
[2021-11-16 12:37:41] Received split include route <CIDR>
4 exclude lines like this:
[2021-11-16 12:37:41] Received split exclude route <CIDR>
[2021-11-16 12:37:41] Unknown attr 0x4000 len 1: 00
[2021-11-16 12:37:41] Unknown attr 0x4001 len 1: 00
[2021-11-16 12:37:41] Unknown attr 0x401f len 1: 00
[2021-11-16 12:37:41] Unknown attr 0x4020 len 1: 00
[2021-11-16 12:37:41] Unknown attr 0x4021 len 1: 00
[2021-11-16 12:37:41] Received MTU 1400 from server
[2021-11-16 12:37:41] Received DNS server <DNS-1>
[2021-11-16 12:37:41] Received DNS server <DNS-2>
[2021-11-16 12:37:41] Received DNS search domain <domain-3>
[2021-11-16 12:37:41] Unknown attr 0x4007 len 4: 00 00 00 01
[2021-11-16 12:37:41] Unknown attr 0x4019 len 1: 01
[2021-11-16 12:37:41] ESP only: 0

I traced /etc/openconnect/vpnc-script and added debug-echos so I can see what is executed for the DNS entries, and what are the variables’ values. Here’s the end (after adding the route entries, which are added to the system OK as shown by netstat -rn) of the log:

+ for i in $INTERNAL_IP4_DNS
+ echo <DNS-1>
+ grep :
+ set_network_route <DNS-1> 255.255.255.255 32
+ NETWORK=<DNS-1>
+ NETMASK=255.255.255.255
+ NETMASKLEN=32
+ /sbin/ip route replace <DNS-1>/32 dev tun0
+ /sbin/ip route flush cache
+ for i in $INTERNAL_IP4_DNS
+ echo <DNS-2>
+ grep :
+ set_network_route <DNS-2> 255.255.255.255 32
+ NETWORK=<DNS-2>
+ NETMASK=255.255.255.255
+ NETMASKLEN=32
+ /sbin/ip route replace <DNS-2>/32 dev tun0
+ /sbin/ip route flush cache
+ '[' -n '' ']'
+ '[' -n '' -o -n '' ']'
+ '[' -n '<DNS-1> <DNS-2>' ']'
+ modify_resolvconf_suse_netconfig
+ /sbin/netconfig modify -s vpnc -i tun0
+ echo INTERFACE=tun0
INTERFACE=tun0
+ echo 'DNSSERVERS=<DNS-1> <DNS-2>'
DNSSERVERS=<DNS-1> <DNS-2>
+ echo DNSDOMAIN=<domain-3>
DNSDOMAIN=<domain-3>
+ run_hooks post-connect
+ HOOK=post-connect
+ '[' -d /etc/vpnc/post-connect.d ']'
+ exit 0

So it looks like netconfig receives the correct values, but does not act accordingly.

Did the mechanism for adding DNS servers change and that change did not yet go into openconnect? Or did one of the last updates break netconfig? Any suggestions for a workaround or solution, please?

I now added -v to the netconfig line and got this output:

+ /sbin/netconfig modify -s vpnc -i tun0 -v
<13>Nov 16 15:39:07 netconfig: Executing 'modify -s vpnc -i tun0 -v' for pid 13744
debug: lockfile created (/var/run/netconfig.pid) for PID 14364
debug: lockfile created
debug: write new STATE file /var/run/netconfig//tun0/netconfig0
debug: Module order: dns-resolver dns-bind dns-dnsmasq ntp-runtime -nis
debug: nis module is disabled
debug: dns-resolver module called
debug: Resolved dns-policy 'auto' for service 'NetworkManager' to 'STATIC_FALLBACK NetworkManager'
debug: Static Fallback
debug: Use NetworkManager policy merged settings
debug: exec get_dns_settings: /var/run/netconfig/NetworkManager.netconfig
debug: get_dns_settings: service 'NetworkManager' => rank '1'
debug: get_dns_settings: DNS_SEARCHLIST_1='<domain-1> <domain-2>'
debug: get_dns_settings: DNS_SERVERS_1='<DNS-local-lan>'
debug: exit get_dns_settings: /var/run/netconfig/NetworkManager.netconfig
debug: write_resolv_conf: ' <domain-1> <domain-2> ' ' <DNS-local-lan> '
debug: dns settings written to /var/run/netconfig/resolv.conf
debug: /etc/resolv.conf is already a link to /var/run/netconfig/resolv.conf
debug: dns-bind Module called
debug: dns-dnsmasq Module called
debug: ntp-runtime Module called
debug: Resolved ntp-policy 'auto' for service 'NetworkManager' to 'STATIC_FALLBACK NetworkManager'
debug: Static Fallback
debug: Use NetworkManager policy merged settings
debug: exec get_ntp_settings: /var/run/netconfig/NetworkManager.netconfig
debug: get_ntp_settings: NTP_SERVER_LIST=''
debug: exit get_ntp_settings: /var/run/netconfig/NetworkManager.netconfig
debug: write_chrony_servers:
debug: ntp servers written to /var/run/netconfig/chrony.servers

With that, it looks like netconfig either ignores what is sent to it via stdin, or the shell redirect does not work properly … this is the shell code:

modify_resolvconf_suse_netconfig()
{
	# <<-EOF strips leading tabs from the body and the delimiter line
	/sbin/netconfig modify -s vpnc -i "$TUNDEV" -v <<-EOF
	INTERFACE='$TUNDEV'
	DNSSERVERS='$INTERNAL_IP4_DNS'
	DNSDOMAIN='$CISCO_DEF_DOMAIN'
	EOF
	echo INTERFACE="$TUNDEV"
	echo DNSSERVERS="$INTERNAL_IP4_DNS"
	echo DNSDOMAIN="$CISCO_DEF_DOMAIN"
}

(The '-v' and the last 3 echoes are my additions). Anyone knowing normal shell (not bash) enough to say if that is correct and should pass the values properly to netconfig?

Alright, I tested adding DNS entries via netconfig directly, and it ignores the input:

# cat /tmp/netconfig.conf
INTERFACE='tun0'
DNSSERVERS='<DNS-1> <DNS-2>'
DNSDOMAIN='<domain-3>'
# /sbin/netconfig modify -s vpnc -i tun0 -v < /tmp/netconfig.conf

The debug output is exactly as in my previous post: netconfig is ignoring its input. Looks like a bug to me, but maybe it’s just a change that requires additional / different variables?

Yes, there was a change in the default "auto" netconfig DNS policy:

https://bugzilla.opensuse.org/show_bug.cgi?id=1185882

Strictly speaking, if you are using NetworkManager you are expected to use NetworkManager plugins to manage VPN. If you have reasons to use VPN outside of NetworkManager, set

NETCONFIG_DNS_POLICY='STATIC_FALLBACK * NetworkManager'

which restores the previous "auto" semantics.
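As an added example, not from this thread and not netconfig's or vpnc-script's own code: a POSIX sh script that (a) reproduces the here-document feed that vpnc-script pipes into "netconfig modify", which was asked about earlier in the thread (an unquoted EOF delimiter expands the $VARs and the single quotes are passed through literally), (b) models netconfig's DNS-policy check so the difference between the new "auto" (resolved to 'STATIC_FALLBACK NetworkManager', as in the debug output above) and 'STATIC_FALLBACK * NetworkManager' is visible for the service name "vpnc" that vpnc-script uses, and (c) rewrites NETCONFIG_DNS_POLICY in a copy of the config file. Assumptions: the variable lives in /etc/sysconfig/network/config on openSUSE, and the DNS servers and domain used in the demo are made up (RFC 5737 documentation range). The script only ever touches a temporary file.

```shell
#!/bin/sh
# Added example (not from the thread, not vpnc-script or netconfig code).
# Assumed config path on openSUSE: /etc/sysconfig/network/config
set -eu

# What modify_resolvconf_suse_netconfig hands to netconfig on stdin.
# EOF is unquoted, so $1..$3 are expanded; the single quotes are plain
# characters in the output (netconfig strips quotes around values).
vpnc_netconfig_input() {
    cat <<EOF
INTERFACE='$1'
DNSSERVERS='$2'
DNSDOMAIN='$3'
EOF
}

# Does a NETCONFIG_DNS_POLICY string let service NAME contribute DNS data?
# The policy is a space-separated list of service names; '*' matches any
# service; STATIC_FALLBACK is a keyword, not a service.  case patterns are
# used instead of word splitting so the '*' is never glob-expanded.
policy_accepts() {
    policy=$1; service=$2
    case " $policy " in
        *" * "*|*" $service "*) return 0 ;;
    esac
    return 1
}

# Current policy value from a sysconfig file; unset or empty is reported
# as "auto" here (the default the debug output above resolved).
netconfig_dns_policy() {
    val=$(sed -n 's/^NETCONFIG_DNS_POLICY=//p' "$1" | tail -n 1 | tr -d "'\"")
    printf '%s\n' "${val:-auto}"
}

# Replace (or append) NETCONFIG_DNS_POLICY in FILE, keeping everything else.
set_dns_policy() {
    file=$1; policy=$2; tmp="$file.tmp.$$"
    grep -v '^NETCONFIG_DNS_POLICY=' "$file" > "$tmp" || true
    printf "NETCONFIG_DNS_POLICY='%s'\n" "$policy" >> "$tmp"
    mv "$tmp" "$file"
}

# Demo on a temporary copy with constructed contents.
demo=$(mktemp)
printf '## constructed sample of /etc/sysconfig/network/config\nNETCONFIG_DNS_POLICY="auto"\n' > "$demo"
for pol in 'STATIC_FALLBACK NetworkManager' 'STATIC_FALLBACK * NetworkManager'; do
    if policy_accepts "$pol" vpnc; then
        echo "$pol: DNS from service vpnc is merged into resolv.conf"
    else
        echo "$pol: DNS from service vpnc is ignored"
    fi
done
echo "before: $(netconfig_dns_policy "$demo")"
set_dns_policy "$demo" 'STATIC_FALLBACK * NetworkManager'
echo "after:  $(netconfig_dns_policy "$demo")"
echo "stdin that vpnc-script would send (constructed values):"
vpnc_netconfig_input tun0 '192.0.2.53 192.0.2.54' corp.example
rm -f "$demo"
```

After changing the real file, `netconfig update -f` (the command the resolv.conf header itself suggests) rewrites /etc/resolv.conf, and the next openconnect connect should show the VPN servers in it. Note the scope of '*': it accepts DNS settings from any service that calls `netconfig modify`, not only vpnc. Listing the service by name, e.g. 'STATIC_FALLBACK vpnc NetworkManager', is the narrower option if nothing else on the machine is expected to push resolvers.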

Thanks a lot for the link and solution / workaround - changing NETCONFIG_DNS_POLICY as stated has resolved the issue for me.

For my understanding: Was I supposed to not use openconnect (but NetworkManager-openvpn), or should openconnect internally use NetworkManager interfaces instead of netconfig?

So far, I have not been able (see below) to configure a NetworkManager vpn with settings equivalent to my openconnect call, so I’ll be using the modified policy along with openconnect.

Thanks again,
Bdot

As for attempting to setup the VPN using other means:

  1. In "Configure Network Connections" I can add VPN, or even Pulse-vpn, but I'm only offered certificate-based setup. I did not find fields for username/password/2FA.
  2. Using 'yast vpn' also does not seem to fit as I have neither a pre-shared key nor a certificate. I'm connecting with user+password and a 2FA key. The CIDRs are defined by the VPN gateway so I can't define them in the setup … not sure if it even could connect … where would I specify the "pulse" protocol I need?
  3. Using nmtui: The "New Connection" wizard does not offer "VPN". Other choices like "IP Tunnel" don't seem to fit as they require fixed target IP addresses (I have a target name that is mapped to a bunch of IPs via round-robin) and don't seem to ask for user/password.
  4. Using nm-applet I was able to create a VPN of type pulse with the VPN gateway host, but it "Failed to obtain WebVPN cookie" when trying to activate it. I did not find any field to enter my username/password/2FA anywhere, I was only asked for the root password.

So I currently do not know how else I could establish my VPN connection - commandline openconnect was the only way I got to work. Possibly I’m missing some packages, but the ones mentioned in the NetworkManager docs are all there:
# rpm -qa | grep -i openconnect
NetworkManager-openconnect-1.2.6-5.2.x86_64
openconnect-lang-8.10-2.6.noarch
plasma-nm5-openconnect-5.23.2-1.1.x86_64
libopenconnect5-8.10-2.6.x86_64
NetworkManager-openconnect-gnome-1.2.6-5.2.x86_64
openconnect-bash-completion-8.10-2.6.noarch
openconnect-8.10-2.6.x86_64

# rpm -qa | grep -i networkmanager
NetworkManager-pptp-1.2.8-3.10.x86_64
NetworkManager-openconnect-1.2.6-5.2.x86_64
NetworkManager-branding-openSUSE-42.1-3.15.noarch
NetworkManager-connection-editor-1.24.0-2.1.x86_64
libproxy1-networkmanager-0.4.17-2.3.x86_64
NetworkManager-openconnect-gnome-1.2.6-5.2.x86_64
NetworkManager-openvpn-1.8.16-1.1.x86_64
NetworkManager-vpnc-gnome-1.2.6-4.1.x86_64
NetworkManager-pptp-gnome-1.2.8-3.10.x86_64
NetworkManager-vpnc-1.2.6-4.1.x86_64
NetworkManager-openvpn-gnome-1.8.16-1.1.x86_64
NetworkManager-applet-1.24.0-2.1.x86_64
NetworkManager-1.32.12-1.1.x86_64
libKF5NetworkManagerQt6-5.87.0-1.1.x86_64

openvpn and openconnect are two different programs and protocols.

or should openconnect internally use NetworkManager interfaces instead of netconfig?

openconnect (as standalone program) knows nothing about NetworkManager. The idea is to use openconnect NetworkManager plugin and let NetworkManager handle priorities of various connections, and then netconfig is just using whatever NetworkManager returns.

In “Configure Network Connections” I can add VPN, or even Pulse-vpn, but I’m only offered certificate-based setup. I did not find fields for username/password/2FA.

I did not use it myself, but my understanding is that this information is requested during authentication dialogue. Like here

https://www.its.hku.hk/documentation/guide/network/remote/hkuvpn2fa/linux-openconnect

Thanks again for the clarifications.

When trying to activate the VPN (after only providing the gateway hostname in the setup), it worked - I was asked for all required info and the connection was established. Today, the 'connect' action gets me a "VPN secrets (openconnect) dialog – KDE Daemon" popup. It has the correct VPN host and asks to "Provide the secrets for the VPN connection 'VPN connection 1'". It has 3 checkboxes "Automatically start connecting next time", "Store Passwords" and "View Log" and an unlabelled, inactive (greyed out) input field. The only button is "Cancel". No way to add anything and no way to advance to the next step … Seems like an openconnect plugin bug.

(I cannot add a picture here, and susepaste.org only returns 404 Page Not Found after creating the image)