Check if there is a mismatch between the host you are trying to resolve via the VPN and the "DNS Domain" that the Cisco VPN server is sending.
To check for this, open a terminal and run:
tail -f /var/log/syslog
Then start openconnect via network manager. You'll see a whole bunch of output come through, including some lines like this:
Dec 5 12:54:31 canoe NetworkManager[1266]: Internal DNS: 10.0.20.21
Dec 5 12:54:31 canoe NetworkManager[1266]: Internal DNS: 10.10.3.32
Dec 5 12:54:31 canoe NetworkManager[1266]: DNS Domain: 'internal.example.com'
And further down you'll see
Dec 5 12:54:31 canoe dnsmasq[1871]: using nameserver 10.0.20.21#53 for domain internal.example.com
This means that the VPN server is instructing the client that the DNS servers should be used to resolve hosts within internal.example.com
, such as server.internal.example.com
.
In my case, I need to resolve server.example.com
(and was not getting any result).
The solution for me was to go into the VPN settings and add example.com
as an additional search domain:
Don't forget to disconnect VPN and then re-connect for the setting to take effect.
DNSoverTLS 1.1.1.1 OpenVPN configuration.
First you need systemd-resolved installed and configured to use stub-resolv.conf.
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
cat /etc/resolv.conf
Output
nameserver 127.0.0.53
options edns0
systemd-networkd
/etc/systemd/resolved.conf (example):
[Resolve]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=1.1.1.1 1.0.0.1
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=yes
DNSStubListener=yes
/etc/systemd/network/ethX.network (example):
[Match]
Name=eth*
[Link]
RequiredForOnline=yes
[Network]
DHCP=yes
MulticastDNS=no
LLMNR=no
LinkLocalAddressing=no
[DHCP]
UseDNS=yes
UseHostname=no
CriticalConnection=yes
/etc/systemd/network/tunX.network (important!):
(in order for openvpn to be able to administer tun link, the link must be unmanaged)
[Match]
Name=tun*
[Link]
Unmanaged=yes
I use update-resolved to configure systemd-resolved.
(you can use update-systemd-resolved or
aptitude install openvpn-systemd-resolved, but when you need to follow
README.md instead).
Installing update-resolved:
cd /etc/openvpn
git clone https://github.com/bac0n/update-resolved.git
Add update-resolved to your openvpn.conf:
# Include update-resolved up/down script.
config /etc/openvpn/update-resolved/update-resolved.ovpn
Restart openvpn:
systemctl restart openvpn
Journald:
journalctl -t update-resolved
Output
-- Logs begin at Sat 2019-09-21 12:28:01 CEST, end at Sun 2019-09-22 17:05:01 CEST. --
Sep 21 12:28:11 foobar update-resolved[914]: Note: Successfully configured resolved on link 3 (tun0)
Note:
As default it uses openvpn supplied dns´s. if you like to use
static dns´s you need to filter the dns´s supplied by openvpn
in 'update-resolved.ovpn' and set your own dns´s in 'update-resolved.conf'
Example:
resolve_options=(DOMAIN ~. DNS 1.1.1.1 DNS 1.0.0.1 LLMNR no MulticastDNS no)
(when using domain ~. resolved will use the tun link for all your dns queries (unless other too carry such a route-only domain). When the tun link is removed resolved will start using 'global' and 'isp' dns´s in parallel, Protocols and Routing)
Best Answer
First make sure that there are no lines beginning with
nameserver
in any files in /etc/resolvconf/resolv.conf.d. If /etc/resolvconf/resolv.conf.d/tail is a symbolic link to targetoriginal
, make it point to/dev/null
.Second, disconnect from the VPN. Edit
/etc/NetworkManager/NetworkManager.conf
and comment out
(i.e., add a
#
so that it looks like the following)and then