Check if there is a mismatch between the host you are trying to resolve via the VPN and the "DNS Domain" that the Cisco VPN server is sending.
To check for this, open a terminal and run:
tail -f /var/log/syslog
Then start openconnect via network manager. You'll see a whole bunch of output come through, including some lines like this:
Dec 5 12:54:31 canoe NetworkManager[1266]: Internal DNS: 10.0.20.21
Dec 5 12:54:31 canoe NetworkManager[1266]: Internal DNS: 10.10.3.32
Dec 5 12:54:31 canoe NetworkManager[1266]: DNS Domain: 'internal.example.com'
And further down you'll see
Dec 5 12:54:31 canoe dnsmasq[1871]: using nameserver 10.0.20.21#53 for domain internal.example.com
This means that the VPN server is instructing the client that the DNS servers should be used to resolve hosts within internal.example.com, such as server.internal.example.com.
In my case, I need to resolve server.example.com (and was not getting any result).
The solution for me was to go into the VPN settings and add example.com as an additional search domain:
Don't forget to disconnect VPN and then re-connect for the setting to take effect.
DNSoverTLS 1.1.1.1 OpenVPN configuration.
First you need systemd-resolved installed and configured to use stub-resolv.conf.
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
cat /etc/resolv.conf
Output
nameserver 127.0.0.53
options edns0
systemd-networkd
/etc/systemd/resolved.conf (example):
[Resolve]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=1.1.1.1 1.0.0.1
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=yes
DNSStubListener=yes
/etc/systemd/network/ethX.network (example):
[Match]
Name=eth*
[Link]
RequiredForOnline=yes
[Network]
DHCP=yes
MulticastDNS=no
LLMNR=no
LinkLocalAddressing=no
[DHCP]
UseDNS=yes
UseHostname=no
CriticalConnection=yes
/etc/systemd/network/tunX.network (important!):
(in order for openvpn to be able to administer tun link, the link must be unmanaged)
[Match]
Name=tun*
[Link]
Unmanaged=yes
I use update-resolved to configure systemd-resolved.
(you can use update-systemd-resolved or
aptitude install openvpn-systemd-resolved, but when you need to follow
README.md instead).
Installing update-resolved:
cd /etc/openvpn
git clone https://github.com/bac0n/update-resolved.git
Add update-resolved to your openvpn.conf:
# Include update-resolved up/down script.
config /etc/openvpn/update-resolved/update-resolved.ovpn
Restart openvpn:
systemctl restart openvpn
Journald:
journalctl -t update-resolved
Output
-- Logs begin at Sat 2019-09-21 12:28:01 CEST, end at Sun 2019-09-22 17:05:01 CEST. --
Sep 21 12:28:11 foobar update-resolved[914]: Note: Successfully configured resolved on link 3 (tun0)
Note:
As default it uses openvpn supplied dns´s. if you like to use
static dns´s you need to filter the dns´s supplied by openvpn
in 'update-resolved.ovpn' and set your own dns´s in 'update-resolved.conf'
Example:
resolve_options=(DOMAIN ~. DNS 1.1.1.1 DNS 1.0.0.1 LLMNR no MulticastDNS no)
(when using domain ~. resolved will use the tun link for all your dns queries (unless other too carry such a route-only domain). When the tun link is removed resolved will start using 'global' and 'isp' dns´s in parallel, Protocols and Routing)
Best Answer
First make sure that there are no lines beginning with
nameserverin any files in /etc/resolvconf/resolv.conf.d. If /etc/resolvconf/resolv.conf.d/tail is a symbolic link to targetoriginal, make it point to/dev/null.Second, disconnect from the VPN. Edit
/etc/NetworkManager/NetworkManager.confand comment out
(i.e., add a
#so that it looks like the following)and then