Ubuntu – OpenConnect Juniper VPN Not Working in Ubuntu 18.04

network-managernetworkingopenconnectservervpn

I have been using openconnect for a long time now with our corporate VPN. I upgraded my personal laptop to Ubuntu 18.04 and I can no longer receive network traffic once connect.

I use the following command to connect:

/usr/bin/sudo /usr/sbin/openconnect --juniper --servercert $CERT --user=$USERNAME $HOST

I have to use the --servercert flag because of how the certs were installed on the VPN servers.

Anyway, this has been working flawlessly for the last few versions of Ubuntu.

With 18.04, the /etc/resolve.conf file is getting modified as expected, openconnect itself reports no issues, but once I am connected, I receive no traffic.

I have been doing some reading that the kernel with 18.04 may require some changes to the /etc/sysctl.conf file.

Is there anyone who can help figure out why I no longer receive traffic once connected the VPN via openconnect?

I assume since it doesn't appear to be DNS, that this is a problem with the tunnel.

I am going to compare to my 17.10 machine to see if there is something obvious which is different.

Any help would be greatly appreciated!

Best Answer

I performed a:

sudo apt install network-manager-openconnect-gnome

Then I setup the VPN details via the GUI. When I connect now via the GUI, it is working and there is communication.

I still need to investigate what is happening differently, but this might help in the meantime.

Related Solutions

Ubuntu – VPN disconnected: resolv.conf not refreshed

The path /etc/resolvconf/run is no longer used.

The following snippet will delete the tun0 record if no vpnc process is running.

[ "$(pidof vpnc)" ] || resolvconf -d tun0

The correct solution to the problem would be to arrange for vpnc to be terminated in such a way that it cleans up before exiting, where cleaning up includes deleting any resolvconf records it created when it connected.

Ubuntu – Openconnect in network-manager does not update resolv.conf

I found the solution. Basically, if the dns server sents ipv6 dns servers to lookup ipv4 addresses things go wrong. Openconnect will put ipv6 addresses in INTERNAL_IP4_DNS and the "network-manager-openconnect" does not expect that, treats the whole variable (and basically all dns servers) as garbage and goes on. I compiled my own network-manager-openconnect from master which has a fix for this, and that works fine.

I don't know why I have this problem after upgrading. Maybe something changed in openconnect? Or maybe in the day I upgraded my company network admin added an ipv6 dns server? (I think that is unlikely...)

If you are using network-manager-openconnect 1.2.6 or 1.2.7-dev (or maybe even a lower version, which does not contain the fix) you can compile your own version from master like so:

sudo apt-get build-dep network-manager-openconnect
mkdir ~/network-manager-openconnect_build
cd ~/network-manager-openconnect_build
git clone https://gitlab.gnome.org/GNOME/NetworkManager-openconnect.git
cd NetworkManager-openconnect
./autogen.sh
make
sudo mv /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper_bak
sudo cp src/nm-openconnect-service-openconnect-helper /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper

Note: I only copied over the helper bin. In theory this could give incompatibility problems. I had no problems with it. But if you have, you might try to copy over the main bin as wel from src.

If you want, you can use the following to have extra logging for the vpn module to see in the syslog if openconnect received any dns data:

sudo nmcli general logging level KEEP domains VPN_PLUGIN:TRACE

If you see the INTERNAL_IP4_DNS being set with both ipv4 and ipv6 addresses, and you use the openconnect network manager version mentioned above, you are affected with this bug.

Related Question