opennect is connected but browsers don't use the vpn connection to browse

ehouarn-perret · 25 August 2019 16:43

I am using openconnect to connect a corporate vpn:

[perret-pc perret]# sudo openconnect --protocol=nc --user=[secret-me] [secret-url]
GET [secret-stuff]
Connected to [secret-stuff]
SSL negotiation with [secret-stuff]
Connected to HTTPS on [secret-stuff]
Got HTTP response: HTTP/1.1 302 Found
GET [secret-stuff]
SSL negotiation with [secret-stuff]
Connected to HTTPS on [secret-stuff]
frmLogin
password:
POST [secret-stuff]
Got HTTP response: HTTP/1.1 302 Moved
GET [secret-stuff]
Connected as [secret-stuff] using SSL, with ESP in progress
ESP session established with server

The connection works fine with the command line but for some reasons the browsers or any other application do not really leverage the vpn.

Weird thing is that with Linux Mint (live, didn't want to bother to install) and setting up the same exact vpn with openconnect works like a charm with browsers.

Wondering what I am missing =/

DeMus · 25 August 2019 16:24

The good sense of blocking all important details of your company connection, ip-addresses, URL, SSL negotiation. The only thing somebody needs to find out is the password and nowadays that's not so difficult.

linux-aarhus · 25 August 2019 16:26

A guess: Your connection does not provide DNS which then falls back to the system DNS and route.

ehouarn-perret · 25 August 2019 16:41

So the same connection on Mint provides DNS... that does not makes sense.

ehouarn-perret · 25 August 2019 16:50

Yawning, you're bit a pendant, but well

I got lazy
It's deprecated
I got lazy

It's "fixed" now and the someone maybe he's gonna ask me for the -vvvv --dump version of command which obviously will require me to provide even more details.

jonathon · 25 August 2019 17:07

Network Manager has an OpenConnect plugin (networkmanager-openconnect). That should be a more reliable way of making sure everything is set correctly.

ehouarn-perret · 25 August 2019 17:11

Thanks I actually found out why it didn't click, it was something else but thanks the pointer, it may help someone else.

I bumped into an Arch Linux thread https://bugs.archlinux.org/task/61738

I actually missed out something in the connection details:

Unit dbus-org.freedesktop.resolve1.service not found.
Unit dbus-org.freedesktop.resolve1.service not found.

Which is funny cause it didn't stop openconnect to run =/

So I just had to do that:

systemctl enable systemd-resolved.service
Created symlink /etc/systemd/system/dbus-org.freedesktop.resolve1.service → /usr/lib/systemd/system/systemd-resolved.service.
Created symlink /etc/systemd/system/multi-user.target.wants/systemd-resolved.service → /usr/lib/systemd/system/systemd-resolved.service.

Works all fine now.

It's probably enabled by default on Linux Mint, hence the difference of behaviour I got between Mint and Manjaro.

ehouarn-perret · 25 August 2019 17:19

Talked a bit too fast, that works well with the live of Manjaro Gnome but not with Xfce... there might some initial setup differences... the issues lies somewhere else.

DeMus · 25 August 2019 18:05

Well, if you know it all so well then please go ahead and give all the information, including the password. I was only telling you it is not wise to write this kind of information openly on the internet. But if that is not appreciated then you also disappear on the ignore list, just as so many others before you.

ehouarn-perret · 29 August 2019 21:47

I found something that works from another answer on the forum:
Weird DNS issue over VPN

So basically what did I do:

sudo systemctl stop systemd-resolved

sudo systemctl disable systemd-resolved

Remove symlink between /etc/resolv.conf and /run/systemd/resolve/resolv.conf

Comment out the line with hosts: ... in /etc/nsswitch.conf

Reboot

Tbh, it's still a bit voodoo to me about why it works.

The hypothetical underlying reason about why this works from the author is pasted below:

My understanding is that commenting out the line with hosts in /etc/nsswitch.conf allows sudo openconnect to work without systemd-resolved. Indeed, openconnect relies on /etc/vpnc/vpnc-script to detect which type of DNS resolver is used and if it finds a row containing the word "resolve" in /etc/nsswitch.conf, it thinks systemd-resolved is being used even if it is disabled.

This is why I got an error when using sudo openconnect with systemd-resolved disabled. And this is also why I did enable this service afterwards. However it seems this caused some errors and even if the symlink technique did work, I was still having some issues with DNS leaks. Well, simply commenting this line in /etc/nsswitch.conf is what is recommended in the above link and it indeed works. Now, although systemd-resolved is being disabled (the default in Manjaro apparently), sudo openconnect does't complain anymore about it and works properly.

I don't know whether vpnc-script is at fault here: it should not detect systemd-resolved as the DNS resolver being used based on that row in nsswitch.conf. It should check if systemd-reolved is enabled IMHO.

system · 28 September 2019 21:46

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.