openconnect is connected but browsers don't use the VPN connection to browse

I am using openconnect to connect to a corporate VPN:

[perret-pc perret]# sudo openconnect --protocol=nc --user=[secret-me] [secret-url]
GET [secret-stuff]
Connected to [secret-stuff]
SSL negotiation with [secret-stuff]
Connected to HTTPS on [secret-stuff]
Got HTTP response: HTTP/1.1 302 Found
GET [secret-stuff]
SSL negotiation with [secret-stuff]
Connected to HTTPS on [secret-stuff]
frmLogin
password:
POST [secret-stuff]
Got HTTP response: HTTP/1.1 302 Moved
GET [secret-stuff]
Connected as [secret-stuff] using SSL, with ESP in progress
ESP session established with server

The connection works fine from the command line, but for some reason the browsers or any other application do not really leverage the VPN.

The weird thing is that with Linux Mint (live, I didn't want to bother installing), setting up the exact same VPN with openconnect works like a charm with browsers.

Wondering what I am missing =/

The good sense of blocking all important details of your company connection: IP addresses, URL, SSL negotiation. The only thing somebody needs to find out is the password, and nowadays that's not so difficult.

A guess: Your connection does not provide DNS which then falls back to the system DNS and route.

So the same connection on Mint provides DNS... that does not make sense.

Yawning, you're a bit of a pedant, but well

  1. I got lazy
  2. It's deprecated
  3. I got lazy

It's "fixed" now, and maybe someone is gonna ask me for the -vvvv --dump version of the command, which obviously will require me to provide even more details.

Network Manager has an OpenConnect plugin (networkmanager-openconnect). That should be a more reliable way of making sure everything is set correctly.


Thanks, I actually found out why it didn't click; it was something else, but thanks for the pointer, it may help someone else.

I bumped into an Arch Linux thread https://bugs.archlinux.org/task/61738

I actually missed something in the connection details:

Unit dbus-org.freedesktop.resolve1.service not found.
Unit dbus-org.freedesktop.resolve1.service not found.

Which is funny because it didn't stop openconnect from running =/

So I just had to do this:

systemctl enable systemd-resolved.service
Created symlink /etc/systemd/system/dbus-org.freedesktop.resolve1.service → /usr/lib/systemd/system/systemd-resolved.service.
Created symlink /etc/systemd/system/multi-user.target.wants/systemd-resolved.service → /usr/lib/systemd/system/systemd-resolved.service.

Works all fine now.

It's probably enabled by default on Linux Mint, hence the difference in behaviour I got between Mint and Manjaro.

I talked a bit too fast; that works well with the Manjaro Gnome live image but not with Xfce... there might be some initial setup differences... the issue lies somewhere else.

Well, if you know it all so well, then please go ahead and give all the information, including the password. I was only telling you it is not wise to write this kind of information openly on the internet. But if that is not appreciated, then you also disappear onto the ignore list, just as so many others before you.

I found something that works from another answer on the forum:
Weird DNS issue over VPN

So basically, what I did:

  • sudo systemctl stop systemd-resolved
  • sudo systemctl disable systemd-resolved
  • Remove symlink between /etc/resolv.conf and /run/systemd/resolve/resolv.conf
  • Comment out the line with hosts: ... in /etc/nsswitch.conf
  • Reboot

Tbh, it's still a bit of voodoo to me why it works.

The author's hypothesis about why this works is pasted below:

My understanding is that commenting out the line with hosts in /etc/nsswitch.conf allows sudo openconnect to work without systemd-resolved. Indeed, openconnect relies on /etc/vpnc/vpnc-script to detect which type of DNS resolver is used and if it finds a row containing the word "resolve" in /etc/nsswitch.conf, it thinks systemd-resolved is being used even if it is disabled.

This is why I got an error when using sudo openconnect with systemd-resolved disabled. And this is also why I did enable this service afterwards. However, it seems this caused some errors, and even if the symlink technique did work, I was still having some issues with DNS leaks. Well, simply commenting out this line in /etc/nsswitch.conf is what is recommended in the above link, and it indeed works. Now, although systemd-resolved is disabled (the default in Manjaro apparently), sudo openconnect doesn't complain about it anymore and works properly.

I don't know whether vpnc-script is at fault here: it should not detect systemd-resolved as the DNS resolver being used based on that row in nsswitch.conf. It should check if systemd-resolved is enabled IMHO.
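A small diagnostic, added here and not taken from the thread or from vpnc-script itself, that reproduces the heuristic the pasted explanation describes (an active "hosts:" line naming the "resolve" NSS module is read as "systemd-resolved in use") and compares it with the real service state, so the mismatch can be spotted before running openconnect. The function names and the sample nsswitch.conf line are my own constructions.

```shell
#!/bin/sh
# Added diagnostic (not vpnc-script's own code). It mirrors the heuristic the post
# describes: vpnc-script treats the system as systemd-resolved based when the
# "hosts:" line of nsswitch.conf names "resolve", whether or not the service runs.

# Exit 0 when an active (uncommented) "hosts:" line in the given file names "resolve".
# A "#hosts: ..." line does not count, which is why commenting it out changes the outcome.
nsswitch_mentions_resolve() {
    grep -E '^[[:space:]]*hosts:' "$1" | grep -qw 'resolve'
}

# Print a verdict comparing the heuristic with the actual service state.
#   $1 = path to an nsswitch.conf, $2 = output of "systemctl is-active systemd-resolved"
# Returns 1 on the mismatch the thread hit: the file points at resolve, the service is down.
diagnose_resolver_mismatch() {
    conf=$1
    state=${2:-unknown}
    if nsswitch_mentions_resolve "$conf"; then
        guess="systemd-resolved"
    else
        guess="plain resolv.conf"
    fi
    if [ "$guess" = "systemd-resolved" ] && [ "$state" != "active" ]; then
        echo "MISMATCH: $conf names 'resolve' but systemd-resolved is $state"
        return 1
    fi
    echo "OK: heuristic picks '$guess', systemd-resolved is $state"
    return 0
}

# Run against the live system (needs systemd); "|| true" keeps the state text
# because systemctl exits non-zero when the unit is inactive.
diagnose_live_system() {
    diagnose_resolver_mismatch /etc/nsswitch.conf \
        "$(systemctl is-active systemd-resolved 2>/dev/null || true)"
}

# Self-contained run on a constructed nsswitch.conf (not a real system file): the
# hosts line names "resolve" while systemd-resolved is reported inactive. Returns 1.
demo_constructed_case() {
    tmp=$(mktemp)
    printf 'hosts: files mymachines resolve [!UNAVAIL=return] dns\n' > "$tmp"
    if diagnose_resolver_mismatch "$tmp" inactive; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```

Call diagnose_live_system on the affected machine to see which side the heuristic lands on; a MISMATCH verdict is the situation the comment-out workaround in the post addresses.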
