
Since my college is using this horrible Cisco AnyConnect VPN, I am trying to find my way around their client software and discovered openconnect. So far it works great and thanks to a different question here on StackExchange, I managed to make it stop routing all my traffic through the VPN by default and instead only send college-related traffic through the VPN.

However, openconnect still sends all my DNS queries to the college's nameserver, as I can read in /etc/resolv.conf. Now, because I'd rather use my own DNS resolver, I want to stop openconnect from changing the DNS settings. I can set the INTERNAL_IP4_DNS variable, which I could dynamically set through the wrapper script I created for the routing, but that doesn't completely solve my problem, since it still modifies the file and adds the search domain from my college.

Is there a way to stop openconnect from doing that without manipulating the vpnc-script?

comfreak
  • Probably telling `dhclient` to not modify resolv.conf, or setting chattr immutable flag for resolv.conf – Rui F Ribeiro Jul 05 '17 at 11:59
  • @RuiFRibeiro I don't want to stop all changes to this file, as it might be necessary when I physically connect to a different network. I only want to stop `openconnect` from making those changes. – comfreak Jul 05 '17 at 12:02
  • Create a script to connect, do the changes, redo them on exit. A possible approach. Clunky, I agree... – Rui F Ribeiro Jul 05 '17 at 12:05
  • @RuiFRibeiro That's basically what the vpnc-script does. I guess I could make my own version of it and remove the part where it changes the DNS settings or add a section where it undoes it after connecting. I just thought that there is a more elegant solution, since I don't think this is a rare use-case. – comfreak Jul 05 '17 at 12:07
  • There is always the chance of intercepting DNS requests by iptables and sending them to another place. More complicated, and once again you have got to have a wrapper script. – Rui F Ribeiro Jul 05 '17 at 12:10
  • @RuiFRibeiro Thanks, that's another workaround I could try for now. I do already have a wrapper script for routing. – comfreak Jul 05 '17 at 12:13

1 Answer


Posting as an answer rather than a comment to give it some visibility. I am not sure whether there is a better way of just citing another site's answer. But https://serverfault.com/a/900825 is an answer to nearly the same question that actually works.

openconnect calls the script /usr/share/vpnc-scripts/vpnc-script to change network settings (see /usr/share/doc/openconnect/html/vpnc-script.html). But you can change the script called with the -s option. If you pass in a script like

    #!/bin/bash
    export INTERNAL_IP4_DNS=
    . /usr/share/vpnc-scripts/vpnc-script

the function to change resolv.conf in the original script is simply not called.

Given the script above is called noresolvconf, you would call openconnect like

    sudo openconnect -s path/to/noresolvconf ...

Don't forget to make the script executable with

    chmod +x path/to/noresolvconf

Harald
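The answer's three-line wrapper only blanks INTERNAL_IP4_DNS. The following is an added example, not the answer's script and not part of the vpnc-scripts project: a fuller wrapper that clears every DNS-related variable the server pushes (which also covers the search domain the question complains about), logs what it ignored so the decision is auditable, hands over to the distribution's script, and then checks that /etc/resolv.conf really was left alone. The script name `vpnc-script-keepdns`, the `REAL_VPNC_SCRIPT` override, the `vpn.example.edu` address and the variable names other than INTERNAL_IP4_DNS (`INTERNAL_IP6_DNS`, `CISCO_DEF_DOMAIN`, `CISCO_SPLIT_DNS`, taken from the vpnc-script environment as I know it; verify against your copy) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original answer's script, not part of vpnc-scripts):
# a wrapper vpnc-script that drops every DNS-related variable openconnect
# pushes before handing over to the real script, logs what was dropped, and
# verifies afterwards that /etc/resolv.conf was not touched.
#
# Usage:  sudo openconnect -s /path/to/vpnc-script-keepdns https://vpn.example.edu
# (the VPN address is a placeholder).

# Path of the distribution's vpnc-script; override via the environment if yours differs.
REAL_VPNC_SCRIPT="${REAL_VPNC_SCRIPT:-/usr/share/vpnc-scripts/vpnc-script}"

# Variables openconnect exports for the DNS configuration pushed by the server.
# INTERNAL_IP4_DNS is the one used in the answer; the other three are assumed
# from the vpnc-script environment and cover IPv6 resolvers, the default
# search domain and split-DNS domains.
DNS_VARS="INTERNAL_IP4_DNS INTERNAL_IP6_DNS CISCO_DEF_DOMAIN CISCO_SPLIT_DNS"

# Print the names of the DNS variables the server actually set, one per line.
pushed_dns_vars() {
    for v in $DNS_VARS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] && printf '%s\n' "$v"
    done
    return 0
}

# True when the real script would have something to write into resolv.conf.
would_touch_resolvconf() {
    [ -n "$(pushed_dns_vars)" ]
}

# Remove the DNS variables from the environment. With nothing to apply, the
# real script leaves the resolver configuration alone; the answer's one-liner
# does the same for INTERNAL_IP4_DNS only.
strip_dns_vars() {
    for v in $DNS_VARS; do
        unset "$v"
    done
}

# Log the ignored settings, hand over to the real script, then make sure the
# resolver file is unchanged (a cheap leak check after every phase).
main() {
    for v in $(pushed_dns_vars); do
        eval "val=\${$v}"
        printf 'vpnc-script-keepdns (%s): ignoring pushed %s=%s\n' "$reason" "$v" "$val" >&2
    done
    before=$(cksum < /etc/resolv.conf 2>/dev/null)
    strip_dns_vars
    "$REAL_VPNC_SCRIPT"
    rc=$?
    after=$(cksum < /etc/resolv.conf 2>/dev/null)
    if [ "$before" != "$after" ]; then
        printf 'vpnc-script-keepdns (%s): warning, /etc/resolv.conf was modified anyway\n' "$reason" >&2
    fi
    return "$rc"
}

# openconnect always sets $reason (pre-init, connect, disconnect, ...); only
# dispatch when it is present, so the functions above can be sourced on their own.
if [ -n "${reason:-}" ]; then
    main
    exit $?
fi
```

Because the wrapper runs the real script as a child instead of sourcing it, the resolver check executes for each phase openconnect invokes it with, so a distribution script that edits resolv.conf on disconnect as well as on connect is caught too. The warning goes to stderr, where openconnect prints it alongside its own messages.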