7

As stated in a previous question I want to connect to 2 VPN servers at the same time and for each connection specify the IPs of computers I want to reach with it. One of this VPN connection is done with vpnc and a default.conf file, and the other one is done with a Cisco client (I am not able, for now at least to connect with vpnc because I don't have the IPSecrete element required to connect).

I am ok with the connection done through vpnc: I am able to connect configure the targeted IPs to use the created interface as following:

#!/bin/sh

#Get default gateway
DEFGW=`ip route list | grep default | awk -F' ' '{print $3 }'`
DEVICE=`ip route list | grep default | awk -F' ' '{print $5 }'`

echo "Default Gatway is: $DEFGW on device $DEVICE"

echo "Starting vpnc"
sudo vpnc

echo "Adding routes to known computers through VPN network interface"
sudo route add -net 132.181.11.0  netmask 255.255.255.0 dev tun0

echo "Adding all other routes through standard network interface"
sudo route del default
sudo route add default gw $DEFGW dev $DEVICE

Now, before running the two connections simultaneously, I am trying to do the same with the Cisco client but I am facing on problem with resolv.conf. This file is modified by the VPN client with a domain value and to DNS servers values. Running the following script result in DNS resolutions errors (reported by chrome)

#!/bin/sh

#Get default gateway
DEFGW=`ip route list | grep default | awk -F' ' '{print $3 }'`
DEVICE=`ip route list | grep default | awk -F' ' '{print $5 }'`

echo "Default Gatway is: $DEFGW on device $DEVICE"

echo "Starting cisco"
sudo /opt/cisco/vpn/bin/vpn connect 134.214.244.203

echo "Adding routes to computers through VPN network interface"
sudo route add -net 132.212.146.156  netmask 255.255.255.255 dev cscotun0

echo "Adding all other routes through standard network interface"
sudo route del default
sudo route add default gw $DEFGW dev $DEVICE

Any help and comments on this, and solve the issue are welcome.

Thanks

Community
  • 1
Manuel Selva
  • 3,454
  • 7
  • 20
  • 17

2 Answers2

6

/etc/resolv.conf defines how the computer resolves host names (e.g. which, if any, default domain names are searched when you try to resolve a non-FQDN hostname....lookup for a bare www becomes www.yourdomain.example.com), and which name servers are used to do the lookup.

One of the reasons, and the most likely, that VPN clients might modify /etc/resolv.conf is to make the VPN client computer use a particular nameserver for hostname resolution - e.g. if the VPN router runs a caching name-server.

There is nothing stopping you from changing /etc/resolv.conf back to what you want it to be, and the VPN client software may even provide you with some automated method of doing that (otherwise just cp a backup copy of resolv.conf back into place)....but you may have difficulty resolving some names (e.g. some domains are set up with public and private views - outsiders see only "public" names, while insiders - including VPN clients - see all the internal, private names as well).

One way to solve this would be to cp not a backup copy of the original resolv.conf, but a modified copy with both your preferred name-servers and search domains as well as what the VPN client software wants.

cas
  • 1
  • 7
  • 119
  • 185
  • But if I keep the new domain value, all my non-FQDN requests will be appended with this domain value, meaning that it must go through the VPN router DNS. Isn't it ? An dI don't want that. – Manuel Selva Sep 07 '12 at 06:50
  • The `search` and `domain` entries in /etc/resolv.conf are independent of the `nameserver` entry/entries. They specify which domains to search for bare hostnames, while the nameserver entries specify which server(s) to query. – cas Sep 07 '12 at 14:15
2

/etc/resolv.conf lists the name servers that your computer uses to look up DNS names. To send packets to a computer, you need to know its IP address, but IP addresses are (more or less) tied to a particular Internet service provider and location, and can change, so they aren't normally used to designate computers. Instead, DNS names are used.

Usually whoever provides your Internet access (e.g. your ISP) provides name servers to use. The name servers themselves have to be accessed via their IP address, of course. Usually, when you connect with DHCP or PPP, your computer receives DNS server addresses, and the software updates /etc/resolv.conf automatically to add your provider's DNS servers' addresses, and remove them when you disconnect.

In simple cases, you only need a single DNS server listed in /etc/resolv.conf. That server will interrogate other servers as needed if it doesn't have the answer to a query. Often, when you connect through a provider or inside a large organization, you'll see two addresses: a primary server and a fallback server in case the primary server goes offline.

With Debian-based distributions, ensure you have the resolvconf package installed (it's now installed by default under Ubuntu), as it takes care of managing /etc/resolv.conf. It usually gets things right automatically, and if it doesn't it's easy to tweak.

If, with your two VPNs, you can use a single nameserver, arrange for some working nameserver to end up in /etc/resolv.conf. Preferably, configure the VPN client you don't want DNS from not to overwrite /etc/resolv.conf (any good VPN client should have this as an option in its configuration file or in a companion script).

If you need multiple nameservers, for example because each VPN gives you access to a different internal network, you'll need to connect to a single nameserver that dispatches the requests. I recommend dnsmasq, which is lightweight, easy to configure, and powerful enough for most single-machine and small-network setups. If you run your own nameserver, /etc/resolv.conf must contain nameserver 127.0.0.1 and no other nameserver directive, so ensure that none of your VPN clients override that.

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
  • Thanks for this detailed answer. I am still getting a question with resolve.conf that is always empty on my Ubuntu when I am connected directly to my "Box" provided by my ISP. Where is it configured, and who is translating addresses, my computer or my Box ? – Manuel Selva Sep 07 '12 at 06:55
  • @ManuelSelva Typically the box connects to the ISP over PPP and receives DNS servers when it initiates the PPP connection; your computer connects to the box and receives an address as well as DNS servers over DHCP. This normally works out of the box (it's all taken care of by scripts under `/etc/network` and `/etc/resolvconf`). With a default setup, your computer would directly connect to the ISP for translation (i.e. you'd have ISP addresses in your computer's `/etc/resolv.conf`, though perhaps some boxes include a DNS server (then your computer would have the box's address as `nameserver`). – Gilles 'SO- stop being evil' Sep 07 '12 at 09:19
  • Ok thanks again. Strangely, me resolv.conf is always empty when I am not using VPN clients. how can I explain that ? – Manuel Selva Sep 07 '12 at 11:10
  • @ManuelSelva If you have no nameserver declared, it's equivalent to having `127.0.0.1` (i.e. localhost). So you're presumably running a local nameserver. If you don't know which, find out with `lsof -i udp:53`. You'll have to configure that nameserver. – Gilles 'SO- stop being evil' Sep 07 '12 at 11:17
  • I don't have any open udp connection ('lsof -i' udp) result is empty:-( – Manuel Selva Sep 07 '12 at 11:48
  • @ManuelSelva NetworkManager can change the resolv.conf when interface (e.g. VPN) up or down if configure so. – Ding-Yi Chen Feb 05 '22 at 06:40