openconnect connects but does not use the correct DNS

sudo openconnect --protocol=nc [corporate vpn url]
GET [corporate vpn url]
Connected to [corporate vpn ip]:443
SSL negotiation with [corporate vpn url]
Connected to HTTPS on [corporate vpn url]
Got HTTP response: HTTP/1.1 302 Found
GET [corporate vpn url]/auth/url_13/welcome.cgi
SSL negotiation with [corporate vpn url]
Connected to HTTPS on [corporate vpn url]
frmLogin
username: [a username]
password: [a password]
POST [corporate vpn url]/auth/url_13/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
GET [corporate vpn url]/home/starter0.cgi?check=yes
Connected as [new ip address], using SSL, with ESP in progress
ESP session established with server

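This seems fine, in the sense that TorGuard shows a different IP address and country before and after the openconnect connection.

However, I can't seem to access the company websites; when I try with Chrome, it shows: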

Server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN

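As if it were not picking up DNS or something like that.

This is strange, because when I do this from a live CD, i.e. without any previous connection to any network, it works fine...

I am puzzled about how the DNS is being obtained.


[Edit]

I am now using a Linux Mint live session to see which DNS is in use or whether there are any special settings:

For the wireless connection: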

mint@mint:~$ nmcli device show wlp1s0
GENERAL.DEVICE:                         wlp1s0
GENERAL.TYPE:                           wifi
GENERAL.HWADDR:                         E0:94:67:32:46:AF
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     [our wireless hotspot at home]
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]:                         192.168.1.104/24
IP4.GATEWAY:                            192.168.1.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 192.168.1.1, mt = 600
IP4.ROUTE[2]:                           dst = [what an ip address?!], nh = 0.0.0.0, mt = 600
IP4.ROUTE[3]:                           dst = [yet another one!], nh = 0.0.0.0, mt = 1000
IP4.ROUTE[4]:                           dst = [an address, geez], nh = 192.168.1.1, mt = 0
IP4.DNS[1]:                             192.168.1.1
IP4.DOMAIN[1]:                          home
IP6.ADDRESS[1]:                         [ipv 6 craziness]
IP6.ADDRESS[2]:                         [woooa]
IP6.ADDRESS[3]:                         [asdasdad]
IP6.GATEWAY:                            [&*^$]
IP6.ROUTE[1]:                           dst = [incredible]::/64, nh = ::, mt = 600
IP6.ROUTE[2]:                           dst = ::/0, nh = [beyond understanding], mt = 600
IP6.ROUTE[3]:                           dst = ff00::/8, nh = ::, mt = 256, table=255
IP6.ROUTE[4]:                           dst = fe80::/64, nh = ::, mt = 256
IP6.ROUTE[5]:                           dst = fe80::/64, nh = ::, mt = 600
IP6.DNS[1]:                             [fantastic!]

The interface created by the VPN looks like this:

mint@mint:~$ nmcli device show tun0
GENERAL.DEVICE:                         tun0
GENERAL.TYPE:                           tun
GENERAL.HWADDR:                         (unknown)
GENERAL.MTU:                            1400
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     tun0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/2
IP4.ADDRESS[1]:                         [magic ip]
IP4.GATEWAY:                            0.0.0.0 
IP4.ROUTE[1]:                           dst = [magic ip], nh = 0.0.0.0, mt = 0
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 0.0.0.0, mt = 0
IP6.ADDRESS[1]:                         [magic ip again]
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = ff00::/8, nh = ::, mt = 256, table=255
IP6.ROUTE[2]:                           dst = fe80::/64, nh = ::, mt = 256

Interestingly, /etc/resolv.conf seems to have changed when I connect to the VPN:

#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

options edns0
nameserver [some address 1]
nameserver [some address 2]
search home [loads of corporate related names]

...and when I disconnect from the VPN:

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
search home

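Answer 1

I found something in an answer on the Manjaro forum: Weird DNS issue on VPN

So basically what I did:

  • sudo systemctl stop systemd-resolved
  • sudo systemctl disable systemd-resolved
  • Remove the symlink between /etc/resolv.conf and /run/systemd/resolve/resolv.conf
  • Comment out the hosts: ... line in /etc/nsswitch.conf
  • Reboot

To be honest, I still have a bit of trouble understanding why it works.

As for the possible reason this works, the author hypothesizes the following:

My understanding is that commenting out the line with hosts in /etc/nsswitch.conf allows sudo openconnect to not use systemd-resolved. In fact, openconnect relies on /etc/vpnc/vpnc-script to detect which kind of DNS resolver is in use, and if it finds a line containing the word "resolve" in /etc/nsswitch.conf, it assumes systemd-resolved is in use, even if it is disabled.

That is why I got errors when using sudo openconnect with systemd-resolved disabled. It is also why I later enabled this service. However, this seemed to cause some errors, and even though the symlink technique did work, I still had some DNS leak issues. Well, simply commenting out this line in /etc/nsswitch.conf is what was recommended in the link above, and it does work. Now, although systemd-resolved is disabled (apparently the default in Manjaro), sudo openconnect no longer complains about it and works properly.

I don't know whether vpnc-script is at fault here: it should not detect that the DNS resolver in use is systemd-resolved based on a line in nsswitch.conf. In my opinion, it should check whether systemd-resolved is enabled.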
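
The mismatch this answer describes (a hosts: line that mentions "resolve" while systemd-resolved is not running) can be checked before connecting. The following is an added example, not part of the answer and not vpnc-script's own code; the function names and verdict strings are hypothetical, and the "resolve" test is modelled on the answer's description.

```shell
#!/bin/sh
# Added diagnostic sketch. It models the detection described in the answer:
# "resolve" on the hosts: line of nsswitch.conf is taken to mean that
# systemd-resolved is in use. Function names are hypothetical.

# Succeeds if an uncommented "hosts:" line in file $1 mentions "resolve".
hosts_mentions_resolve() {
    grep -E '^[[:space:]]*hosts:' "$1" 2>/dev/null | grep -q 'resolve'
}

# Succeeds if file $1 carries the @VPNC_GENERATED@ marker shown in the
# question's resolv.conf, i.e. the file was rewritten directly.
vpnc_rewrote_resolv_conf() {
    grep -q '@VPNC_GENERATED@' "$1" 2>/dev/null
}

# Prints one verdict word.
#   $1 = nsswitch.conf path
#   $2 = resolv.conf path
#   $3 = service state, e.g. output of: systemctl is-active systemd-resolved
diagnose_resolver() {
    if hosts_mentions_resolve "$1"; then
        if [ "$3" = "active" ]; then
            echo "resolved-in-use"
        else
            # nsswitch.conf points at a resolver that is not running:
            # the situation the answer blames for the DNS errors.
            echo "mismatch-resolved-inactive"
        fi
    elif vpnc_rewrote_resolv_conf "$2"; then
        echo "vpnc-owns-resolv-conf"
    else
        echo "plain-resolv-conf"
    fi
}

# Inspect the live system only when called with the argument "live".
if [ "${1:-}" = "live" ]; then
    state=$(systemctl is-active systemd-resolved 2>/dev/null)
    diagnose_resolver /etc/nsswitch.conf /etc/resolv.conf "$state"
fi
```

Run it with the argument live to inspect the current system; a verdict of mismatch-resolved-inactive corresponds to the state the answer resolved by commenting out the hosts: line.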

Answer 2

I ran into this issue. Mine was due to a known bug. This workaround worked for me:

Add this to /etc/network/if-up.d/globalprotect

#!/bin/sh
# Hacky workaround bug in NM not setting the default routes.
if [ "$IFACE" = "vpn0" ]; then
  ip route replace default via 0.0.0.0 dev vpn0
fi

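Answer 3

Since https://askubuntu.com/a/1169474/620001 made Firefox very slow to start and to open links, I don't know why, thank God I was able to solve this in a different way.

I removed the symlink between /etc/resolv.conf and /run/systemd/resolve/resolv.conf

I added my own DNS configuration to /etc/resolv.conf. In this case, I chose: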

nameserver 208.67.222.222
nameserver 208.67.220.220
search .

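I added another file with the VPN configuration, named /etc/resolv.conf.vpn. Then I implemented a script that copies this file to /etc/resolv.conf when the network comes up; the script also removes these lines when the network goes down.

The /etc/resolv.conf.vpn file looks like the following; the first lines are what I got in /etc/resolv.conf after connecting Cisco AnyConnect, since Cisco changes /etc/resolv.conf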

domain x.com # My VPN domain
nameserver x.x.x.x # My VPN DNS
nameserver 208.67.222.222
nameserver 208.67.220.220
search .

My script /etc/NetworkManager/dispatcher.d/90restart-resolved.sh looks like this:

#!/bin/bash
 
IF=$1
STATUS=$2
 
if [ "$IF" == "vpn0" ] && [ "$STATUS" == "up" ]
then
        echo "copying vpn dns file..."
        cp /etc/resolv.conf.vpn /etc/resolv.conf
        echo "restarting systemd resolved..."
        systemctl restart systemd-resolved.service
fi

if [ "$IF" == "vpn0" ] && [ "$STATUS" == "down" ]
then
        echo "removing vpn dns lines..."
        sed -i '/domain x.com/d' /etc/resolv.conf
        sed -i '/nameserver x.x.x.x/d' /etc/resolv.conf
        echo "restarting systemd resolved..."
        systemctl restart systemd-resolved.service
fi

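PS. After removing the symlink, my internet also works after disconnecting Cisco AnyConnect. Before that, my internet stopped working because DNS did not return to normal, and it only worked after restarting systemd-resolved

Answer 4

Try flushing the DNS.

  • Press Ctrl+Alt+T to open a terminal
  • Type the following command, then press Enter: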

    sudo /etc/init.d/dns-clean restart
    
  • Now, type

    sudo /etc/init.d/networking force-reload 
    
  • Press Enter
