jody l33t
Joined: 16 Oct 2007 Posts: 676 Location: Switzerland
Posted: Sun Jun 03, 2012 12:20 pm Post subject: vpnc and resolv.conf: warmed up
Hi
Whenever vpnc (0.5.3) is started, it overwrites resolv.conf.
Is there a way to block this behaviour?
This issue has been posted before, but what was said there didn't help me.
https://forums.gentoo.org/viewtopic-t-580008-start-0.html
When vpnc overwrites resolv.conf it writes the following comment:
Code:
    #@VPNC_GENERATED@ -- this file is generated by vpnc
    # and will be overwritten by vpnc
    # as long as the above mark is intact
But I don't understand this - my original resolv.conf does not contain any mark whatsoever and is still being overwritten.
I tried to 'protect' /etc/resolv.conf by setting its permissions to 444, to no avail - resolv.conf is overwritten by vpnc all the same.
I tried creating a new group (vpncop), adding my normal user to this group, and setting group ownership of /etc/init.d/vpnc to 'vpncop' and permissions to 775 (with vpncop having no permission to write resolv.conf).
Code:
    raven jody # ls -l /etc/resolv.conf
    -r--r--r-- 1 root root 69 Jun 3 14:16 /etc/resolv.conf
    raven jody # ls -l /etc/init.d/vpnc
    -rwxrwxr-x 1 root vpncop 2323 Jun 2 14:32 /etc/init.d/vpnc
    raven jody # groups jody
    wheel audio video postgres vpncop jody
But when I start vpnc by hand, it doesn't work:
Code:
    jody@raven ~ $ /etc/init.d/vpnc start
     * vpnc: superuser access required
I know that vpnc saves the original resolv.conf and tries to restore it when stopped.
But for certain reasons I would like to keep my original DNS servers even while being connected under vpnc.
Does anybody know a way of preventing resolv.conf from being changed by vpnc? Some configuration option of vpnc or net.eth0?
Thank You
Jody
Mad Merlin Veteran
Joined: 09 May 2005 Posts: 1155
Posted: Mon Jun 04, 2012 5:56 am Post subject:
You can fix it the dirty way by setting the file immutable:
Code:
    chattr +i /etc/resolv.conf
Not even root will be able to remove the file until you chattr -i it.
virtguru Tux's lil' helper
Joined: 14 Aug 2010 Posts: 148 Location: The Greatest Country in the World
Posted: Mon Jun 04, 2012 7:22 am Post subject:
While you can "chattr -i", setting up dnsmasq and changing the routing tables is your best bet. This is also very beneficial if you don't want certain traffic going over the VPN that isn't intended to do so.
jody l33t
Joined: 16 Oct 2007 Posts: 676 Location: Switzerland
Posted: Mon Jun 04, 2012 10:03 pm Post subject:
@MadMerlin
As a workaround "chattr +i" works, even though there is a "Permission denied" message...
@tr0ll
As far as I can tell from a first glance, dnsmasq is a local DNS server (I will have to read into that subject).
How can having my own DNS help me against vpnc's meddling? And what do you mean by 'changing routing tables'?
Thank You
Jody
virtguru Tux's lil' helper
Joined: 14 Aug 2010 Posts: 148 Location: The Greatest Country in the World
Posted: Tue Jun 05, 2012 7:43 am Post subject:
Jody, the vpnc wiki pretty much sums it up:
Quote:
    if you want to be able to leave your tunnel connected for lengthy periods of time and don't want your work DNS servers handling requests for your personal traffic, read on.
    The ideal setup would allow you to separate your DNS queries into two categories: VPN-related and other. Under this setup, all VPN-related DNS queries would be answered by DNS servers located at the other end of your VPN tunnel and all other queries would continue to be answered by local or ISP supplied DNS servers.
This is where you have to change the routing tables to direct the traffic between your eth devices. Traffic intended for the tunnel goes to route X and all other traffic goes to route Y. If you don't mind sending all traffic over the tunnel, then this configuration isn't needed.
jody l33t
Joined: 16 Oct 2007 Posts: 676 Location: Switzerland
Posted: Thu Jun 07, 2012 9:18 pm Post subject:
Hi tr0ll
I have started to follow the instructions given in the vpnc wiki,
made a configuration for dnsmasq, put 127.0.0.1 in the first place of my original resolv.conf,
and typed some routing table entries.
How can I find out whether the routing entries are being used?
Is there some tool with which I can see which way a ping (or any other internet connection) goes?
Furthermore, vpnc still overwrites resolv.conf.
When I normally shut down vpnc, this is not a problem,
because then resolv.conf is restored to its previous version.
But when I turn off my computer and have forgotten to properly
shut down vpnc, I have a problem at the next start because of the bad resolv.conf.
What I don't understand yet is where I can specify the routing table entries
when I want to start vpnc during boot; the wiki is very unclear there.
Can you help me here?
Thank You
Jody
tuber Apprentice
Joined: 12 Nov 2004 Posts: 267
Posted: Fri Jun 08, 2012 6:20 am Post subject:
Can you set the variable INTERNAL_IP4_DNS in /etc/vpnc/vpnc-script to be your DNS?
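Putting tuber's INTERNAL_IP4_DNS hint together with the split-DNS and routing setup virtguru quotes from the wiki, here is an added example (not code from this thread or from the vpnc project) of a vpnc-script post-connect hook that hands the VPN resolvers to dnsmasq for the VPN domain only and routes just the VPN's internal network through the tunnel, so /etc/resolv.conf is never the place that has to change. It assumes vpnc-script sources /etc/vpnc/post-connect.d/* with the variables named in the comments, that dnsmasq reads /etc/dnsmasq.d, and that /etc/dnsmasq.d/vpn.conf and the domain corp.example are constructed names.

```shell
#!/bin/sh
# Added example, not from this thread or the vpnc project.
# Assumptions: vpnc-script sources the files in /etc/vpnc/post-connect.d
# with reason=connect and exports INTERNAL_IP4_DNS (space-separated
# resolvers), CISCO_DEF_DOMAIN, INTERNAL_IP4_NETADDR, INTERNAL_IP4_NETMASKLEN
# and TUNDEV; /etc/dnsmasq.d/vpn.conf is a constructed path.

# Emit one dnsmasq "server=/domain/ip" line per VPN resolver, so that only
# queries for the VPN's domain are forwarded to the work DNS servers and
# every other query keeps using the resolvers already in /etc/resolv.conf.
split_dns_lines() {
    domain=$1
    shift
    for ns in "$@"; do
        printf 'server=/%s/%s\n' "$domain" "$ns"
    done
}

# Compose the route that sends only the VPN's internal network through the
# tunnel device, leaving the default route (and all other traffic) alone.
vpn_route_cmd() {
    printf 'ip route add %s/%s dev %s\n' "$1" "$2" "$3"
}

# Return 0 when a resolv.conf-style file carries vpnc's mark, i.e. vpnc has
# overwritten it and a clean "vpnc stop" would put the original back.
# Useful as a boot-time check after an unclean shutdown.
has_vpnc_mark() {
    grep -q '^#@VPNC_GENERATED@' "$1"
}

# Hook body: runs only when vpnc-script sources this file after connecting,
# so sourcing or testing it on its own changes nothing on the system.
if [ "${reason:-}" = "connect" ]; then
    split_dns_lines "${CISCO_DEF_DOMAIN:-vpn.invalid}" $INTERNAL_IP4_DNS \
        > /etc/dnsmasq.d/vpn.conf
    eval "$(vpn_route_cmd "$INTERNAL_IP4_NETADDR" \
                          "$INTERNAL_IP4_NETMASKLEN" "$TUNDEV")"
    # dnsmasq only reads /etc/dnsmasq.d at startup; assumes an OpenRC service.
    /etc/init.d/dnsmasq restart
fi
```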