Split-DNS not working in vpnc-scripts after renaming systemd-resolve to resolvectrl

Bug #1990141 reported by Michael Fuchs
This bug affects 2 people
Affects: vpnc-scripts (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Setting up a VPN with openconnect and split DNS is not working correctly after the dist-upgrade from 21.10 to 22.04. The vpnc-script still refers to "systemd-resolve" to check for systemd-resolved and fails due to the name change to "resolvectl". Thus the DNS servers are written into resolv.conf, which breaks the split DNS functionality.

As a quick workaround it was sufficient to create a symlink:
  sudo ln /usr/bin/resolvectl /usr/bin/systemd-resolve

As a fix I would suggest updating the vpnc-script to use "resolvectl".

Source: /usr/share/vpnc-scripts/vpnc-script line 143:

# Detect systemd-resolved: the hosts line of nsswitch.conf must list the
# "resolve" NSS module, and the (since renamed) systemd-resolve tool must
# answer --status. If the tool is missing, the check fails and
# RESOLVEDENABLED stays 0 even though resolved is in use.
grep '^hosts' /etc/nsswitch.conf 2>/dev/null | grep resolve >/dev/null 2>&1 && command systemd-resolve --status >/dev/null 2>&1
if [ $? = 0 ]; then
  RESOLVEDENABLED=1
else
  RESOLVEDENABLED=0
fi

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ubiquity (not installed)
ProcVersionSignature: Ubuntu 5.15.0-47.51-generic 5.15.46
Uname: Linux 5.15.0-47-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Mon Sep 19 14:35:43 2022
InstallCmdLine: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/kubuntu.seed boot=casper maybe-ubiquity quiet splash ---
InstallationDate: Installed on 2019-01-12 (1345 days ago)
InstallationMedia: Kubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.2)
ProcEnviron:
 LANGUAGE=
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: ubiquity
Symptom: installation
UpgradeStatus: Upgraded to jammy on 2021-12-03 (290 days ago)

Heinrich Schuchardt (xypron) wrote :

Hello Michael,

thank you for reporting the issue. According to your description the problem is with package vpnc-scripts and not ubiquity.

Could you please describe how to set up and test a split DNS scenario?

Best regards

Heinrich

Changed in ubiquity (Ubuntu):
status: New → Incomplete
Michael Fuchs (michael-fuchs) wrote :

Hi Heinrich!

I changed the package to vpnc-scripts. Sorry for the wrong setting - I tried to enter this manually but I think there was some error message from launchpad then. I hope it's fine now.

About the Split-DNS: I use openconnect to access a PAN-Global-Protect VPN with some self-written CLI scripts.

The call to openconnect in the main script:

$user is set to the VPN-User
$cert is set to the certificate string.
$gw is set to the vpn gateway.
$bindir/my-vpnc-script is my own vpnc-script setting up ENV-variables and forwarding to the standard vpnc-script, see below.

sudo openconnect \
    --user=$user \
    --protocol=gp \
    --csd-wrapper /usr/libexec/openconnect/hipreport.sh \
    -s $bindir/my-vpnc-script \
    --servercert $cert \
    $gw \
    --usergroup gateway \
    -v 2> >(while read line; do echo -e "\e[01;31m$line\e[0m" >&1; done) | ts "%F %T" | tee $LOGFILE

my-vpnc-script:

# Helper function to set up the variables for split routing.
# Each call adds one network as CISCO_SPLIT_INC_<n>_{ADDR,MASK,MASKLEN}
# and bumps the CISCO_SPLIT_INC counter that vpnc-script iterates over.
add_net ()
{
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=$2
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=$3
    export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}

# Initialize empty split tunnel list
export CISCO_SPLIT_INC=0

# Split-DNS domain: Requests to that domain should go to the VPN-provided nameservers.
# Exported so the forwarded vpnc-script (a separate process) can see it.
export CISCO_SPLIT_DNS=customer.local

# List of IPs beyond VPN tunnel - those two networks should be routed to the VPN.
add_net 10.100.0.0 255.255.0.0 16
add_net 10.200.0.0 255.255.0.0 16

# Forward to the vpnc-script to set up the routes and DNS.
/usr/share/vpnc-scripts/vpnc-script "$@"

As described, the DNS setup fails in the standard vpnc-script. It tries to figure out if systemd-resolved is used in the system (yes on Ubuntu), but fails to detect it because the call to "command systemd-resolve --status" fails, because "systemd-resolve" is not a valid command since 22.04 - it has obviously been renamed (or changed) to "resolvectl". Thus creating a symlink from systemd-resolve to resolvectl fixed it for me.

I have used those scripts for years already, and the problems seemed to start after the dist-upgrade from 21.10 to 22.04. Although I can't tell for sure whether the bug has been present for longer, since the VPN nameservers usually work as well and seem to fail just for some special domains, and I may just not have realized the invalid split-DNS setup.

affects: ubiquity (Ubuntu) → vpnc-scripts (Ubuntu)
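The following is an added example, not code from the vpnc-scripts project or from the reporter's scripts. It restates the RESOLVEDENABLED check from the bug description so that it accepts either tool name (resolvectl first, the old systemd-resolve as a fallback), and adds a dry run of the DNS step that shows the consequence of each outcome for the split-DNS domain from the comment above: with resolved detected, the VPN nameserver and the "~domain" routing entry are bound to the tunnel link only; without it, the nameserver would be written to /etc/resolv.conf and answer every lookup on the host. The function names are hypothetical, the RESOLVED_TOOLS override exists only so the check can be tested against stand-ins, and the resolvectl invocations printed by the dry run are illustrative rather than the project's own.

```shell
#!/bin/sh
# Added example; not code from vpnc-scripts or from the reporter's scripts.
# Function names are hypothetical; the resolvectl command lines printed by
# the dry run are illustrative, not the project's.

# Control tools to try, newest name first. Kept overridable so the check can
# be exercised against constructed stand-ins.
RESOLVED_TOOLS=${RESOLVED_TOOLS:-"resolvectl systemd-resolve"}

# Print the first tool from RESOLVED_TOOLS that is on PATH and answers
# --status with exit 0; return 1 when none does.
find_resolved_tool() {
    for tool in $RESOLVED_TOOLS; do
        if command -v "$tool" >/dev/null 2>&1 &&
           "$tool" --status >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    return 1
}

# Return 0 when the "hosts:" line of the given nsswitch.conf lists the
# resolve NSS module, i.e. lookups go through systemd-resolved.
nsswitch_uses_resolve() {
    grep '^hosts' "$1" 2>/dev/null | grep -q resolve
}

# Print 1 when split DNS can be handed to systemd-resolved, 0 otherwise.
# Same decision as the RESOLVEDENABLED check in the report, but without a
# single hard-coded tool name. $1 is an nsswitch.conf path
# (default /etc/nsswitch.conf).
resolved_enabled() {
    nsswitch=${1:-/etc/nsswitch.conf}
    if nsswitch_uses_resolve "$nsswitch" && find_resolved_tool >/dev/null; then
        echo 1
    else
        echo 0
    fi
}

# Dry run of the DNS step: $1 = RESOLVEDENABLED, $2 = tunnel device,
# $3 = VPN nameserver, $4 = space-separated split-DNS domains.
# With resolved, the server and domains are bound to the tunnel link only;
# "~domain" marks a routing-only domain, so just names under it go to the
# VPN resolver. Without resolved the server lands in /etc/resolv.conf and
# answers every lookup on the host, which is the symptom in the report.
plan_dns_setup() {
    enabled=$1
    tundev=$2
    server=$3
    split=$4
    if [ "$enabled" = 1 ]; then
        tool=$(find_resolved_tool) || tool=resolvectl
        echo "$tool dns $tundev $server"
        domains=""
        for d in $split; do
            domains="$domains ~$d"
        done
        echo "$tool domain $tundev$domains"
    else
        echo "write 'nameserver $server' to /etc/resolv.conf (split DNS lost)"
    fi
}

# Report the decision for this host, then dry-run a constructed tunnel:
# tun0, VPN resolver 10.100.0.53 (constructed) and the report's split domain.
RESOLVEDENABLED=$(resolved_enabled)
echo "RESOLVEDENABLED=$RESOLVEDENABLED"
plan_dns_setup "$RESOLVEDENABLED" tun0 10.100.0.53 customer.local
```

Run it as-is on a 22.04 host to see which branch the real vpnc-script would have taken; pointing RESOLVED_TOOLS at a single name reproduces the failure mode from the report, where a missing tool name silently turns a resolved host into the resolv.conf path.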
Jon Åslund (jooon) wrote :

This was fixed upstream 2021-10-25.
https://gitlab.com/openconnect/vpnc-scripts/-/commit/8f289ea712d8ce4f3d57acabe0813225501d0118

This specific commit and some more changes were backported to the launchpad repository 2022-03-05 (before the 22.04 freeze?) as version 0.1~git20210402-2 but never released to any ubuntu version.
https://git.launchpad.net/ubuntu/+source/vpnc-scripts/commit/?id=c21dc7288981657b216c9c3e47d6edd475d567ff

Launchpad repo now tracks a new upstream version 0.1~git20220510-1 where the backport patch is not needed, but it is not available for 22.04 jammy. Only the upcoming 22.10 kinetic.

Jon Åslund (jooon) wrote :

Just wanted to add that I also have the same problem. I built and installed the backported version 0.1~git20210402-2 locally and it fixes the problem for me.

Changed in vpnc-scripts (Ubuntu):
status: Incomplete → Confirmed