Re: Forcing dhclient to not ignore tun0 interface when it's available

[davenull@tuxfamily.org]

Hello

On 2023-03-07 05:01, David Wright wrote:
> On Mon 06 Mar 2023 at 13:17:23 (+0100), davenull@tuxfamily.org wrote:
> > On 2023-03-03 06:22, Max Nikulin wrote:
> > > On 03/03/2023 10:08, Tim Woodall wrote:
> > > > New to this thread, so might be totally off-piste but openvpn
> > > > has hooks
> > > > to run scripts like this:
> > > ...
> > > > This is server side but the route-up/pre-down work client side too.
> >
> > Since it's workplace's VPN, which I don't have access to, I can't do
> > anything which requires server-side access.
> > Plus, it's a Cisco VPN. I don't anything aout cisco stuff. I'm more
> > familiar with openVPN
> >
> > > >
> > > > Presumably you can do something here to renew dhcp leases or restore
> > > > resolv.conf.
> > >
> > > Perhaps the opposite. dhclient running for enp2s0f0 should detect that
> > > VPN is active and to avoid overwriting DNS settings that direct
> > > requests to tun0.
> >
> > Yes, indeed. I want dhclient to NOT overwrite /etc/resolv.conf when
> > VPN is active. OR to use tun05 when it tries to renew the lease
> >
> > One person at work suggested to use resolvectl/resolvconf but after
> > looking at it, I noticed it requires using sytemd-resolved, which
> > I don't use.
>
>   Package: resolvconf
>   Depends: lsb-base (>= 4.1+Debian3), debconf (>= 0.5) | debconf-2.0
>
> AIUI systemd-resolved is a replacement for openresolv, and it's
> systemd-networkd that can work alongside openresolv.
>
> > As an alternative, there is openresolv, which seems work without
> > resolved. But I failed to find any document on how to useit with
> > openconnect.
>
> Yes, no dependencies.
>
> Openconnect will supply openresolv with the information it needs
> when the vpnc-script that we discussed earlier runs. It's at the
> function "modify_resolvconf_manager", around line 690.
>
> > The official website config page only gives parameters for some
> > well-known local resolvers, including unbound.
>
> It also covers Bind, named (a part of bind), and dnsmasq
> (mentioned in that script). All these are in Debian.

Yes. but I don't need any of these, or other local (at in localhost) 
resolver.
So that official page isn't helpful in my case.

> > If anyone has a good documention on how to configure openresolv
> > correctly to use it with openconnect.
>
> I see that the openresolv wiki at Arch has a section on openconnect.
> Obviously you may need to "bend" their pages when consulting them
> for Debian.

Will check that out. I just realized "resolvconf" command in the script 
given
in openconnect's Arch wiki page is not necessarily resolvclt and might 
as well
refer to openconnect. When I searched for keybould with both openresolv 
and openconnect,
all I've found was a (still open) 3 years issue on openconnect't gitlab.

I'll give it a try and see what's to adjust for debian, once workload 
allows that.

> > Thing is : years ago I used to use OpenVPN on debian on another
> > computer, the DHCP client was also dhclient
> > but I didn't to do any extra configuration, it just worked… The only
> > differences was an older debian version,
> > as the stable batk them was like Debian 7 or 8, and I was using wicd
> > instead. So the network stuff probably changed since then
> >
> > Therefore I have no damn idea on how to configure stuff like 
> > openresolv.
>
> Cheers,
> David.