Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
vpnc and resolv.conf: warmed up
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
jody
Guru
Guru


Joined: 16 Oct 2007
Posts: 584
Location: Switzerland

PostPosted: Sun Jun 03, 2012 12:20 pm    Post subject: vpnc and resolv.conf: warmed up Reply with quote

Hi

Whenever vpnc (0.5.3) is started, it overwrites resolv.conf.
Is there a way to block this behaviour?

This issue has been posted before, but what was said there didn't help me.
https://forums.gentoo.org/viewtopic-t-580008-start-0.html

When vpnc overwrites resolv.conf it writes the following comment:
Code:
 #@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact

But i don't understand this - my original resolv.conf does not contain any mark what soever and is still being overwritten.

I tried to 'protect' /etc/resolv.conf by setting its permissions to 444 : to no avail - resolv.conf is overwritten by vpnc all the same

I tried by creating a new group (vpncop), adding my normal user to this group, setting group ownership of of /etc/init.d/vpnc to 'vpncop' and permissions to 775. (with vpncop having no permission to write resolv.conf )
Code:
raven jody # ls -l /etc/resolv.conf 
-r--r--r-- 1 root root 69 Jun  3 14:16 /etc/resolv.conf
raven jody # ls -l /etc/init.d/vpnc
-rwxrwxr-x 1 root vpncop 2323 Jun  2 14:32 /etc/init.d/vpnc
raven jody # groups jody
wheel audio video postgres vpncop jody

But when i start vpnc by hand, it desn't work:
Code:
jody@raven ~ $ /etc/init.d/vpnc start
 * vpnc: superuser access required


I know that vpnc saves the original resolv.conf and tries to restore it when stopped.
But for certain reasons i would like to keep my original dns servers even while being connected under vpnc

Does anybody know a way of preventing resolv.conf from being changed by vpnc? Some configuration option of vpnc or net.eth0?

Thank You
Jody
Back to top
View user's profile Send private message
Mad Merlin
Veteran
Veteran


Joined: 09 May 2005
Posts: 1155

PostPosted: Mon Jun 04, 2012 5:56 am    Post subject: Reply with quote

You can fix it the dirty way by setting the file immutable:

Code:
chattr +i /etc/resolv.conf


Not even root will be able to remove the file until you chattr -i it.
_________________
Game! - Where the stick is mightier than the sword!
Back to top
View user's profile Send private message
virtguru
Tux's lil' helper
Tux's lil' helper


Joined: 14 Aug 2010
Posts: 148
Location: The Greatest Country in the World

PostPosted: Mon Jun 04, 2012 7:22 am    Post subject: Reply with quote

while you can "chattr -i" setting up dnsmasq and changing the routing tables is your best bet. This is also very beneficial if you don't want certain traffic going over the vpn that isn't intended to do so.
Back to top
View user's profile Send private message
jody
Guru
Guru


Joined: 16 Oct 2007
Posts: 584
Location: Switzerland

PostPosted: Mon Jun 04, 2012 10:03 pm    Post subject: Reply with quote

@MadMerlin
As a work around "chattr +i" works, even though there is "Permission denied" message...

@tr0ll
As far as i can tell from a first glance, dnsmasq is a local dns server (I will have to read into that subject).
How can having an own DNS help me against vpnc's meddling? And what do you mean by 'changing routing tables'?

Thank You
Jody
Back to top
View user's profile Send private message
virtguru
Tux's lil' helper
Tux's lil' helper


Joined: 14 Aug 2010
Posts: 148
Location: The Greatest Country in the World

PostPosted: Tue Jun 05, 2012 7:43 am    Post subject: Reply with quote

Jody the vpnc wiki pretty much sums it up,
Quote:
if you want to be able to leave your tunnel connected for lengthy periods of time and don't want your work DNS servers handling requests for your personal traffic, read on.

The ideal setup would allow you to separate your DNS queries into two categories: VPN-related and other. Under this setup, all VPN-related DNS queries would be answered by DNS servers located at the other end of your VPN tunnel and all other queries would continue to be answered by local or ISP supplied DNS servers


This is where you have to change the routing tables to direct the traffic between your eth devices. Traffic intended for the tunnel goes to route X and all other traffic goes to route Y. Unless you don't mind sending all traffic over the tunnel , then this configuration isn't needed.
Back to top
View user's profile Send private message
jody
Guru
Guru


Joined: 16 Oct 2007
Posts: 584
Location: Switzerland

PostPosted: Thu Jun 07, 2012 9:18 pm    Post subject: Reply with quote

Hi tr0ll

I have started to follow the instructions given in the vpnc wiki,
and made a configuration for dnsmasq and put 127.0.0.1 in the first place of my original resolv.conf.
and typed some routing table entries.
How can i find out whether the routing entries are being used?
Is there some tool with which i can see which way a ping (or any other internet connection) goes?

Furthermore vpnc still overwrites resolv.conf.
When i normally shut down vpnc, this is not a problem,
because then resolv.conf is restored to its previous version.
But when i turn off my computer and have forgotten to properly
shut down vpnc i have a problem at the next start because of the bad resolv.conf.

What i don't understand yet is where i can specify the routing table entries
when i want to start vpnc during boot; the wiki is being very unclear there.
Can you help me here?



Thank You
Jody
Back to top
View user's profile Send private message
tuber
Apprentice
Apprentice


Joined: 12 Nov 2004
Posts: 267

PostPosted: Fri Jun 08, 2012 6:20 am    Post subject: Reply with quote

Can you set the variable INTERNAL_IP4_DNS in /etc/vpnc/vpnc-script to be your DNS?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum