[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Forcing dhclient to not ignore tun0 interface when it's available

On Mon 06 Mar 2023 at 13:34:52 (+0100), davenull@tuxfamily.org wrote:
> On 2023-03-03 16:00, Max Nikulin wrote:
> > On 03/03/2023 13:29, Tim Woodall wrote:
> > > On Fri, 3 Mar 2023, Max Nikulin wrote:
> > > > 
> > > > dhclient running for enp2s0f0 should detect that VPN is
> > > > active and to avoid overwriting DNS settings that direct
> > > > requests to tun0.
> > > > 
> > > The hook can create and delete a file like rhis:
> > > tim@dirac:/etc/dhcp (none)$ cat dhclient-enter-hooks.d/nodnsupdate
> > > make_resolv_conf() {
> > >          :
> > > }
> > 
> > I agree that VPN script may add and remove dhclient hook or may write
> > some file in /run that is read by dhclient hook. They should cooperate
> > in some way. In more versatile configuration domain resolution may be
> > per-interface. E.g. hosts from the corporate domain are resolved
> > through tun0, other sites through enp2s0f0.
> 
> I agree about cooperation. BUT  It would be much easier if everything
> is resolved through workplace's resolver whenever openconnect is
> active.

I don't see how your workplace's resolver can resolve addresses on
your own LAN.

> If I have to specify all the domains I want to be resolved using tun0
> interface,
> It would be annoying to configure and error-prone. Because there
> multiple "private"
> different domains, in additions to private subdomains, of
> publicly-accessible "parent" domains.

I was under the impression that the fifty-odd functions in the
vpnc-script we discussed earlier had a role in setting your
resolvers and routing for the tunnel with the environment parameters.

> Not to mention redirections for SSO/authentication (depending on the
> tool/server/where's it hosted, it not the same LDAP server),
> or tools which multiple servers but without load-balancer/unique URL
> for access. You just arrive on one of the servers.
> Some kind of load balancing but different FQDN for each server of the
> pool.
> 
> And some tools have literally multiples redirections before the home
> page, across different domains and subdomains

I'm guessing that you're talking here about stuff at the other
end of the tunnel? Presumably they have sysadmins setting that up.

Cheers,
David.
Reply to: