[Bug 1990141] Re: Split-DNS not working in vpnc-scripts after renaming systemd-resolve to resolvectrl
Michael Fuchs
1990141 at bugs.launchpad.net
Wed Sep 21 08:24:41 UTC 2022
Hi Heinrich!
I changed the package to vpnc-scripts. Sorry for the wrong setting - I
tried to enter this manually but I think there was some error message
from launchpad then. I hope it's fine now.
About the Split-DNS: I use openconnect to access a PAN-Global-Protect
VPN with some self-written CLI scripts.
The call to openconnect to the main script:
$user is set to the VPN-User
$cert is set to the certificate string.
$gw is set to the vpn gateway.
$bindir/my-vpnc-script is my own vpnc-script setting up ENV-variables and forwarding to the standard vpnc-script, see below.
    sudo openconnect \
        --user=$user \
        --protocol=gp \
        --csd-wrapper /usr/libexec/openconnect/hipreport.sh \
        -s $bindir/my-vpnc-script \
        --servercert $cert \
        $gw \
        --usergroup gateway \
        -v 2> >(while read line; do echo -e "\e[01;31m$line\e[0m" >&1; done) | ts "%F %T" | tee $LOGFILE
my-vpnc-script:
    # Helper function to set up the variables for split routing.
    add_net ()
    {
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=$2
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=$3
        export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
    }

    # Initialize empty split tunnel list
    export CISCO_SPLIT_INC=0

    # Split-DNS domain: Requests to that domain should go to the VPN-provided nameservers.
    CISCO_SPLIT_DNS=customer.local

    # List of IPs beyond VPN tunnel - those two networks should be routed to the VPN.
    add_net 10.100.0.0 255.255.0.0 16
    add_net 10.200.0.0 255.255.0.0 16

    # Forward to the vpnc-script to set up the routes and DNS.
    /usr/share/vpnc-scripts/vpnc-script "$@"
As described, the DNS setup fails in the standard vpnc-script. It tries to figure out whether systemd-resolved is used in the system (yes on Ubuntu), but fails to detect it because the call to "command systemd-resolve --status" fails, as "systemd-resolve" is not a valid command since 22.04 - it has obviously been renamed (or changed) to "resolvectl". Thus creating a symlink from systemd-resolve to resolvectl fixed it for me.
I have used those scripts for years already and the problems seemed to
start after dist-upgrade from 21.10 to 22.04. Although I can't tell for
sure whether the bug has been present for longer, since the VPN
nameservers usually work as well and seem to fail just for some special
domains, and I may just not have realized the invalid Split-DNS setup.
** Package changed: ubiquity (Ubuntu) => vpnc-scripts (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1990141
Title:
Split-DNS not working in vpnc-scripts after renaming systemd-resolve
to resolvectrl
Status in vpnc-scripts package in Ubuntu:
Incomplete
Bug description:
Setting up a VPN with openconnect and split DNS is not working
correctly after dist-upgrade from 21.10 to 22.04. The vpnc-script
still refers to "systemd-resolve" to check for systemd-resolved and
fails due to the name change to "resolvectl". Thus the DNS servers are
written into the resolv.conf, which breaks the split DNS
functionality.
As a quick workaround it was sufficient to create a symlink:
    sudo ln -s /usr/bin/resolvectl /usr/bin/systemd-resolve
As a fix I would suggest updating the vpnc-script to use "resolvectl".
Source: /usr/share/vpnc-scripts/vpnc-script line 143:
    grep '^hosts' /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1 && command systemd-resolve --status >/dev/null 2>&1
    if [ $? = 0 ];then
        RESOLVEDENABLED=1
    else
        RESOLVEDENABLED=0
    fi
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ubiquity (not installed)
ProcVersionSignature: Ubuntu 5.15.0-47.51-generic 5.15.46
Uname: Linux 5.15.0-47-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Mon Sep 19 14:35:43 2022
InstallCmdLine: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/kubuntu.seed boot=casper maybe-ubiquity quiet splash ---
InstallationDate: Installed on 2019-01-12 (1345 days ago)
InstallationMedia: Kubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.2)
ProcEnviron:
LANGUAGE=
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: ubiquity
Symptom: installation
UpgradeStatus: Upgraded to jammy on 2021-12-03 (290 days ago)
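The following is an added example, not part of the original report and not vpnc-script's own code: one way the detection quoted from line 143 could accept either client name, trying "resolvectl status" first and falling back to "systemd-resolve --status". The function names are hypothetical, and the nsswitch.conf check is done in plain shell instead of the grep pipeline.

```shell
#!/bin/sh
# Added example, not vpnc-script's own code. Function names are hypothetical.

# True if the "hosts" line of an nsswitch.conf-style file lists the "resolve"
# module (the first half of the check quoted from vpnc-script line 143).
nss_uses_resolve() {
    nss_file=${1:-/etc/nsswitch.conf}
    [ -r "$nss_file" ] || return 1
    while read -r key rest; do
        case "$key" in
            hosts:*)
                case " ${key#hosts:} $rest " in
                    *" resolve "*) return 0 ;;
                esac ;;
        esac
    done < "$nss_file"
    return 1
}

# Print the status command of whichever client is installed: resolvectl first,
# the legacy systemd-resolve name second. Fails if neither is on PATH.
resolved_status_cmd() {
    if command -v resolvectl >/dev/null 2>&1; then
        echo "resolvectl status"
    elif command -v systemd-resolve >/dev/null 2>&1; then
        echo "systemd-resolve --status"
    else
        return 1
    fi
}

# Print 1 if systemd-resolved is configured and answers a status query, else 0.
detect_resolved() {
    if nss_uses_resolve "$1" && status_cmd=$(resolved_status_cmd) &&
        $status_cmd >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

# Usage in a wrapper script: RESOLVEDENABLED=$(detect_resolved)
```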