Re: VPN routing differences
Sorry for the delay! This was the solution for OpenConnect, thanks.

It still doesn't resolve the credential query loop in Firefox, but this might be an issue best discussed elsewhere.

Regards
Tibor

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Re: VPN routing differences
On Thu, Feb 2, 2023, at 5:53 AM, Tibor Attila Anca wrote:
> The most significant difference (for me) is the output of resolvectl. With
> Network-Manager vpn I get this in the section Global:
>
> Global
>        Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
> resolv.conf mode: stub
>
> With Cisco VPN this section looks like this:
>
> Global
>          Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
>   resolv.conf mode: foreign
> Current DNS Server: 192.168.3.133
>        DNS Servers: 192.168.3.33 192.168.3.133
>         DNS Domain: fritz.box ***-***.de
>
> The entry with the stars is the vpn Domain of my company.
>
> Could this be the relevant part?
>
> The strange thing is: if I terminate the vpn connection with the Cisco client
> and activate it through network-manager, the Global section gives me the DNS
> Domain of my company. But after a restart of the system the network-manager
> vpn does not make that entry/change on its own.
>

This article gives an overview of how systemd-resolved works with a VPN.

https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/

You might just need to manually add your company DNS and/or search domains to the OpenConnect VPN network connection you created. You can use nm-connection-editor to configure the specific DNS and search domains for your corporate network specifically just for the VPN network connection.

My workplace uses two domains for internal resources but only one is provided via the VPN DHCP. I always need to manually tweak the settings when I set up the VPN.

Re: VPN routing differences
Thanks!

The most significant difference (for me) is the output of resolvectl. With Network-Manager vpn I get this in the section Global:

Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

With Cisco VPN this section looks like this:

Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
Current DNS Server: 192.168.3.133
       DNS Servers: 192.168.3.33 192.168.3.133
        DNS Domain: fritz.box ***-***.de

The entry with the stars is the vpn Domain of my company.

Could this be the relevant part?

The strange thing is: if I terminate the vpn connection with the Cisco client and activate it through network-manager, the Global section gives me the DNS Domain of my company. But after a restart of the system the network-manager vpn does not make that entry/change on its own.

Regards
Tibor

Re: VPN routing differences
On 2/1/23 04:18, Tibor Attila Anca wrote:
> For a few services of my company I need VPN (openconnect). With the
> required packages network-manager (recent GNOME on updated Fedora 37) is
> able to establish the vpn connection, but it would not change routing in
> a proper way. Neither Firefox nor Edge (why I use this, read below) find
> the address of a specific service within the vpn-network. Connection is
> however established.

As Barry mentioned, you need to check the routing that is getting set up. You might need to add some routing settings to the config yourself. When you say it can't "find the address", do you mean DNS or IP?

Re: VPN routing differences
> On 1 Feb 2023, at 12:18, Tibor Attila Anca wrote:
>
> Hi,
>
> Fedora 37 is amazing, thanks for the work! There is a small thing
> however, that bothers me.
>
> For a few services of my company I need VPN (openconnect). With the
> required packages network-manager (recent GNOME on updated Fedora 37) is
> able to establish the vpn connection, but it would not change routing in
> a proper way. Neither Firefox nor Edge (why I use this, read below) find
> the address of a specific service within the vpn-network. Connection is
> however established.

Here are the steps I would use to try and find what is wrong.

Before you bring up the VPN get the output of:

$ ip route
$ resolvectl

Bring up the VPN and repeat these two commands.

Have the routes that you need to access work been added?
Is resolvectl showing that the company domain is using the DNS servers from your company?

Can you look up the name that you browse to, to check DNS is working as you expect:

$ resolvectl query
$ host

Can you ping the IP returned?

Where I work I have to "fix" the routes that IT provides.

Barry

>
> I also can use the cisco-client. This sets everything fine, however,
> Firefox keeps asking for login credentials in a loop, so that the system
> locks my account and I have to contact the admins to unlock it. That is
> why I use Edge...
>
> Now, these are two different questions, but the first one is more
> important.
>
> Thanks
> Tibor
>
> --
> Dr. Tibor Attila Anca
> Pastor
>
> Pfarramt II
> Ev.-luth. Kirchengemeinde An Aue und Fuhse
> Fuhsestr. 19, 31311 Uetze OT Dollbergen
> Phone: +49 (0)5177 922144
> E-mail: kg.auefu...@evlka.de
>
> Direct contact:
> Phone: +49 (0)5132 5045860
> Mobile: +49 (0)151 41624094

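
The before/after comparison of resolvectl output described in this message, and the missing "DNS Domain" entry discussed elsewhere in the thread, can be checked mechanically. The following is an added example, not code from the thread or from systemd: it parses resolvectl output and applies a simplified model of how systemd-resolved picks a link for a name. The sample output is constructed, and corp.example, 10.0.0.53, wlp3s0 and vpn0 are placeholder assumptions.

```python
import re

# Constructed resolvectl output (not from the thread). corp.example and
# 10.0.0.53 are placeholders for the company domain and its DNS server.
VPN_WITHOUT_DOMAIN = """\
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlp3s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS
       DNS Servers: 192.168.3.33 192.168.3.133
        DNS Domain: fritz.box

Link 5 (vpn0)
    Current Scopes: DNS
         Protocols: -DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS
       DNS Servers: 10.0.0.53
"""
VPN_WITH_DOMAIN = VPN_WITHOUT_DOMAIN + "        DNS Domain: corp.example\n"

def parse_resolvectl(text):
    """Return {"Global" or interface name: {field: [values]}}."""
    sections, current = {}, None
    for line in text.splitlines():
        head = re.fullmatch(r"Global|Link \d+ \((\S+)\)", line.strip())
        if head:
            current = sections.setdefault(head.group(1) or "Global", {})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.split()
    return sections

def route_query(name, sections):
    """Simplified model of systemd-resolved: the longest matching DNS Domain
    wins; with no match the query goes to the +DefaultRoute links."""
    best, best_len = None, -1
    for sec, fields in sections.items():
        for dom in fields.get("DNS Domain", []):
            dom = dom.lstrip("~").rstrip(".").lower()
            if (not dom or name == dom or name.endswith("." + dom)) and len(dom) > best_len:
                best, best_len = sec, len(dom)
    if best is not None:
        return [best]
    return [s for s, f in sections.items() if "+DefaultRoute" in f.get("Protocols", [])]

if __name__ == "__main__":
    for label, text in (("no domain", VPN_WITHOUT_DOMAIN), ("with domain", VPN_WITH_DOMAIN)):
        print(label, route_query("intranet.corp.example", parse_resolvectl(text)))
```

In the first sample the internal name is sent to the home network's resolver, so it fails to resolve and the internal hostname is disclosed outside the tunnel; attaching the company domain to the VPN link moves the lookup to the VPN's DNS server.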
VPN routing differences
Hi,

Fedora 37 is amazing, thanks for the work! There is a small thing however, that bothers me.

For a few services of my company I need VPN (openconnect). With the required packages network-manager (recent GNOME on updated Fedora 37) is able to establish the vpn connection, but it would not change routing in a proper way. Neither Firefox nor Edge (why I use this, read below) find the address of a specific service within the vpn-network. Connection is however established.

I also can use the cisco-client. This sets everything fine, however, Firefox keeps asking for login credentials in a loop, so that the system locks my account and I have to contact the admins to unlock it. That is why I use Edge...

Now, these are two different questions, but the first one is more important.

Thanks
Tibor

--
Dr. Tibor Attila Anca
Pastor

Pfarramt II
Ev.-luth. Kirchengemeinde An Aue und Fuhse
Fuhsestr. 19, 31311 Uetze OT Dollbergen
Phone: +49 (0)5177 922144
E-mail: kg.auefu...@evlka.de

Direct contact:
Phone: +49 (0)5132 5045860
Mobile: +49 (0)151 41624094