openfortivpn 1.14.1 not resolving DNS on fedora33 #824
Comments
|
Hi all, As i said, a workaround for the time being, but a proper solution would be nice (handled automatically by openfortivpn). Btw, you added a commandline-option to 1.13.x called '--use-resolvconf=' |
|
one more thing: |
|
Yes, most of these issues seem well known. Substantial work is required to adapt to the new routing/DNS backends (systemd) that have appeared in recent Linux distributions. Please send some information if you want us to have a look at this issue: The |
|
Just a question: I tried this with a single domain and it seems to work. |
|
Yes, that's the spirit - but using D-Bus calls instead of running executables. I'm still seeing it as substantial work. If you want to contribute have a look at #600. |
|
If you send the contents of |
|
at the moment, i can only provide the things i wrote down when testing (will reproduce later) Test1: /etc/resolv.conf is a static file
entries as expected (a lot of search entries coming from the company, but only2 nameserver items, so i am still in the limit of 3 nameserver entries and my local router is one of them) Test2: /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf Starting openfortivpn, the same search and nameserver entries are added to the (now symlinked) /etc/resolv.conf file. you can see that Link3 (tun1) does not have any information about nameservers or search-info (to complete non-fqdn domains with) I added to test for one domain and this was working ok for browser and ssh. Does this help? |
|
Test 1 is expected to work. Test 2 is not supported, systemd will not take into account or even overwrite any changes by openfortivpn. |
|
well, yes... that was the reason for opening this bugticket initially... Anything we can do right now for a workaround (besides manually hacking in lines like 'systemd-resolved....' for any search entry and namesever? |
|
I suppose we can see this as a duplicate of #600. On Fedora 33, I suggest using NewtorkManager-fortivpnssl. It does call openfortivpn to create the tunnel but lets NetworkManager handle routing/DNS, and NetworkManager should in turn should call systemd. |
|
i see... ok, let's try this. I'll keep you updated :-) |
|
Hi, What works: The nameservers are setup correctly. The complete search path (which is pasted into the /etc/resolc.conf - stub/symlink (obviously without affecting systemd-resolvd) is not taken into account by networkmanager. But: chrome browser still has problems opening company-websites which seem to make use of redirects (assumption! there is a central identity provider in place which intercepts the request to internal websites for login and redirects afterwards to the target site) And: Compared to using the static file (etc/resolv.conf), well, the NM approach is not working successfully and still seems to have problems interacting with the forti-server info and the systemd-resolvd My conclusion: use the static /etc/resolv.conf approach for now, start openfortivpn manually on commandline (as i did already in fedora32) and all is working as expected Any help on this? |
|
I won't really have time to help with NetworkManager-fortivpnssl. Yet I believe it's the best way to handle machines based on NetworkManager. But then openfortivpn does not handle split DNS, which means NetworkManager-fortivpnssl cannot handle it either for now - the split-DNS parameters are not passed by openfortivpn to NetworkManager-fortivpnssl. That I can try to fix. It would help if I could see the (sanitized) output of Not sure about the difference between I don't know about SELinux, it's always a pain to get things to work. You should probably open a bug report against Fedora, based on the instructions found in the system log file. |
|
I have put the fortivpn log here (sanitized, hopefully :-) selinux: i could define rules myself, seems reasonable because the service needs access to my local (home-dir) files/certificates. dac-override could be bugworthy? |
|
This a rather complex split-tunnel configuration, with many entries, but I don't see why it shouldn't work: No split-DNS here, the DNS part looks pretty simple, just the two DNS servers Ah, I think I've got it, you have way too many search domains: |
|
You could verify the above by trying to resolve a name in some of the first 6 domains and then in some of the other domains. |
|
Thanks for the analysis. |
|
I don't know. It looks like the limitation has been somehow removed in recent versions of RedHat or glibc 2.26: |
|
So the limitation is not with the |
|
Hi, Log for XML Connection: I have to run manually resolvectl to set dns and domain for ppp0. Log was made with openfortivpn, but I use NetworkManager with Automatic DNS and 'use this connection for ressources on this network' Jacek |
|
Same problem here with F33 and openfortivpn 1.14.1 |
|
|
The issue I have is only DNS related, as the tunnel is up and running and I can reach the server using the IP address. i. My After the connection there are two additional IPs at the top of the file ii. The output of After the VPN connection the following item is added iii . The output of iv. The only XML code that I can spot in the openfortivpn verbose output looks something like the following where the two v. In my system the option Cheers |
|
i. File ii. The PPP tunnel has been added. Unfortunately we cannot associate the new DNS servers to the tunnel, for lack of iii. That's to be expected: iv. Yes, you do get the DNS server addresses here v. Ah right, that option has been disabled on Fedora because it doesn't work well - or rather used not to work on Fedora 32 but might work on Fedora 33. You may want to compile openfortivpn and check if it works better with I understand |
I'll try and I'll report here the result
ssh and git are not working. Currently I am adding the IPs in |
|
I ran into the same issue, also on a Fedora 33. I have compiled openfortivpn and the option NetworkManager-fortisslvpn does not read the https response, what it does is use the info sent by pppd. See https://gitlab.gnome.org/GNOME/NetworkManager-fortisslvpn/-/issues/36 and https://gitlab.gnome.org/GNOME/NetworkManager-fortisslvpn/-/issues/33 |
|
@emelenas I see, the short term solution for fedora is to reenable The long term solution remains to:
|
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <[email protected]>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <[email protected]>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <[email protected]>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <[email protected]>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <[email protected]>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <[email protected]>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <[email protected]>
Is it possible that the Had to revert to the F34 one by force to get around this issue. |
|
Why disable |
|
Sorry for the ambiguous wording. I was asking whether it HAS BEEN disabled again (by accident? on purpose?). The point was that the F35 package for |
|
Also tried using |
|
What do you mean by "it does not appear to work"? What is the error message? Which exact Linux distribution? |
|
I am running Fedora 35. NetworkManager-FortiSslVpn will establish the connection, route privately, but then not route publicly. We use split-tunneling and split-dns and I'm wondering if NetworkManager needs additional configuration. I'll try to investigate that as well unless you have any experience with it. At any rate, back to openfortivpn. This is what I see when using my configuration file: [user@computer-fedora ~]$ sudo openfortivpn -c /etc/openfortivpn/config This is what I see if I try to call it inline: |
|
@akellar: Try installing |
|
Indeed, |
|
Unfortunately, it looks like the bug has not really been fixed. Please follow up in #957. This bug report was about Fedora 33 which is EOL'ed. |
Hi,
i'm using openfortivpn 1.14.1 on fedora33, the vpn can be established, but i cannot reach any (remote) server by its DNS name. IP is working perfectly, but no name resolution.
Interestingly, the entries created by openforti in /etc/resolv.conf are taken into account by 'dig', for example, 'dig' can resolve the dns names to valid ip addresses.
But, ssh or a browser cannot.
I found something similar in a bugreport to sshuttle (see: sshuttle/sshuttle#554) which had exactly the same problems.
According to this bugreport, the problem is systemd and 'split DNS' support.
They also showed some workaround i have not tried (yet)
Could you please take a look at this?
The text was updated successfully, but these errors were encountered: