Vpnc disconnects internet when connected to network

Ook · 08-23-2014, 07:46 PM

Slackware 14.1 32 bit.
Vpnc 0.5.3

I can connect to the vpn gateway and access resources there, but when I do I loose all Internet access. I've seen a few "fixes", but they either are for Windows or involve using network-manager, which I do not use.

How can I, using vpnc, connect to the vpn gateway and also retain Internet access?

thirdm · 08-23-2014, 08:57 PM

When I've used vpnc, all I lost was my previous resolv.conf. That is, my routing table still looked good, but I lost my ISP's dns servers in favour of my work's servers. If you edit the resolv.conf or copy back the one you had before vpnc ran can you connect outside the tunnel? If not, consider this excerpt from vpnc(8):

"(The vpnc daemon by itself does not set any routes, but it calls vpnc-script to do this job. vpnc-script displays a connect banner. If the concentrator supplies a network list for split-tunneling these networks are added to the routing table. Otherwise the default-route will be modified to point to the tunnel. Further a host route to the concentrator is added in the later case. If the client host needs DHCP, care must be taken to add another host route to the DHCP-Server around the tunnel.)"

If it's just dns you're losing, there's a setting in vpnc-script to control whether resolv.conf gets re-written. See the vpnc README.

Ook · 09-06-2014, 10:54 AM

After I connect, resolv.conf shows I'm using the dns server from the gateway I'm connected to, but that still resolves hostnames correctly. IP addresses on the network I've connected to are available, but that is all. It's a routing problem, but I'm not sure how to set it. I read the readme, but it didn't really help. My routing table normally looks like this:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default unknown 0.0.0.0 UG 202 0 0 eth0
10.0.0.0 * 255.255.255.0 U 202 0 0 eth0
ook localhost 255.255.255.255 UGH 202 0 0 lo
loopback * 255.0.0.0 U 0 0 0 lo

After I connect using vpnc, it looks like this:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 tun0
default 10.0.0.1 0.0.0.0 UG 202 0 0 eth0
10.0.0.0 * 255.255.255.0 U 202 0 0 eth0
10.0.0.2 localhost 255.255.255.255 UGH 202 0 0 lo
xx.250.14.62 10.0.0.1 255.255.255.255 UGH 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
192.168.27.2 * 255.255.255.255 UH 0 0 0 tun0

I'm not quite sure where to go from here, is there an obvious solution that I'm missing?

Ook · 09-06-2014, 11:38 AM

If I do this:

route add default gw 10.0.0.1

that gives me back internet, but I loose access to the gateway. Then I realized all that did was modify my routing table:

Quote:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
default * 0.0.0.0 U 0 0 0 tun0
default 10.0.0.1 0.0.0.0 UG 202 0 0 eth0

By adding a default line that was already there. First come first serve? So I'm still stuck trying to figure out how to access internet resources while connected to the getaway <sigh>....

ml4711 · 09-06-2014, 11:59 AM

You need a "Split Tunnel" setup, which you can enforce,
but some IT departments looks at split tunnels as a security risk,
so maybe you should ask if it's OK to use it.

I use this script, you just need to adjust it
to the actual network at the other end of Your vpn connection!
Also You can choose which dns to use - your own or the one at the other end.
Just comment one line in the script to use dns from the vpn connection.

Code:

/etc/vpnc/VPN_split:

#!/bin/sh
# This script is called from the vpnc.conf
#    ...
#    ...
#    Script /etc/vpnc/VPN_split
# 2013 ml4711

# Add one IP to the list of split tunnel
add_ip ()
{
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=$2
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=$3
    export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}

# Initialize empty split tunnel list
export CISCO_SPLIT_INC=0

# Delete DNS info provided by VPN server to use internet DNS
# Comment following line to use DNS beyond VPN tunnel
unset INTERNAL_IP4_DNS

# List of IPs or Nets beyond VPN tunnel
add_ip 10.1.0.0  255.255.0.0   16
add_ip 10.10.4.0 255.255.255.0 24
add_ip 10.255.5.0 255.255.255.0 24

# Execute (i.e source) default script
. /etc/vpnc/vpnc-script
# End of script

To use it,
just add "Script /etc/vpnc/VPN_split" to Your vpn configuration,
as the very last line, so it looks something like this:

Code:

/etc/vpnc/YourConnection.conf

IPSec ID VPNC_name
IPSec gateway 10.10.x.x
IPSec secret YourGroupSecret

Xauth username YourName
IKE Authmode psk

Script /etc/vpnc/VPN_split

Enjoy