[TriLUG] NetExtender VPN Client on Linux leaves resolv.conf clobbered

Thomas Delrue via TriLUG trilug at trilug.org
Mon Aug 17 17:57:43 EDT 2020


On 8/17/20 10:10 AM, Brian via TriLUG wrote:
> Hi Gang,
> 
> [...SNIP...]
> 
> NetExtender rewrites /etc/resolv.conf on connection according to the
> tunnel's settings.  The problem is it doesn't restore the original
> content when it exits; resolv.conf still points to a nameserver that is
> only accessible over the VPN, and my name resolution is broken until I
> reset that file, either by hand or by renewing the DHCP lease for my
> ethernet connection.
> 
> I would've expected it to be NetExtender's responsibility to reset that
> file back to its previous state, but the SonicWall tech guy insists that
> it's the OS's job.
> 
> Is he correct?  And if he is, how do I even troubleshoot why it's not
> happening on my computer?

No, the OS's job is to use the value it is given. The meaning of that
value is opaque to the OS, and it should be opaque.
If 'his' software changes it, it is his responsibility to change it back
when done.
It's similar to "if you eat a candy in the park, it's your
responsibility to pick up the wrapper and toss it in the appropriate bin."

The problem is that they implemented something in a dumb way... namely
by mucking with /your/ settings. It sounds like a deficient product to
me. OpenVPN doesn't need to do this to redirect your DNS queries, and
neither does WireGuard... (the latter uses routes inside your device IIRC).

That being said, it's not an easy thing to solve in a way that works
100% of the time: what if you are connected to VPN and then your
computer conks out in a single heartbeat? Well, the file will remain in
place as was, because the software never got a chance to revert the file.
But that's not an excuse, now is it...

> In the meantime, I've just written a script that copies the original to
> a safe place and then copies it back after NetExtender exits, but I
> shouldn't have to do that (and it requires privilege escalation)...

Based on the product behavior's description, so does activating and
deactivating the VPN - as it requires the ability to change that file.
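
The save-and-restore workaround mentioned in the thread, extended to cover the crash case raised above, as an added example that is not part of the original message and is not NetExtender code. The backup path and the script name `vpn-wrap.sh` are assumptions, and the client command is passed in as arguments rather than hard-coded.

```shell
#!/bin/sh
# Added example, not NetExtender or SonicWall code. Must run as root to write
# /etc/resolv.conf. Both paths are assumptions; override them via environment.
RESOLV="${RESOLV:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/var/lib/vpn-wrap/resolv.conf.orig}"   # hypothetical state path

# Put the saved original back. Copy next to the target, then rename, so a
# resolver never reads a half-written file. Returns 1 if there is no backup.
restore_resolv() {
    [ -f "$BACKUP" ] || return 1
    tmp="$RESOLV.restore.$$"
    cp -p "$BACKUP" "$tmp" && mv -f "$tmp" "$RESOLV" && rm -f "$BACKUP"
}

# Save the current file. A leftover backup means the last session died before
# restoring (crash, power loss), so the live file is the VPN's copy: recover
# the original first instead of saving the VPN nameserver over it.
save_resolv() {
    if [ -L "$RESOLV" ]; then
        echo "refusing: $RESOLV is a symlink; restoring would replace the link" >&2
        return 1
    fi
    if [ -f "$BACKUP" ]; then
        restore_resolv || return 1
    fi
    mkdir -p "$(dirname "$BACKUP")" && cp -p "$RESOLV" "$BACKUP"
}

# Run the client command given as arguments and restore afterwards, including
# when this wrapper is interrupted. Returns the client's exit status.
run_wrapped() {
    save_resolv || return 1
    trap 'restore_resolv' EXIT
    trap 'exit 130' INT TERM HUP
    status=0
    "$@" || status=$?
    restore_resolv || echo "warning: could not restore $RESOLV" >&2
    trap - EXIT INT TERM HUP
    return "$status"
}

# Usage (as root): sh vpn-wrap.sh <client command and its arguments>
if [ "$#" -gt 0 ]; then
    run_wrapped "$@"
fi
```

The traps cover a normal exit and catchable signals; a hard crash or power loss is handled on the next run, when the leftover backup is detected and restored before a new one is taken.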
