Openconnect: using your own DNS

Symptoms

After setting up a VPN using Openconnect, local sites stop resolving.

Solution

Stop using the DNS server belonging to the VPN; instead, use your own DNS server and hardcode servers you want to reach through the VPN in your /etc/hosts file.

Assumptions

• You are using Openconnect (the replacement for the Cisco tool AnyConnect) on a Unix machine;
• You trust the DNS server you are connected to, perhaps because you are working in a trusted network, perhaps because you are connected through another VPN to a trusted DNS server;
• There are only a few hosts you want to reach through the VPN;
• This was written for Openconnect 3.20, but it should work for newer versions too.

Theory

Openconnect uses a shell script to initialize all network settings. Those settings are provided through environment variables. What we will do is provide our own script; it will unset the DNS environment variables and call the original script.

Procedure

Create a script vpnc-script-no-dns and put it somewhere logical (for example, /etc/openconnect/):

#!/bin/bash
unset INTERNAL_IP4_DNS
# Replace the path below with the location where the original script is located
exec /usr/share/vpnc-scripts/vpnc-script "$@"

Make sure you call openconnect with the parameter --script=/etc/openconnect/vpnc-script-no-dns (replacing the patch as needed).

Put any hosts you want to reach through the VPN in /etc/hosts.