Cisco AnyConnect VPN with DNS #270
Comments
You have to do this manually via the
On a systemd setup they will not be added to
I suspect the issue is that the VM cannot route to the additional name servers because they too are on the VPN. I don't have an idea right now how to make that work, unfortunately.
I figured the latter question out - modifying list of DNS servers on the existing VM is not having any effect (it only works for VM creation), I had to modify However, that doesn't solve it entirely. Being able to provide DNS servers is not enough - AnyConnect as well as other VPN clients are using conditional resolvers. There are different DNS servers for different search domains. For example my
These
Upon further research - split DNS as well as It would be nice to fix Lima to refresh DNS from
I was just about to say that Lima does refresh the DNS on each restart, but when I just tested it, the new servers were not configured. Unfortunately this seems to be an issue with

```console
jan@lima-default:/Users/jan$ sudo cat /mnt/lima-cidata/network-config
version: 2
ethernets:
  eth0:
    match:
      macaddress: '52:55:55:e9:a1:b4'
    dhcp4: true
    set-name: eth0
    nameservers:
      addresses:
      - 1.1.1.1
      - 1.0.0.1
```

This seems to be processed only during
Yes, this is intentional, as far as cloud-init is concerned, but I found a way to work around it, by changing the instance id on every reboot, so it always looks like a fresh install to cloud-init: #270
This is the part I still don't understand: If I think leaving But removing this address will still not make the split-dns scenario work. I'm actually not sure if it is even possible to make it work. This is turning into a rabbit hole... I'm re-opening this issue, because I think we need to explore this further.
On further thoughts, I think it should be possible: we could specify the search domains together with the nameserver addresses, and For systems without This is now getting quite a bit more complex, so it may take a while before I can look into it.
I just tried it and it works like a charm! Thanks @jandubois.
Thanks for confirming! I'm happy with the result; I love it when stuff works correctly without requiring any configuration. It is good to be able to override settings, but it is even better if you don't need to.
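For the conditional-resolver situation discussed in this thread (different nameservers for different domains on the host, as AnyConnect sets up), here is an added example that is not part of the issue and not Lima's code: a POSIX shell function that turns the resolver blocks printed by `scutil --dns` on a macOS host into dnsmasq `server=` directives, so a resolver that carries a `domain` becomes a split-DNS rule (`server=/domain/address`) and a resolver without one becomes a default upstream. The `scutil` text in the block is a constructed sample with placeholder addresses; the `utun3` interface, the `corp.example` and `example.internal` names and the `10.x` addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Lima's code): derive dnsmasq split-DNS rules from
# `scutil --dns` output. SAMPLE_SCUTIL is a constructed sample with placeholder
# values; on a real host you would pipe `scutil --dns` into scutil_to_dnsmasq.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : example.internal
  nameserver[0] : 10.10.0.53
  nameserver[1] : 10.10.0.54
  if_index : 14 (utun3)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : corp.example
  nameserver[0] : 10.20.0.53
  if_index : 14 (utun3)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)

resolver #4
  nameserver[0] : 192.168.1.1
  if_index : 8 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
'

# Read scutil-style resolver blocks on stdin and print dnsmasq directives:
#   server=/DOMAIN/ADDRESS  for a conditional (split-DNS) resolver
#   server=ADDRESS          for a resolver with no domain (default upstream)
# Resolvers that use mDNS (options : mdns) have no unicast server and are
# skipped. Output is de-duplicated because scutil also prints a second
# "for scoped queries" section that repeats the same resolvers.
scutil_to_dnsmasq() {
  awk '
    function reset() { domain = ""; n = 0; mdns = 0; split("", ns) }
    function flush(   i) {
      if (!mdns) {
        for (i = 0; i < n; i++) {
          if (domain != "") print "server=/" domain "/" ns[i]
          else print "server=" ns[i]
        }
      }
      reset()
    }
    BEGIN { reset() }
    /^resolver #/ { flush(); next }
    /^[ \t]*domain[ \t]*:/ { domain = $3; next }
    /^[ \t]*nameserver\[[0-9]+\][ \t]*:/ { ns[n++] = $3; next }
    /^[ \t]*options[ \t]*:/ && /mdns/ { mdns = 1; next }
    END { flush() }
  ' | LC_ALL=C sort -u
}

# Stand-alone demo: print the rules derived from the constructed sample.
printf '%s' "$SAMPLE_SCUTIL" | scutil_to_dnsmasq
```

Written to a file under dnsmasq's `conf-dir`, the rules give a guest forwarder the same per-domain routing the host has; they are also a quick way to audit which domains a VPN client has claimed before deciding which of them a VM actually needs.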
So what was the solution to this? The only way I'm able to currently get network working in lima behind VPN is to copy /etc/resolv.conf from host to lima instance, but it will be rewritten with every restart.. |
@Kitanotori Can you provide some more details on what exactly is not working?
Lima now provides a DNS server that resolves names on the host, so generally this should work automatically without any configuration. If this is not the case, then we would like to understand how and why it fails, so we can improve the implementation. Just today I learned that DNS does not work properly when the names are using the If all you need to do is to specify the DNS server inside

```yaml
dns:
- 1.1.1.1
- 8.8.8.8
```

There is no way to specify a search domain though. But even if this fixes your problem, please provide the information I requested above to help us improve Lima!
Host /etc/resolv.conf looks like this:
lima instance /etc/resolv.conf:
I tried with exact same resolv.conf as host and one with only the nameservers of the host, and both seemed to work. I guess my issue is that the config from
We use such domains, but those don't seem to be issue if using host's nameservers.
Also, the nameservers are not reflected to resolv.conf even when specifying the nameservers during lima instance creation. So, how can I get the configuration persist restarts?
They are configured in

```console
$ grep ^useHost ~/.lima/default/lima.yaml
useHostResolver: false
$ grep -A 2 ^dns ~/.lima/default/lima.yaml
dns:
- 1.1.1.1
- 8.8.8.8
$ lima resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
       DNS Servers: 1.1.1.1 8.8.8.8 192.168.5.3
```

Looks like the host resolver (
@jandubois I'm not familiar with systemd-resolved. Does it mean that currently there's no way to persist correct settings at lima instance?
@Kitanotori As I've shown just above, the DNS servers configured via
AnyConnect will set up a `utunN` interface as well as DNS resolvers I could see with `scutil --dns`. This doesn't seem to be propagated into VMs. Is there a way to make it work, do I miss some configuration or is it just not supported?
I also tried to put some known DNS servers to my `~/.lima/default/lima.yaml`:
And then `limactl stop && limactl start` - but my VM still doesn't have it in the `/etc/resolv.conf`, neither am I able to use `curl` to get from a private host, meaning it is not being injected to the VM in any other way. What am I missing?