When using OpenConnect with the default vpnc script, the VPN client automatically modifies /etc/resolv.conf to use the VPN's DNS servers. This behavior becomes problematic when you only need VPN access for specific hosts while maintaining your regular internet connection.
The vpnc script is designed for full-tunnel VPN setups where all traffic should route through the VPN. It achieves this by:
1. Backing up the original resolv.conf
2. Replacing it with the VPN-provided DNS servers
3. Restoring the original on disconnect
The most effective solution is to modify or replace the default vpnc script. Here's how:
#!/bin/sh
# Custom vpnc script that preserves local DNS
# OpenConnect invokes this script with $reason set to pre-init, connect,
# disconnect, etc.; only the connect phase needs to configure anything
case "$reason" in
connect)
    # Backup original resolv.conf (optional)
    cp /etc/resolv.conf /etc/resolv.conf.backup
    # Get VPN-provided DNS (without applying it)
    TUNNEL_DNS=$(echo "$INTERNAL_IP4_DNS" | sed "s/ /,/g")
    # Your custom logic here
    echo "VPN DNS would be: $TUNNEL_DNS" >&2
    echo "Keeping original resolv.conf intact" >&2
    # Bring up the tunnel interface with the address the VPN assigned;
    # without this, routes via $TUNDEV cannot be added
    ip link set dev "$TUNDEV" up mtu "${INTERNAL_IP4_MTU:-1400}"
    ip addr add "$INTERNAL_IP4_ADDRESS/32" dev "$TUNDEV"
    # Add your selective routing rules
    ip route add 192.168.1.0/24 dev "$TUNDEV"
    ;;
esac
If your OpenConnect version supports it (v8.0+), you can use:
openconnect vpn.example.com --no-dns
This prevents DNS configuration entirely while maintaining the VPN tunnel.
For targeted VPN usage, combine with route commands:
# Connect without DNS modification
openconnect vpn.example.com --script-tun --script "echo" --no-dns
# Add specific routes after connection (tun0 must exist and be up first)
ip route add 10.0.0.0/8 dev tun0
ip route add corp.example.com dev tun0
Create /usr/local/bin/openconnect-selective:
#!/bin/bash
# Wrapper for selective VPN routing
# Start OpenConnect in the background, passing the arguments through intact
# (quoting "$@" instead of building a string keeps arguments with spaces whole)
openconnect "$@" --no-dns &
VPN_PID=$!
# Wait for the tunnel interface to appear instead of sleeping a fixed time
while ! ip link show tun0 >/dev/null 2>&1; do
    sleep 1
done
# Add your specific routes
ip route add 10.10.10.0/24 dev tun0
ip route add special.host.example.com dev tun0
# Keep the wrapper alive until OpenConnect exits
wait "$VPN_PID"
Make it executable: chmod +x /usr/local/bin/openconnect-selective
When establishing a VPN connection with OpenConnect using the default vpnc script, the tool automatically modifies /etc/resolv.conf to route all DNS queries through the VPN. While this behavior makes sense for full-tunnel VPN configurations, it becomes problematic when you only need to access specific hosts through the VPN while maintaining normal DNS resolution for other traffic.
As developers, we often need VPN access to internal resources while simultaneously requiring:
- Local DNS resolution for development environments
- Unrestricted access to public repositories and documentation
- Maintenance of local network resources
The most effective solution is to create a custom script that prevents DNS modification while preserving other VPN functions. Here's how to implement it:
#!/bin/bash
# Save as /usr/local/bin/custom-vpnc-script
# Preserve original resolv.conf in a root-owned directory rather than
# world-writable /tmp, so another local user cannot plant a file or symlink
# at the backup path that this root-run script later copies over /etc/resolv.conf
BACKUP_DIR=/run/openconnect
mkdir -p "$BACKUP_DIR"
cp /etc/resolv.conf "$BACKUP_DIR/resolv.conf.backup"
# Execute standard vpnc-script but prevent DNS changes: with the DNS
# variables emptied it has nothing to write into resolv.conf
export CISCO_DEF_DOMAIN=""
export INTERNAL_IP4_DNS=""
export INTERNAL_IP6_DNS=""
# Run the original script without DNS modification (path as on Debian/Ubuntu)
. /usr/share/vpnc-scripts/vpnc-script
# Restore original resolv.conf in case the script touched it anyway
cp "$BACKUP_DIR/resolv.conf.backup" /etc/resolv.conf
To use the script for a single connection, pass it to OpenConnect with --script:
sudo openconnect vpn.example.com --script /usr/local/bin/custom-vpnc-script
To make this persistent across connections:
- Create the custom script as shown above
- Make it executable:
chmod +x /usr/local/bin/custom-vpnc-script
- Add this alias to your ~/.bashrc:
alias vpnconnect='sudo openconnect vpn.example.com --script /usr/local/bin/custom-vpnc-script'
After connecting, verify DNS settings remain unchanged:
cat /etc/resolv.conf
dig example.com +short
You should see your local DNS servers listed and public DNS queries resolving normally.
For more control, consider implementing policy-based routing. The simplest form is an explicit host route through the tunnel:
# Add route for specific host through VPN
# VPN_GATEWAY stands for the gateway address assigned on the tunnel interface
ip route add 192.168.1.100 via "$VPN_GATEWAY"
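As an added example that combines the custom-script and selective-routing approaches above (it is not the page's script and not the stock vpnc-script), here is a complete split-tunnel vpnc-script: it never reads the pushed DNS, brings up the tunnel, and installs only an allowlist of CIDR routes, refusing hostnames and any /0 prefix so the allowlist cannot silently become a default route. VPN_ROUTES, DRY_RUN and the /usr/local/bin/split-vpnc path are assumptions of this example; $reason, $TUNDEV, $INTERNAL_IP4_ADDRESS and $INTERNAL_IP4_MTU are set by OpenConnect.

```shell
#!/bin/sh
# Split-tunnel vpnc-script (added example, not the stock vpnc-script).
# Run by OpenConnect as: openconnect --script /usr/local/bin/split-vpnc vpn.example.com
# $INTERNAL_IP4_DNS is deliberately never read, so /etc/resolv.conf is untouched.

# VPN_ROUTES (hypothetical, space-separated CIDRs): the only traffic sent via the tunnel.
VPN_ROUTES="${VPN_ROUTES:-10.10.10.0/24 192.168.1.100/32}"

# DRY_RUN=1 prints the commands instead of executing them (no root needed).
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Accept only a.b.c.d/1..32: hostnames would resolve once and go stale, and
# /0 is rejected so a typo in the allowlist cannot turn this into a full tunnel.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'
}

configure_tunnel() {
    run ip link set dev "$TUNDEV" up mtu "${INTERNAL_IP4_MTU:-1400}"
    run ip addr add "$INTERNAL_IP4_ADDRESS/32" dev "$TUNDEV"
}

# $1 is "add" or "del"; invalid entries are reported and skipped, never guessed at.
apply_routes() {
    for prefix in $VPN_ROUTES; do
        if valid_cidr "$prefix"; then
            run ip route "$1" "$prefix" dev "$TUNDEV"
        else
            echo "split-vpnc: ignoring invalid route '$prefix'" >&2
        fi
    done
}

case "$reason" in
    connect)    configure_tunnel; apply_routes add ;;
    disconnect) apply_routes del; run ip link set dev "$TUNDEV" down ;;
    *)          ;;   # pre-init, reconnect, attempt-reconnect: nothing to do here
esac
```

To preview what it would do without root, run it as `DRY_RUN=1 reason=connect TUNDEV=tun0 INTERNAL_IP4_ADDRESS=10.10.10.7 sh /usr/local/bin/split-vpnc`.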