# vpnc and resolv.conf: warmed up

## jody

Hi

Whenever vpnc (0.5.3) is started, it overwrites resolv.conf.

Is there a way to block this behaviour?

This issue has been posted before, but what was said there didn't help me.

https://forums.gentoo.org/viewtopic-t-580008-start-0.html

When vpnc overwrites resolv.conf it writes the following comment:

```
#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
```

But I don't understand this - my original resolv.conf does not contain any mark whatsoever and is still being overwritten.

I tried to 'protect' /etc/resolv.conf by setting its permissions to 444: to no avail - resolv.conf is overwritten by vpnc all the same.

I tried creating a new group (vpncop), adding my normal user to this group, and setting the group ownership of /etc/init.d/vpnc to 'vpncop' and its permissions to 775 (with vpncop having no permission to write resolv.conf).

```
raven jody # ls -l /etc/resolv.conf
-r--r--r-- 1 root root 69 Jun  3 14:16 /etc/resolv.conf
raven jody # ls -l /etc/init.d/vpnc
-rwxrwxr-x 1 root vpncop 2323 Jun  2 14:32 /etc/init.d/vpnc
raven jody # groups jody
wheel audio video postgres vpncop jody
```

But when I start vpnc by hand, it doesn't work:

```
jody@raven ~ $ /etc/init.d/vpnc start
 * vpnc: superuser access required
```

I know that vpnc saves the original resolv.conf and tries to restore it when stopped.

But for certain reasons I would like to keep my original DNS servers even while being connected under vpnc.

Does anybody know a way of preventing resolv.conf from being changed by vpnc? Some configuration option of vpnc or net.eth0?

Thank You

  Jody

----------

## Mad Merlin

You can fix it the dirty way by setting the file immutable:

```
chattr +i /etc/resolv.conf
```

Not even root will be able to remove the file until you chattr -i it.

----------

## virtguru

While you can "chattr -i", setting up dnsmasq and changing the routing tables is your best bet. This is also very beneficial if you don't want certain traffic going over the VPN that isn't intended to do so.

----------

## jody

@MadMerlin

As a workaround "chattr +i" works, even though there is a "Permission denied" message...

@tr0ll

As far as I can tell from a first glance, dnsmasq is a local DNS server (I will have to read into that subject).

How can having my own DNS help me against vpnc's meddling? And what do you mean by 'changing routing tables'?

Thank You

  Jody

----------

## virtguru

Jody, the vpnc wiki pretty much sums it up. *Quote:*

> if you want to be able to leave your tunnel connected for lengthy periods of time and don't want your work DNS servers handling requests for your personal traffic, read on.
> 
> The ideal setup would allow you to separate your DNS queries into two categories: VPN-related and other. Under this setup, all VPN-related DNS queries would be answered by DNS servers located at the other end of your VPN tunnel and all other queries would continue to be answered by local or ISP supplied DNS servers

This is where you have to change the routing tables to direct the traffic between your eth devices. Traffic intended for the tunnel goes to route X and all other traffic goes to route Y. Unless you don't mind sending all traffic over the tunnel, in which case this configuration isn't needed.

----------

## jody

Hi tr0ll

I have started to follow the instructions given in the vpnc wiki, made a configuration for dnsmasq, put 127.0.0.1 in the first place of my original resolv.conf, and typed some routing table entries.

How can I find out whether the routing entries are being used? Is there some tool with which I can see which way a ping (or any other internet connection) goes?

Furthermore, vpnc still overwrites resolv.conf. When I normally shut down vpnc, this is not a problem, because then resolv.conf is restored to its previous version. But when I turn off my computer and have forgotten to properly shut down vpnc, I have a problem at the next start because of the bad resolv.conf.

What I don't understand yet is where I can specify the routing table entries when I want to start vpnc during boot; the wiki is very unclear there.

Can you help me here?

Thank You

  Jody

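The "forgot to stop vpnc before shutdown" case above can be handled at boot by checking for the `@VPNC_GENERATED@` mark that vpnc writes into resolv.conf. The script below is an added example, not from the thread or from vpnc itself; the backup path is an assumption (vpnc-script keeps its copy under /var/run/vpnc, which is often a tmpfs and therefore empty after a reboot), and the nameservers passed to the rewrite branch are whatever you want restored.

```shell
#!/bin/sh
# Added example: recover /etc/resolv.conf after an unclean shutdown while vpnc
# was connected. vpnc marks the files it generates with the line below, so a
# marked file found at boot is stale VPN DNS config, not the user's own.
VPNC_MARK='@VPNC_GENERATED@'

# is_vpnc_generated FILE -> exit 0 if FILE carries vpnc's mark on its first line
is_vpnc_generated() {
    [ -f "$1" ] && head -n 1 "$1" | grep -q "$VPNC_MARK"
}

# plan_recovery RESOLV BACKUP -> prints one of:
#   keep    : not vpnc-generated, leave it alone
#   restore : vpnc-generated and a usable backup exists, copy it back
#   rewrite : vpnc-generated but the backup is missing (e.g. tmpfs lost on
#             reboot) or is itself a vpnc-generated file; regenerate it
plan_recovery() {
    resolv=$1; backup=$2
    if ! is_vpnc_generated "$resolv"; then
        echo keep
    elif [ -s "$backup" ] && ! is_vpnc_generated "$backup"; then
        echo restore
    else
        echo rewrite
    fi
}

# recover_resolv RESOLV BACKUP NAMESERVER... : apply the plan; the nameserver
# list is only used when the backup cannot be trusted
recover_resolv() {
    resolv=$1; backup=$2; shift 2
    case $(plan_recovery "$resolv" "$backup") in
        keep)    ;;
        restore) cp "$backup" "$resolv" ;;
        rewrite) { for ns in "$@"; do echo "nameserver $ns"; done; } > "$resolv" ;;
    esac
}

# Typical boot-time call (assumed paths, run as root):
# recover_resolv /etc/resolv.conf /var/run/vpnc/resolv.conf-backup 127.0.0.1 192.168.1.1
```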
----------

## tuber

Can you set the variable INTERNAL_IP4_DNS in /etc/vpnc/vpnc-script to be your DNS?

----------

