On Sat, Nov 29, 2014 at 5:54 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Sat, 2014-11-29 at 08:29 +0100, Nikos Mavrogiannopoulos wrote:
>> When connecting to an IP which is dynamic, it may often change and
>> require a reconnection. However, cstp_reconnect() will attempt to
>> connect to the cached IP and never fall back. The attached patch fixes
>> the issue for me, but what would be the best approach?
>> 1. Don't cache the IP at all
>
> Hm, the problem with this is that you may now be using a DNS server *on*
> the VPN. So it's unlikely that the DNS lookup will succeed. And even if
> it *does* work because you still have a live DTLS connection, if you
> have schizoDNS you might find that the hostname either doesn't exist in
> the internal view or resolves to something different.
>
> And then if you have full tunnel routing you're going to need to change
> the routes so that the new server IP address isn't routed through the
> VPN...

For the special case of Android, you can ask the OS to route traffic over
the "primary" network connection (bypassing the VPN) on a per-fd basis.
We already do this through the protect_socket() callback for CSTP/DTLS
reconnections. DNS might be a bigger challenge, unless you wanted to
bypass the resolver built into libc. Not sure if there is a clean,
portable way to make this work with vpnc-script though.

Nikos:

> 1. "The new DNS is routed through the VPN": That is a configuration
> issue, nothing openconnect can solve.

Well, in a corporate installation, that is pretty much the norm because
you'll want people to be able to look up internal hostnames. And the
schizoDNS setup that David referred to is more likely. But on a dyndns
installation (presumably somebody's home cable/DSL line) maybe the goals
are different.
The various "bypass GFW" tutorials I've seen online have often instructed the ocserv administrator to configure DNS using a public server like 8.8.8.8 and to push a long list of split tunnel routes allowing access to specific blocked services. Likewise, if somebody is using ocserv to provide access to their home LAN, they might push a route for 192.168.1.0/24 and allow other traffic to use the primary network connection. If somebody is using ocserv to circumvent e.g. OpenDNS parental controls or as a full tunnel to avoid workplace snooping, then (currently) they would want to be using a static IP. Do you think it makes sense for ocserv to pass a hint to the client that the server's IP is dynamic?
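To make the trade-off in this thread concrete, here is an added illustration (not openconnect code, and not the attached patch) of a reconnect order that tries the cached server address first and only then re-resolves the hostname, so a server whose IP has not moved is rejoined without any DNS traffic, and a resolver that is only reachable inside the tunnel degrades to "no new candidates" rather than an error. The resolver and connector are injected callables, the function and class names are hypothetical, and every hostname and address is a constructed sample value from the 203.0.113.0/24 documentation range.

```python
# Added example (not openconnect code): cached-address-first reconnect with a
# fallback to a fresh hostname lookup. Resolver and connector are injected so
# the logic can be exercised offline; all names/addresses are constructed.
from typing import Callable, List, Optional


class ReconnectState:
    """Per-connection memory of which addresses worked last time."""

    def __init__(self, hostname: str, cached_addrs: List[str]):
        self.hostname = hostname
        self.cached_addrs = list(cached_addrs)
        self.log: List[str] = []  # human-readable trace of what was tried


def reconnect(state: ReconnectState,
              resolve: Callable[[str], List[str]],
              connect: Callable[[str], bool]) -> Optional[str]:
    """Return the address a new connection was made to, or None.

    Order of attempts:
      1. every cached address (needs no DNS at all, so it works even when
         the only resolver lives behind the tunnel);
      2. a fresh lookup of the hostname, skipping addresses already tried.
    A resolver failure is logged and treated as "no new candidates".
    The cache is rewritten only after a successful connect, so a bogus
    answer from an internal DNS view cannot poison it.
    """
    tried: List[str] = []
    for addr in state.cached_addrs:
        tried.append(addr)
        if connect(addr):
            state.log.append(f"reconnected to cached {addr}")
            return addr
        state.log.append(f"cached {addr} unreachable")

    try:
        fresh = resolve(state.hostname)
    except OSError as exc:
        state.log.append(f"lookup of {state.hostname} failed: {exc}")
        return None

    for addr in fresh:
        if addr in tried:
            continue
        tried.append(addr)
        if connect(addr):
            state.log.append(f"reconnected to new address {addr}")
            state.cached_addrs = [addr]  # remember only on success
            return addr
        state.log.append(f"resolved {addr} unreachable")
    return None


def make_connector(reachable: List[str]) -> Callable[[str], bool]:
    """Constructed stand-in for a TCP connect: succeeds only for 'reachable'."""
    return lambda addr: addr in reachable


def demo_server_moved() -> Optional[str]:
    """Dynamic IP changed from .10 to .20; DNS still answers correctly."""
    st = ReconnectState("vpn.example.test", ["203.0.113.10"])
    return reconnect(st, lambda h: ["203.0.113.20"],
                     make_connector(["203.0.113.20"]))


def demo_dns_inside_tunnel() -> Optional[str]:
    """IP changed and the only DNS server is behind the now-dead tunnel."""
    def failing_resolver(host: str) -> List[str]:
        raise OSError("resolver unreachable")
    st = ReconnectState("vpn.example.test", ["203.0.113.10"])
    return reconnect(st, failing_resolver, make_connector(["203.0.113.20"]))


def demo_schizo_dns() -> Optional[str]:
    """Internal DNS view hands back a private address that is not the server."""
    st = ReconnectState("vpn.example.test", ["203.0.113.10"])
    return reconnect(st, lambda h: ["10.0.0.5"],
                     make_connector(["203.0.113.20"]))


if __name__ == "__main__":
    for demo in (demo_server_moved, demo_dns_inside_tunnel, demo_schizo_dns):
        print(f"{demo.__name__}: {demo()}")
```

The three demos correspond to the cases raised above: a plain address change is recovered; a resolver that is itself routed through the VPN leaves the client stuck until routing is fixed; and a split-horizon ("schizoDNS") answer is tried but never cached, since nothing is remembered until a connect actually succeeds.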