Hi,

I am using openconnect from Enterprise Linux 7 distributions to connect to a Cisco VPN, authenticating with a PKCS#11 smart card. When an unprivileged user connects externally, two issues arise.

1. Name resolution doesn't get updated with the VPN's name servers. I guess this is because NetworkManager sets /etc/resolv.conf, and openconnect is being executed outside of NetworkManager, though I'm not certain.

2. A split tunnel is created. I hope that's the right language; if not, I hope this will explain the behavior: from a Windows system connecting to the vpn with the Cisco client, all traffic is routed through the vpn tunnel... when I start the vpn client from within an RDP session, my RDP session will disconnect, so I'd expect an ssh connection to disconnect when openconnect establishes the vpn connection, and that is not the case.

Syslog shows messages that imply that NetworkManager understands what's going on when openconnect is run, but these issues persist....

    NetworkManager[2677]: <info> Policy set 'vpn0' (vpn0) as default for IPv4 routing and DNS.
    NetworkManager[2677]: <info> (vpn0): Activation: successful, device activated.

Here's the client side configuration:

I've set up a systemd service that plumbs the interface vpn0 using the following command:

    /usr/sbin/ip tuntap add vpn0 mode tun group vpnusers

I have a vpn-wrapper script that the users execute which runs the following openconnect command:

    /usr/sbin/openconnect -q -i vpn0 -c 'pkcs11:<certificate token string>' -s 'sudo /etc/vpnc/vpnc-script' vpn.example.com

I also have deployed a sudoers rule file for the vpnusers group with the following rules:

    Defaults env_keep += "reason VPNGATEWAY TUNDEV INTERNAL_IP4_ADDRESS INTERNAL_IP4_NETMASK"
    Defaults env_keep += "INTERNAL_IP4_NETMASKLEN INTERNAL_IP4_NETADDR INTERNAL_IP4_DNS"
    Defaults env_keep += "INTERNAL_IP4_NBNS CISCO_DEF_DOMAIN CISCO_BANNER CISCO_SPLIT_INC"
    Defaults env_keep += "CISCO_SPLIT_INC_%d_ADDR CISCO_SPLIT_INC_%d_MASK CISCO_SPLIT_INC_%d_MASKLEN"
    Defaults env_keep += "CISCO_SPLIT_INC_%d_PROTOCOL CISCO_SPLIT_INC_%d_SPORT"
    Defaults env_keep += "CISCO_SPLIT_INC_%d_DPORT"
    %vpnusers ALL = (root) /etc/vpnc/vpnc-script

NOTE that we seem to have an issue with users running sudo -E, so I've added the environment variables documented in the vpnc-script to the sudo rules, and this seems to work save the issues listed above.

Can you help?

Thank you kindly!

--Sean
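
Added example (not part of the message above, and not code from sudo or openconnect): a small shell model of how sudo matches env_keep entries against variable names, run over the split-include entries from the sudoers rules above. It assumes sudo treats each entry as a literal name with a trailing "*" as the wildcard, and that vpnc-script receives the "%d" templates with numeric indices filled in; the indexed names below are constructed.

```shell
#!/bin/sh
# Simplified model (assumption of this example) of sudo's env_keep matching:
# an entry matches a variable name exactly, or as a prefix when the entry
# ends in "*". A printf-style "%d" has no special meaning and is literal.

# env_kept NAME ENTRY... -> returns 0 if NAME would be preserved
env_kept() {
    name=$1; shift
    for pat in "$@"; do
        case $pat in
            *\*) prefix=${pat%\*}                     # strip trailing "*"
                 case $name in "$prefix"*) return 0 ;; esac ;;
            *)   [ "$name" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

# dropped_vars "ENTRIES" NAME... -> prints the names that would be stripped
dropped_vars() {
    pats=$1; shift
    out=""
    set -f                  # stop "*" in entries from globbing local files
    for v in "$@"; do
        env_kept "$v" $pats || out="$out $v"
    done
    set +f
    echo "${out# }"
}

# Entries as written in the sudoers rules above (split-include subset)
PAGE_KEEP='CISCO_SPLIT_INC CISCO_SPLIT_INC_%d_ADDR CISCO_SPLIT_INC_%d_MASK CISCO_SPLIT_INC_%d_MASKLEN'
# Hypothetical variant using a trailing wildcard instead of "%d"
WILD_KEEP='CISCO_SPLIT_INC CISCO_SPLIT_INC_*'
# Constructed sample: the templates with the index filled in as 0 and 1
SAMPLE='CISCO_SPLIT_INC CISCO_SPLIT_INC_0_ADDR CISCO_SPLIT_INC_0_MASK CISCO_SPLIT_INC_1_ADDR'

echo "dropped with page entries: $(dropped_vars "$PAGE_KEEP" $SAMPLE)"
echo "dropped with wildcard:     $(dropped_vars "$WILD_KEEP" $SAMPLE)"
```

Every name kept this way is caller-controlled input to a script that runs as root, so the kept set is best held to what the script actually reads.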