Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
0 answers
149 views
resolv.conf not updated after connecting to VPN using OpenConnect
I recently switched from the **Cisco AnyConnect Secure Mobility Client** to **OpenConnect** to solve a long-standing issue where my Docker containers could not access internal sites over my corporate VPN. This switch resolved that issue (as reported in several similar cases online), but it introduced a new problem: now, every time I connect to the VPN using OpenConnect, **/etc/resolv.conf is not properly updated** with the internal DNS servers as the Cisco client used to do automatically.

I've been working around this by manually updating resolv.conf after each connection, and even wrote a small script to speed that up, but this doesn't feel like a solid or sustainable solution.

---

### My setup:

- OS: Ubuntu 24.04.02
- Packages:

  network-manager-openconnect         1.2.10-3build2
  network-manager-openconnect-gnome   1.2.10-3build2
  openconnect                         9.12-1build5

- I use the **GNOME UI** for connection because my VPN requires **SSO login via a web view**.

---

### Questions:

1. How can I make OpenConnect automatically update resolv.conf when the VPN connects?
2. Is there a NetworkManager hook or OpenConnect config that I'm missing?
3. Are there known limitations when using OpenConnect via the GNOME UI regarding DNS updates?

---

Any advice, workaround, or best practice would be greatly appreciated.
Rogerio Schmitt (101 rep)
Mar 25, 2025, 04:25 PM • Last activity: Mar 25, 2025, 05:14 PM
1 vote
1 answer
36 views
Why does connecting to a VPN create a new login from my local user?
When I work from home, I connect from my Linux machine to a VPN, via this command:
$ sudo openconnect --protocol=anyconnect -u usernameatwork --authgroup=MFA foo.bar.baz.work
which will require that I

1. insert the password of my local user, simply because I'm running sudo,
2. insert the password of my user in the VPN at work,
3. confirm with another device because of MFA.

I've just noticed that

- before step 1, who on my local machine tells me I'm the only one logged in on my computer:

myself   tty1         2025-01-14 17:47

- right after step 1, who on my local machine tells me I've just logged in again:

myself   tty1         2025-01-14 17:47
myself   pts/2        2025-02-03 07:17

What is the meaning of the second line of the output? I mean, I've connected to a VPN. Why does this mean I've logged in to my own system again?
Enlico (2258 rep)
Feb 3, 2025, 07:28 AM • Last activity: Feb 3, 2025, 08:26 PM
0 votes
0 answers
45 views
Help configuring firewall/routing for ocserv on Ubuntu
I can't set up internet access via OpenConnect. From the router where the openconnect client is running, I see only the VPS with OCServ:
root@OpenWrt:~# traceroute  google.com
traceroute to google.com (74.125.131.113), 30 hops max, 46 byte packets
 1  192.168.2.1 (192.168.2.1)  44.188 ms  44.073 ms  43.962 ms
 2  192.168.0.1 (192.168.0.1)  46.479 ms  46.353 ms  70.473 ms
 3 * * *
But the ping looks good:
root@OpenWrt:~# ping google.com
PING google.com (74.125.131.100): 56 data bytes
64 bytes from 74.125.131.100: seq=0 ttl=60 time=75.226 ms
64 bytes from 74.125.131.100: seq=1 ttl=60 time=74.967 ms
On the VPS with OCServ I:

* change /etc/ufw/before.rules:
-A ufw-before-forward -s 192.168.2.0/24 -j ACCEPT
-A ufw-before-forward -d 192.168.2.0/24 -j ACCEPT
-A ufw-before-forward -s 192.168.3.0/24 -j ACCEPT
-A ufw-before-forward -d 192.168.3.0/24 -j ACCEPT
...
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
* change /etc/default/ufw:
DEFAULT_OUTPUT_POLICY="ACCEPT"
* change /etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
* The following interfaces exist on the VPS:
~# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
...
2: eth0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 54:52:00:51:a6:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3
    inet 192.168.0.4/24 metric 100 brd 192.168.0.255 scope global dynamic eth0
       valid_lft 68037sec preferred_lft 68037sec
    inet6 fe80::5652:ff:fe51:a62f/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0:  mtu 1500 qdisc noqueue state DOWN group default 
...
5: vpns0:  mtu 1434 qdisc fq state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.2.1 peer 192.168.2.91/32 scope global vpns0
       valid_lft forever preferred_lft forever
    inet6 fe80::937e:4e59:590c:5bc6/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
Topology of my network:

* home (192.168.3.0/24)
  --- wifi/twisted_pair ---
* OpenWRT (asus rt-ax53u) (192.168.3.0/24), OpenConnect client (192.168.2.0/24)
  --- Russian ISP blocking YouTube ---
* OCServ 1.3.0 (192.168.2.0/24), VPS (192.168.0.4/24)
SkyN (109 rep)
Sep 29, 2024, 01:39 PM
0 votes
1 answer
968 views
VPN parameter useragent and NetworkManager
After some changes on the server or in local packages, now when trying to connect to the VPN server I receive a 404 error response. Previously I was using the configuration for NetworkManager under Gnome with success for 2 years.

I already found a solution when debugging the connection with the command line openconnect client. It requires adding the parameter *--useragent=AnyConnect* and the connection is working fine.

Now it's time to update NetworkManager. I didn't find any field in the GUI to enter this parameter or to add custom parameters to pass to openconnect. I've found that the config reflecting the graphic form is located in: */etc/NetworkManager/system-connections/VPN 1.nmconnection*

I've added the '*useragent=AnyConnect*' line to [vpn] and even after a restart of the system (to reload configs) the VPN connection window still reports 404.

How should I pass this parameter? Here is the [vpn] section from my config:

[vpn]
authtype=cert
autoconnect-flags=0
cacert=/etc/pki/tls/certs/Company_Root_CA.crt
certsigs-flags=0
cookie-flags=2
enable_csd_trojan=no
gateway=vpn.net.company.com/EE-Linux
gateway-flags=2
gwcert-flags=2
lasthost-flags=0
pem_passphrase_fsid=no
prevent_invalid_cert=no
protocol=anyconnect
resolve-flags=2
stoken_source=manual
useragent=AnyConnect
usercert=/home/user/keys/user.crt
userkey=/home/user/keys/user.key
xmlconfig-flags=0
service-type=org.freedesktop.NetworkManager.openconnect
Adam Mierzwiak (101 rep)
Jul 2, 2024, 05:14 AM • Last activity: Sep 19, 2024, 09:33 AM
2 votes
0 answers
477 views
setup vpn connection using nmcli - Connection activation failed: No valid secrets
I'm trying to configure an openconnect VPN connection in nmcli on Debian 12 running SwayWM. I manage to connect to the VPN using nmcli with the --ask flag, but it cannot read the VPN secrets provided in the configuration file below. Any idea?

[connection]
id=VPN
uuid=d9133c7c-1c0e-47dc-8da1-9e52eced6385
type=vpn
autoconnect=false
timestamp=1726496682

[vpn]
authgroup=Personels
authtype=password
autoconnect-flags=0
certsigs-flags=0
cookie-flags=2
enable_csd_trojan=no
gateway=vpn.grenet.fr
gateway-flags=2
gwcert-flags=2
lasthost-flags=0
password-flags=0
pem_passphrase_fsid=no
prevent_invalid_cert=no
protocol=anyconnect
resolve-flags=2
stoken_source=disabled
user-name=myusername
xmlconfig-flags=0
service-type=org.freedesktop.NetworkManager.openconnect

[vpn-secrets]
#form:main:group_list=TunnelGroup_Personnels
#form:main:username=myusername
password=mypassword

I tried nmcli con reload and systemctl restart NetworkManager. I also tried using 'passwd-file' without success.

Also the journalctl logs:

> [1726513110.5164] vpn[0x55c2cb4b6330,d9133c7c-1c0e-47dc-8da1-9e52eced6385,"VPN"]: secrets: failed to request VPN secrets #3: No agents were av
> lines 751-800/800 (END)

Duplicate unanswered posts:

- https://serverfault.com/questions/816714/how-do-i-supply-a-password-to-networkmanager-openconnect-automatically
- https://unix.stackexchange.com/questions/703089/how-to-set-a-vpn-connection-in-nmcli
charlycou (121 rep)
Sep 16, 2024, 07:21 PM
1 vote
1 answer
996 views
Cisco AnyConnect VPN fails with illegal or unsupported version
I'm attempting to connect to a **Cisco AnyConnect VPN** from my Fedora 40 client. I tried both the GUI (lots of howtos out there) and the terminal to establish this connection through **OpenConnect**, and it fails with:

SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to vpn.vpn.vpn

This is the actual connection attempt:

$ openconnect vpn.vpn.vpn
POST https://vpn.vpn.vpn/
Connected to 0.0.0.0:443
SSL negotiation with vpn.vpn.vpn
SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to vpn.vpn.vpn
Failed to complete authentication
slybloty (1318 rep)
Jul 24, 2024, 10:18 PM
3 votes
1 answer
4551 views
Route all traffic through openconnect
I'm trying to connect to a business VPN (Cisco AnyConnect). I'm utilizing openconnect and a connection has been established. That connection is also seen by the ip add command. The default route according to ip route seems to be wlp5s0. How would I configure openconnect in such a way that rather than utilizing this route, it should select the VPN one? The issue I have is that my IP address won't change once I've connected to the VPN. I have tried the terminal openconnect version and the gnome GUI install for Cisco. Same problem with both.

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
3: wlp5s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether YY:YY:YY:YY:YY:YY brd ff:ff:ff:ff:ff:ff
    inet 192.111.111.111/24 brd 192.111.111.255 scope global dynamic noprefixroute wlp5s0
       valid_lft 86208sec preferred_lft 86208sec
    inet6 ffff::ffff:ffff:ffff:ffff/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: vpn0: mtu 1300 qdisc fq_codel state UP group default qlen 500
    link/none
    inet 192.111.11.111/22 brd 192.111.111.255 scope global noprefixroute vpn0
       valid_lft forever preferred_lft forever
    inet6 eeee::eeee:eeee:eeee:eeee/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

*Not quite sure what's safe to share and not, so I just modified some of the entries.*

This is the ip route entry:

default via 192.168.1.1 dev wlp5s0 proto dhcp metric 600
10.0.0.0/8 dev vpn0 scope link
10.0.0.2 dev vpn0 scope link
10.0.0.3 dev vpn0 scope link
/23 dev vpn0 scope link
via 192.168.1.1 dev wlp5s0 src 192.168.1.17
169.254.0.0/16 dev wlp5s0 scope link metric 1000
172.16.0.0/12 dev vpn0 scope link
/22 dev vpn0 scope link
/24 dev vpn0 scope link
192.168.0.0/16 dev vpn0 scope link
192.168.1.0/24 dev wlp5s0 proto kernel scope link src 192.168.1.17 metric 600
192.168.20.0/22 dev vpn0 scope link

I'm trying to reach 10.12.122.197 which should be within the same LAN as the VPN. Running Ubuntu 19.10 by the way.
Gjert (131 rep)
Mar 11, 2020, 07:29 PM • Last activity: Feb 7, 2024, 10:02 AM
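An added example, not code from the question or from openconnect: it resolves destinations against the posted route table the way the kernel does (most specific prefix wins, lower metric breaks ties) to show why 10.12.122.197 leaves through vpn0 while general internet traffic still takes wlp5s0, so the public IP does not change. The table below is a constructed copy of the routes above with the lines whose prefix was lost in the listing left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination; 0.0.0.0/0 stands for "default"
    dev: str                        # egress interface
    metric: int                     # 0 when `ip route` prints no metric


def parse_ip_route(text: str) -> list:
    """Parse `ip route` lines of the form '<dst> [via GW] dev IF ... [metric N]'."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            prefix = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue            # e.g. a line whose prefix was garbled in the listing
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append(Route(prefix, dev, metric))
    return routes


def lookup(routes: list, dst: str) -> Route:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


# Constructed from the poster's table; garbled lines ("/23 dev vpn0 ...") omitted.
ROUTE_TABLE = """\
default via 192.168.1.1 dev wlp5s0 proto dhcp metric 600
10.0.0.0/8 dev vpn0 scope link
10.0.0.2 dev vpn0 scope link
10.0.0.3 dev vpn0 scope link
169.254.0.0/16 dev wlp5s0 scope link metric 1000
172.16.0.0/12 dev vpn0 scope link
192.168.0.0/16 dev vpn0 scope link
192.168.1.0/24 dev wlp5s0 proto kernel scope link src 192.168.1.17 metric 600
192.168.20.0/22 dev vpn0 scope link
"""


def egress_device(dst: str) -> str:
    """Interface the kernel would use for dst under ROUTE_TABLE."""
    return lookup(parse_ip_route(ROUTE_TABLE), dst).dev


if __name__ == "__main__":
    for dst in ("10.12.122.197", "192.168.1.17", "192.168.21.5", "8.8.8.8"):
        print(f"{dst:>16} -> {egress_device(dst)}")
```

The table is a split-tunnel: only the listed private prefixes are sent via vpn0, and anything else follows the wlp5s0 default, which is why the public address stays the same after connecting.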
2 votes
1 answer
1813 views
Debian 9: Is there any GUI to add OpenConnect VPN-connection in ConnMan?
On a lightweight Debian machine I am using ConnMan instead of NetworkManager. For this I installed ConnMan based on the following packages:

- connman
- connman-vpn
- cmst

Ethernet, wifi, virtual bridges etc. are working completely fine. However, it seems to be impossible to graphically add a VPN connection (openconnect) via connman's cmst GUI. Do I have to create config files for every VPN by hand in a text editor?

----------

In NetworkManager this was a pretty easy task within the GUI. First, install the packages:

- network-manager
- network-manager-gnome
- network-manager-openconnect-gnome

Afterwards it was possible to set up the VPN inside the GUI.

----------

In ConnMan this seems to work a bit differently. So the final question now is: **How to set up a Cisco AnyConnect compatible VPN connection (OpenConnect) for use with ConnMan?**
Dave (1046 rep)
May 10, 2018, 02:28 PM • Last activity: Oct 9, 2023, 09:16 PM
0 votes
0 answers
323 views
Discord disconnect when on Cisco VPN (Multi-protocol VPN client (openconnect))
I would like to ask for advice. I have Fedora 38 and I am also using Discord there. The problem is that anytime I connect to the VPN (which I need for work), Discord disconnects. I have tried completely turning off firewalld for a while, and I tried changing DNS to 8.8.8.8 and 8.8.4.4, but nothing helps. When I am on Windows 11 and connected to the Cisco VPN, I cannot start the Discord app, but if it's running before connecting to the VPN, it's OK and it stays connected, so I can use it for communication without any issues. Any help is appreciated. Thank you.
Tom (13 rep)
Aug 24, 2023, 01:10 PM
0 votes
0 answers
794 views
ocserv error: vhost, you cannot mix multiple authentication method
I'm trying to install ocserv *(OpenConnect VPN Server)*, using the script from this repository, on CentOS 8.1. The script automatically sets up the server, certificate, user list and other settings. After install.sh is run *(script content is below)*, I check the logs using journalctl -u ocserv, and this is the output:
Starting OpenConnect SSL VPN server...
Started OpenConnect SSL VPN server.
note: skipping 'pid-file' config option
error: cannot open file /etc/letsencrypt/live/208.xx.xx.xx/fullchain>
Parsing plain auth method subconfig using legacy format
error: vhost:default: you cannot mix multiple authentication method>
ocserv.service: Main process exited, code=exited, status=1/FAILURE
ocserv.service: Failed with result 'exit-code'.
The error seems to be error: vhost:default: you cannot mix multiple authentication method, which is located in the source code here. There is also this error, error: cannot open file /etc/letsencrypt/live.., about the certificate; not sure if it is important. Where is the vhost:default config file (about multiple authentication) located, and how do I fix this? Or am I misinterpreting the errors? **PS**: *If you need the output of any command, let me know in the comments.*

install.sh script:
#!/bin/bash
# openconnect/anyconnect server (ocserv) installer in centos + let's ecnrypt 
# 
# bash install.sh -f username-list-file -n host-name -e email-address

usage()
{
    echo "usage:"
    echo "bash install.sh -f username-list-file -n host-name -e email-address"
}


###### Main

LIST=""
HOST_NAME=""
EMAIL_ADDR=""

# Inside [[ ]] a bare ">" is a string comparison; -gt compares the line count numerically.
if [[ $(dnf -q check-update | wc -l) -gt 0 ]] ; then
    echo 'You must be updated before this script.'
    echo 'Run: yum update'
    exit
fi

while [[ $1 != "" ]]; do
    case $1 in
        -f | --list )     shift
			        LIST=$1
                                ;;
        -n | --hostname )     shift
			        HOST_NAME=$1
                                ;;
        -e | --email )      shift
			        EMAIL_ADDR=$1
                                ;;
        -h | --help )         usage
                                exit
                                ;;
        * )                   usage
                                exit 1
    esac
    echo $1;
    shift
done

if [[ $HOST_NAME == "" ]] || [[ $EMAIL_ADDR == "" ]] || [[ $LIST == "" ]] ; then
  usage
  exit
fi

echo '[10%  ] Start installation...'
yum -q update -y  > /dev/null &
wait
yum install epel-release -y > /dev/null &
wait
yum repolist enabled > /dev/null &
wait
yum -q update --assumeno > /dev/null &
wait

yum install iptables-services -y > /dev/null &
wait

yum install ocserv certbot -y > /dev/null &
wait

echo '[20%  ] Request a valid certificate...'
certbot certonly --standalone --non-interactive --preferred-challenges http --agree-tos --email $EMAIL_ADDR -d $HOST_NAME &
wait

echo '[30%  ] Changing the default settings...'
sed -i 's/auth = "pam"/#auth = "pam"\nauth = "plain\[\/etc\/ocserv\/ocpasswd]"/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/try-mtu-discovery = false/try-mtu-discovery = true/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/#dns = 192.168.1.2/dns = 1.1.1.1\ndns = 8.8.8.8/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/#tunnel-all-dns = true/tunnel-all-dns = true/' /etc/ocserv/ocserv.conf & # !=  = DNS Leak
wait
sed -i "s/server-cert = \/etc\/pki\/ocserv\/public\/server.crt/server-cert=\/etc\/letsencrypt\/live\/$HOST_NAME\/fullchain.pem/" /etc/ocserv/ocserv.conf &
wait
sed -i "s/server-key = \/etc\/pki\/ocserv\/private\/server.key/server-key=\/etc\/letsencrypt\/live\/$HOST_NAME\/privkey.pem/" /etc/ocserv/ocserv.conf &
wait
sed -i 's/ipv4-network = 192.168.1.0/ipv4-network = 192.168.2.0/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/#ipv4-network = 192.168.1.0/ipv4-network = 192.168.2.0/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/#ipv4-netmask = 255.255.255.0/ipv4-netmask = 255.255.255.0/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/max-clients = 16/max-clients = 128/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/max-same-clients = 2/max-same-clients = 4/' /etc/ocserv/ocserv.conf &
wait
#sed -i 's/#mtu = 1420/mtu = 1420/' /etc/ocserv/ocserv.conf &
#sed -i 's/#route = default/route = default/' /etc/ocserv/ocserv.conf & # for use server like gateway = IP Leak
sed -i 's/no-route = 192.168.5.0\/255.255.255.0/#no-route = 192.168.5.0\/255.255.255.0/' /etc/ocserv/ocserv.conf &
wait
#sed -i 's/udp-port = 443/#udp-port = 443/' /etc/ocserv/ocserv.conf & # if there is a problem with DTLS/UDP
wait

echo '[40%  ] Adding iptables items...'
iptables -I INPUT -p tcp --dport 22 -j ACCEPT & # SSH port
wait
iptables -I INPUT -p tcp --dport 443 -j ACCEPT &
wait
iptables -I INPUT -p udp --dport 443 -j ACCEPT &
wait
iptables -I INPUT -p udp --dport 53 -j ACCEPT &
wait
iptables -t nat -A POSTROUTING -j MASQUERADE &
wait
iptables -I FORWARD -d 192.168.2.0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT &
wait
iptables -A FORWARD -s 192.168.2.0 -j ACCEPT &
wait

echo '[50%  ] Activating the ip_forward feature...'
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf &
#echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
wait

sysctl -p & # apply wihout rebooting
wait

echo '[60%  ] Adding users...'
echo ''
if [[ $LIST != "" ]] ; then
  # Each line of the list file is "username password"; read -a splits it into an array.
  while read -r -a line; do
    if [[ "${line[0]}" != "" ]] ; then
      echo "   For user ${line[0]} password updated with ${line[1]}"
      echo "${line[1]}" | ocpasswd -c /etc/ocserv/ocpasswd "${line[0]}" &
      wait
    fi
  done < "$LIST"
  # (the command that followed the loop in the original post was lost; it redirected to /dev/null)
wait
systemctl disable ocserv.socket > /dev/null &
wait

echo '[80%  ] Start ocserv service...'
systemctl restart ocserv.service > /dev/null &
wait
#systemctl status ocserv.service &
#wait

#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT & # Allow SSH port. Is this port really configured?
#iptables -P INPUT DROP & # If you have not ACCEPT the SSH port connection before, do not run this command! 
#wait

echo '[90%  ] Persistent iptables rules...'
iptables-save > /etc/iptables.rules &
wait

systemctl enable iptables &
wait

service iptables save &
wait

systemctl start iptables &
wait

echo '[100% ] Your VPN server is ready to use.'
echo ''
echo 'Please check the ocserv logs with: journalctl -u ocserv'
echo ''
Jemshit (101 rep)
Jul 17, 2023, 04:09 PM
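An added example, not code from the question or the installer repository: a pre-flight check for an ocserv.conf that flags the two conditions behind the errors quoted above before the service is restarted. It assumes the ocserv rule that only one primary (password-style) `auth` method may be active per vhost, with `certificate` being the one that may be combined with it, and that the `server-cert`/`server-key` paths must exist; the sample config is constructed and is not the poster's real file.

```python
import os
import re

AUTH_RE = re.compile(r'^\s*auth\s*=\s*(.+?)\s*$')
CERT_RE = re.compile(r'^\s*server-(cert|key)\s*=\s*"?([^"]+?)"?\s*$')


def active_auth_directives(conf_text: str) -> list:
    """Values of every uncommented `auth =` line, in file order (quotes stripped)."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith('#'):
            continue                          # commented out: ocserv ignores it
        m = AUTH_RE.match(line)
        if m:
            found.append(m.group(1).strip('"'))
    return found


def conflicting_auth(auths: list) -> list:
    """Primary methods (plain, pam, radius, ...) cannot be mixed; certificate can
    sit next to one of them, so it is left out of the conflict count."""
    return [a for a in auths if not a.startswith('certificate')]


def referenced_cert_paths(conf_text: str) -> dict:
    """Map 'cert' / 'key' to the path named by server-cert / server-key."""
    paths = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = CERT_RE.match(line)
        if m:
            paths[m.group(1)] = m.group(2)
    return paths


def preflight(conf_text: str, exists=os.path.exists) -> list:
    """Return a list of problems; an empty list means both checks pass.
    `exists` is injectable so the check can be exercised without real files."""
    problems = []
    auths = active_auth_directives(conf_text)
    primary = conflicting_auth(auths)
    if len(primary) > 1:
        problems.append("more than one primary auth method active "
                        "(ocserv cannot mix them): " + "; ".join(primary))
    elif not auths:
        problems.append("no active auth line")
    for kind, path in referenced_cert_paths(conf_text).items():
        if not exists(path):
            problems.append(f"server-{kind} file not found: {path}")
    return problems


# Constructed sample (not the poster's file): the original `auth = "pam"` line was
# commented out, but a second pam line is still active, and the Let's Encrypt files
# were never written (the hostname is a placeholder).
SAMPLE_CONF = """\
#auth = "pam"
auth = "plain[/etc/ocserv/ocpasswd]"
auth = "pam[gid-min=1000]"
#enable-auth = "certificate"
server-cert = /etc/letsencrypt/live/HOSTNAME-PLACEHOLDER/fullchain.pem
server-key = /etc/letsencrypt/live/HOSTNAME-PLACEHOLDER/privkey.pem
"""

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONF):
        print("FAIL:", problem)
```

Run `preflight(open("/etc/ocserv/ocserv.conf").read())` after the installer's sed edits; an empty result means neither of the two quoted errors should appear on restart.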
9 votes
2 answers
13487 views
Openconnect won't connect in Arch Linux
I have been having some problems with openconnect in my Arch Linux (Antergos to be precise) and I have no idea what's causing it. (Although I'm used to linux and all, I'm very new to VPNs and openconnect.)

I'm trying to connect to my University's VPN via 2 methods. I start by following the instructions, which simply say to create a Cisco AnyConnect Compatible VPN and input the name and gateway. When I do it this way and try to connect via the network-manager applet it doesn't work. When I flip the VPN switch it simply flips right back immediately and that's it. No error messages or anything.

The second approach I'm trying is via the command line. So I try this:

$ sudo openconnect -u myusername my.gateway.edu

*(I'm replacing the actual gateway with my.gateway.edu and also the username and blurring relevant IPs from now on)*

This is the log I get from that input:

POST https://my.gateway.edu/
Connected to 164.**.**.**:443
SSL negotiation with my.gateway.edu
Server certificate verify failed: signer not found
Certificate from VPN server "my.gateway.edu" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:bb2476a96b88357fe74f28a347ba549a2af4bea8668e30a77e1a8295f466bfdc
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on my.gateway.edu
Got HTTP response: HTTP/1.1 401 Unauthorized
Error generating GSSAPI response: gss_init_sec_context(): Unspecified GSS failure.  Minor code may provide more information
gss_init_sec_context(): SPNEGO cannot find mechanisms to negotiate
Server 'my.gateway.edu' requested Basic authentication which is disabled by default
GET https://my.gateway.edu/
Connected to 164.**.**.**:443
SSL negotiation with my.gateway.edu
Server certificate verify failed: signer not found
Connected to HTTPS on my.gateway.edu
Got HTTP response: HTTP/1.1 401 Unauthorized
No more authentication methods to try
GET https://my.gateway.edu/
Please enter your username.
POST https://my.gateway.edu/auth
Please enter your password.
Password:
POST https://my.gateway.edu/auth
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400
Connected as 169.**.***.**, using SSL
DTLS handshake failed: Resource temporarily unavailable, try again.
Failed to open tun device: No such device
Set up tun device failed
Unknown error; exiting.

I have asked the University's IT support but they also don't know what's happening (I think they're not very familiar with Arch Linux). I have tried some other things such as using the flag --script /etc/vpnc/vpnc-script but the result is the same.

__EDIT__

I have recently come across [this website](https://medium.com/@v4runvs/using-openconnect-instead-of-cisco-anyconnect-vpn-agent-d7bc7d9b1631) via the IT people that says that I have to create a tunnel device before connecting. Even after doing that the results of

sudo openconnect -u myusername my.gateway.edu --interface tun1

are still the same.
TomCho (529 rep)
Dec 21, 2017, 01:10 PM • Last activity: Feb 2, 2023, 02:34 PM
5 votes
2 answers
19773 views
How to set a VPN connection in nmcli?
I want to use nmcli to connect to a VPN that I typically use Cisco AnyConnect for. I've installed the networkmanager-openconnect package (in Arch) and now I want to use it through nmcli. However, the nmcli interface seems too convoluted for me. Looking at nmcli c add help, it should be something along these lines:
Usage: nmcli connection add { ARGUMENTS | help }

ARGUMENTS := COMMON_OPTIONS TYPE_SPECIFIC_OPTIONS SLAVE_OPTIONS IP_OPTIONS [-- ([+|-]. )+]
with:
TYPE_SPECIFIC_OPTIONS:
...
    vpn:          vpn-type vpnc|openvpn|pptp|openconnect|openswan|libreswan|ssh|l2tp|iodine|...
                  [user ]
But the explanation in the help message is too terse for me and I could not find any examples online. **Can anyone who uses nmcli for similar purposes share their examples here?**

----------

**Failed attempts**

There is an example configuration here. Exploring the available man pages I did not find what form:main:group_list=CLIENTGROUP is even supposed to do. It fails with:
Error: Connection activation failed: No valid secrets
----------

For those who look for the simplest possible option; you can use openconnect directly:
sudo openconnect my.vpn.gateway
And that works as long as you don't need to make it available for a non-sudoer. When that happens, the plot gets complicated around name resolution (see here). I would prefer nmcli to handle this.
yujaiyu (259 rep)
May 19, 2022, 12:32 AM • Last activity: Dec 19, 2022, 04:14 PM
1 vote
0 answers
841 views
run openconnect without sudo
I want to start a VPN connection without needing to type in the password for the VPN connection or the password for sudo, and without saving the password on my PC where it is accessible to any normal user. ATM I have a bash script that is runnable and readable only by root which contains the VPN password, so to start up the VPN I still need to use sudo to run it. I compiled the bash script so I can now let normal users run it without exposing the password to them (at least I think so; can it still get sniffed from traffic or something?). But openconnect still needs sudo; can I somehow solve that?
Jacknife (11 rep)
Dec 2, 2022, 06:16 PM
5 votes
2 answers
6650 views
How to shut down openconnect cleanly?
I tried using openconnect today for the first time to connect to my organization's VPN. However, once connected, it runs in the foreground of the terminal and the only way I could see to close the connection was to use CTRL-C. Is this an acceptable way to close the openconnect session cleanly? If not, what is the preferred method?
Time4Tea (2628 rep)
Apr 3, 2020, 06:55 PM • Last activity: Nov 16, 2022, 06:46 PM
1 vote
1 answer
892 views
How to fix ca md too weak vpnbook?
I wanted to connect to the freevpn openvpn service, so I've followed the setup steps as their website said, but there is a problem with the certificate, I think. I've tried:
openvpn --config vpnbook-pl226-tcp443.ovpn
And here is the error:
2022-10-04 16:32:13 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-10-04 16:32:13 Cannot load inline certificate file
2022-10-04 16:32:13 Exiting due to fatal error
Any ideas how to fix this error?
amir taher (11 rep)
Oct 4, 2022, 11:41 PM • Last activity: Oct 9, 2022, 09:20 AM
3 votes
0 answers
811 views
Remove bogus DNS from resolvectl status
I use openconnect to join a VPN. On disconnection, the VPN's DNS servers remain alongside mine in the Global section, which causes a delay in network queries:

Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
Current DNS Server: 172.29.183.69
       DNS Servers: 172.29.183.69 172.29.183.70 192.168.100.144
        DNS Domain: groumpf.org in.company.fr

Link 2 (enp2s0f0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (wlp3s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (docker0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 6 (vmnet1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 7 (vmnet8)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 9 (enx482ae3a900cd)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

groumpf.org/192.168.100.144 are my correct domain/DNS, while the others are remnants from tun0, which is actually down. The system is Ubuntu 21.10 (kinetics) and openconnect is 9.01. Is this a systemd or an openconnect problem?

Regards, Xavier
Xavier Humbert (41 rep)
Jul 20, 2022, 04:12 PM • Last activity: Jul 20, 2022, 04:13 PM
19 votes
2 answers
137586 views
ssh installed but I get the error: Failed to start ssh.service: Unit ssh.service not found
I have ssh and openconnect installed, but when I proceed to start or stop the ssh service, I get the following error:

> Failed to start ssh.service: Unit ssh.service not found.

Also, when I try `sudo apt-get install ssh` I get the following:

```
sudo apt-get install ssh
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  ncurses-term openssh-server openssh-sftp-server ssh-import-id
Suggested packages:
  ssh-askpass rssh molly-guard monkeysphere
The following NEW packages will be installed:
  ncurses-term openssh-server openssh-sftp-server ssh ssh-import-id
0 upgraded, 5 newly installed, 0 to remove and 193 not upgraded.
Need to get 640 kB of archives.
After this operation, 5.237 kB of additional disk space will be used.
Do you want to continue? [Y/n]
```

Which I find confusing. If I do `which ssh`, I get:

```
/usr/bin/ssh
```

How can the binary be there if apt-get thinks the package is not installed? Also, when calling ssh, I get the following error:

> ssh: connect to host port 22: No route to host

But if I use openconnect and connect to a VPN, ssh works without problems. What am I missing? I'm running Ubuntu 16.04.
borizzzzz (321 rep)
May 22, 2019, 07:20 AM • Last activity: Jul 19, 2022, 07:04 AM
1 votes
2 answers
2631 views
openconnect nexthop has invalid gateway and invalid values for route get request
I am trying to connect to my university network with openconnect. When I do, it asks for my credentials and then outputs the following:

```
POST university_url
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as my.ip.v4.address, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Error: Nexthop has invalid gateway.
Error: ipv4: Invalid values in header for route get request.
```

This is on Arch Linux. Cisco AnyConnect works fine in an Ubuntu VM on the very same machine (clumsy workaround); however, I would rather resolve the cause of the issue. This is unfortunately beyond my skill level. Any help would be much appreciated.
Mohammed Li (111 rep)
Mar 30, 2020, 08:18 PM • Last activity: Apr 11, 2022, 06:48 PM
2 votes
0 answers
1600 views
openconnect pulse and 2fa
I want to use openconnect instead of pulsesecure/pulseUI to connect to my company's VPN. This was OK with the old server, but on the new one they have added 2FA. I saw this https://stackoverflow.com/a/63232539/959179 which looks promising. So I try a very basic test:

```
echo -e "${myPasswd}\n${freshOTPcode}" | sudo openconnect --protocol=pulse --passwd-on-stdin -u me@company.com
```

```
Connected to :443
SSL negotiation with
Connected to HTTPS on
Got HTTP response: HTTP/1.1 101 Switching Protocols
Unhandled Pulse authentication packet, or authentication failure
E [...]
Failed to obtain WebVPN cookie
```

I cannot make anything out of it. PulseSecure v9.1R13 connects fine to the server. The error is the same if I use the following arguments:

```
echo "myPasswd" | sudo openconnect --protocol=pulse -u me@company.com --passwd-on-stdin --token-mode=totp --token-secret=813940
```
nass (1508 rep)
Feb 21, 2022, 04:01 PM • Last activity: Mar 23, 2022, 11:53 PM
2 votes
1 answers
1112 views
In tmux on remote machine, each new line in terminal is indented to the end of the previously displayed line
## Update: Solved thanks to comment by @NotTheDr01ds

### Original question

(Details of the machines I'm using at end)

I connect to my Uni's VPN using: `sudo /sbin/modprobe tun && sudo openconnect gucsasa1.cent.gla.ac.uk`

I get this output:
```
POST https://gucsasa1.cent.gla.ac.uk/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 172.20.183.165, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Unknown DTLS packet type 13, len 16
```
Then I run the following command to connect via ssh:

```
ssh -X mymachine
```
Once connected, my `.bashrc` on the server tries to automatically launch tmux (version 2.6):
```
# Launch tmux
if command -v tmux>/dev/null; then
    [[ ! $TERM =~ screen ]] && [ -z $TMUX ] && tmux new-session -A -s main
fi
```
But it instantly crashes, leaving my terminal display looking like this (here I typed `ls` to show the problem, but it happens with all stdout):

(Screenshot: after typing 'clear' and then typing 'ls')

I also can't see anything I'm typing into the terminal, i.e. it doesn't update the display until I hit enter on the command (having typed it 'blind'). When using the -X and -Y flags with ssh, I have no problems with GUI programs. This is specific to stdout rendering in the terminal in tmux.

After googling, I found that typing `reset` brought back a 'normal' experience, but also killed the tmux server. Here is the result of typing `ls`:

(Screenshot: after typing 'reset' and then typing 'ls')

As soon as I try to launch tmux, it crashes again and I'm back to the original problem. I don't have this problem when I connect to other servers (running Debian 10 and Ubuntu 20.04, bash and tmux 2.8) using the same client machine and the same terminal.

Does anyone have any ideas on how I can troubleshoot this issue? I've been googling all day without success.

#### Client machine

- OS: lubuntu 20.04
- terminal: st
- shell: bash
- In tmux session: `echo $TERM`: st-256color
- Outside tmux session: `echo $TERM`: screen-256color

#### Server machine

- OS: Ubuntu 18.04
- terminal: gnome-terminal
- shell: bash
- Outside tmux session: `echo $TERM`: st-256color
mattb (937 rep)
Dec 23, 2021, 03:46 PM • Last activity: Dec 31, 2021, 08:06 AM