For a long time I’ve tolerated the workaround of setting the immutable attribute on resolv.conf (ie. chattr +i /etc/resolv.conf). This will prevent anything from updating the file and thus you will not lose your DNS settings when the VPN connection takes place. This is fine for a desktop machine on a local network where resolv.conf is likely to stay static, but no good for a laptop or other mobile device.

This week I searched around for a better solution. Something new I found was vpnc connect and post-connect scripts. This looked like a possible solution, something similar to what I did when using the vpnc client for KDE. The KDE client had a post-connect script option, and from that I would restore my old resolv.conf. I tried creating the vpnc scripts to back up resov.conf and restore it afterwards, but it seems that those scripts don’t even get run by NetworkManager because nothing happened for me.

Then by luck I noticed something in my search results about a setting called ignore-auto-dns. Seems that the interface doesn’t support the setting, but you can specify it for the connection using gconf-editor. The specs for the setting are here… http://projects.gnome.org/NetworkManager/developers/settings-spec-08.html

So to apply this setting, open gconf-editor and find your VPN connection under system/networking/connections (all connections are just numbered under there). There should be an ipv4 key in there. Now just create the boolean value ignore-auto-dns and set it to true. Shortly after discovering this solution, I found another technique which lists this same setting but in a network configuration file… https://help.ubuntu.com/community/NetworkManager0.7. I’ve not tried the method listed there because I’m not actually convinced that it’s a better option than modifying this gconf setting.

Not much to add, except “oh the awesome!”. Here’s a little screen shot of the add connection GUI…

If you have trouble figuring out what to enter into those fields, check out my old get-a-robot-vpnc post for some hints.

• Rooted G1 (clean JesusFreke v1.51 US image)

Prerequisites:

• VPN connection settings or a pcf file
• If you need to decrypt enc_GroupPwd from pcf, Linux box with vpnc installed
• Something to extract bz2 files
• BusyBox (or alternative copy method that doesn’t use tar)
• Get-a-robot-vpnc package
• Root access!

First of all, this is an alternative version of instructions from xda-developers post by Phlogiston. I’ve included more complete details for those people who wouldn’t know the first thing about getting started with vpnc. Big win credit to wmealing for bringing vpnc to Android!

Extract the bz2 file (not on the phone yet). Note the directory structure is /data/data/org.codeandroid.vpnc/..., this is designed to be extracted directly to the root of the phone.

Open /data/data/org.codeandroid.vpnc/etc/vpnc/vpnc.conf and place your VPN connection settings in there. Very important that you remove or comment out the line “IKE authmode hybrid” or later you will have errors about missing openssl components. If you are not sure about the vpnc.conf settings and you have the .pcf file, map the following values…

You should know your user name and password. Of course I’m not going to recommend that you store them in plain text in this file, but it sure does make life a whole lot simpler.

*If GroupPwd is blank and instead you have enc_GroupPwd you need to use the cisco-decrypt tool that usually comes with a standard vpnc installation (in my distro it’s found at /usr/lib/vpnc/cisco-decrypt). Simply run:

/usr/lib/vpnc/cisco-decrypt <enc_GroupPwd hash>

Open /data/data/org.codeandroid.vpnc/etc/vpnc/vpnc-script and change the first line to “#!/system/bin/sh” (replace bash with just sh).

Now you need to get it all on to your phone. Confirm you have the tar command on the phone by opening up the terminal app and typing “tar“. If you don’t have it, you might want to get BusyBox.

From the directory where you extracted the bz2 file, run the following to make a tarball:

$ tar -cvf vpnc.tar ./data/data

Copy that to the phone’s sdcard. While you have the sdcard mounted on your PC, create a directory called vpnc and create two empty files in there named go and prep (you can name them anything really).

Open go and paste the following (this is one single long line of text):

/data/data/org.codeandroid.vpnc/bin/vpnc /data/data/org.codeandroid.vpnc/etc/vpnc/vpnc.conf --script /data/data/org.codeandroid.vpnc/etc/vpnc/vpnc-script --pid-file /data/data/org.codeandroid.vpnc/etc/vpnc/vpnc-pid --no-detach --debug 1

Open prep and paste the following:

modprobe tun
lsmod
mkdir /dev/net
ln -s /dev/tun /dev/net/tun

These scripts will help you type less on the handset. Now unmount the sdcard and wait for the phone to check it. Open up a terminal and run the following:

$ su
# cp /sdcard/vpnc.tar /data
# cd /data
# tar xvf vpnc.tar
# rm vpnc.tar
# cd /sdcard/vpnc
# sh prep
# sh go

If all went well you should see the following happy little message!

… and to later kill the VPN connection, just press Ball+C. Note: You only need to run the prep script the first time during the session (when the phone reboots you’ll need to run it again).

If you want to undo it all and start from scratch, just do a recursive delete of /data/data/org.codeandroid.vpnc directory and reboot.