Comments (13)
I don't have a need to do this right now, but here's my thoughts on the UI, for what that's worth:
If you --exclude 192.0.2.0/24, that creates a route to 192.0.2.0/24 via the previous default gateway and nothing more. The routing table already uses a "most specific match" rule, so we can just defer to that behavior, which should be completely consistent on every system. Now, for that to do anything interesting, you'd need to have a less specific route that points over the VPN. You could obviously write 0.0.0.0/0 (i.e. the whole internet) as one of your "slices" to route through the VPN, but I think it would make more sense to have an option to honor the hosts provided by the server, like --route-splits, but adding a default route if there are no splits.
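The most-specific-match behaviour described in the comment above, worked through as an added example (this is illustration code written for this page, not vpn-slice's own implementation; the next-hop labels "tun0" and "eth0" and the "%"-prefixed exclude syntax are assumptions taken from the discussion):

```python
import ipaddress

# Constructed next-hop labels for the example (not vpn-slice's data model).
VPN_HOP = "tun0"      # the VPN tunnel interface
SYSTEM_HOP = "eth0"   # the previous (pre-VPN) default gateway


def parse_slices(slices):
    """Turn command-line slices into (network, next_hop) routes.

    A plain prefix is routed over the VPN. A leading '%' marks an exclude,
    which becomes a route to that prefix via the previous default gateway
    and nothing more (the '%a.b.c.d/xx' syntax mentioned in the thread).
    """
    routes = []
    for item in slices:
        if item.startswith("%"):
            routes.append((ipaddress.ip_network(item[1:], strict=False), SYSTEM_HOP))
        else:
            routes.append((ipaddress.ip_network(item, strict=False), VPN_HOP))
    return routes


def next_hop(routes, dest):
    """Longest-prefix match, as the kernel routing table does.

    Destinations matched by no slice keep using the system default gateway.
    An include and an exclude of the same length are exactly the ambiguity
    the thread worries about; this example simply lets the first listed win.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for net, hop in routes:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop)
    return best[1] if best else SYSTEM_HOP


if __name__ == "__main__":
    # An exclude on its own changes nothing: both hosts already used eth0.
    only_exclude = parse_slices(["%192.0.2.0/24"])
    print(next_hop(only_exclude, "192.0.2.5"), next_hop(only_exclude, "198.51.100.7"))
    # Add a whole-internet slice over the VPN and the more specific /24 wins.
    full_tunnel = parse_slices(["0.0.0.0/0", "%192.0.2.0/24", "::/0", "%2001:db8::/32"])
    for host in ("192.0.2.5", "198.51.100.7", "2001:db8::1", "2001:db9::1"):
        print(host, "->", next_hop(full_tunnel, host))
```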
I guess I was misled about my read of --route-internal by reading this as being the broadcast domain to which the virtual interface is attached, which is what happens for an ethernet interface, say. I'll blame Cisco for a misleading name...
Yeah, the Cisco naming isn't great, but I don't have a good idea for a better option name here. Any suggestions?
I hadn't thought about excluding a hostname, but now that you've drawn my attention to it, I'd say that excludes are the opposite of includes, so it should be resolved using the system resolver, not the VPN's resolver.
I think that's right. So basically, if I do --exclude github.com (for example), then we should look for A and/or AAAA records for github.com using the system-default resolvers, and exclude all of the matching IP addresses from being routed over the VPN.
@NightMachinary, if you're still around, please test https://github.com/dlenski/vpn-slice/commits/split_excludes_on_command_line
For the time being, the syntax to specify an exclude route is %a.b.c.d/xx (or %f00::1234/xx for IPv6). No hostname-based excludes yet.
Seeing the notification for this reminded me of something I saw a few weeks back that may mean that static domain-based excludes are impossible in the general case. The example of --exclude github.com was mentioned, but there's an issue with that. GitHub gives a single answer to an A query with a short TTL (60 s). If you wait for the TTL to expire, and then resolve the name again, you can (and, in my experience, you often do) get back a different address on the next query.
Making DNS requests once when openconnect starts up works in the simple case of a static DNS zone, and I expect the vast majority of internal names (i.e. the ones currently handled by vpn-slice) are set up this way, but large public websites are much more likely to do something dynamic with their DNS configurations.
Yeah, that's an interesting possibility. I started to do some coding of this, but don't really have a use case personally, and found it difficult to come up with an intuitive way to specify excluded subnets on the command-line.
Want to take a crack at coding something up?
Specifying exclusions seems easy to me? -exclude “x.x.x.x/y”?
Sure. But the hard part is figuring out how to make the user interface intuitive and sensible when both inclusions and exclusions are specified, principle of least surprise and all that. I need to think about it a bit more.
@gmacon, for what it's worth we already have the --route-internal option that does cause vpn-slice to use whatever "internal network route" is sent by the VPN server (even 0.0.0.0/0).
Part of what I'm uncertain about with the UI is whether it should support hostnames (not just IP routes)… and if so, how should we handle the DNS lookups for those hosts?
I think we should continue to match Cisco's terminology even though it isn't very good.
Good summary, @gmacon, and a good reason not to do --exclude host.name.com.
To really accomplish this in an ideal way, we'd need fancy-split-DNS.
I no longer have an OpenVPN server, nowadays I use WireGuard. (It has this issue as well, unfortunately.)
Thank you for your work.
Closing now that 4a34ff5 is in master.