
Comments (13)

gmacon avatar gmacon commented on August 16, 2024 1

I don't have a need to do this right now, but here's my thoughts on the UI, for what that's worth:

If you --exclude 192.0.2.0/24, that creates a route to 192.0.2.0/24 via the previous default gateway and nothing more. The routing table already uses a "most specific match" rule, so we can just defer to that behavior, which should be completely consistent on every system. Now, for that to do anything interesting, you'd need to have a less specific route that points over the VPN. You could obviously write 0.0.0.0/0 (i.e. the whole internet) as one of your "slices" to route through the VPN, but I think it would make more sense to have an option to honor the hosts provided by the server, like --route-splits, but adding a default route if there are no splits.

from vpn-slice.

dlenski avatar dlenski commented on August 16, 2024 1

I guess I was misled about my read of --route-internal by reading this as being the broadcast domain to which the virtual interface is attached, which is what happens for an ethernet interface, say. I'll blame Cisco for a misleading name...

Yeah, the Cisco naming isn't great, but I don't have a good idea for a better option name here. Any suggestions?

I hadn't thought about excluding a hostname, but now that you've drawn my attention to it, I'd say that excludes are the opposite of includes, so it should be resolved using the system resolver, not the VPN's resolver.

I think that's right. So basically, if I do --exclude github.com (for example), then we should look for A and/or AAAA records for github.com using the system-default resolvers, and exclude all of the matching IP addresses from being routed over the VPN.


dlenski avatar dlenski commented on August 16, 2024 1

@NightMachinary, if you're still around, please test https://github.com/dlenski/vpn-slice/commits/split_excludes_on_command_line

For the time being, the syntax to specify an exclude route is %a.b.c.d/xx (or %f00::1234/xx for IPv6). No hostname-based excludes yet.

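The two mechanics discussed above (an exclusion is just a more specific route back via the previous default gateway, and the `%a.b.c.d/xx` syntax for naming one on the command line) can be shown together. The following is an added example, not vpn-slice's own code: it parses include/exclude arguments in that syntax and resolves a destination with the same longest-prefix ("most specific match") rule the routing table applies. The `parse_route_args` and `lookup` names and the `VPN`/`DEFAULT` next-hop labels are assumptions made for the example.

```python
"""Added example (not vpn-slice's own code): parse include/exclude route
arguments in the `%a.b.c.d/xx` style and resolve a destination by
longest-prefix match, the rule the kernel routing table already applies."""
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

VPN = "vpn"            # constructed label: route over the tunnel interface
DEFAULT = "default"    # constructed label: route via the previous default gateway


def parse_route_args(args: List[str]) -> List[Tuple[Network, str]]:
    """Turn CLI-style route arguments into (network, next_hop) pairs.

    A leading '%' marks an exclusion, i.e. a route back via the previous
    default gateway; anything else is an inclusion routed over the VPN.
    Only IP prefixes are accepted: a hostname raises ValueError, since a
    startup-time snapshot of a short-TTL name is not a stable route."""
    routes: List[Tuple[Network, str]] = []
    for arg in args:
        exclude = arg.startswith("%")
        spec = arg[1:] if exclude else arg
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError as e:
            raise ValueError(f"not an IP route: {arg!r}") from e
        routes.append((net, DEFAULT if exclude else VPN))
    return routes


def lookup(routes: List[Tuple[Network, str]], dest: str) -> Optional[str]:
    """Longest-prefix match: of all routes containing dest, the one with the
    longest prefix wins, regardless of the order routes were given in.
    Returns None when no route covers dest (no default route configured)."""
    addr = ipaddress.ip_address(dest)
    best: Optional[Tuple[Network, str]] = None
    for net, via in routes:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, via)
    return best[1] if best else None


if __name__ == "__main__":
    # Whole internet over the VPN, with one IPv4 and one IPv6 carve-out.
    table = parse_route_args(["0.0.0.0/0", "%192.0.2.0/24", "%f00::1234/64"])
    for dest in ("192.0.2.10", "198.51.100.1", "f00::1"):
        print(dest, "->", lookup(table, dest))
```

Because the decision is purely "most specific prefix wins", nested includes and excludes compose without any special ordering logic: an include of `10.0.0.0/8`, an exclude of `%10.1.0.0/16` and a narrower include of `10.1.2.0/24` give exactly the result a kernel routing table would.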

gmacon avatar gmacon commented on August 16, 2024 1

Seeing the notification for this reminded me of something I saw a few weeks back that may mean that static domain-based excludes are impossible in the general case. The example of --exclude github.com was mentioned, but there's an issue with that. GitHub gives a single answer to an A query with a short TTL (60 s). If you wait for the TTL to expire, and then resolve the name again, you can (and, in my experience, you often do) get back a different address on the next query.

Making DNS requests once when openconnect starts up works in the simple case of a static DNS zone, and I expect the vast majority of internal names (i.e. the ones currently handled by vpn-slice) are set up this way, but large public websites are much more likely to do something dynamic with their DNS configurations.

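The failure mode described above, a short-TTL name whose address changes between lookups, is what makes a one-time hostname exclude unsafe. As an added example (not vpn-slice's own code), the class below keeps a hostname-based exclude honest by re-resolving only when the cached answer's TTL has expired and returning the host routes to add and delete; `fake_system_resolve` is a constructed stand-in for the system resolver whose answer rotates every 60 s, and the addresses and the `host.example` name are made up, not real data for any site.

```python
"""Added example (not vpn-slice's own code): a hostname exclude cannot be a
startup snapshot; it has to be refreshed at TTL expiry and the installed
host routes adjusted. The resolver is a constructed stub."""
import ipaddress
from typing import Callable, Dict, Set, Tuple

# Constructed rotation: one A record per answer, 60 s TTL, a new address
# after each TTL period. Stands in for a short-TTL public zone.
_ROTATION = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
_TTL = 60


def fake_system_resolve(name: str, now: float) -> Tuple[Set[str], int]:
    """Stub for an A lookup via the system resolver (not the VPN's).
    Returns (addresses, ttl); the answer depends on which TTL period `now`
    falls in, so a caller that never re-resolves goes stale."""
    period = int(now // _TTL)
    return {_ROTATION[period % len(_ROTATION)]}, _TTL


class HostExcludes:
    """Tracks host routes installed for hostname-based excludes."""

    def __init__(self, resolve: Callable[[str, float], Tuple[Set[str], int]] = fake_system_resolve):
        self._resolve = resolve
        self._routes: Dict[str, Set[str]] = {}    # name -> installed host routes
        self._expires: Dict[str, float] = {}      # name -> time the answer expires

    def refresh(self, name: str, now: float) -> Tuple[Set[str], Set[str]]:
        """Return (routes_to_add, routes_to_delete) needed at time `now`.

        While the cached answer is still within its TTL nothing changes.
        Once it expires the name is resolved again and the diff against the
        installed routes is returned, so an address that dropped out of the
        answer stops being excluded and a new one starts being excluded."""
        if name in self._expires and now < self._expires[name]:
            return set(), set()
        addrs, ttl = self._resolve(name, now)
        # Host routes (/32 or /128) for each address in the answer.
        new = {str(ipaddress.ip_network(a)) for a in addrs}
        old = self._routes.get(name, set())
        self._routes[name] = new
        self._expires[name] = now + ttl
        return new - old, old - new

    def installed(self, name: str) -> Set[str]:
        return set(self._routes.get(name, set()))


def snapshot_is_stale(name: str, snapshot_time: float, check_time: float,
                      resolve=fake_system_resolve) -> bool:
    """True when a one-shot exclude taken at snapshot_time no longer matches
    what the resolver answers at check_time: traffic to the new address
    would fall back to the less specific VPN route."""
    then, _ = resolve(name, snapshot_time)
    later, _ = resolve(name, check_time)
    return then != later


if __name__ == "__main__":
    ex = HostExcludes()
    for t in (0, 30, 60, 120):
        add, delete = ex.refresh("host.example", t)
        print(f"t={t:3d}s add={sorted(add)} delete={sorted(delete)}")
    print("startup snapshot stale after 61 s:", snapshot_is_stale("host.example", 0, 61))
```

The refresh loop is the minimum needed; it does not solve the case where the client already has a cached answer that differs from what the VPN-side resolver would return, which is the "fancy split DNS" the thread ends up pointing at.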

dlenski avatar dlenski commented on August 16, 2024

Yeah, that's an interesting possibility. I started to do some coding of this, but don't really have a use case personally, and found it difficult to come up with an intuitive way to specify excluded subnets on the command-line.

Want to take a crack at coding something up?


NightMachinery avatar NightMachinery commented on August 16, 2024


dlenski avatar dlenski commented on August 16, 2024

Specifying exclusions seems easy to me? -exclude “x.x.x.x/y”?

Sure. But the hard part is figuring out how to make the user interface intuitive and sensible when both inclusions and exclusions are specified, principle of least surprise and all that. I need to think about it a bit more.


dlenski avatar dlenski commented on August 16, 2024

@gmacon, for what it's worth we already have the --route-internal option that does cause vpn-slice to use whatever "internal network route" is sent by the VPN server (even 0.0.0.0/0).

Part of what I'm uncertain about with the UI is whether it should support hostnames (not just IP routes)… and if so, how should we handle the DNS lookups for those hosts?


gmacon avatar gmacon commented on August 16, 2024

I guess I was misled about my read of --route-internal by reading this as being the broadcast domain to which the virtual interface is attached, which is what happens for an ethernet interface, say. I'll blame Cisco for a misleading name...

I hadn't thought about excluding a hostname, but now that you've drawn my attention to it, I'd say that excludes are the opposite of includes, so it should be resolved using the system resolver, not the VPN's resolver.


gmacon avatar gmacon commented on August 16, 2024

Yeah, the Cisco naming isn't great, but I don't have a good idea for a better option name here. Any suggestions?

I think we should continue to match Cisco's terminology even though it isn't very good.


dlenski avatar dlenski commented on August 16, 2024

Good summary, @gmacon, and a good reason not to do --exclude host.name.com.

To really accomplish this in an ideal way, we'd need fancy-split-DNS.


NightMachinery avatar NightMachinery commented on August 16, 2024

@NightMachinary, if you're still around, please test https://github.com/dlenski/vpn-slice/commits/split_excludes_on_command_line

For the time being, the syntax to specify an exclude route is %a.b.c.d/xx (or %f00::1234/xx for IPv6). No hostname-based excludes yet.

I no longer have an OpenVPN server, nowadays I use WireGuard. (It has this issue as well, unfortunately.)

Thank you for your work.


dlenski avatar dlenski commented on August 16, 2024

Closing now that 4a34ff5 is in master.

