
Comments (9)

bobsoppe avatar bobsoppe commented on August 16, 2024 1

I created a small script to automate the IP generation for vpn-slice

#!/usr/bin/env sh

# Pull every published AWS IPv4 prefix and flatten it onto one line.
aws_ips="$(curl --silent https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[].ip_prefix' | xargs)"
# vpn-slice gets the named host, the VPN subnet and all AWS prefixes as routes.
vpn_script="vpn-slice some.domain.tld x.x.x.x/x ${aws_ips}"
# Read the VPN password from the macOS keychain instead of typing it.
password="$(security find-generic-password -s 'name' -a '[email protected]' -w)"

echo "${password}" | sudo openconnect --script "${vpn_script}" --user "[email protected]" --authgroup "authgroup" --passwd-on-stdin vpn.some.domain.tld

I use this script to connect to the vpn, which is working fine, but after using ctrl+c and reinvoking the script, it starts the tunnel, but the vpn-slice script is hanging. So the split tunnel is not set up.

from vpn-slice.

bobsoppe avatar bobsoppe commented on August 16, 2024 1

I'll add it to the script and the next time it occurs I'll post it here. Thank you for the guidance


gmacon avatar gmacon commented on August 16, 2024 1

I have a couple of questions: when stopping the VPN the first time, how long do you wait after pressing ^C the first time before pressing it again?

I noticed that you were always interrupting vpn-slice while it was waiting for lsof to run. What happens if you run lsof -p $$ in your shell?


bobsoppe avatar bobsoppe commented on August 16, 2024 1

It didn't happen anymore in the last few weeks, so I would suggest we close this one. I'll reopen it when it is happening again and I have some relevant info.

Thank you for helping me!


dlenski avatar dlenski commented on August 16, 2024

This is not actually an error, although the message could be cleaner… it just says that vpn-slice was interrupted with Ctrl-C.

After this I am not able to start another tunnel with openconnect, it seems vpn-slice is hanging at that point.

Please give more details of how you're invoking openconnect and vpn-slice, and what errors you get when you attempt to rerun openconnect afterwards.


dlenski avatar dlenski commented on August 16, 2024

I use this script to connect to the vpn, which is working fine, but after using ctrl+c and reinvoking the script, it starts the tunnel, but the vpn-slice script is hanging.

Can you give more details on what you mean by "hanging" here? Perhaps add -vv to vpn-slice to log more details of what it's trying to do?


dlenski avatar dlenski commented on August 16, 2024

Sounds good.

My one other observation — which may be relevant, but may not — is that this results in a very long command line for vpn-slice (~50 kB) and also a very large routing table (~3228 new entries):

$ curl --silent https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[].ip_prefix' | wc
   3228    3228   49671

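An added example, not from this thread or the vpn-slice project, that reads the same ip-ranges.json structure the script above pipes through jq, narrows it to chosen regions or services, and merges adjacent blocks so fewer routes and a shorter --script line reach vpn-slice (addressing the ~3228-entry observation above). The JSON is a constructed sample in the shape of the AWS file; the host and function names are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json:
# the "prefixes[].ip_prefix" field the jq filter reads, plus region and service.
SAMPLE_IP_RANGES = json.dumps({"prefixes": [
    {"ip_prefix": "3.5.136.0/22", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "3.5.136.0/22", "region": "eu-west-1", "service": "S3"},
    {"ip_prefix": "3.5.140.0/22", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1", "service": "EC2"},
]})


def select_prefixes(raw_json, regions=None, services=None):
    """Distinct IPv4 prefixes, optionally limited to given regions/services.

    The AWS file repeats a prefix once per service, so a set drops the
    duplicates that would otherwise become duplicate routes."""
    data = json.loads(raw_json)
    chosen = set()
    for entry in data["prefixes"]:
        if regions and entry["region"] not in regions:
            continue
        if services and entry["service"] not in services:
            continue
        chosen.add(ipaddress.ip_network(entry["ip_prefix"]))
    return chosen


def collapse(networks):
    """Merge adjacent or contained blocks: fewer kernel routes, same coverage."""
    return sorted(ipaddress.collapse_addresses(networks))


def vpn_slice_script(hosts, networks):
    """Build the --script string the way the shell script in this thread does."""
    return " ".join(["vpn-slice", *hosts, *(str(n) for n in networks)])


if __name__ == "__main__":
    nets = collapse(select_prefixes(SAMPLE_IP_RANGES, regions={"eu-west-1"}))
    script = vpn_slice_script(["some.domain.tld"], nets)
    print(len(nets), "routes,", len(script), "bytes of --script:", script)
```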

bobsoppe avatar bobsoppe commented on August 16, 2024

So here we go!

This first section is the outcome of running my script for the first time, where I need to kill it by pressing ctrl+c twice.

❯ connect-vpn
Password:
POST https://vpn.some.domain.tld/
Connected to x.x.x.x.:443
SSL negotiation with vpn.some.domain.tld
Connected to HTTPS on vpn.some.domain.tld with ciphersuite (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA1)
XML POST enabled
Please enter your username and password.
POST https://vpn.some.domain.tld/
XML POST enabled
Please enter your username and password.
POST https://vpn.some.domain.tld/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as x.x.x.x., using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Set explicit route to VPN gateway x.x.x.x. (via x.x.x.x., dev en0, mtu 1500)
WARNING: no firewall provider available; can't block incoming traffic
Adding route to nameserver x.x.x.x through utun2.
Adding route to nameserver x.x.x.x through utun2.
Adding route to subnet x.x.x.x through utun2.

...

Adding route to subnet x.x.x.x through utun2.
Added routes for 2 nameservers, 3229 subnets, 0 aliases.
Restored routes for 0 excluded subnets. []
Adding /etc/hosts entries for 2 nameservers...
  x.x.x.x = dns0.utun2
  x.x.x.x = dns1.utun2
Looking up 1 hosts using VPN DNS servers...
Got results: [<DNS IN A rdata: x.x.x.x.>, <DNS IN A rdata: x.x.x.x.>, <DNS IN A rdata: x.x.x.x.>]
  some.domain.tld = x.x.x.x., x.x.x.x., x.x.x.x.
Added hostnames and aliases for 5 addresses to /etc/hosts.
Adding route to x.x.x.x (for named hosts) through utun2.
Adding route to x.x.x.x (for named hosts) through utun2.
Adding route to x.x.x.x (for named hosts) through utun2.
Added 3 routes for named hosts.
Continuing in background as PID 4156, attempting to prevent idle timeout every 1800 seconds.
Sleeping 1519 seconds until we issue a DNS query to prevent idle timeout...
Issuing DNS lookup of x.x.x.x. to prevent idle timeout...
Sleeping 1467 seconds until we issue a DNS query to prevent idle timeout...
Issuing DNS lookup of x.x.x.x. to prevent idle timeout...
Sleeping 1305 seconds until we issue a DNS query to prevent idle timeout...
Issuing DNS lookup of x.x.x.x. to prevent idle timeout...
Sleeping 1547 seconds until we issue a DNS query to prevent idle timeout...
DTLS got write error: Error in the push function.. Falling back to SSL
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Issuing DNS lookup of x.x.x.x. to prevent idle timeout...
Sleeping 1489 seconds until we issue a DNS query to prevent idle timeout...

...

Issuing DNS lookup of x.x.x.x. to prevent idle timeout...
Sleeping 1288 seconds until we issue a DNS query to prevent idle timeout...

^C

Send BYE packet: Aborted by caller
Traceback (most recent call last):
  File "/usr/local/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.14.2', 'console_scripts', 'vpn-slice')()
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/__main__.py", line 527, in main
    do_post_connect(env, args)
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/__main__.py", line 266, in do_post_connect
    sleep(delay)
KeyboardInterrupt

^C

Failed to spawn script 'vpn-slice {ip-list} --prevent-idle-timeout -vv' for disconnect: Interrupted system call
User cancelled (SIGINT/SIGTERM); exiting.
Traceback (most recent call last):
  File "/usr/local/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.14.2', 'console_scripts', 'vpn-slice')()
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/__main__.py", line 468, in main
    finalize_args_and_env(args, env)
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/__main__.py", line 422, in finalize_args_and_env
    exe = providers.process.pid2exe(args.ppid)
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/mac.py", line 17, in pid2exe
    info = subprocess.check_output([self.lsof, '-p', str(pid)], universal_newlines=True)
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 411, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 491, in run
    stdout, stderr = process.communicate(input, timeout=timeout)
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 1011, in communicate
    stdout = self.stdout.read()
KeyboardInterrupt

After this, when I want to start the vpn connection again with the script, I get the following

❯ connect-vpn
Password:
POST https://vpn.some.domain.tld/
Connected to x.x.x.x:443
SSL negotiation with vpn.some.domain.tld
Connected to HTTPS on vpn.some.domain.tld with ciphersuite (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA1)
XML POST enabled
Please enter your username and password.
POST https://vpn.some.domain.tld/
XML POST enabled
Please enter your username and password.
POST https://vpn.some.domain.tld/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as x.x.x.x, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).

But nothing after that, so for me it seems like the vpn-slice command is not succeeding for some reason.
Running ps to check what is running results in the following

❯ ps aux | grep vpn
root             11168   0.0  0.0  4342924   6656 s005  S+    5:11PM   0:00.03 sudo openconnect --script vpn-slice {ip-list} --prevent-idle-timeout -vv --user [email protected] --authgroup {authgroup} --passwd-on-stdin vpn.some.domain.tld
root             11170   0.0  0.1  4257368  19960 s005  S+    5:11PM   0:00.19 /usr/local/Cellar/vpn-slice/0.14.2/libexec/bin/python3.8 /usr/local/bin/vpn-slice {ip-list} --prevent-idle-timeout -vv
root             11169   0.0  0.1  4331008   8588 s005  S+    5:11PM   0:00.05 openconnect --script vpn-slice {ip-list} --prevent-idle-timeout -vv --user [email protected] --authgroup {authgroup} --passwd-on-stdin vpn.some.domain.tld

In the end I need to press ctrl+c twice to kill my script which results in the following

^C

Failed to spawn script 'vpn-slice {ip-list} --prevent-idle-timeout -vv' for pre-init: Interrupted system call
Traceback (most recent call last):
  File "/usr/local/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.14.2', 'console_scripts', 'vpn-slice')()
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/__main__.py", line 468, in main
    finalize_args_and_env(args, env)
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/__main__.py", line 422, in finalize_args_and_env
    exe = providers.process.pid2exe(args.ppid)
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/mac.py", line 17, in pid2exe
    info = subprocess.check_output([self.lsof, '-p', str(pid)], universal_newlines=True)
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 411, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 491, in run
    stdout, stderr = process.communicate(input, timeout=timeout)
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 1011, in communicate
    stdout = self.stdout.read()
KeyboardInterrupt

^C

Failed to spawn script 'vpn-slice {ip-list} --prevent-idle-timeout -vv' for connect: Interrupted system call
Send BYE packet: Aborted by caller
Traceback (most recent call last):
  File "/usr/local/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.14.2', 'console_scripts', 'vpn-slice')()
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/__main__.py", line 468, in main
    finalize_args_and_env(args, env)
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/__main__.py", line 422, in finalize_args_and_env
    exe = providers.process.pid2exe(args.ppid)
  File "/usr/local/Cellar/vpn-slice/0.14.2/libexec/lib/python3.8/site-packages/vpn_slice/mac.py", line 17, in pid2exe
    info = subprocess.check_output([self.lsof, '-p', str(pid)], universal_newlines=True)
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 411, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 491, in run
    stdout, stderr = process.communicate(input, timeout=timeout)
  File "/usr/local/opt/[email protected]/Frameworks/Python.framework/Versions/3.8/lib/python3.8/subprocess.py", line 1011, in communicate
    stdout = self.stdout.read()
KeyboardInterrupt


dlenski avatar dlenski commented on August 16, 2024

@bobsoppe, you didn't show that you were using the --prevent-idle-timeout option in your previous comment about the script.

Given that you are, I wonder if this has something to do with #61 (comment). Other users have seen issues where the child process implementing this behavior stays alive after the connection is closed, causing the tunnel interface to remain open and not get deleted, and then causing problems on subsequent invocation.

Things to try:

  1. After interrupting the first invocation of openconnect… does ifconfig show the tunnel device still existing? (I'd be surprised if not, given Failed to spawn script 'vpn-slice {ip-list} --prevent-idle-timeout -vv' for disconnect: Interrupted system call.)
  2. Does removing --prevent-idle-timeout from the vpn-slice invocation affect the behavior you observe in any way?

Your symptoms don't exactly line up with this, though. If the above doesn't pan out, I think @gmacon is on the right track by wondering why lsof is taking so long to complete. Investigate this further.

I don't use macOS myself, and also can't reproduce this behavior by substituting the PsProvider from mac.py into the place of ProcfsProvider from linux.py.

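An added example, not vpn-slice's own code, showing how the lsof call that every traceback above is stuck in (mac.py pid2exe, blocked in stdout.read()) can be bounded so a slow or missing lsof surfaces as a reported reason instead of a process that needs two Ctrl-C presses. The lsof column layout, the function names and the sample lsof output are assumptions constructed for this example.

```python
import subprocess


def run_bounded(argv, timeout):
    """Run argv, but never wait longer than `timeout` seconds.

    Returns (stdout, None) on success or (None, reason) on failure, so a
    stuck helper becomes a diagnostic instead of a hang."""
    try:
        out = subprocess.check_output(argv, universal_newlines=True, timeout=timeout)
        return out, None
    except subprocess.TimeoutExpired:
        return None, "timed out after %.1fs: %s" % (timeout, " ".join(argv))
    except FileNotFoundError:
        return None, "not found: %s" % argv[0]
    except subprocess.CalledProcessError as err:
        return None, "exit status %d: %s" % (err.returncode, " ".join(argv))


def parse_lsof_txt(lsof_output):
    """Path of the first 'txt' (executable) entry in `lsof -p` output.

    Assumed columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME;
    NAME may contain spaces, hence the bounded split."""
    for line in lsof_output.splitlines()[1:]:
        fields = line.split(None, 8)
        if len(fields) == 9 and fields[3] == "txt":
            return fields[8]
    return None


def pid2exe_bounded(pid, lsof="lsof", timeout=5.0):
    """Executable behind `pid` as (path, None), or (None, reason) on failure."""
    out, reason = run_bounded([lsof, "-p", str(pid)], timeout)
    if out is None:
        return None, reason
    exe = parse_lsof_txt(out)
    return exe, (None if exe else "no txt entry in lsof output")


# Constructed `lsof -p` output for an openconnect parent like the one in the ps listing.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
openconne 11169 root  cwd    DIR    1,4      640 123456 /Users/someone/My Dir
openconne 11169 root  txt    REG    1,4   987654 234567 /usr/local/bin/openconnect
"""
```

With a timeout in place, the hang in the thread would have ended in a "timed out" reason naming the lsof command line rather than the KeyboardInterrupt traceback.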
