
Comments (8)

dlenski avatar dlenski commented on September 18, 2024

Please include the openconnect and vpn-slice command line you're using here. Hard for me to be sure what's going wrong without knowing how you're calling it.

It seems that you're ending up with a domain name (bigip-sage.us.mycompany.com) in a place where an IP address is expected. I think you are using the alias option in an unexpected way… but I should add error checking for this.

from vpn-slice.

ciapecki avatar ciapecki commented on September 18, 2024

This is an example execution that shows that issue:

$ sudo openconnect https://myaccess.mycompanyvpn.com --no-dtls --user myusername -s 'vpn-slice websites.mycompanycorp.com'
POST https://myaccess.mycompanyvpn.com/
Connected to <mycompanyvpnIP>:443
SSL negotiation with myaccess.mycompanyvpn.com
Connected to HTTPS on myaccess.mycompanyvpn.com
Got HTTP response: HTTP/1.0 302 Temporary moved
POST https://lon-twvpn-3a.mycompanyvpn.com/
Connected to 141.143.211.25:443
SSL negotiation with lon-twvpn-3a.mycompanyvpn.com
Connected to HTTPS on lon-twvpn-3a.mycompanyvpn.com
XML POST enabled
Password:
POST https://lon-twvpn-3a.mycompanyvpn.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 10.175.240.234 + 2606:b400:8f0:82:8000::22a/64, using SSL
WARNING: IPv6 address or netmask set, but this version of vpn-slice has only rudimentary support for them.
WARNING: IPv6 address or netmask set, but this version of vpn-slice has only rudimentary support for them.
Error: inet prefix is expected rather than "bigip-sage.us.mycompany.com".
Traceback (most recent call last):
  File "/usr/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.1', 'console_scripts', 'vpn-slice')()
  File "/usr/lib/python3.6/site-packages/vpn_slice/main.py", line 315, in main
    do_post_connect(env, args)
  File "/usr/lib/python3.6/site-packages/vpn_slice/main.py", line 180, in do_post_connect
    iproute('route', 'replace', ip, 'dev', env.tundev)
  File "/usr/lib/python3.6/site-packages/vpn_slice/linux.py", line 77, in iproute
    sp.check_call(cl)
  File "/usr/lib/python3.6/subprocess.py", line 291, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/usr/bin/ip', 'route', 'replace', 'bigip-sage.us.mycompany.com', 'dev', 'tun0']' returned non-zero exit status 1.
^CSend BYE packet: Aborted by caller
WARNING: IPv6 address or netmask set, but this version of vpn-slice has only rudimentary support for them.
User canceled (SIGINT); exiting;


dlenski avatar dlenski commented on September 18, 2024

Weird… I think your dig utility is outputting a host name where I expect it to output an IP address.

Could you please update to the latest version of vpn-slice and run dig -v and tell me what version you're using?

$ dig -v
DiG 9.10.3-P4-Ubuntu

After that, try running again and add vpn-slice -v --dump to your command line. That will give more detailed information about how vpn-slice is getting the wrong address, and it should only give a warning rather than an error.


ciapecki avatar ciapecki commented on September 18, 2024

I updated vpn-slice with:

$ git pull origin master
remote: Counting objects: 37, done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 37 (delta 21), reused 26 (delta 21), pack-reused 11
Unpacking objects: 100% (37/37), done.
From https://github.com/dlenski/vpn-slice
 * branch            master     -> FETCH_HEAD
   95b1d7d..77aca3f  master     -> origin/master
Updating 42a1dc9..77aca3f
Fast-forward
 setup.py             | 28 +++++++++++++++++++++++++++-
 vpn_slice/README.md  |  7 ++++---
 vpn_slice/linux.py   | 14 ++++++++++----
 vpn_slice/main.py    | 31 +++++++++++++++++--------------
 vpn_slice/version.py |  2 ++
 5 files changed, 60 insertions(+), 22 deletions(-)
 create mode 100644 vpn_slice/version.py
ruby-2.3.0 [chris@x250cia vpn-slice]$ sudo pip3 install . --upgrade
[sudo] password for chris: 
Processing /home/chris/src/vpn-slice
Installing collected packages: vpn-slice
  Found existing installation: vpn-slice 0.1
    Uninstalling vpn-slice-0.1:
      Successfully uninstalled vpn-slice-0.1
  Running setup.py install for vpn-slice ... done
Successfully installed vpn-slice-0.1

$ dig -v
DiG 9.11.1

It seems the upgraded vpn-slice does not show that issue again.
If the issue reappears I will keep you updated.

The issue might be connected to the fact that the site provided as an argument to vpn-slice is not reachable (maybe I misspelled the address):

$ sudo openconnect https://myaccess.mycompanyvpn.com --no-dtls --user kcierpis_de -s 'vpn-slice -v --dump websites.mycompanycorp.com'
POST https://myaccess.mycompanyvpn.com/
Connected to ...:443
SSL negotiation with myaccess.mycompanyvpn.com
Connected to HTTPS on myaccess.mycompanyvpn.com
Got HTTP response: HTTP/1.0 302 Temporary moved
POST https://lon-twvpn-2a.mycompanyvpn.com/
Connected to ...:443
SSL negotiation with lon-twvpn-2a.mycompanyvpn.com
Connected to HTTPS on lon-twvpn-2a.mycompanyvpn.com
XML POST enabled
Password:
POST https://lon-twvpn-2a.mycompanyvpn.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 10.175.222.89 + 2606:b400:8f0:81:8000::1a2/64, using SSL
Called by /usr/bin/openconnect (PID 22293) with environment variables for vpnc-script:
  reason                  => reason=<reasons.pre_init: 1>
  VPNGATEWAY              => gateway=IPv4Address('...')
  CISCO_DEF_DOMAIN        => domain='uk.mycompany.com'
  INTERNAL_IP4_ADDRESS    => myaddr=IPv4Address('10.175.222.89')
  INTERNAL_IP4_MTU        => mtu=1300
  INTERNAL_IP4_NETMASK    => netmask=IPv4Address('255.255.224.0')
  INTERNAL_IP4_NETMASKLEN => netmasklen=19
  INTERNAL_IP4_NETADDR    => network=IPv4Network('10.175.192.0/19')
  INTERNAL_IP4_DNS        => dns=[IPv4Address('192.135.82.44'), IPv4Address('192.135.82.60')]
  INTERNAL_IP6_ADDRESS    => myaddr6=IPv6Address('2606:b400:8f0:81:8000::1a2')
  INTERNAL_IP6_NETMASK    => netmask6=IPv6Interface('2606:b400:8f0:81:8000::1a2/64')
WARNING: IPv6 address or netmask set, but this version of vpn-slice has only rudimentary support for them.
Called by /usr/bin/openconnect (PID 22293) with environment variables for vpnc-script:
  reason                  => reason=<reasons.connect: 2>
  VPNGATEWAY              => gateway=IPv4Address('...')
  TUNDEV                  => tundev='tun0'
  CISCO_DEF_DOMAIN        => domain='uk.mycompany.com'
  INTERNAL_IP4_ADDRESS    => myaddr=IPv4Address('10.175.222.89')
  INTERNAL_IP4_MTU        => mtu=1300
  INTERNAL_IP4_NETMASK    => netmask=IPv4Address('255.255.224.0')
  INTERNAL_IP4_NETMASKLEN => netmasklen=19
  INTERNAL_IP4_NETADDR    => network=IPv4Network('10.175.192.0/19')
  INTERNAL_IP4_DNS        => dns=[IPv4Address('192.135.82.44'), IPv4Address('192.135.82.60')]
  INTERNAL_IP6_ADDRESS    => myaddr6=IPv6Address('2606:b400:8f0:81:8000::1a2')
  INTERNAL_IP6_NETMASK    => netmask6=IPv6Interface('2606:b400:8f0:81:8000::1a2/64')
WARNING: IPv6 address or netmask set, but this version of vpn-slice has only rudimentary support for them.
Blocked incoming traffic from VPN interface with iptables.
Added routes for 2 nameservers, 0 subnets, 0 aliases.
Adding /etc/hosts entries for 2 nameservers...
  192.135.82.44 = ('dns0.tun0',)
  192.135.82.60 = ('dns1.tun0',)
Looking up 1 hosts using VPN DNS servers...
WARNING: Lookup for websites.mycompanycorp.com on VPN DNS servers failed.
Added hostnames and aliases for 2 addresses to /etc/hosts.
Added routes for 0 named hosts.


dlenski avatar dlenski commented on September 18, 2024

It's not actually working now … it's just ignoring the error:

WARNING: Lookup for websites.mycompanycorp.com on VPN DNS servers failed.

… so you won't get a routing or host entry for this host.

After connecting to the VPN as above, try this:

$ dig +short @dns0.tun0 websites.mycompanycorp.com

Does the output show the IP address for the VPN internal host? Or something different? Because it's definitely showing something different during the connection process.


ciapecki avatar ciapecki commented on September 18, 2024

It shows no IP, just a different host:

$ dig +short @dns0.tun0 websites.mycompanycorp.com
bigip-sage.us.mycompany.com.


dlenski avatar dlenski commented on September 18, 2024

Aha, so that's the problem… dig is showing a hostname as output instead of an IP address. I guess that's because it's an alias of some kind? (I'm not really a DNS expert.)

dig without the +short option should give more details about what kind of DNS record it is.

Maybe I need to add some special handling for this case.

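An added example (not vpn-slice's own code) of the check dlenski mentions in the first and the previous comment: parse `dig +short` output, keep only IP addresses, treat leftover hostnames as an alias (CNAME) chain, and refuse to build an `ip route` command for a hostname-only answer like the one above instead of letting `ip` fail with "inet prefix is expected". The nameserver name, the interface name and the sample addresses in the test are assumed.

```python
import ipaddress
import subprocess


def parse_dig_short(output):
    """Split `dig +short` output into IP addresses and alias targets.

    dig +short prints one record per line. For a CNAME chain the alias
    targets (with a trailing dot) come first, followed by the final A/AAAA
    answer. If the chain cannot be resolved, only hostnames appear, which is
    what happened in this thread.
    """
    addrs, aliases = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))  # IPv4 or IPv6
        except ValueError:
            aliases.append(line.rstrip('.'))  # CNAME target, not routable
    return addrs, aliases


def route_commands(host, output, tundev='tun0'):
    """Build `ip route replace` argument lists for the addresses of `host`.

    Raises ValueError rather than handing a hostname to `ip`, so a failed
    alias chain is reported as a lookup problem, not as an `ip` error.
    """
    addrs, aliases = parse_dig_short(output)
    if not addrs:
        raise ValueError("lookup for %s returned no address (alias chain: %s)"
                         % (host, ' -> '.join(aliases) or 'none'))
    return [['/usr/bin/ip', 'route', 'replace', str(a), 'dev', tundev]
            for a in addrs]


def lookup(host, nameserver='dns0.tun0', tundev='tun0'):
    """Query the VPN-provided nameserver (assumed name) and validate the answer."""
    proc = subprocess.run(['dig', '+short', '@' + nameserver, host],
                          stdout=subprocess.PIPE, universal_newlines=True,
                          check=True)
    return route_commands(host, proc.stdout, tundev)
```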

dlenski avatar dlenski commented on September 18, 2024

I'm assuming this (old) DNS-related issue was fixed by switching from dig to dnspython (#46). Closing.

