
Comments (12)

vonkad avatar vonkad commented on September 18, 2024 1

This is 64-bit Linux Mint.

from vpn-slice.

vonkad avatar vonkad commented on September 18, 2024 1

Dan, thanks a lot! It works fine now. I'm based in Central Europe and my company in Colorado. The VPN they give me slows Internet access to local resources down 100 times, as every request gets sent to the US and back. Being able to use the VPN just for the resources that actually require it is a great relief.

So thank you for helping me with this. If you ever come to Prague, do not forget I owe you a drink.


dlenski avatar dlenski commented on September 18, 2024

vpn-slice is failing an assertion because the split-tunnel netmasks it's receiving apparently don't have the expected bit pattern: assert net.netmask==nm

Try adding an additional -D/--dump parameter for vpn-slice itself, as follows:

sudo ./openconnect --protocol=gp sslvpn.mycompany.com -u dvonka -s '/home/vonkad/.local/bin/vpn-slice --dump den-dev-git-01.extendthereach.com' --dump 

… this should cause it to print out all the variables that it's passed. What does it show you? Does one of the CISCO_SPLIT_INC_x_MASK not match the CISCO_SPLIT_INC_x_MASKLEN?

And also, what version of vpn-slice? What version of openconnect?


vonkad avatar vonkad commented on September 18, 2024

I'm not getting any such list when calling

sudo ./openconnect --protocol=gp sslvpn.mycompany.com -u dvonka \
    -s '/home/vonkad/.local/bin/vpn-slice --dump den-dev-git-01.extendthereach.com'


vonkad avatar vonkad commented on September 18, 2024

vpn-slice 0.2
OpenConnect version v7.08-265-gae48121
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp


vonkad avatar vonkad commented on September 18, 2024

I managed to add a print into the Python code, right before the assert.

VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Connected as 192.168.60.179, using SSL
net.netmask=255.255.255.255, nm=255.255.255.255
net.netmask=255.255.255.255, nm=255.255.255.255
net.netmask=255.255.255.0, nm=255.255.255.0
net.netmask=255.255.255.0, nm=255.255.255.0
net.netmask=255.255.255.0, nm=255.255.255.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=0.0.0.0, nm=255.255.255.255
Traceback (most recent call last):
  File "/home/vonkad/.local/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.1', 'console_scripts', 'vpn-slice')()
  File "/home/vonkad/.local/lib/python3.5/site-packages/vpn_slice/main.py", line 295, in main
    env = parse_env()
  File "/home/vonkad/.local/lib/python3.5/site-packages/vpn_slice/main.py", line 245, in parse_env
    assert net.netmask==nm
AssertionError
Script '/home/vonkad/.local/bin/vpn-slice -D extendthereach.com' returned error 1
net.netmask=255.255.255.255, nm=255.255.255.255
net.netmask=255.255.255.255, nm=255.255.255.255
net.netmask=255.255.255.0, nm=255.255.255.0
net.netmask=255.255.255.0, nm=255.255.255.0
net.netmask=255.255.255.0, nm=255.255.255.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=255.255.0.0, nm=255.255.0.0
net.netmask=0.0.0.0, nm=255.255.255.255
Traceback (most recent call last):
  File "/home/vonkad/.local/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.1', 'console_scripts', 'vpn-slice')()
  File "/home/vonkad/.local/lib/python3.5/site-packages/vpn_slice/main.py", line 295, in main
    env = parse_env()
  File "/home/vonkad/.local/lib/python3.5/site-packages/vpn_slice/main.py", line 245, in parse_env


dlenski avatar dlenski commented on September 18, 2024

Right. I still don't understand where that last one is coming from.

Pull the commit I just pushed (cacc628) which will provide a more verbose error message about which of the splits is actually causing the failure.


vonkad avatar vonkad commented on September 18, 2024

You need to provide a --csd-wrapper argument with the HIP report submission script.
Send ESP probes
Connected as 192.168.60.197, using SSL
Traceback (most recent call last):
  File "/usr/local/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.1', 'console_scripts', 'vpn-slice')()
  File "/usr/local/lib/python3.5/dist-packages/vpn_slice-0.1-py3.5.egg/vpn_slice/main.py", line 295, in main
  File "/usr/local/lib/python3.5/dist-packages/vpn_slice-0.1-py3.5.egg/vpn_slice/main.py", line 245, in parse_env
AssertionError: Netmask supplied in CISCO_SPLIT_INC_12_MASK (255.255.255.255) does not match the 0-bit prefix (_MASKLEN) of the network address 0.0.0.0 (_ADDR)
	255.255.255.255 != 0.0.0.0
Script '/usr/local/bin/vpn-slice --dump den-dev-git-01.extendthereach.com' returned error 1
Traceback (most recent call last):
  File "/usr/local/bin/vpn-slice", line 11, in <module>
    load_entry_point('vpn-slice==0.1', 'console_scripts', 'vpn-slice')()
  File "/usr/local/lib/python3.5/dist-packages/vpn_slice-0.1-py3.5.egg/vpn_slice/main.py", line 295, in main
  File "/usr/local/lib/python3.5/dist-packages/vpn_slice-0.1-py3.5.egg/vpn_slice/main.py", line 245, in parse_env
AssertionError: Netmask supplied in CISCO_SPLIT_INC_12_MASK (255.255.255.255) does not match the 0-bit prefix (_MASKLEN) of the network address 0.0.0.0 (_ADDR)
	255.255.255.255 != 0.0.0.0
Script '/usr/local/bin/vpn-slice --dump den-dev-git-01.extendthereach.com' returned error 1
ESP session established with server


dlenski avatar dlenski commented on September 18, 2024

Right, now it explains exactly what is going on. vpn-slice apparently receives the 3 following variables.

CISCO_SPLIT_INC_12_MASK=255.255.255.255   # ????
CISCO_SPLIT_INC_12_MASKLEN=0
CISCO_SPLIT_INC_12_ADDR=0.0.0.0

These are not internally consistent with each other. It's openconnect's fault.

I don't understand why openconnect is doing this, because it's a perfectly normal use case… I recall having connected to other VPNs with 0.0.0.0/0 "splits" (GP, AnyConnect, Juniper) and it had the expected behavior and worked fine with vpn-slice.

You might need to add some debugging/logging statements around here to figure out why the split is getting output with the wrong mask: https://github.com/dlenski/openconnect/blob/HEAD/script.c#L131-L152


dlenski avatar dlenski commented on September 18, 2024

Are you building/running on a 32-bit or 64-bit system, by the way? I'm wondering if there's some architecture where this doesn't work.


dlenski avatar dlenski commented on September 18, 2024

Thank you very much for helping me debug this. This was not a bug in vpn-slice, but a bug in openconnect (introduced by me 🤦‍♂️ 🤦‍♂️ 🤦‍♂️) causing inconsistent input to vpn-slice.

Please pull and build the latest version of the globalprotect branch of openconnect-gp including dlenski/openconnect@a1f97f0 and it should work now.

I need to send this patch upstream too…


dlenski avatar dlenski commented on September 18, 2024

I'm currently one timezone east of you, using a VPN gateway 9 timezones west of you, and occasionally another one 8 timezones east of you… so I feel your pain. Will do 👌
