search

ancwrd1 / snx-rs

Open source Linux client for Checkpoint VPN tunnels
GNU Affero General Public License v3.0
57 stars 5 forks source link

USB token authorization #19

Closed IdiotEbrilo closed 1 month ago

IdiotEbrilo commented 1 month ago

Hi! First, thanks for your great work. I've spent some days recently trying to connect to checkpoint vpn using the usb token containing certs (exportable), pubkeys (exportable) and privkeys (non-exportable) using different snx instruments.

Official snx provided by checkpoint can't use such tokens.

Well-known python implementation also can't.

Strongswan client is said to be able to connect to checkpoint vpn, and it does support token authorization with opensc - it really can use certs from the token, it can access privkeys protected by pin, but still it never connects.

So the question is - is it somehow possible to add token authorization with opensc to your snx implementation?

Thanks in advance!

ancwrd1 commented 1 month ago

Hi, I think it could be possible via PKCS#11 interface (using something like https://github.com/parallaxsecond/rust-cryptoki which is relatively simple to use). The current implementation of ClientCertificate from the isakmp project could be abstracted and extended to add PKCS11 support. There are just 2 basic methods which need to be implemented: load of public certificates from the token and sign data using HW interface (eventually with pin authentication). It's quite a bit of work though, unfortunately I am a bit time-constrained at the moment and also don't have the hardware to test or the Checkpoint server which accepts certificates.

ancwrd1 commented 1 month ago

I was curious what effort would it take to add PKCS11 support, it appears not much really. I also found an old Yubikey with certificates on it, which I used to test it. You could check out the pkcs11 branch of the project, build it and try to run as follows:

sudo ./target/debug/snx-rs -l trace -e ipsec -s SERVER_HOST -y pkcs11 -z /usr/lib64/pkcs11/opensc-pkcs11.so  -o LOGIN_TYPE -x 123456

Here replace SERVER_HOST with your Checkpoint server, LOGIN_TYPE with one of the login types returned from the server (usually in the form of vpn_xxx, see README file), the /usr/lib64/pkcs11/opensc-pkcs11.so is the path to the PKCS11 driver of your HW token, could be different on your system and could be also vendor-specific, not necessarily opensc. 123456 is the pin code.

I can't really test it against real Checkpoint server, so chances that it won't work first time are non-zero :) Anyway, there will be some logs dumped.

IdiotEbrilo commented 1 month ago

Sorry, was offline these days, just saw your responses.

Thank you very much for your effort! I managed to build updated snx-rs, but it appears that my token (and any random token in common) has multiple certs and keys on it, and they are associated by common id (really long hex). Is it possible to pass this id as a parameter or select specific cert to use for authorization in some other way?

Update: i mean, like --id parameter in pkcs11-tool.

I'll be glad to assist you with testing as well.

ancwrd1 commented 1 month ago

I have added --cert-id (or -w) parameter, which you can add like this:

-w 52:26:40:ee:2a:63:bb:4b:71:67:d3:01:c0:c2:25:da:ee:f8:d9:b8

Colons are optional, so could be just hex string. To find IDs you could use something like p11tool --list-all-certs

IdiotEbrilo commented 1 month ago

Awesome, thanks! You did it just as i updated my comment)

I'll try it in a couple of hours when i'm home and come back with test results.

IdiotEbrilo commented 1 month ago

Edited my comment, missed some options in command line. Looks like it successfully connected, so thank you very much once again for your work!

Actually after the connection is estableshed the internet becomes inaccessible so i guess there's something with routes, but still - it successfully connects and authenticates.

Here's corresponding part of the log:

2024-05-10T10:14:56.977298Z DEBUG snxcore::platform::linux::net: Routes to add: [0.0.0.1/32, 0.0.0.2/31, 0.0.0.4/30, 0.0.0.8/29, 0.0.0.16/28, 0.0.0.32/27, 0.0.0.64/26, 0.0.0.128/25, 0.0.1.0/24, 0.0.2.0/23, 0.0.4.0/22, 0.0.8.0/21, 0.0.16.0/20, 0.0.32.0/19, 0.0.64.0/18, 0.0.128.0/17, 0.1.0.0/16, 0.2.0.0/15, 0.4.0.0/14, 0.8.0.0/13, 0.16.0.0/12, 0.32.0.0/11, 0.64.0.0/10, 0.128.0.0/9, 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/5, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/2, 224.0.0.0/4, 240.0.0.0/5, 248.0.0.0/6, 252.0.0.0/7, 254.0.0.0/8, 255.0.0.0/9, 255.128.0.0/10, 255.192.0.0/11, 255.224.0.0/12, 255.240.0.0/13, 255.248.0.0/14, 255.252.0.0/15, 255.254.0.0/16, 255.255.0.0/17, 255.255.128.0/18, 255.255.192.0/19, 255.255.224.0/20, 255.255.240.0/21, 255.255.248.0/22, 255.255.252.0/23, 255.255.254.0/24, 255.255.255.0/25, 255.255.255.128/26, 255.255.255.192/27, 255.255.255.224/28, 255.255.255.240/29, 255.255.255.248/30, 255.255.255.252/31, 255.255.255.254/32]
2024-05-10T10:14:56.977334Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.0.1/32 via snx-xfrm
2024-05-10T10:14:56.977343Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.0.1/32", "dev", "snx-xfrm"]
2024-05-10T10:14:56.978809Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.0.2/31 via snx-xfrm
2024-05-10T10:14:56.978819Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.0.2/31", "dev", "snx-xfrm"]
2024-05-10T10:14:56.980096Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.0.4/30 via snx-xfrm
2024-05-10T10:14:56.980106Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.0.4/30", "dev", "snx-xfrm"]
2024-05-10T10:14:56.981437Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.0.8/29 via snx-xfrm
2024-05-10T10:14:56.981448Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.0.8/29", "dev", "snx-xfrm"]
2024-05-10T10:14:56.982733Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.0.16/28 via snx-xfrm
2024-05-10T10:14:56.982741Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.0.16/28", "dev", "snx-xfrm"]
2024-05-10T10:14:56.984081Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.0.32/27 via snx-xfrm
2024-05-10T10:14:56.984091Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.0.32/27", "dev", "snx-xfrm"]
2024-05-10T10:14:56.985536Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.0.64/26 via snx-xfrm
2024-05-10T10:14:56.985550Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.0.64/26", "dev", "snx-xfrm"]
2024-05-10T10:14:56.986888Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.0.128/25 via snx-xfrm
2024-05-10T10:14:56.986900Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.0.128/25", "dev", "snx-xfrm"]
2024-05-10T10:14:56.988399Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.1.0/24 via snx-xfrm
2024-05-10T10:14:56.988411Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.1.0/24", "dev", "snx-xfrm"]
2024-05-10T10:14:56.989756Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.2.0/23 via snx-xfrm
2024-05-10T10:14:56.989769Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.2.0/23", "dev", "snx-xfrm"]
2024-05-10T10:14:56.991266Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.4.0/22 via snx-xfrm
2024-05-10T10:14:56.991278Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.4.0/22", "dev", "snx-xfrm"]
2024-05-10T10:14:56.992636Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.8.0/21 via snx-xfrm
2024-05-10T10:14:56.992648Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.8.0/21", "dev", "snx-xfrm"]
2024-05-10T10:14:56.994008Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.16.0/20 via snx-xfrm
2024-05-10T10:14:56.994019Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.16.0/20", "dev", "snx-xfrm"]
2024-05-10T10:14:56.995310Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.32.0/19 via snx-xfrm
2024-05-10T10:14:56.995321Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.32.0/19", "dev", "snx-xfrm"]
2024-05-10T10:14:56.996665Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.64.0/18 via snx-xfrm
2024-05-10T10:14:56.996676Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.64.0/18", "dev", "snx-xfrm"]
2024-05-10T10:14:56.998115Z DEBUG snxcore::platform::linux::net: Adding route: 0.0.128.0/17 via snx-xfrm
2024-05-10T10:14:56.998128Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.0.128.0/17", "dev", "snx-xfrm"]
2024-05-10T10:14:56.999540Z DEBUG snxcore::platform::linux::net: Adding route: 0.1.0.0/16 via snx-xfrm
2024-05-10T10:14:56.999553Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.1.0.0/16", "dev", "snx-xfrm"]
2024-05-10T10:14:57.000995Z DEBUG snxcore::platform::linux::net: Adding route: 0.2.0.0/15 via snx-xfrm
2024-05-10T10:14:57.001008Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.2.0.0/15", "dev", "snx-xfrm"]
2024-05-10T10:14:57.002451Z DEBUG snxcore::platform::linux::net: Adding route: 0.4.0.0/14 via snx-xfrm
2024-05-10T10:14:57.002465Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.4.0.0/14", "dev", "snx-xfrm"]
2024-05-10T10:14:57.003845Z DEBUG snxcore::platform::linux::net: Adding route: 0.8.0.0/13 via snx-xfrm
2024-05-10T10:14:57.003857Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.8.0.0/13", "dev", "snx-xfrm"]
2024-05-10T10:14:57.005210Z DEBUG snxcore::platform::linux::net: Adding route: 0.16.0.0/12 via snx-xfrm
2024-05-10T10:14:57.005222Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.16.0.0/12", "dev", "snx-xfrm"]
2024-05-10T10:14:57.006551Z DEBUG snxcore::platform::linux::net: Adding route: 0.32.0.0/11 via snx-xfrm
2024-05-10T10:14:57.006562Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.32.0.0/11", "dev", "snx-xfrm"]
2024-05-10T10:14:57.007898Z DEBUG snxcore::platform::linux::net: Adding route: 0.64.0.0/10 via snx-xfrm
2024-05-10T10:14:57.007910Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.64.0.0/10", "dev", "snx-xfrm"]
2024-05-10T10:14:57.009216Z DEBUG snxcore::platform::linux::net: Adding route: 0.128.0.0/9 via snx-xfrm
2024-05-10T10:14:57.009227Z TRACE snxcore::util: Exec: "ip" ["route", "add", "0.128.0.0/9", "dev", "snx-xfrm"]
2024-05-10T10:14:57.010703Z DEBUG snxcore::platform::linux::net: Adding route: 1.0.0.0/8 via snx-xfrm
2024-05-10T10:14:57.010714Z TRACE snxcore::util: Exec: "ip" ["route", "add", "1.0.0.0/8", "dev", "snx-xfrm"]
2024-05-10T10:14:57.012057Z DEBUG snxcore::platform::linux::net: Adding route: 2.0.0.0/7 via snx-xfrm
2024-05-10T10:14:57.012070Z TRACE snxcore::util: Exec: "ip" ["route", "add", "2.0.0.0/7", "dev", "snx-xfrm"]
2024-05-10T10:14:57.013330Z DEBUG snxcore::platform::linux::net: Adding route: 4.0.0.0/6 via snx-xfrm
2024-05-10T10:14:57.013341Z TRACE snxcore::util: Exec: "ip" ["route", "add", "4.0.0.0/6", "dev", "snx-xfrm"]
2024-05-10T10:14:57.014643Z DEBUG snxcore::platform::linux::net: Adding route: 8.0.0.0/5 via snx-xfrm
2024-05-10T10:14:57.014654Z TRACE snxcore::util: Exec: "ip" ["route", "add", "8.0.0.0/5", "dev", "snx-xfrm"]
2024-05-10T10:14:57.015965Z DEBUG snxcore::platform::linux::net: Adding route: 16.0.0.0/4 via snx-xfrm
2024-05-10T10:14:57.015977Z TRACE snxcore::util: Exec: "ip" ["route", "add", "16.0.0.0/4", "dev", "snx-xfrm"]
2024-05-10T10:14:57.017301Z DEBUG snxcore::platform::linux::net: Adding route: 32.0.0.0/3 via snx-xfrm
2024-05-10T10:14:57.017313Z TRACE snxcore::util: Exec: "ip" ["route", "add", "32.0.0.0/3", "dev", "snx-xfrm"]
2024-05-10T10:14:57.018570Z DEBUG snxcore::platform::linux::net: Adding route: 64.0.0.0/2 via snx-xfrm
2024-05-10T10:14:57.018582Z TRACE snxcore::util: Exec: "ip" ["route", "add", "64.0.0.0/2", "dev", "snx-xfrm"]
2024-05-10T10:14:57.019862Z DEBUG snxcore::platform::linux::net: Adding route: 128.0.0.0/2 via snx-xfrm
2024-05-10T10:14:57.019873Z TRACE snxcore::util: Exec: "ip" ["route", "add", "128.0.0.0/2", "dev", "snx-xfrm"]
2024-05-10T10:14:57.021204Z DEBUG snxcore::platform::linux::net: Adding route: 224.0.0.0/4 via snx-xfrm
2024-05-10T10:14:57.021215Z TRACE snxcore::util: Exec: "ip" ["route", "add", "224.0.0.0/4", "dev", "snx-xfrm"]
2024-05-10T10:14:57.022605Z DEBUG snxcore::platform::linux::net: Adding route: 240.0.0.0/5 via snx-xfrm
2024-05-10T10:14:57.022616Z TRACE snxcore::util: Exec: "ip" ["route", "add", "240.0.0.0/5", "dev", "snx-xfrm"]
2024-05-10T10:14:57.023942Z DEBUG snxcore::platform::linux::net: Adding route: 248.0.0.0/6 via snx-xfrm
2024-05-10T10:14:57.023954Z TRACE snxcore::util: Exec: "ip" ["route", "add", "248.0.0.0/6", "dev", "snx-xfrm"]
2024-05-10T10:14:57.025311Z DEBUG snxcore::platform::linux::net: Adding route: 252.0.0.0/7 via snx-xfrm
2024-05-10T10:14:57.025323Z TRACE snxcore::util: Exec: "ip" ["route", "add", "252.0.0.0/7", "dev", "snx-xfrm"]
2024-05-10T10:14:57.026695Z DEBUG snxcore::platform::linux::net: Adding route: 254.0.0.0/8 via snx-xfrm
2024-05-10T10:14:57.026707Z TRACE snxcore::util: Exec: "ip" ["route", "add", "254.0.0.0/8", "dev", "snx-xfrm"]
2024-05-10T10:14:57.028045Z DEBUG snxcore::platform::linux::net: Adding route: 255.0.0.0/9 via snx-xfrm
2024-05-10T10:14:57.028057Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.0.0.0/9", "dev", "snx-xfrm"]
2024-05-10T10:14:57.029427Z DEBUG snxcore::platform::linux::net: Adding route: 255.128.0.0/10 via snx-xfrm
2024-05-10T10:14:57.029438Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.128.0.0/10", "dev", "snx-xfrm"]
2024-05-10T10:14:57.030898Z DEBUG snxcore::platform::linux::net: Adding route: 255.192.0.0/11 via snx-xfrm
2024-05-10T10:14:57.030909Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.192.0.0/11", "dev", "snx-xfrm"]
2024-05-10T10:14:57.032264Z DEBUG snxcore::platform::linux::net: Adding route: 255.224.0.0/12 via snx-xfrm
2024-05-10T10:14:57.032276Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.224.0.0/12", "dev", "snx-xfrm"]
2024-05-10T10:14:57.033616Z DEBUG snxcore::platform::linux::net: Adding route: 255.240.0.0/13 via snx-xfrm
2024-05-10T10:14:57.033626Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.240.0.0/13", "dev", "snx-xfrm"]
2024-05-10T10:14:57.034855Z DEBUG snxcore::platform::linux::net: Adding route: 255.248.0.0/14 via snx-xfrm
2024-05-10T10:14:57.034864Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.248.0.0/14", "dev", "snx-xfrm"]
2024-05-10T10:14:57.036252Z DEBUG snxcore::platform::linux::net: Adding route: 255.252.0.0/15 via snx-xfrm
2024-05-10T10:14:57.036263Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.252.0.0/15", "dev", "snx-xfrm"]
2024-05-10T10:14:57.037745Z DEBUG snxcore::platform::linux::net: Adding route: 255.254.0.0/16 via snx-xfrm
2024-05-10T10:14:57.037757Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.254.0.0/16", "dev", "snx-xfrm"]
2024-05-10T10:14:57.039149Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.0.0/17 via snx-xfrm
2024-05-10T10:14:57.039160Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.0.0/17", "dev", "snx-xfrm"]
2024-05-10T10:14:57.040620Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.128.0/18 via snx-xfrm
2024-05-10T10:14:57.040631Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.128.0/18", "dev", "snx-xfrm"]
2024-05-10T10:14:57.042064Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.192.0/19 via snx-xfrm
2024-05-10T10:14:57.042076Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.192.0/19", "dev", "snx-xfrm"]
2024-05-10T10:14:57.043415Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.224.0/20 via snx-xfrm
2024-05-10T10:14:57.043429Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.224.0/20", "dev", "snx-xfrm"]
2024-05-10T10:14:57.044882Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.240.0/21 via snx-xfrm
2024-05-10T10:14:57.044894Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.240.0/21", "dev", "snx-xfrm"]
2024-05-10T10:14:57.046396Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.248.0/22 via snx-xfrm
2024-05-10T10:14:57.046408Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.248.0/22", "dev", "snx-xfrm"]
2024-05-10T10:14:57.047781Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.252.0/23 via snx-xfrm
2024-05-10T10:14:57.047795Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.252.0/23", "dev", "snx-xfrm"]
2024-05-10T10:14:57.049219Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.254.0/24 via snx-xfrm
2024-05-10T10:14:57.049231Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.254.0/24", "dev", "snx-xfrm"]
2024-05-10T10:14:57.050560Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.255.0/25 via snx-xfrm
2024-05-10T10:14:57.050570Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.255.0/25", "dev", "snx-xfrm"]
2024-05-10T10:14:57.051935Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.255.128/26 via snx-xfrm
2024-05-10T10:14:57.051946Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.255.128/26", "dev", "snx-xfrm"]
2024-05-10T10:14:57.053380Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.255.192/27 via snx-xfrm
2024-05-10T10:14:57.053393Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.255.192/27", "dev", "snx-xfrm"]
2024-05-10T10:14:57.054858Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.255.224/28 via snx-xfrm
2024-05-10T10:14:57.054872Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.255.224/28", "dev", "snx-xfrm"]
2024-05-10T10:14:57.056183Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.255.240/29 via snx-xfrm
2024-05-10T10:14:57.056195Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.255.240/29", "dev", "snx-xfrm"]
2024-05-10T10:14:57.057533Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.255.248/30 via snx-xfrm
2024-05-10T10:14:57.057546Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.255.248/30", "dev", "snx-xfrm"]
2024-05-10T10:14:57.058865Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.255.252/31 via snx-xfrm
2024-05-10T10:14:57.058879Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.255.252/31", "dev", "snx-xfrm"]
2024-05-10T10:14:57.060210Z DEBUG snxcore::platform::linux::net: Adding route: 255.255.255.254/32 via snx-xfrm
2024-05-10T10:14:57.060224Z TRACE snxcore::util: Exec: "ip" ["route", "add", "255.255.255.254/32", "dev", "snx-xfrm"]
2024-05-10T10:14:57.061511Z TRACE snxcore::util: Exec: "ip" ["route", "add", "table", "18234", "XXX.XXX.XXX.XXX", "dev", "snx-xfrm"]
2024-05-10T10:14:57.062911Z TRACE snxcore::util: Exec: "ip" ["rule", "add", "to", "XXX.XXX.XXX.XXX", "ipproto", "udp", "dport", "18234", "table", "18234"]
2024-05-10T10:14:57.064364Z DEBUG snxcore::platform::linux::xfrm: Adding acquired DNS suffixes: ["corp.dev.TEST_DOMAIN", "TEST_DOMAIN", "TEST_DOMAIN", "TEST_DOMAIN", "TEST_DOMAIN"]
2024-05-10T10:14:57.064374Z DEBUG snxcore::platform::linux::xfrm: Adding provided DNS suffixes: []
2024-05-10T10:14:57.064380Z TRACE snxcore::util: Exec: "resolvectl" ["domain", "snx-xfrm", "TEST_DOMAIN", "TEST_DOMAIN", "TEST_DOMAIN", "TEST_DOMAIN", "TEST_DOMAIN"]
2024-05-10T10:14:57.070052Z TRACE snxcore::util: Exec: "resolvectl" ["dns", "snx-xfrm", "10.230.192.78", "10.230.192.77"]
2024-05-10T10:14:57.075435Z TRACE perform: zbus::connection::handshake: Initializing
2024-05-10T10:14:57.075481Z TRACE perform: zbus::connection::handshake: Waiting for DATA or OK from server
2024-05-10T10:14:57.075496Z TRACE perform:read_command: zbus::connection::handshake: Reading OK 56e09c38e6dbda944842e6bff87cefa6

2024-05-10T10:14:57.075506Z TRACE perform: zbus::connection::handshake: Received OK from server
2024-05-10T10:14:57.075517Z TRACE perform: zbus::connection::handshake: Waiting for Unix FD passing agreement from server
2024-05-10T10:14:57.075541Z TRACE perform:read_command: zbus::connection::handshake: Reading AGREE_UNIX_FD

2024-05-10T10:14:57.075549Z TRACE perform: zbus::connection::handshake: Unix FD passing agreed by server
2024-05-10T10:14:57.075564Z TRACE perform: zbus::connection::handshake: Handshake done
2024-05-10T10:14:57.075625Z TRACE socket reader: zbus::connection::socket_reader: Waiting for message on the socket..
2024-05-10T10:14:57.075660Z TRACE zbus::connection: Sending message: Msg { type: MethodCall, path: ObjectPath("/org/freedesktop/DBus"), iface: InterfaceName("org.freedesktop.DBus"), member: MemberName("Hello"), fds: [] }
2024-05-10T10:14:57.075683Z TRACE zbus::connection: Sent message with serial: 1
2024-05-10T10:14:57.075788Z TRACE socket reader: zbus::connection::socket_reader: Message received on the socket: Msg { type: MethodReturn, sender: UniqueName("org.freedesktop.DBus"), reply-serial: 1, body: Signature("s"), fds: [] }
2024-05-10T10:14:57.075808Z TRACE socket reader: zbus::connection::socket_reader: Error broadcasting message to stream for `None`: SendError(..)
2024-05-10T10:14:57.075814Z TRACE socket reader: zbus::connection::socket_reader: Broadcasted to all streams: Ok(Msg { type: MethodReturn, sender: UniqueName("org.freedesktop.DBus"), reply-serial: 1, body: Signature("s"), fds: [] })
2024-05-10T10:14:57.075821Z TRACE socket reader: zbus::connection::socket_reader: Waiting for message on the socket..
2024-05-10T10:14:57.075870Z TRACE socket reader: zbus::connection::socket_reader: Message received on the socket: Msg { type: Signal, sender: UniqueName("org.freedesktop.DBus"), path: ObjectPath("/org/freedesktop/DBus"), iface: InterfaceName("org.freedesktop.DBus"), member: MemberName("NameAcquired"), body: Signature("s"), fds: [] }
2024-05-10T10:14:57.075888Z TRACE socket reader: zbus::connection::socket_reader: Error broadcasting message to stream for `None`: SendError(..)
2024-05-10T10:14:57.075896Z TRACE socket reader: zbus::connection::socket_reader: Broadcasted to all streams: Ok(Msg { type: Signal, sender: UniqueName("org.freedesktop.DBus"), path: ObjectPath("/org/freedesktop/DBus"), iface: InterfaceName("org.freedesktop.DBus"), member: MemberName("NameAcquired"), body: Signature("s"), fds: [] })
2024-05-10T10:14:57.075906Z DEBUG snxcore::tunnel::ipsec: Running IPSec tunnel
2024-05-10T10:14:57.075907Z TRACE socket reader: zbus::connection::socket_reader: Waiting for message on the socket..
2024-05-10T10:14:57.075925Z DEBUG snxcore::tunnel::ipsec::natt: Listening for NAT-T packets on port 0.0.0.0:33942
2024-05-10T10:14:57.075987Z TRACE snxcore::tunnel::ipsec::keepalive: Sending keepalive to XXX.XXX.XXX.XXX
2024-05-10T10:14:57.076023Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::connection: Sending message: Msg { type: MethodCall, sender: UniqueName(":1.157"), path: ObjectPath("/org/freedesktop/DBus"), iface: InterfaceName("org.freedesktop.DBus"), member: MemberName("AddMatch"), body: Signature("s"), fds: [] }
2024-05-10T10:14:57.076049Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::connection: Sent message with serial: 2
2024-05-10T10:14:57.076057Z DEBUG snxcore::tunnel::ipsec::connector: Tunnel connected
2024-05-10T10:14:57.076142Z TRACE socket reader: zbus::connection::socket_reader: Message received on the socket: Msg { type: MethodReturn, sender: UniqueName("org.freedesktop.DBus"), reply-serial: 2, body: Signature(""), fds: [] }
2024-05-10T10:14:57.076159Z TRACE socket reader: zbus::connection::socket_reader: Error broadcasting message to stream for `None`: SendError(..)
2024-05-10T10:14:57.076168Z TRACE socket reader: zbus::connection::socket_reader: Broadcasted to all streams: Ok(Msg { type: MethodReturn, sender: UniqueName("org.freedesktop.DBus"), reply-serial: 2, body: Signature(""), fds: [] })
2024-05-10T10:14:57.076177Z TRACE socket reader: zbus::connection::socket_reader: Waiting for message on the socket..
2024-05-10T10:14:57.076282Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::connection: Sending message: Msg { type: MethodCall, sender: UniqueName(":1.157"), path: ObjectPath("/org/freedesktop/DBus"), iface: InterfaceName("org.freedesktop.DBus"), member: MemberName("GetNameOwner"), body: Signature("s"), fds: [] }
2024-05-10T10:14:57.076306Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::connection: Sent message with serial: 3
2024-05-10T10:14:57.076379Z TRACE socket reader: zbus::connection::socket_reader: Message received on the socket: Msg { type: MethodReturn, sender: UniqueName("org.freedesktop.DBus"), reply-serial: 3, body: Signature("s"), fds: [] }
2024-05-10T10:14:57.076393Z TRACE socket reader: zbus::connection::socket_reader: Error broadcasting message to stream for `None`: SendError(..)
2024-05-10T10:14:57.076401Z TRACE socket reader: zbus::connection::socket_reader: Broadcasted to all streams: Ok(Msg { type: MethodReturn, sender: UniqueName("org.freedesktop.DBus"), reply-serial: 3, body: Signature("s"), fds: [] })
2024-05-10T10:14:57.076410Z TRACE socket reader: zbus::connection::socket_reader: Waiting for message on the socket..
2024-05-10T10:14:57.076498Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::connection: Sending message: Msg { type: MethodCall, sender: UniqueName(":1.157"), path: ObjectPath("/org/freedesktop/DBus"), iface: InterfaceName("org.freedesktop.DBus"), member: MemberName("AddMatch"), body: Signature("s"), fds: [] }
2024-05-10T10:14:57.076520Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::connection: Sent message with serial: 4
2024-05-10T10:14:57.076596Z TRACE socket reader: zbus::connection::socket_reader: Message received on the socket: Msg { type: MethodReturn, sender: UniqueName("org.freedesktop.DBus"), reply-serial: 4, body: Signature(""), fds: [] }
2024-05-10T10:14:57.076612Z TRACE socket reader: zbus::connection::socket_reader: Error broadcasting message to stream for `None`: SendError(..)
2024-05-10T10:14:57.076619Z TRACE socket reader: zbus::connection::socket_reader: Broadcasted to all streams: Ok(Msg { type: MethodReturn, sender: UniqueName("org.freedesktop.DBus"), reply-serial: 4, body: Signature(""), fds: [] })
2024-05-10T10:14:57.076627Z TRACE socket reader: zbus::connection::socket_reader: Waiting for message on the socket..
2024-05-10T10:14:57.076694Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::connection: Sending message: Msg { type: MethodCall, sender: UniqueName(":1.157"), path: ObjectPath("/org/freedesktop/NetworkManager"), iface: InterfaceName("org.freedesktop.DBus.Properties"), member: MemberName("GetAll"), body: Signature("s"), fds: [] }
2024-05-10T10:14:57.076716Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::connection: Sent message with serial: 5
2024-05-10T10:14:57.077093Z TRACE socket reader: zbus::connection::socket_reader: Message received on the socket: Msg { type: MethodReturn, sender: UniqueName(":1.3"), reply-serial: 5, body: Signature("a{sv}"), fds: [] }
2024-05-10T10:14:57.077109Z TRACE socket reader: zbus::connection::socket_reader: Error broadcasting message to stream for `None`: SendError(..)
2024-05-10T10:14:57.077116Z TRACE socket reader: zbus::connection::socket_reader: Broadcasted to all streams: Ok(Msg { type: MethodReturn, sender: UniqueName(":1.3"), reply-serial: 5, body: Signature("a{sv}"), fds: [] })
2024-05-10T10:14:57.077122Z TRACE socket reader: zbus::connection::socket_reader: Waiting for message on the socket..
2024-05-10T10:14:57.077194Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.WimaxHardwareEnabled` updated
2024-05-10T10:14:57.077204Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.PrimaryConnection` updated
2024-05-10T10:14:57.077210Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.Startup` updated
2024-05-10T10:14:57.077216Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.State` updated
2024-05-10T10:14:57.077222Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.Version` updated
2024-05-10T10:14:57.077227Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.WimaxEnabled` updated
2024-05-10T10:14:57.077232Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.WwanHardwareEnabled` updated
2024-05-10T10:14:57.077236Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.VersionInfo` updated
2024-05-10T10:14:57.077245Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.Checkpoints` updated
2024-05-10T10:14:57.077252Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.Connectivity` updated
2024-05-10T10:14:57.077257Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.WirelessEnabled` updated
2024-05-10T10:14:57.077265Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.RadioFlags` updated
2024-05-10T10:14:57.077271Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.ConnectivityCheckUri` updated
2024-05-10T10:14:57.077278Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.GlobalDnsConfiguration` updated
2024-05-10T10:14:57.077284Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.Devices` updated
2024-05-10T10:14:57.077295Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.NetworkingEnabled` updated
2024-05-10T10:14:57.077302Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.ActivatingConnection` updated
2024-05-10T10:14:57.077308Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.WwanEnabled` updated
2024-05-10T10:14:57.077313Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.Capabilities` updated
2024-05-10T10:14:57.077318Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.Metered` updated
2024-05-10T10:14:57.077324Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.PrimaryConnectionType` updated
2024-05-10T10:14:57.077329Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.AllDevices` updated
2024-05-10T10:14:57.077338Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.ActiveConnections` updated
2024-05-10T10:14:57.077345Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.ConnectivityCheckAvailable` updated
2024-05-10T10:14:57.077351Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.ConnectivityCheckEnabled` updated
2024-05-10T10:14:57.077356Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}: zbus::proxy: Property `org.freedesktop.NetworkManager.WirelessHardwareEnabled` updated
2024-05-10T10:14:57.077377Z TRACE new:{}{task_name="org.freedesktop.NetworkManager proxy caching"}:keep_updated: zbus::proxy: Listening for property changes on org.freedesktop.NetworkManager...
2024-05-10T10:14:57.077391Z DEBUG snxcore::platform::linux::net: NetworkManager state changed to ConnectedGlobal
ancwrd1 commented 1 month ago

Great! I will finalize it also with UI support.

Regarding routes, you could try "no-routing" option and add custom routes you want manually via "add-routes". This was recently contributed as a PR by another user.

IdiotEbrilo commented 1 month ago

Thanks! I also see these lines in the log:

2024-05-10T10:41:29.395834Z TRACE snxcore::util: Exec: "resolvectl" ["domain", "snx-xfrm", "DOMAIN_1", "DOMAIN_2", "DOMAIN_3", "DOMAIN_4", "DOMAIN_5"]
2024-05-10T10:41:29.401940Z TRACE snxcore::util: Exec: "resolvectl" ["dns", "snx-xfrm", "XXX.XXX.XXX.XXX", "YYY.YYY.YYY.YYY"]

But there's no changes in /etc/resolv.conf or /etc/hosts or in /etc/systemd/resolved.conf. Should it be so?

ancwrd1 commented 1 month ago

If you have systemd-resolved as a global DNS provider then it's ok. Run resolvectl without parameters to check the DNS configuration. Normally /etc/resolv.conf is a symlink pointing to something like /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

IdiotEbrilo commented 1 month ago

Got it, thanks. Added some internal IPs and hostnames to /etc/hosts, and they're accessible now, so everything appears to be working properly.

You saved my day actually with your work since i no longer have to run windows in virtualbox every time i need to access some internal stuff)