Closed dpqkdqkj closed 1 month ago
Hello, for DNS resolution or custom routes you don't need to change a default route.
I will check anyway if I can fix this default-route issue for the SSL tunnel.
For custom routes there are several parameters available, for example add-routes=<routes>.
You can configure DNS manually on your system (it's 192.168.25.5, I believe); I think on Void it's /etc/resolvconf.conf or similar, but I am not very familiar with it.
You can tell snx-rs to not modify DNS settings via no-dns=true.
Alternatively, I guess multiple DNS resolver backends could be added to the project, including NetworkManager and resolvconf, but it will require some time.
default-route=true redirects all system traffic to the created tunnel? Do I understand the default-route parameter correctly? I want to be able to redirect all my network requests through the VPN.
Setting the address 192.168.25.5 in the /etc/resolv.conf file was not successful. I think this is because the DNS request is not going through the tunnel but to 192.168.0.1.
All I need to do is turn on the VPN for a while to take/send data for work, maybe in a browser or git. I thought that default-route=true did exactly that. Maybe I'm wrong?
default-route redirects all traffic via the VPN interface (including all global Internet IPs); in most cases this is not needed. I think there is a bug in the SSL tunnel implementation, because there must be an exception defined which skips it for the VPN server itself (traffic to the VPN server should be routed through your internet connection). This was fixed a few releases ago for the IPSec tunnel, but not for SSL.
By default, only traffic meant for addresses behind the VPN is redirected through the tunnel. We are getting those routes from the CheckPoint VPN server.
I see that in your case your DNS server is not in this list:
```
DNS server: 192.168.25.5
Routes:
192.168.1.1 dev snx-tun scope link
192.168.20.1 dev snx-tun scope link
192.168.21.1 dev snx-tun scope link
192.168.22.1 dev snx-tun scope link
192.168.23.1 dev snx-tun scope link
192.168.24.1 dev snx-tun scope link
192.168.25.1 dev snx-tun scope link
192.168.26.0/24 dev snx-tun proto kernel scope link src 192.168.26.17
192.168.27.1 dev snx-tun scope link
192.168.28.1 dev snx-tun scope link
192.168.29.1 dev snx-tun scope link
192.168.30.1 dev snx-tun scope link
192.168.31.1 dev snx-tun scope link
192.168.63.1 dev snx-tun scope link
```
What you can try is to add an option in the config file:
```
add-routes = 192.168.25.5/32
```
I added add-routes=192.168.25.5/32 to the config and put nameserver 192.168.25.5 in /etc/resolv.conf, and now DNS is working!
```
cat conf.conf        (with add-routes=192.168.25.5/32)
ip route
cat /etc/resolv.conf
curl -v --interface snx-tun http://abc.defgh.klm
```
Can I redirect e.g. browser or git traffic through the tunnel myself (without using default-route=true)?
You can add more manual routes if you have a fixed destination for your browser or for the git server (e.g. x.x.x.x/32, with the IP address of the host). But for generic "catch-all" traffic a routing table trick is required:
```
ip route add table 18234 default dev snx-tun
ip rule add not to VPN_SERVER_IP table 18234
```
Where VPN_SERVER_IP is the IP address of the CheckPoint server. I will fix it in the code.
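The catch-all routing trick above, wrapped as a small POSIX shell helper that brings it up, tears it down again and keeps the exception for the VPN server; this is an added example, not snx-rs code or the maintainer's, and it goes one step beyond the comment by adding a suppress_prefixlength rule so that specific routes in the main table (the LAN, the routes snx-rs pushes) keep their normal path. The interface name snx-tun, table 18234 and the VPN server address 203.0.113.10 are placeholders; DRY_RUN=1 prints the commands instead of executing them (running them for real needs root).

```shell
#!/bin/sh
# Added example, not part of snx-rs: policy-routing "catch-all" for a tunnel
# interface with an exception for the VPN server itself.
# Placeholders: interface snx-tun, table 18234, VPN server 203.0.113.10.

# Execute the command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# vpn_catchall_up IFACE TABLE VPN_SERVER_IP
vpn_catchall_up() {
    iface=$1; table=$2; server=$3
    # A dedicated table whose only route is "default via the tunnel".
    run ip route add table "$table" default dev "$iface"
    # Rule 100: destinations that the main table already reaches with a
    # specific route (LAN, pushed VPN routes) keep using main; only main's
    # default route (prefix length 0) is ignored by this lookup.
    run ip rule add priority 100 table main suppress_prefixlength 0
    # Rule 200: everything else goes to the tunnel table, EXCEPT the VPN
    # server: its packets must leave via the normal uplink, otherwise the
    # tunnel's own transport is routed into the tunnel and the link dies.
    run ip rule add priority 200 not to "$server" table "$table"
}

# vpn_catchall_down TABLE VPN_SERVER_IP (reverse order of setup)
vpn_catchall_down() {
    table=$1; server=$2
    run ip rule del priority 200 not to "$server" table "$table"
    run ip rule del priority 100 table main suppress_prefixlength 0
    run ip route flush table "$table"
}

# After bringing it up, ask the kernel which device it would really use
# for a destination, e.g. the DNS server 192.168.25.5 from the thread.
vpn_route_check() { run ip route get "$1"; }
```

Run `vpn_catchall_up snx-tun 18234 <server-ip>` as root once the tunnel is up, then `vpn_route_check 192.168.25.5` should show `dev snx-tun` and `vpn_route_check <server-ip>` should still show the uplink interface.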
The "catch-all" traffic routing table trick works. I can now view the page in a browser. And the logs now look like this:
```
./snx-rs -m command -c conf.conf
```
Thank you very much, Dmitry! 😊
Should be fixed now in the code.
The problem occurs when the config file specifies default-route=true. I've seen similar issues (https://github.com/ancwrd1/snx-rs/issues/42) but I don't understand the solution. I used v2.6.0 (snx-rs-v2.6.0-linux-x86_64.tar.xz).

With default-route=true

Config (cat conf.conf, with default-route):
```
server-name=
```
I run the command ./snx-rs -m command -c conf.conf and then ./snxctl connect -c conf.conf.
Output of ./snx-rs -m command -c conf.conf:
```
2024-10-28T19:06:59.654890Z DEBUG snxcore::platform::linux::net: NetworkManager state changed to ConnectedGlobal
2024-10-28T19:09:27.113916Z TRACE snxcore::server: Command received
2024-10-28T19:09:27.113936Z TRACE snxcore::server: Handling get status command
2024-10-28T19:09:27.113946Z TRACE snxcore::server: Response: ConnectionStatus(ConnectionStatus { connected_since: None, mfa: None })
2024-10-28T19:09:27.235613Z TRACE snxcore::server: Command received
2024-10-28T19:09:27.235650Z TRACE snxcore::server: Handling connect command
2024-10-28T19:09:27.235670Z DEBUG snxcore::tunnel::ssl::connector: Authenticating to endpoint:
```
After entering the password:
```
2024-10-28T19:10:31.310072Z TRACE snxcore::server: Command received
2024-10-28T19:10:31.310156Z DEBUG snxcore::server: Handling challenge code command
2024-10-28T19:10:31.310189Z DEBUG snxcore::tunnel::ssl::connector: Authenticating with challenge code to endpoint:
```
After that the tunnel becomes inoperable.
When the tunnel is created after entering the password, these routes are created.

ip a:
```
1: lo:
```
ip route:
```
default dev snx-tun scope link
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.106 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-1e622e7e1599 proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-7db1c03f4c30 proto kernel scope link src 172.19.0.1 linkdown
172.20.0.0/16 dev br-2045bc6863ab proto kernel scope link src 172.20.0.1 linkdown
172.21.0.0/16 dev br-4c9c9aaae848 proto kernel scope link src 172.21.0.1 linkdown
172.22.0.0/16 dev br-896cc57c445a proto kernel scope link src 172.22.0.1 linkdown
172.23.0.0/16 dev br-cc2d7d2706fa proto kernel scope link src 172.23.0.1 linkdown
172.24.0.0/16 dev br-b1e37f2f9d34 proto kernel scope link src 172.24.0.1 linkdown
172.25.0.0/16 dev br-8347d3b3ba17 proto kernel scope link src 172.25.0.1 linkdown
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.106 metric 100
192.168.26.0/24 dev snx-tun proto kernel scope link src 192.168.26.16
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
```
Without default-route=true

Config (cat conf.conf, without default-route):
```
server-name=
```
Output of ./snx-rs -m command -c conf.conf with ./snxctl connect -c conf.conf:
```
2024-10-28T21:02:58.606445Z DEBUG snxcore::platform::linux::net: NetworkManager state changed to ConnectedGlobal
2024-10-28T21:03:01.512898Z TRACE snxcore::server: Command received
2024-10-28T21:03:01.512940Z TRACE snxcore::server: Handling get status command
2024-10-28T21:03:01.512953Z TRACE snxcore::server: Response: ConnectionStatus(ConnectionStatus { connected_since: None, mfa: None })
2024-10-28T21:03:01.678092Z TRACE snxcore::server: Command received
2024-10-28T21:03:01.678162Z TRACE snxcore::server: Handling connect command
2024-10-28T21:03:01.679064Z DEBUG snxcore::tunnel::ssl::connector: Authenticating to endpoint:
```
After entering the password:
```
2024-10-28T21:05:12.652890Z TRACE snxcore::server: Command received
2024-10-28T21:05:12.652920Z DEBUG snxcore::server: Handling challenge code command
2024-10-28T21:05:12.652926Z DEBUG snxcore::tunnel::ssl::connector: Authenticating with challenge code to endpoint:
```
ip a:
```
1: lo:
```
ip route:
```
default via 192.168.0.1 dev eno1 proto dhcp src 192.168.0.106 metric 100
```
I can do curl queries by IP through the tunnel interface. For example:
```
curl --interface snx-tun http://192.168.29.197
```
but unfortunately can't by name. This is probably because I don't have systemd-resolved configured as a global DNS resolver on Void Linux. My /etc/resolv.conf

Could you please tell me if I can redirect traffic on my own without using the non-working default-route=true, and how I can do it?

My system: Void Linux, D-Bus enabled as a runit service.

And it would be nice to add a feature to mask sensitive data in the logs 🙂