dlenski / vpn-slice

vpnc-script replacement for easy and secure split-tunnel VPN setup
GNU General Public License v3.0

Specifying a route with a non-default port #137

Closed H2CO3 closed 1 year ago

H2CO3 commented 1 year ago

Hello,

I'm using openconnect with vpn-slice to connect to the corporate VPN. I'm using it like this:

```
sudo openconnect \
    --servercert pin-sha256:<sha256> \
    --protocol=anyconnect XX.XX.XX.XX:PPPP \
    -s 'vpn-slice gitlab.corporate.com devenv.othercorp.com' \
    --disable-ipv6 \
    -u <myusername>
```

After this, I can access gitlab.corporate.com just fine.

However, I am supposed to reach devenv.othercorp.com via another port (3442 if it matters). Unfortunately, trying to connect through that port fails (I can't even ping it); it says "Failed to connect to devenv.othercorp.com port 3442: connection refused".

I tried to specify this exact route with the port number for vpn-slice like this:

```
vpn-slice gitlab.corporate.com devenv.othercorp.com:3442
```

but this failed with the following error:

```
WARNING: Lookup for devenv.othercorp.com:3442 on VPN DNS servers failed:
    All nameservers failed to answer the query devenv.othercorp.com:3442. IN A: Server 192.168.1.11 UDP port 53 answered REFUSED
```

What am I doing wrong?

dlenski commented 1 year ago

> I tried to specify this exact route with the port number for vpn-slice like this:

That doesn't make any sense. "Routes" are a feature of the IP (network) layer; "ports" are a feature of the TCP/UDP (transport) layers.

vpn-slice only manipulates network-layer routes. It has no mechanism to enable (or restrict) access to particular TCP/UDP ports.

> After this, I can access gitlab.corporate.com just fine.

Good. So that indicates that the VPN tunnel is working correctly, and that vpn-slice has correctly routed traffic to (at least one) server over it.

> However, I am supposed to reach devenv.othercorp.com via another port (3442 if it matters). Unfortunately, trying to connect through that port fails (I can't even ping it), it says "Failed to connect to devenv.othercorp.com port 3442: connection refused".

> What am I doing wrong?

Whatever is wrong here, it has nothing to do with vpn-slice.

Do connections to devenv.othercorp.com:3442 work if you use the default vpnc-script (not vpn-slice)? Do they work if you use the proprietary client on an officially-supported device?
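To make the layer distinction above concrete, here is an added example in Python; it is not part of this issue thread and not vpn-slice's own code. It classifies vpn-slice-style positional arguments the way a resolver would see them, turns the valid ones into per-address host routes (which, as the `ip route` syntax shows, have no field for a port), flags a `host:port` token as the mistake from the issue, and keeps the port for a separate transport-layer check. The resolver mapping, the `10.x` addresses, the `tun0` device name and every function name (`Target`, `classify_target`, `plan_routes`, `port_check`, `tcp_probe`, `fake_resolve`) are constructed for this example.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# RFC 1123 hostname labels: letters, digits and hyphens only, so a ':' can
# never be part of a name. Total length is capped at 253 characters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


class Target(NamedTuple):
    token: str            # the argument exactly as typed
    kind: str             # 'cidr', 'host' or 'host_port'
    value: str            # network in CIDR form, or the bare hostname
    port: Optional[int]   # only set for 'host_port'


def classify_target(token: str) -> Target:
    """Classify one positional argument of the kind vpn-slice accepts.

    A bare hostname or CIDR is a routing target. A 'host:port' token is the
    mistake from the issue: the ':3442' suffix is not part of a hostname, so
    a resolver sees an unknown name and the DNS lookup fails before any
    route could be installed.
    """
    try:
        net = ipaddress.ip_network(token, strict=False)
        return Target(token, "cidr", str(net), None)
    except ValueError:
        pass
    if _HOSTNAME_RE.match(token):
        return Target(token, "host", token.lower(), None)
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit() and _HOSTNAME_RE.match(host):
        return Target(token, "host_port", host.lower(), int(port))
    raise ValueError(f"not a hostname or CIDR: {token!r}")


Resolver = Callable[[str], List[str]]


def plan_routes(tokens: List[str], resolve: Resolver,
                dev: str = "tun0") -> Tuple[List[str], List[Target]]:
    """Turn targets into host routes; return (route commands, rejected targets).

    A route is keyed on the destination address only: the kernel's forwarding
    decision happens at the IP layer, so there is nowhere to put a port.
    """
    routes: List[str] = []
    rejected: List[Target] = []
    for token in tokens:
        target = classify_target(token)
        if target.kind == "cidr":
            routes.append(f"ip route add {target.value} dev {dev}")
        elif target.kind == "host":
            for addr in resolve(target.value):
                routes.append(f"ip route add {addr}/32 dev {dev}")
        else:
            rejected.append(target)
    return routes, rejected


def port_check(target: Target) -> str:
    """The transport-layer check a 'host:port' token really asks for:
    route the host's address first, then probe the TCP port separately."""
    return f"nc -zv {target.value} {target.port}"


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Live TCP connect: 'open', 'refused' (a RST came back, so the address
    is reachable but nothing listens) or 'unreachable' (timeout, no route,
    or the name did not resolve). Needs network access; not run by the test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


# Constructed stand-in for the VPN's DNS servers; no real lookups happen.
_FAKE_DNS: Dict[str, List[str]] = {
    "gitlab.corporate.com": ["10.20.0.5"],
    "devenv.othercorp.com": ["10.30.0.7"],
}


def fake_resolve(name: str) -> List[str]:
    return _FAKE_DNS.get(name, [])


if __name__ == "__main__":
    args = ["gitlab.corporate.com", "devenv.othercorp.com:3442"]
    routes, rejected = plan_routes(args, fake_resolve)
    for line in routes:
        print(line)
    for t in rejected:
        print(f"{t.token!r} is not a hostname; route {t.value} instead, "
              f"then check the port with: {port_check(t)}")
```

Run stand-alone, the script prints the one route it can install for `gitlab.corporate.com` and reports that `devenv.othercorp.com:3442` was rejected as a hostname, mirroring the resolver warning in the issue; `tcp_probe` is what you would call after the host route exists, and its "refused" result is a transport-layer answer that no route setting can change.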

H2CO3 commented 1 year ago

> Whatever is wrong here, it has nothing to do with vpn-slice.
>
> Do connections to devenv.othercorp.com:3442 work if you use the default vpnc-script (not vpn-slice)? Do they work if you use the proprietary client on an officially-supported device?

No, they don't – I already tried vpnc-script, and I was since able to verify with a co-worker that the host is inaccessible to him, too.

I didn't mean to imply in any way that vpn-slice is broken – it was my assumption that I might be invoking it incorrectly. But apparently the error is as simple as the host being down. (We are in the middle of changing sysadmins; we used OpenVPN so far, but we are being migrated to AnyConnect, hence it's possible that the new SRE team simply didn't yet configure something.)