dlenski / vpn-slice

vpnc-script replacement for easy and secure split-tunnel VPN setup
GNU General Public License v3.0

New issue with openconnect/vpn-slice due to env change? #148

Open mebigfatguy opened 8 months ago

mebigfatguy commented 8 months ago

Hi folks,

Looking to see if bright folks can help me. I've been using openconnect/vpn-slice for years as a simple user w/o issue [thanks!], but today, after a phone update (which I hotspot thru), openconnect and/or vpn-slice aren't working correctly.

openconnect seems to work correctly to the vpn if run without vpn-slice; however, I now get this error when connecting:

(I get the RTNETLINK answers: Invalid argument error whether vpn-slice is in the picture or not)

```
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 10.69.39.197 + 2606:b400:600:c063::16d/64, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Detected MTU of 1182 bytes (was 1280)
WARNING: IPv6 address or netmask set. Support for IPv6 in vpn-slice should be considered BETA-QUALITY.
WARNING: IPv6 address or netmask set. Support for IPv6 in vpn-slice should be considered BETA-QUALITY.
RTNETLINK answers: Invalid argument
Traceback (most recent call last):
  File "/usr/local/bin/vpn-slice", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/vpn_slice/__main__.py", line 564, in main
    do_connect(env, args)
  File "/usr/local/lib/python3.8/dist-packages/vpn_slice/__main__.py", line 198, in do_connect
    providers.route.add_address(env.tundev, env.myaddr6)
  File "/usr/local/lib/python3.8/dist-packages/vpn_slice/linux.py", line 79, in add_address
    self._iproute('address', 'add', address, dev=device)
  File "/usr/local/lib/python3.8/dist-packages/vpn_slice/linux.py", line 50, in _iproute
    subprocess.check_call(cl)
  File "/usr/lib/python3.8/subprocess.py", line 364, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/usr/sbin/ip', 'address', 'add', '2606:b400:600:c063::16d/64', 'dev', 'tun0']' returned non-zero exit status 2.
Script 'vpn-slice '..................' returned error 1
```

`vpn-slice -V` returns `vpn-slice 0.15`

sudo vpn-slice --self-test reports success

uname -a
Linux mbfgdell 5.4.0-169-generic #187-Ubuntu SMP Thu Nov 23 14:52:28 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Linux Mint 20.3 Una \n \l

Samsung Galaxy A53 updated to OpenUI 6.0

Any suggestions or help to diagnose/fix this issue would be appreciated.

thanks, dave

dlenski commented 5 months ago

> (I get the RTNETLINK answers: Invalid argument error whether vpn-slice is in the picture or not)

Yeah, it's just that vpn-slice checks failures much more carefully than the default vpnc-script, which will simply ignore such errors.

> Detected MTU of 1182 bytes (was 1280)

Aaaah, that's the problem. IPv6 requires an MTU of at least 1280 bytes.

Seems like iproute(8) will return this error for any IPv6-related actions you attempt to perform on an adapter that has an MTU of <1280 bytes. In order to resolve this without sloppily ignoring errors, we're going to have to detect (and warn) when MTU is too low for IPv6, and then filter out all subsequent manipulations related to IPv6.

dlenski commented 5 months ago

> Detected MTU of 1182 bytes (was 1280)

Aaaah, that's the problem. IPv6 requires an MTU of at least 1280 bytes.

@mebigfatguy, please test cd40123.

If OpenConnect provides IPv6 configuration and a too-small MTU, vpn-slice will intentionally abort and will instruct you to add --disable-ipv6 to the command-line:

```
MTU of 789 is too small for IPv6 (minimum 1280). Invoke OpenConnect with --disable-ipv6 to configure for IPv4 only
```
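
The MTU check discussed in this thread, as an added Python example (not vpn-slice's own code and not the content of cd40123). It covers both behaviours mentioned above: aborting when IPv6 is configured on a too-small MTU, and filtering out the IPv6 steps instead. `plan_tunnel_setup`, `allow_ipv4_only` and `SAMPLE_ENV` are hypothetical names, and the way the vpnc-script environment variables are read here is an assumption.

```python
import ipaddress

IPV6_MIN_MTU = 1280  # RFC 8200: every IPv6 link must carry 1280-byte packets


def plan_tunnel_setup(env, allow_ipv4_only=False):
    """Return (ip_commands, warnings) for a vpnc-script style environment.

    env is a dict of the variables OpenConnect exports to its script.
    Raises ValueError when IPv6 is configured but the MTU cannot carry it,
    unless allow_ipv4_only is set, in which case every IPv6 step is dropped.
    """
    dev = env["TUNDEV"]
    mtu = int(env["INTERNAL_IP4_MTU"]) if env.get("INTERNAL_IP4_MTU") else None
    addr4 = env.get("INTERNAL_IP4_ADDRESS")
    # Assumption: prefer the addr/prefix form, fall back to the bare address.
    addr6 = env.get("INTERNAL_IP6_NETMASK") or env.get("INTERNAL_IP6_ADDRESS")
    warnings = []

    if addr6 and mtu is not None and mtu < IPV6_MIN_MTU:
        msg = f"MTU of {mtu} is too small for IPv6 (minimum {IPV6_MIN_MTU})"
        if not allow_ipv4_only:
            raise ValueError(msg)
        warnings.append(msg + "; skipping all IPv6 configuration")
        addr6 = None  # nothing IPv6-related may reach `ip` after this point

    cmds = []
    if mtu is not None:
        cmds.append(["ip", "link", "set", "dev", dev, "mtu", str(mtu)])
    cmds.append(["ip", "link", "set", "dev", dev, "up"])
    for addr in (addr4, addr6):
        if addr:
            # Validate before the value lands on a privileged command line.
            iface = ipaddress.ip_interface(addr)
            cmds.append(["ip", "address", "add", str(iface), "dev", dev])
    return cmds, warnings


# Constructed sample, modelled on the values in the log above.
SAMPLE_ENV = {
    "TUNDEV": "tun0",
    "INTERNAL_IP4_ADDRESS": "10.69.39.197",
    "INTERNAL_IP4_MTU": "1182",
    "INTERNAL_IP6_NETMASK": "2606:b400:600:c063::16d/64",
}
```

The commands are returned as argument lists rather than executed, so the plan can be inspected or logged before anything runs with root privileges.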