dlenski / vpn-slice

vpnc-script replacement for easy and secure split-tunnel VPN setup
GNU General Public License v3.0
726 stars 87 forks

Noob question: I'm getting http traffic blocked by VPN OpenDNS #61

Closed edgar closed 4 years ago

edgar commented 4 years ago

Hey there,

First of all, thanks for the amazing work in vpn-slice!

I'm using vpn-slice with OpenConnect, using some shell functions plus a script to supply all the hosts and CIDR ranges to vpn-slice:

function vpn-up() {
  if [[ -z $VPN_HOST ]]
  then
    echo "Please set VPN_HOST env var"
    return 1
  fi
  if [[ "$1" == "split" ]]
  then
    echo "Starting the vpn with split tunneling ..."
    # Expand the path in the calling shell: inside single quotes the literal
    # string '~/custom-vpn-slice' reaches openconnect and is never expanded.
    sudo openconnect --background --script="$HOME/custom-vpn-slice" --user="$USER" "$VPN_HOST"
  else
    echo "Starting the vpn ..."
    sudo openconnect --background --user="$USER" "$VPN_HOST"
  fi
}

function vpn-split() {
  vpn-up split
}

function vpn-down() {
  # SIGINT makes openconnect run the script with reason=disconnect before it exits.
  local pid
  pid=$(pgrep -x openconnect) || { echo "openconnect is not running"; return 1; }
  sudo kill -2 $pid
}

and custom-vpn-slice has:

#!/bin/sh
# openconnect runs this script with no arguments; vpn-slice reads TUNDEV,
# reason, etc. from the environment. host_x/host_y/cidr_range_* are placeholders.
exec vpn-slice --prevent-idle-timeout \
  host_x \
  host_y \
  cidr_range_a \
  cidr_range_b

When I run vpn-split, the traffic is routed properly through the VPN; however, when I check my public IP address with websites like http://ip4.me/, it reports the VPN IP address. And when I kill OpenConnect (vpn-down), it reports the ISP IP (which is what I expected when the VPN was up).

Also, when I visit some websites I get an alert message from the company OpenDNS about the website being blocked. That also happened after I killed OpenConnect (vpn-down). I checked on another machine using Cisco AnyConnect instead of OpenConnect + vpn-slice and the traffic is not blocked.

Wondering what I'm missing in my setup.

dlenski commented 4 years ago

… however when I check my public IP address with websites like http://ip4.me/ I'm getting reported the VPN IP address.

First of all, obviously check that 216.115.184.69 (ip4.me) isn't in the address ranges that you're routing via the VPN.

Secondly, what do you mean by "the VPN IP address"?

Also, when I visit some websites I get an alert message from the company OpenDNS about the website being blocked. That also happened after I killed OpenConnect (vpn-down).

No idea without more details. :man_shrugging:

Are you intending to using OpenDNS as your DNS provider?

Wondering what I'm missing in my setup.

Does your VPN provide IPv6 connectivity, or only IPv4?
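The first check suggested above (is ip4.me's address routed via the tunnel or not?) comes down to a longest-prefix match over the routing table. The following is an added example, not vpn-slice's or this thread's code: it parses a constructed BSD/macOS-style `netstat -nr -f inet` excerpt (the routes, gateways and the `utun4` interface in it are assumptions for illustration) and reports which route, and therefore which interface, wins for a destination.

```python
"""Longest-prefix-match lookup over a BSD-style routing table (added example)."""
import ipaddress

# Constructed sample in the abbreviated form BSD netstat prints:
# "10" means 10.0.0.0/8, "192.168.1" means 192.168.1.0/24, "172.16.20/24" is explicit.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
10                 10.8.0.1           UGSc            utun4
10.8.0.1/32        10.8.0.1           UGHS            utun4
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
172.16.20/24       10.8.0.1           UGSc            utun4
192.168.1          link#6             UCS               en0      !
192.168.1.1        a4:2b:8c:11:22:33  UHLWIi            en0   1180
"""

def parse_destination(dest):
    """Expand netstat's abbreviated destination column into an ip_network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/", 1)
        plen = int(plen)
    else:
        addr, plen = dest, None
    octets = addr.split(".")
    if plen is None:
        # No explicit length: BSD drops the trailing zero octets of a classful
        # prefix, so the length is 8 bits per printed octet (32 for a host).
        plen = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)

def parse_routes(text):
    """Return (network, gateway, interface) for each IPv4 route line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Destination", "Routing", "Internet:"):
            continue
        try:
            net = parse_destination(parts[0])
        except ValueError:
            continue
        routes.append((net, parts[1], parts[3]))
    return routes

def lookup(routes, destination):
    """Most specific matching route, i.e. what the kernel would pick."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None

def goes_via_vpn(routes, destination, tunnel_prefixes=("utun", "tun")):
    """True if the winning route leaves through a tunnel interface."""
    route = lookup(routes, destination)
    return route is not None and route[2].startswith(tunnel_prefixes)

if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT)
    for dst in ("216.115.184.69", "10.20.30.40", "172.16.20.7"):
        print(dst, "->", lookup(table, dst), "via VPN:", goes_via_vpn(table, dst))
```

On a real machine, feed the output of `netstat -nr -f inet` to `parse_routes`; on macOS and the BSDs `route -n get 216.115.184.69` gives the same answer directly from the kernel, which is the quicker check when you only care about one destination.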

edgar commented 4 years ago

Hey Dan,

Thanks for the quick response.

I noticed (via netstat -nr -f inet and ifconfig -a) that I had several utunX (from utun0 to utun8) network interfaces even after openconnect was killed. I restarted the laptop and now ifconfig -a only reports utun0 to utun4 and ip4.me is now reporting my ISP in NYC.

About OpenDNS, I noticed that if I visit a website like http://gems.rubydev.ir I get redirected to block.opendns.com. I guess this is done via the Cisco Umbrella Roaming Client - AnyConnect. This behavior is happening to me and a co-worker who is also trying vpn-slice. For folks who have never used vpn-slice, they get this behavior if they are on the VPN (via Cisco AnyConnect) and they don't get redirected to block.opendns.com if they are not on the VPN.

Any suggestions on how I can dig deeper into this?

edgar commented 4 years ago

I also noticed that sometimes when I do sudo kill -2 `pgrep openconnect` I still get a vpn-slice running and the utunX interface still shows in netstat -nr -f inet.

After doing sudo kill -2 `pgrep vpn-slice` the utunX interface is removed.

Is there a preferred way of killing OpenConnect / vpn-slice? Not sure, but it seems this behavior is related to the use of the --prevent-idle-timeout flag.

dlenski commented 4 years ago
  • ip4.me was not in the address ranges routed via the VPN.

:thinking: If traffic to ip4.me's IP address (as destination) was not routed via the VPN interface… how could ip4.me possibly be receiving packets with a source IP address that's linked to the VPN?

I noticed (via netstat -nr -f inet and ifconfig -a) that I had several utunX (from utun0 to utun8) network interfaces even after openconnect was killed. I restarted the laptop and now ifconfig -a only reports utun0 to utun4 and ip4.me is now reporting my ISP in NYC.

Based on the device and command names you're sharing… I'm guessing you're running macOS or *BSD? Probably macOS?

I do not use macOS myself, and know very little about its networking configuration beyond the baseline of the *BSD network and routing configuration commands.

About OpenDNS, I noticed that if I visit a website like http://gems.rubydev.ir I get redirected to block.opendns.com. I guess this is done via the Cisco Umbrella Roaming Client - AnyConnect. This behavior is happening to me and a co-worker who is also trying vpn-slice. For folks who have never used vpn-slice, they get this behavior if they are on the VPN (via Cisco AnyConnect) and they don't get redirected to block.opendns.com if they are not on the VPN.

I'm afraid that I don't understand what you're describing at all. It sounds like Cisco AnyConnect may be running in the background and interfering with the system DNS setup in some way. Can you uninstall or disable it?

dlenski commented 4 years ago

I also noticed that sometimes when I do sudo kill -2 `pgrep openconnect` I still get a vpn-slice running and the utunX interface still shows in netstat -nr -f inet.

After doing sudo kill -2 `pgrep vpn-slice` the utunX interface is removed.

Is there a preferred way of killing OpenConnect / vpn-slice? Not sure, but it seems this behavior is related to the use of the --prevent-idle-timeout flag.

Yeah, the way the keepalive process works is extremely unsophisticated:

https://github.com/dlenski/vpn-slice/blob/e6971456ed4a94d91fa0086367e04dd39dd45cdd/vpn_slice/__main__.py#L262-L281

It simply runs in a loop, sleeps for a while, and then checks if the parent process is still alive. This interferes with the automated teardown of the tunnel device as you note.

Better approaches would be:

  1. vpn-slice parent process could track the keepalive child process's PID itself ("yet another PIDfile") and kill it when it gets reason=disconnect
  2. The child process could arrange for its sleep to be interrupted when the tundev goes into a DOWN state. Very OS-dependent.

Patches welcome.
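A sketch of approach 1 from the comment above, as an added example rather than vpn-slice's own code: the process handling reason=connect spawns the keepalive child and records its PID in a per-tunnel PID file, and the process handling reason=disconnect reads that file and terminates the child instead of leaving it to notice on its own. The PID-file naming, the `handle()` dispatcher, the idle stand-in for the VPN client and the child's "check the watched PID" loop are assumptions for illustration; the child sends no real keepalive traffic.

```python
"""Keepalive child tracked by a PID file and torn down at reason=disconnect (added example)."""
import os
import signal
import subprocess
import sys
import tempfile
import time
from pathlib import Path

# The keepalive child: sleep, then check the watched process still exists.
# A real one would also send traffic (e.g. a ping to the gateway) each round.
KEEPALIVE_CHILD = r"""
import os, signal, sys, time
watched, interval = int(sys.argv[1]), float(sys.argv[2])
signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
while True:
    time.sleep(interval)
    try:
        os.kill(watched, 0)          # signal 0 only tests for existence
    except ProcessLookupError:
        sys.exit(0)                  # VPN client gone: stop on our own
"""

def pidfile_for(tundev, directory=None):
    """One PID file per tunnel device (assumed naming scheme)."""
    directory = directory or tempfile.gettempdir()
    return Path(directory) / f"keepalive-{tundev}.pid"

def process_alive(pid):
    """Existence check that first reaps pid if it is our own exited child;
    otherwise a zombie would still answer the signal-0 probe as 'alive'."""
    try:
        reaped, _ = os.waitpid(pid, os.WNOHANG)
        if reaped == pid:
            return False
    except ChildProcessError:
        pass                         # not our child: fall through to the probe
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                  # exists, but owned by another user

def wait_until_dead(pid, timeout):
    """Poll until pid is gone; True if it exited within timeout seconds."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not process_alive(pid):
            return True
        time.sleep(0.02)
    return not process_alive(pid)

def start_keepalive(tundev, watched_pid, interval=60.0, directory=None):
    """reason=connect: spawn the child, record its PID, return the PID."""
    child = subprocess.Popen(
        [sys.executable, "-c", KEEPALIVE_CHILD, str(watched_pid), str(interval)])
    pidfile_for(tundev, directory).write_text(str(child.pid))
    return child.pid

def stop_keepalive(tundev, directory=None, timeout=5.0):
    """reason=disconnect: kill the recorded child; True if one was running.
    Caveat: a stale PID file whose number the kernel has reused would target an
    unrelated process; a stricter version would also check the command line."""
    pf = pidfile_for(tundev, directory)
    if not pf.exists():
        return False
    pid = int(pf.read_text().strip())
    pf.unlink()
    if not process_alive(pid):
        return False                 # stale PID file, nothing to do
    os.kill(pid, signal.SIGTERM)
    if not wait_until_dead(pid, timeout):
        os.kill(pid, signal.SIGKILL)
        wait_until_dead(pid, timeout)
    return True

def handle(reason, tundev, watched_pid=None, directory=None):
    """Dispatch on the vpnc-script 'reason' the VPN client passes in."""
    if reason == "connect":
        return start_keepalive(tundev, watched_pid, directory=directory)
    if reason == "disconnect":
        return stop_keepalive(tundev, directory=directory)
    return None

def spawn_idle_process(seconds=60):
    """Stand-in for the VPN client process (constructed, for the demo and test)."""
    return subprocess.Popen([sys.executable, "-c", f"import time; time.sleep({seconds})"])

if __name__ == "__main__":
    client = spawn_idle_process()
    pid = handle("connect", "utun9", watched_pid=client.pid)
    print("keepalive", pid, "alive:", process_alive(pid))
    print("stopped:", handle("disconnect", "utun9"), "alive now:", process_alive(pid))
    client.kill()
```

The `process_alive` helper matters more than it looks: a child that has exited but not been reaped still exists as a zombie and still answers `os.kill(pid, 0)`, so a teardown that only probes with signal 0 can wait out its whole timeout for a process that is already gone.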

edgar commented 4 years ago

Yes, I'm using macOS, and it seems it's Cisco AnyConnect/Umbrella that is messing around with the DNS setup.

I'll take a look at the prevent-idle-timeout logic and see if I can contribute

Thanks again Dan!

dlenski commented 4 years ago

it seems it's Cisco AnyConnect/Umbrella that is messing around with the DNS setup.

Looks like you're not the only one with this issue. :eyes: https://www.reddit.com/r/Cisco/comments/i7dmic/umbrella_client_disableenable_without_internet/