dlenski / vpn-slice

vpnc-script replacement for easy and secure split-tunnel VPN setup
GNU General Public License v3.0

Disable split-tunnel #76

Open cavemandaveman opened 3 years ago

cavemandaveman commented 3 years ago

Yes I know doing this defeats the whole purpose of this project. But is it possible to either disable the split-tunnel functionality or tell vpn-slice to route everything through the vpn?

I ask because I need the prevent-idle-timeouts feature. And until functionality like this is added to openconnect, I need to find an alternate way to do it.

dlenski commented 3 years ago

> But is it possible to either disable the split-tunnel functionality or tell vpn-slice to route everything through the vpn?

You can use vpn-slice --route-internal --route-splits --incoming to:

That pretty much replicates the routing behavior of the standard vpnc-script. However, vpn-slice has no option to accept the server's DNS configuration, and handle it identically to vpnc-script.

  1. I didn't envision such behavior as a likely use case when I originally wrote vpn-slice.
  2. Making the standard vpnc-script handle DNS sanely is very complicated; invoking or replicating its behavior in vpn-slice would also be quite complicated.

Better ideas are welcome, especially in the form of PRs. :grimacing:

> an alternate way to do it.

Use the standard vpnc-script, but add post-connect and post-disconnect hooks to start and stop the prevent-idle-timeouts handler. https://gitlab.com/openconnect/vpnc-scripts/blob/master/vpnc-script#L1136-1141

It should be relatively easy to factor out the relevant code into a small standalone CLI script which could be installed alongside vpn-slice: https://github.com/dlenski/vpn-slice/blob/HEAD/vpn_slice/__main__.py#L297-L323

cavemandaveman commented 3 years ago

> You can use vpn-slice --route-internal --route-splits --incoming

So taking this route, I would have to handle DNS on my own, right? That might get too messy though.

> Use the standard vpnc-script, but add post-connect and post-disconnect hooks to start and stop the prevent-idle-timeouts handler. https://gitlab.com/openconnect/vpnc-scripts/blob/master/vpnc-script#L1136-1141
>
> It should be relatively easy to factor out the relevant code into a small standalone CLI script which could be installed alongside vpn-slice: https://github.com/dlenski/vpn-slice/blob/HEAD/vpn_slice/__main__.py#L297-L323

I like the idea of breaking out this functionality. You've got some other cool features in vpn-slice, like blocking incoming traffic, that would be cool as standalone handlers. For my use case, running openconnect in docker and connecting to the container through proxies already allows the possibility for a kind of pseudo split-tunneling. But creating the possibility to inject hooks like this would make it super modular and flexible. If I get some time I might look at what it takes to break out these pieces.
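
The approach suggested in this thread (keep the standard vpnc-script and start and stop a standalone idle-timeout preventer from its post-connect and post-disconnect hooks), as an added example that is not part of the thread and not vpn-slice's own code. It assumes the preventer keeps the session active with periodic DNS lookups sent to the VPN's DNS servers, read from the `INTERNAL_IP4_DNS` and `IDLE_TIMEOUT` variables openconnect passes to the script; the script path, hook file names, PID file, query name and 600-second fallback are hypothetical.

```python
# Hypothetical keepalive launched from the standard vpnc-script's hook directories (paths assumed):
#   /etc/vpnc/post-connect.d/keepalive:    /usr/local/bin/vpn-keepalive & echo $! > /run/vpn-keepalive.pid
#   /etc/vpnc/post-disconnect.d/keepalive: kill "$(cat /run/vpn-keepalive.pid)"
import os
import random
import socket
import struct
import time


def dns_servers(env):
    """VPN-provided IPv4 DNS servers; openconnect passes them space-separated."""
    return env.get("INTERNAL_IP4_DNS", "").split()


def next_delay(idle_timeout, rng=random):
    """Random wait between 2/3 and 9/10 of the idle timeout, so traffic always beats it."""
    return rng.randint(2 * idle_timeout // 3, 9 * idle_timeout // 10)


def build_query(name, txid):
    """Minimal DNS A/IN query (RFC 1035) with the recursion-desired flag set."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return struct.pack(">6H", txid, 0x0100, 1, 0, 0, 0) + labels + b"\0" + struct.pack(">2H", 1, 1)


def send_query(server, name):
    """Send one UDP query to a VPN DNS server; the reply is not needed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(build_query(name, random.getrandbits(16)), (server, 53))


def run(env, name="keepalive.invalid", sleep=time.sleep, send=send_query, rounds=None):
    """Loop until killed by the post-disconnect hook, or until the tunnel device is gone."""
    servers = dns_servers(env)
    idle = int(env.get("IDLE_TIMEOUT") or 600)  # fallback value is an assumption
    tundev = env.get("TUNDEV")
    sent = 0
    while servers and (rounds is None or sent < rounds):
        sleep(next_delay(idle))
        if tundev and not os.path.exists("/sys/class/net/" + tundev):  # Linux-only check
            break  # tunnel vanished without the hook running: stop sending
        send(random.choice(servers), name)
        sent += 1
    return sent


if __name__ == "__main__":
    run(os.environ)
```

Because the queries go only to the servers in `INTERNAL_IP4_DNS`, they follow whatever routes vpnc-script installed for the tunnel, and the tunnel-device check keeps the process from lingering if the post-disconnect hook never fires.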