Open badbob001 opened 9 years ago
Hi, the current vpnc-script doesn't honour the exclude routes. If there is patch which fixes that, I'll apply it.
It would still be very helpful to just have includes, so only the specified subnets will go over the vpn. If this is possible with the current release, please point me to documentation on this. I've only seen one example for the non-windows version and none for the windows version.
The includes works just fine as long as the server sends you the correct routes. Check the log for the routes that are getting applied.
The vpn server will want to include all routes (no split tunneling). I want to ignore that and specify what subnets I want to route over the vpn.
This would be very helpful, failing that at least allow the option to specify another script. I have enabled split tunnelling locally by using a script to set the split route variables and then calling the (renamed) default script (script is below in case anyone else wants to do this):-
// Add one IP or subnet to the list of the split tunnel var oShell = WScript.CreateObject("WScript.shell"); var oProcEnv = oShell.Environment("Process");
function addAddr(addr, mask, maskLen) { oProcEnv("CISCO_SPLITINC" + oProcEnv("CISCO_SPLIT_INC") + "_ADDR") = addr; oProcEnv("CISCO_SPLITINC" + oProcEnv("CISCO_SPLIT_INC") + "_MASK") = mask; oProcEnv("CISCO_SPLITINC" + oProcEnv("CISCO_SPLIT_INC") + "_MASKLEN") = maskLen;
// increment counter
oProcEnv("CISCO_SPLIT_INC") = parseInt(oProcEnv("CISCO_SPLIT_INC")) + 1;
}
// Initialize empty split tunnel list oProcEnv("CISCO_SPLIT_INC") = 0;
// Delete DNS info provided by VPN server to use internet DNS // Comment following line to use DNS beyond VPN tunnel oProcEnv.Remove("INTERNAL_IP4_DNS");
// List of IPs or subnets beyond VPN tunnel addAddr("90.1.1.0", "255.255.255.0", "24"); addAddr("10.1.1.50", "255.255.255.255", "32");
// Execute default script oExec = oShell.Run("vpnc-script-main.js", 1, true);
MorpheusUK, I can't get your modifications to work. Does this work in Windows? Can the remote vpn gateway over-ride these new routes?
I renamed vpnc-script.js to vpnc-script-main.js. I think vpnc-script-win.js is not used at all. I created a new vpnc-script-main.js and pasted the above content. Then I added 'addAddr("x.x.x.x", "y.y.y.y", "z");' for each subnet that I WANT to reach over the tunnel. But after connection, I can't reach any of the specified subnets. I do a traceroute and they are still routing over the Internet.
I finally got it work.
Find this line:
echo("Configuring \"" + tundevid + "\" interface for Legacy IP...");
And add the following block before it. Update the dns and subnet list to fit your network.
function addAddr(addr, mask, maskLen)
{
env("CISCO_SPLIT_INC_" + env("CISCO_SPLIT_INC") + "_ADDR") = addr;
env("CISCO_SPLIT_INC_" + env("CISCO_SPLIT_INC") + "_MASK") = mask;
env("CISCO_SPLIT_INC_" + env("CISCO_SPLIT_INC") + "_MASKLEN") = maskLen;
env("CISCO_SPLIT_INC") = parseInt(env("CISCO_SPLIT_INC")) + 1;
}
env("CISCO_SPLIT_INC") = 0;
//DNS Servers to use. Put private ones first to get to intranet sites
env("INTERNAL_IP4_DNS") = "10.150.10.5 10.150.11.6 8.8.8.8 8.8.4.4";
//To use whatever DNS the vpn supplies, uncomment the following:
//env.Remove("INTERNAL_IP4_DNS");
// List of IPs or subnets beyond VPN tunnel
//IP4 doesn't care about masklen so I just make it XX
addAddr("10.0.0.0", "255.0.0.0", "XX");
addAddr("172.16.0.0", "255.240.0.0", "XX");
addAddr("65.52.10.0", "255.255.255.0", "XX");
addAddr("192.168.100.10", "255.255.255.255", "XX");
// To ignore the above subnet routes, uncomment the following lines:
//env.Remove("CISCO_SPLIT_INC");
Also, find this block:
for (var i = 0 ; i < parseInt(env("CISCO_SPLIT_INC")); i++) {
var network = env("CISCO_SPLIT_INC_" + i + "_ADDR");
var netmask = env("CISCO_SPLIT_INC_" + i + "_MASK");
var netmasklen = env("CISCO_SPLIT_INC_" + i + "_MASKLEN");
exec("route add " + network + " mask " + netmask +
" " + internal_gw);
}
And change the last line as such:
" " + internal_gw + " METRIC 1 IF " + tundevid);
At least for me, I have to specify the interface for the route else I'll use my non-vpn interface.
I also needed to set this from:
var REDIRECT_GATEWAY_METHOD = 0;
to
var REDIRECT_GATEWAY_METHOD = -1;
To allow non-specified routes to go normally over the internet. When it was set to 0, the 0.0.0.0 route for the vpn had a lower metric than the internet's 0.0.0.0 route.
Also, when viewing the log output of this script from the gui, the gui will only monitor the log output for maybe a minute before switching to show other output. The cutoff point is where it'll say something like:
Could not remove D:/temp\vpnc.log: 9
To view the full log, just open %temp%\vpnc.log. Maybe the gui should just wait until this script has completed before it stops monitoring vpnc.log.
Yeah the @badbob001 "patch" is working from my end too
I am trying the solution from @badbob001 , but I am not sure what file to edit or create.
I am using OpenConnect-GUI 1.5.3 on Windows 10.
I found the file C:\Program Files (x86)\OpenConnect-GUI\vpnc-script.js
.
But the line I should look for (echo("Configuring \"" + tundevid + "\" interface for Legacy IP...");
) does not exist.
For the OpenConnect-GUI 1.5.3 version in Windows 7 I used @badbob001 version, but instead of searching for echo("Configuring \"" + tundevid + "\" interface for Legacy IP...");
search for:
echo("Configuring " + env("TUNIDX") + " interface for Legacy IP...");
And instead of:
" " + internal_gw + " METRIC 1 IF " + tundevid);
Change the line to:
" " + internal_gw + " METRIC 1 IF " + env("TUNIDX"));
Basically, follow the @badbob001 instructions but where you read tundevid use env("TUNIDX").
I have started using the PIA client (basically a modified OpenVPN client) which also uses the TAP driver and have found that if I use PIA before openconnect then I lose connectivity to the internet whilst the VPN is running. I have noticed that my original script seems to have stopped working as it originally did at some point during the updates of openconnect-gui but tbh due to the fact that I was VPN'ing into my remote PC and from there to other sites on that side of the VPN I didn't really notice once I was able to access internet sites directly from my local machine at the same time which I couldn't before the changes of my original script.
I am now using @badbob001 and @daniel-ascensao change's (on the 1.5.3 vpnc-script.js) does allow me to again access other sites other than the main machine I connect to from my machine over the VPN. (Perhaps we should look at moving the address, mask and masklen into a csv file and if present looping through that to populate the custom routes. Then this could possibly be included in the main default script with the open-connect-gui releases.) However this still fails with access not over the VPN blocked when run after the PIA client without first rebooting my local PC.
Although I didn't compare them directly the routing tables from my version and the new version looked very similar and looked like in both cases things should have routed as expected with a brief surface look (hadn't picked up on the metric values). The routes also seem to be being cleared down on exit. Has anyone else seen this? Are we perhaps failing to restore some values when we create the custom routes?
I'm unsure if split-tunnel support is possible in Windows. I suspect it involves editing the vpnc-script-win.js. It would be nice if there is a gui for each connection so one can specify the ips/subnets to include/exclude from going over the vpn (perhaps this involves having a separate vpnc-script for each connection?). Ideally, if there are only 'include' statements, then only the mentioned subnets will go over the vpn and if there are only 'exclude' statements, then only the mentioned subnets will NOT go over the vpn. The former setup would be ideal for keeping internet/local traffic off the vpn.