Windows support #41
Comments
Error message should be clearer here. Just fixed, thanks.
I don't use Windows for software development myself, and very little interest in starting 😅 That said, contributions would be most welcome and I'd be glad to give advice on how to do it:
|
|
Thanks for the feedback! The diff of #11 looks worse than it is, as it does both refactor and add macOS support at the same time. I'll see if I find the time to do anything with this, although I doubt it in the short term. Whoever wants to take this, it's all yours :) |
|
So I did a little digging. It seems that this can be ported without too much effort, especially if one is OK with relying on WSL for
|
It's super ugly, but one workaround for now would be for you to pass a … which should do the right thing. One of the issues here is that Windows hasn't had a historically consistent and standardized way to split/parse/quote command-line arguments, which makes it a bit of a trial-and-error mess to pass the above into OpenConnect. 🤷♂️
Yes, this is important. I've thought about adding a This would also help with timing issues on POSIX, where sometimes creating the tunnel takes too long and vpn-slice tries to use it too soon. |
|
Good points! I do have to be honest, though: I was aiming at using vpn-slice to get split tunneling up and running, since I had no idea how to interpret routes, metrics and interfaces. In researching a bunch of stuff trying to understand the Windows vpnc scripts, I have, as a side-product, solved my original problems without having to use vpn-slice at all. This means I would not even benefit myself from implementing a Windows provider for vpn-slice, and it would cost me considerable time as well (also considering that I am currently not even able to build openconnect for Windows myself.) Further assuming that issues such as the lack of fork() will not be the last OS-specific issue I would be facing, I am inclined to summarize my efforts so far so other people can pick it up, but not go ahead with the actual implementation and, most importantly, thorough testing. |
|
That seems reasonable. If you can summarize how you've set up split-tunneling on Windows, it may indeed help others to implement this more cleanly later. |
|
Alright, this is 1/2, summarizing what I tried in
So I moved the I did the same with the Also, I noticed that the The main work is in Attached is a patch, maybe someone wants to continue what I started. |
|
2/2, how I am doing this without Basically, I installed the TAP driver from OpenVPN (the "OpenConnect GUI" installer does that, too). I renamed my ethernet connection "Ethernet", and the TAP one "OpenConnect". Also, I have set the DNS suffix "mycompany.org" on the OpenConnect interface. Then I use an elevated batch file like this: For split DNS, I have used something like this: This way, my network traffic is 100% split: The company nameserver sees requests only for The part up to here, I would love to do using VPNC env variables to be less fixed on correct naming of interfaces and stuff like this. BUT: I addition, I also configure SSH tunnels for SAMBA using additional loopback devices and additional HOSTS entries and set a proxy PAC script to route some web traffic through the companies proxy server for IP-based subscription access: in summary, as set of highly company-specific changes that would be a pain to integrate and maintain in vpn-slice - sorry! Still, I'll be happy to help with the above integration and/or answer questions regarding my specific setup! |
|
Hi @bersbersbers , could you clarify better the DNS part, perhaps posting your DNS version script, edited to mask your data but with commentaries as to where to do changes inside it? |
|
@Welsige sure, find attached. It's a bit reduced from my full version and I hope I didn't introduce any mistakes. Hard to test with "IP.OF.CMP.NS" :) There's three places you need to do changes, lines 16/17 for the company nameserver IP and their suffix; and optionally line 107 to select a different resolver. I experimented a bit with different options:
If, like me, you use this nameserver only on the VPN interface, what you chose to return has to be somewhat compatible with what the unmodified nameserver returns for the same IPs, as Windows pretty much queries different nameservers on different interfaces simultaneously. |
|
If you have access to powershell you can use Windows build in ability to split the DNS and use it only for company domains: Add-DnsClientNrptRule -Namespace "mycompany.org" -NameServers "xx.yy.zz.1" |
are you referssing to multihomed dns resolution @bersbersbers ? |
According to the links you posted, yes - this is exactly what I meant.
I never tried that, but assuming that your native connection has a lower metric, what you observe is what I would expect. Great to know that this is another option (as well as |
|
I have taken upon me to hold the torch of Windows support hopes (for a while) https://github.com/michkot/vpn-slice/compare/feature-windows_support michkot@8568cf7 Here is a small bridge app to "fit" vpn-slice into to Windows cscript-fixed binary build of openconnect: |
This is great. I had to use though - note the extra |
This might have been helpful, too, but it seems the |
|
alright so this is my take on this subject https://pastebin.com/80Thw5H2 - static subnets and masks lists and dns handled by additional commands as suggested by @reicheltp (thank you very much !) .Saved in the openconnect folder and using it as |
Hi @maurerr this works really well for one of my organizations but not the other. In both cases my public IP never changes to the company, so i know the split is working, but for only one of them i can connect to organization resources. Do you happen to have an updated version of this? I thought about using the powershell command but i dont know what NameServers is supposed to be? |
|
If it helps anyone, here is another vpnc-script based solution that consolidates the various tips above (does not require vpn-slice): Explanation of changes: Starting with the default vpnc-script.js provided by the OpenConnect GUI installation, add the following section to configure the split tunnel (I put it between the Initial setup and Utilities sections): // --------------------------------------------------------------
// Split Tunnel Configuration
// --------------------------------------------------------------
// Domain of the VPN network (used for split DNS configuration)
var VPN_DOMAIN = "company.com";
// Number of split-include rules to add to the routing table (these will be routed via VPN)
env("CISCO_SPLIT_INC") = 2;
// Rule 1: 10.x.x.x
env("CISCO_SPLIT_INC_0_ADDR") = '10.0.0.0';
env("CISCO_SPLIT_INC_0_MASK") = '255.0.0.0';
env("CISCO_SPLIT_INC_0_MASKLEN") = 8;
// Rule 2: 172.16.x.x through 172.31.x.x
env("CISCO_SPLIT_INC_1_ADDR") = '172.16.0.0';
env("CISCO_SPLIT_INC_1_MASK") = '255.240.0.0';
env("CISCO_SPLIT_INC_1_MASKLEN") = 12;
// Number of split-exclude rules to add to the routing table (these will be routed via default outbound internet connection).
// Setting this to 0 ignores any routes pushed by the VPN.
env("CISCO_SPLIT_EXC") = 0;The above configuration will route everything in 10.0.0.0/8 and 172.16.0.0/12 via the VPN, and also ignore any routes pushed by the VPN. Adjust this as needed for your corporate network. Next, in the Utilities section, add the following helper method to run a PowerShell command (this will be used for adding / removing split DNS): function run_pwsh(cmd)
{
var fullCmd = "powershell.exe -Command \"" + cmd + "\" 2>&1";
echo(DEBUG, "-> " + fullCmd);
var oExec = ws.Exec(fullCmd);
oExec.StdIn.Close();
var s = oExec.StdOut.ReadAll();
var exitCode = oExec.ExitCode;
if (exitCode != 0)
echo(ERROR, "\"" + cmd + "\" returned non-zero exit status: " + exitCode);
echo((exitCode != 0 ? ERROR : TRACE), " stdout+stderr dump: " + s);
accumulatedExitCode += exitCode;
return s;
}Next, you are going to want to REMOVE this section: if (env("INTERNAL_IP4_DNS")) {
var dns = env("INTERNAL_IP4_DNS").split(/ /);
for (var i = 0; i < dns.length; i++) {
var protocol = dns[i].indexOf(":") !== -1 ? "ipv6" : "ipv4";
// With 'validate=yes' (the default on newer Windows versions), Windows will try to
// connect to the DNS server, time out after ~10 seconds, and print a warning, but
// nevertheless add the specified server. Adding 'validate=no' is thus NECESSARY.
// We know that Windows 7 supports/requires the 'validate=no' flag (see #52). If
// someone using an older version of Windows that errors out on the unknown flag
// really wants us to support it, we'll need to figure out how to distinguish it.
run("netsh interface " + protocol + " add dnsservers " + env("TUNIDX") + " " + dns[i]
+ " validate=no");
}
echo(INFO, "Configured " + dns.length + " DNS servers: " + dns.join(" "));
}
echo(INFO, "done.");And replace it with: // Configure split DNS
if (env("INTERNAL_IP4_DNS")) {
var dns = env("INTERNAL_IP4_DNS").split(/ /);
if (dns.length > 0) {
echo(INFO, "Adding split DNS configuration (*." + VPN_DOMAIN + " -> " + env("INTERNAL_IP4_DNS") + ")");
run_pwsh("Add-DnsClientNrptRule -Namespace \"." + VPN_DOMAIN + "\" -NameServers " + dns.join(","));
echo(INFO, "done.");
}
}This will run a PowerShell command to route any DNS queries for Finally, you may want to clean up the split DNS configuration when disconnecting from the VPN. In // Remove split DNS configuration
echo(INFO, "Removing split DNS configuration");
run_pwsh("Get-DnsClientNrptRule | Where { $_.Namespace -eq '." + VPN_DOMAIN + "' } | Remove-DnsClientNrptRule -Force");This is especially important if there are any public subdomains that are supposed to be reachable outside the VPN (e.g., |
This package looks great - I would like to use it on Windows 10. However, ...
Is Windows support planned?
The text was updated successfully, but these errors were encountered: