Heiko Schabert [Fri, 6 May 2022 12:08:32 +0000 (14:08 +0200)]
Removed automatic adding of NS routes
With openconnect version 9.01 include-split was modified, in a way that
an announced route with netmask 0.0.0.0 will leverage env variable `CISCO_SPLIT_INC`.
Entries inside `CISCO_SPLIT_INC` always cause routes to the NS
`INTERNAL_IP4_DNS` to be created.
This commit removes the automatic adding of NS routes.
The same mechanism applies to IP6 as well, which uses
env variable `CISCO_IPV6_SPLIT_INC`
Resolves #38. Alignment with the behaviour of NetworkManager openconnect;
see [1].
Luca Boccassi [Sat, 5 Mar 2022 15:41:48 +0000 (15:41 +0000)]
vpnc-script-sshd: use ip link peer name syntax
iproute2 since at least v4.20 supports specifying local and remote
peer names. Use that instead of guessing. Support older iproute2
versions by falling back to guessing.
Reported-by: Karl O. Pinc <kop@karlpinc.com>
Signed-off-by: Luca Boccassi <bluca@debian.org>
Daniel Lenski [Sat, 22 Jan 2022 21:48:16 +0000 (13:48 -0800)]
On newer versions of Windows, need `validate=no` when adding DNS servers
This should fix https://gitlab.com/openconnect/openconnect/-/issues/375.
It appears that on newer Windows systems, `netsh interface ipvX add dns` can
take a long time to run, over 10 seconds. (See
https://gitlab.com/openconnect/openconnect/-/issues/375#note_818616048 for
examples.)
This appears to be because of unwanted network I/O. Specifically, unless
`validate=no` is specified, Windows will try to immediately connect to the
server. Because OpenConnect is not yet exchanging packets over the tunnel
when the vpnc-script is invoked, and hasn't even added IP *routes* for the
tunnel yet, this connection cannot succeed in most configurations. If it
can't connect:
1. It times out after ~10 seconds.
2. It prints a warning: "The configured DNS server is incorrect or does not exist."
3. It nevertheless adds the specified DNS server for the interface.
4. It returns success (exit status 0).
This combination of effects explains why we weren't detecting and displaying
the error.
The `validate` option appears to be poorly documented; it appears in the help
output of `netsh interface ipvX add dns` on Windows 10, but it doesn't
appear in Microsoft's web documentation of `netsh interface ipvX add dns`
for Windows 2008
(https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731521(v=ws.10)#add-dnsserver),
which is what their "netsh overview" documentation for Windows 2012
(https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129394(v=ws.11))
refers readers to for comprehensive information.
Furthermore, the `validate` option does not exist on older versions of
Windows, but it's *enabled by default* on Windows 10. This means that
we have to be sure to append `validate=no` on newer versions of Windows,
but *not* to append it on older versions.
Daniel Lenski [Sat, 22 Jan 2022 20:58:55 +0000 (12:58 -0800)]
Better ordering, more logging, and disconnect handler fixes on Windows
Set up the explicit route to the VPN gateway before configuring *anything else*,
and include default/Internet-facing gateway in the logging output.
Fixed a couple of issues in the 'disconnect' handler. We missed these until
now because the 'disconnect' handler was *never being run on Windows* due to
https://gitlab.com/openconnect/openconnect/-/issues/362, until this was
fixed in https://gitlab.com/openconnect/openconnect/-/merge_requests/323
1. Need to specify 'store=active' when deleting an IPv6 address on disconnect
(missed this in 3a11fc7c971a28e375cc1fb2defe9d829aed2a4f)
2. Put some logging on the 'disconnect' handler.
Daniel Lenski [Sat, 22 Jan 2022 20:52:35 +0000 (12:52 -0800)]
Add logLevel and logTimestamps options to vpnc-script-win.js
Based on discussions about how to improve vpnc-script logging in
https://gitlab.com/openconnect/vpnc-scripts/-/issues/32#note_810779624.
See https://gitlab.com/openconnect/openconnect/-/merge_requests/328,
which makes OpenConnect send its verbosity level to the vpnc-script
as $LOG_LEVEL.
In the future, $LOG_TIMESTAMPS should probably also be passed by
OpenConnect, although this may be unnecessary since most OSes' logging
systems can add timestamps on their own.
Daniel Lenski [Tue, 30 Nov 2021 18:06:44 +0000 (10:06 -0800)]
Always use INTERNAL_IP4_ADDRESS as "gateway" on Windows
It appears that Windows's 'netsh' utility doesn't like the VPN interface
having a "gateway" address of 0.0.0.1, which is what vpnc-script-win.js
would attempt to use if INTERNAL_IP4_NETMASK is /0. See
https://gitlab.com/openconnect/openconnect/-/merge_requests/306#note_745139972.
As noted in the OpenConnect source, "It's a tunnel; having a gateway is
meaningless."
Setting the "gateway" address for Windows to match INTERNAL_IP4_ADDRESS
seems like the simplest way to make 'netsh' configure routing correctly in
all cases, including when the INTERNAL_IP4_NETMASK is either /0 or /32.
which was first released in systemd v239 from June 2018.
systemd-resolve is usually symlinked to resolvectl, but it appears to
be deprecated. This change will still fall back to trying
systemd-resolve if resolvectl fails.
Daniel Lenski [Wed, 17 Nov 2021 19:34:00 +0000 (19:34 +0000)]
Another bugfix when determining the controlling PID
In 596d947a ("Use $VPNPID when provided by OpenConnect"), I inadvertently
included an extra space, which entirely defeated the purpose of checking
if this variable is empty.
Ville Skyttä [Fri, 12 Nov 2021 22:06:22 +0000 (00:06 +0200)]
Use `grep -E` instead of `egrep`
`egrep` has been deprecated in GNU grep since 2007, and in current
post 3.7 Git it has been made to emit obsolescence warnings:
https://git.savannah.gnu.org/cgit/grep.git/commit/?id=a9515624709865d480e3142fd959bccd1c9372d1
Ville Skyttä [Fri, 12 Nov 2021 21:47:56 +0000 (23:47 +0200)]
Use `command -v` instead of `which`
`which` is not standard and might not be installed, whereas `command -v`
is in POSIX and its predecessor specs at least since 1994,
specified to produce no output when the arg command is not found.
https://pubs.opengroup.org/onlinepubs/7908799/xcu/command.html
`which` is also deprecated in Debian's debianutils 5.0+ and emits a
warning when used. At the moment, 5.0+ is only in Debian unstable, and
there is no other package in it providing `which`.
https://salsa.debian.org/debian/debianutils/-/commit/3a8dd10b4502f7bae8fc6973c13ce23fc9da7efb
Daniel Lenski [Fri, 24 Sep 2021 15:07:00 +0000 (08:07 -0700)]
Ensure that vpnc-script-win.js works even if INTERNAL_IP4_{NETADDR,NETMASK} are unset
Not all protocols supported by OpenConnect consistently set the variables
INTERNAL_IP4_{NETADDR,NETMASK} in all cases.
This should be fixed within OpenConnect itself as part of
https://gitlab.com/openconnect/openconnect/-/merge_requests/215, but in the
meantime (and for older versions of OpenConnect/vpnc) we need to ensure that
vpnc-script-win.js works correctly even when these are unset.
Daniel Lenski [Wed, 22 Sep 2021 19:12:00 +0000 (19:12 +0000)]
Add polyfill for String.prototype.trim in vpnc-script-win.js
As noted in https://gitlab.com/openconnect/openconnect/-/issues/312#note_684460541,
Windows Scripting Host's "JScript" does not appear to support
the `String.prototype.trim` method, apparently due to being
based on a very old ECMAScript standard.
The straightforward solution is to use the JavaScript polyfill
described in https://stackoverflow.com/a/35456830.
Daniel Lenski [Thu, 16 Sep 2021 19:56:55 +0000 (12:56 -0700)]
Use $VPNPID when provided by OpenConnect
See https://gitlab.com/openconnect/openconnect/-/merge_requests/278. Once
merged, OpenConnect will send its PID to the vpnc-script as $VPNPID. The
vpnc-script should use this in preference to trying to figure out its
grandparent's PID on its own.
Daniel Lenski [Thu, 16 Sep 2021 03:00:08 +0000 (20:00 -0700)]
Bugfix default route handling by using GRANDparent process ID to uniquely identify connection
In 01d3b8c0, I tried to fix an issue with default route restoration when
multiple "stacked" VPNs were running. However, this actually caused more
problems than it solved, by breaking default route restoration in the
"usual" case of a single VPN.
The problem is that OpenConnect (and vpnc) always call the vpnc-script via
an intermediary, ephemeral shell process. So the GRANDparent process ID
must be used to persistently identify the VPN connection between vpnc-script
'connect' and 'disconnect' invocations.
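An added example (not the project's vpnc-script) of the PID handling this commit, "Use $VPNPID when provided by OpenConnect" and "Another bugfix when determining the controlling PID" describe: prefer $VPNPID, otherwise resolve the grandparent PID, and test the variable without stray whitespace. The /proc lookup, the `ps` fallback and the state-file path are assumptions.

```shell
#!/bin/sh
# Added example, not the project's vpnc-script: identify the VPN connection
# by PID so that 'connect' and 'disconnect' agree on the same state file.

# parent_of PID: print the parent PID of PID. Reading /proc first and falling
# back to `ps` is an assumption about the host, not taken from the scripts.
parent_of() {
    if [ -r "/proc/$1/stat" ]; then
        # /proc/PID/stat is "PID (comm) state ppid ..."; cut through the last ')'
        # because comm itself may contain spaces or parentheses.
        sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $2 }'
    else
        ps -o ppid= -p "$1" | tr -d ' '
    fi
}

# vpn_pid: PID that persistently identifies this connection between the
# 'connect' and 'disconnect' invocations of the script.
vpn_pid() {
    # Test exactly "$VPNPID": a stray space inside the quotes ("$VPNPID ")
    # is never empty, so the fallback below would never run.
    if [ -n "$VPNPID" ]; then
        echo "$VPNPID"
        return 0
    fi
    # OpenConnect and vpnc run the script through an ephemeral shell, so our
    # parent is that shell and the grandparent is the VPN client itself.
    parent_of "$PPID"
}

# defaultroute_file: per-connection file holding the pre-VPN default route,
# written on 'connect' and read back on 'disconnect' (path is an assumption).
defaultroute_file() {
    echo "/var/run/vpnc/defaultroute.$(vpn_pid)"
}
```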
Daniel Lenski [Thu, 1 Apr 2021 15:43:12 +0000 (08:43 -0700)]
always exclude TUNDEV when finding/setting gateway route
The previous commit didn't fix #20, because 'ip route get' doesn't preserve the onlink flag.
(See https://gitlab.com/openconnect/vpnc-scripts/-/issues/20#note_542783676)
We should just use the 'ip route show' version across-the-board; it's more complex, but appears
to be quite robust. If we have to use it to get the gateway route correctly, then we simply
remove the redundancy in the code. *BSD code ('route'-based) can be similarly simplified.
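An added example (not the project's code) of the 'ip route show' approach this commit describes: select the default route while always excluding $TUNDEV, then build the explicit route to the VPN gateway, carrying the onlink flag that 'ip route get' would drop. The sample routing table is constructed, and picking the lowest-metric candidate is an assumption.

```shell
#!/bin/sh
# Added example, not the project's vpnc-script: locate the real default route
# in `ip route show` output and build the explicit VPN-gateway route from it.

# find_default_route TUNDEV: read `ip route show` lines on stdin and print the
# default route that does not go over TUNDEV (lowest metric wins; assumption).
find_default_route() {
    awk -v tun="$1" '
        $1 != "default" { next }
        {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev == tun) next
            if (best == "" || metric < bestm) { best = $0; bestm = metric }
        }
        END { if (best != "") print best }'
}

# route_field ROUTE KEY: the value following KEY ("via", "dev", ...) in ROUTE
route_field() {
    echo "$1" | awk -v key="$2" '{ for (i = 1; i < NF; i++) if ($i == key) print $(i + 1) }'
}

# gateway_route_cmd VPNGATEWAY TUNDEV ROUTES: the `ip route` command that pins
# the VPN server behind the original default route, keeping `onlink` when the
# original route carries it (`ip route get` would silently drop that flag).
gateway_route_cmd() {
    route=$(printf '%s\n' "$3" | find_default_route "$2")
    [ -n "$route" ] || return 1
    via=$(route_field "$route" via)
    dev=$(route_field "$route" dev)
    cmd="ip route add $1"
    if [ -n "$via" ]; then cmd="$cmd via $via"; fi
    cmd="$cmd dev $dev"
    case " $route " in *" onlink "*) cmd="$cmd onlink" ;; esac
    echo "$cmd"
}

# Constructed sample of `ip route show` with a VPN tunnel already present
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100 onlink
default dev tun0 scope link
10.0.0.0/8 dev tun0 scope link
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.7'
```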
Daniel Lenski [Wed, 31 Mar 2021 23:23:38 +0000 (16:23 -0700)]
vpnc-script-win: make VPN addresses/gateways "non-persistent", and delete them on disconnect
Persisting the state of IPv4 configuration of these interfaces is generally
unhelpful (as with DNS/WINS settings).
Two approaches. We do both:
1. Make the addresses ephemeral ("netsh ... store=active", as opposed to the
"store=persistent" default). This ensures that the addresses won't last
past reboot.
2. Delete the addresses upon disconnection.
Aaron LI [Sun, 13 Dec 2020 08:38:38 +0000 (16:38 +0800)]
Add DragonFly BSD support and improve FreeBSD support
Support DragonFly BSD for TUN creation and destruction in the same way as
FreeBSD.
No need to load the `if_tun` kernel module, because the `ifconfig(8)`
utility on FreeBSD and DragonFly BSD will auto load it if necessary
(the `-n` option suppresses this behavior; see man page for details).
This feature was added to `ifconfig(8)` in 1999:
https://github.com/freebsd/freebsd/commit/4d16916f800d4c5ee37fb3c93ca6981ad9b33eb3
In addition, FreeBSD 13 has merged `if_tun` and `if_tap` into a single
module named `if_tuntap`. So this change improves the FreeBSD
support.
Signed-off-by: Aaron LI <aly@aaronly.me>
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 8 Dec 2020 07:31:50 +0000 (23:31 -0800)]
fix another ifconfig syntax difference between Linux and *BSDs
See https://gitlab.com/openconnect/vpnc-scripts/-/merge_requests/9#note_466328301:
> Thanks. I don't know how this one was missed; the [FreeBSD man
> page](https://www.freebsd.org/cgi/man.cgi?ifconfig) and [macOS man
> page](https://ss64.com/osx/ifconfig.html) clearly show that `delete` has
> to come _after_ the address.
>
> However, Linux's ifconfig [requires `del` to come
> before](https://linux.die.net/man/8/ifconfig), and _only_ works for
> removing IPv6 addresses… so this needs to be reworked a bit to not break
> on Linux.
Daniel Lenski [Tue, 8 Dec 2020 06:12:05 +0000 (22:12 -0800)]
use `ip netns` instead of ocserv `listen-netns` config option for test configs
`listen-netns` is new in ocserv 1.1.1, while iproute2's `ip netns` will work
more universally on Linux, allowing testing on older Linux distributions (see
https://gitlab.com/openconnect/vpnc-scripts/-/commit/c95a3ad0e77963fea73c185ff0308e1edabe522c#note_457425702)
Trygve Aaberge [Sun, 12 Aug 2018 09:53:31 +0000 (11:53 +0200)]
Use systemd-resolve to check if resolved is running
resolved may be included in nsswitch.conf even though systemd-resolved
is not running. E.g. Arch Linux includes resolved in nsswitch.conf by
default, but systemd-resolved is not enabled by default, which causes
this script to fail updating dns.
This patch uses the systemd-resolve command, which is included with
systemd, to check if systemd-resolved is actually running.
Signed-off-by: Trygve Aaberge <trygveaa@gmail.com>
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Fri, 27 Nov 2020 19:54:23 +0000 (11:54 -0800)]
CI: don't need to install ocserv and which
These are already included in the Centos7 build image: https://gitlab.com/openconnect/build-images/-/blob/master/openconnect-cli/centos7/Dockerfile#L11
Daniel Lenski [Sat, 28 Nov 2020 02:27:08 +0000 (18:27 -0800)]
numerous fixes for Linux IPv6 configuration using ifconfig/route/netstat
Trying to ensure that none of the commands executed change in any way on the actual non-Linux OSes which
we cannot directly test with CI currently.
- add missing $route_syntax_gw
- need new syntax variants:
  - $ifconfig_syntax_add_inet6 ('add' on Linux, 'inet6' on *BSDs)
  - $route_syntax_ipv6 ('-6' on Linux, '-inet6' on *BSDs)
- special handling for IPv6 route addition/deletion on Linux:
  - '-host'/'-net' are REQUIRED on *BSDs but Linux 'route' rejects them
    ⇒ add $route_syntax_ipv6_{host,net} for these cases
  - Linux 'route' rejects local adapter's IPv6 address as gateway with "SIOCADDRT: invalid argument"
    ⇒ use 'dev $DEVICE' instead of 'gw $NETGW' in this case on Linux
Daniel Lenski [Wed, 25 Nov 2020 21:48:20 +0000 (13:48 -0800)]
try running tests with *BSD-ish tools (ifconfig/route/netstat) for additional coverage
Things that should be improved:
* Need a better way to disable iproute2. Most likely the sanest way to
do this will actually be to split the vpnc-script into two versions, rather than
try to maintain its one-size-fits-all structure.
* Need a better way to enable tracing in vpnc-script. This really should be added
to OpenConnect itself (in part, by adding `-x` to the `sh /path/to/vpnc-script`
exec) since we're frequently requesting it of real users for real issues.
James Hennessy [Sun, 17 Feb 2019 19:18:05 +0000 (14:18 -0500)]
Don't use /sbin/resolvconf if it just points to resolvectl.
On Fedora 29 systems, resolvconf is a symbolic link to resolvectl, but
using resolvectl won't work unless "resolve" appears on the "hosts" line
of /etc/nsswitch. If we reach the point of considering resolvconf, then
"resolve" is not enabled and resolvectl should be avoided.
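An added example (not the project's vpnc-script) combining the checks described in "Use `command -v` instead of `which`", "Use systemd-resolve to check if resolved is running" and "Don't use /sbin/resolvconf if it just points to resolvectl", with resolvectl tried before the deprecated systemd-resolve: it decides which DNS backend a Linux host should get. `readlink -f` and the exact status commands used to probe resolved are assumptions.

```shell
#!/bin/sh
# Added example, not the project's vpnc-script: choose a DNS backend on Linux
# using the checks the commits above describe.

# have_cmd NAME: POSIX replacement for `which`; silent, exit status only
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# nsswitch_has_resolve FILE: does the "hosts:" line of FILE list "resolve"?
nsswitch_has_resolve() {
    grep -E '^hosts:.*[[:space:]]resolve([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# resolvconf_is_resolvectl PATH: is PATH a symlink that ends up at resolvectl?
# (`readlink -f` is assumed available, as on GNU and BusyBox userlands.)
resolvconf_is_resolvectl() {
    [ -L "$1" ] || return 1
    target=$(readlink -f "$1") || return 1
    [ "$(basename "$target")" = "resolvectl" ]
}

# resolved_running: ask systemd whether systemd-resolved is actually active;
# try resolvectl first and fall back to the deprecated systemd-resolve name.
resolved_running() {
    if have_cmd resolvectl && resolvectl status >/dev/null 2>&1; then
        return 0
    fi
    if have_cmd systemd-resolve && systemd-resolve --status >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# pick_dns_backend NSSWITCH RESOLVCONF: print resolvectl, resolvconf or resolv.conf.
# resolvectl is only usable when "resolve" is in nsswitch AND resolved runs;
# a resolvconf that is merely a symlink to resolvectl is skipped.
pick_dns_backend() {
    if nsswitch_has_resolve "$1" && resolved_running; then
        echo resolvectl
    elif [ -x "$2" ] && ! resolvconf_is_resolvectl "$2"; then
        echo resolvconf
    else
        echo resolv.conf
    fi
}
```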