Not writing to /etc/hosts #44

Closed
m0ngr31 opened this issue Apr 22, 2020 · 8 comments

Comments

m0ngr31 commented Apr 22, 2020

I've been using this script for a while now, and it has been working great. Today I did a fresh install of Ubuntu 20.04, and when I run this it seems to connect okay, but it never seems to write to /etc/hosts, so it never forwards the traffic.

If I run without the script, I can get the full VPN just fine.

When I kill openconnect while I'm running the script, vpn-slice keeps running and I have to manually kill it. When I do, I get the following message in my terminal:

/usr/bin/dig: isc_socket_bind: address not available

While it is running, it will slowly start printing out messages like this to my terminal:

WARNING: Lookup for my-example-domain.com on VPN DNS servers failed.

Is there something I'm doing wrong?

dlenski (Owner) commented Apr 23, 2020

It's not writing to /etc/hosts because it's getting timed out while looking up the hosts, hence the helpful warning messages about failing dig processes. (That's the tool used to do the DNS lookups.)

Why is dig failing? I have no idea… ¯\_(ツ)_/¯

What happens if you add --dump -v to the vpn-slice arguments to make it print out more details about the routing configuration passed in by OpenConnect?

dlenski added the "needs info" (Need more information) label Apr 23, 2020
m0ngr31 (Author) commented Apr 23, 2020

Here's what I get with those flags:

Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
WARNING: IPv6 address or netmask set, but this version of vpn-slice has only rudimentary support for them.
Called by /usr/sbin/openconnect (PID 37345) with environment variables for vpnc-script:
  reason                  => reason=<reasons.pre_init: 1>
  VPNGATEWAY              => gateway=IPv4Address('XXX.XXX.XXX.149')
  CISCO_DEF_DOMAIN        => domain=['corp.XXXXXX.com']
  INTERNAL_IP4_ADDRESS    => myaddr=IPv4Address('172.135.4.22')
  INTERNAL_IP4_MTU        => mtu=1406
  INTERNAL_IP4_NETMASK    => netmask=IPv4Address('255.255.224.0')
  INTERNAL_IP4_NETMASKLEN => netmasklen=19
  INTERNAL_IP4_NETADDR    => network=IPv4Network('172.135.0.0/19')
  INTERNAL_IP4_DNS        => dns=[IPv4Address('X.X.X.X'), IPv4Address('XXX.XXX.XXX.XXX')]
  INTERNAL_IP6_ADDRESS    => myaddr6=IPv6Address('XXXX:XXXX:XXXX:XXXX::1085')
  INTERNAL_IP6_NETMASK    => netmask6=IPv6Interface('XXXX:XXXX:XXXX:XXXX::1085/64')
WARNING: IPv6 address or netmask set, but this version of vpn-slice has only rudimentary support for them.
Called by /usr/sbin/openconnect (PID 37345) with environment variables for vpnc-script:
  reason                  => reason=<reasons.connect: 2>
  VPNGATEWAY              => gateway=IPv4Address('XXX.XXX.XXX.XXX')
  TUNDEV                  => tundev='tun0'
  CISCO_DEF_DOMAIN        => domain=['corp.XXXXXX.com']
  INTERNAL_IP4_ADDRESS    => myaddr=IPv4Address('172.135.4.22')
  INTERNAL_IP4_MTU        => mtu=1406
  INTERNAL_IP4_NETMASK    => netmask=IPv4Address('255.255.224.0')
  INTERNAL_IP4_NETMASKLEN => netmasklen=19
  INTERNAL_IP4_NETADDR    => network=IPv4Network('172.135.0.0/19')
  INTERNAL_IP4_DNS        => dns=[IPv4Address('10.73.97.6'), IPv4Address('XXX.XXX.XXX.XXX')]
  INTERNAL_IP6_ADDRESS    => myaddr6=IPv6Address('XXXX:XXXX:XXXX:XXXX::1085')
  INTERNAL_IP6_NETMASK    => netmask6=IPv6Interface('XXXX:XXXX:XXXX:XXXX::1085/64')
Blocked incoming traffic from VPN interface with iptables.
Added routes for 2 nameservers, 0 subnets, 0 aliases.
Restored routes for 0 excluded subnets.
Adding /etc/hosts entries for 2 nameservers...
  XX.XX.XX.XX = dns0.tun0
  XXX.XXX.XXX.XXX = dns1.tun0
Looking up 113 hosts using VPN DNS servers...
WARNING: Lookup for XXX.XXX.com on VPN DNS servers failed.

I left a working Manjaro install for this. It also had the same issue on Ubuntu 19.10 when I tried that yesterday as well. Just FYI.
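The dump above is vpn-slice's rendering of the vpnc-script environment that OpenConnect exports (one flat string per variable) and of the `dnsN.tun0` aliases it then adds to /etc/hosts. The following is an added example, not vpn-slice's own code, that parses that environment into typed objects and merges the nameserver entries into a hosts file idempotently and atomically. The sample environment is constructed from the dump (masked addresses replaced with documentation-range values); the `# vpn-slice-tun0 AUTOCREATED` tag, `parse_env`, `merge_hosts` and `write_hosts` are this example's own names and choices.

```python
"""Parse the vpnc-script environment OpenConnect hands to vpn-slice and derive
the /etc/hosts entries for the VPN nameservers.

Added example, not vpn-slice's own code; standard library only.
"""
import ipaddress
import os
import tempfile
from typing import Dict, List

# Constructed sample modelled on the --dump output above. Masked addresses are
# replaced with documentation-range values; the unmasked ones are kept.
SAMPLE_ENV: Dict[str, str] = {
    "reason": "connect",
    "VPNGATEWAY": "198.51.100.149",
    "TUNDEV": "tun0",
    "CISCO_DEF_DOMAIN": "corp.example.com",
    "INTERNAL_IP4_ADDRESS": "172.135.4.22",
    "INTERNAL_IP4_MTU": "1406",
    "INTERNAL_IP4_NETMASK": "255.255.224.0",
    "INTERNAL_IP4_NETMASKLEN": "19",
    "INTERNAL_IP4_NETADDR": "172.135.0.0",
    "INTERNAL_IP4_DNS": "10.73.97.6 198.51.100.53",   # space-separated list
    "INTERNAL_IP6_ADDRESS": "2001:db8:1:2::1085",
    "INTERNAL_IP6_NETMASK": "2001:db8:1:2::1085/64",
}


def parse_env(env: Dict[str, str]) -> dict:
    """Turn the flat string variables into typed ipaddress objects."""
    cfg = {
        "reason": env.get("reason"),
        "gateway": ipaddress.ip_address(env["VPNGATEWAY"]),
        "tundev": env.get("TUNDEV"),
        "domain": env.get("CISCO_DEF_DOMAIN", "").split(),
        # IPv4 and IPv6 resolvers arrive in separate variables; keep them in
        # one ordered list so the dns0, dns1, ... numbering is stable.
        "dns": [ipaddress.ip_address(a)
                for var in ("INTERNAL_IP4_DNS", "INTERNAL_IP6_DNS")
                for a in env.get(var, "").split()],
    }
    if "INTERNAL_IP4_ADDRESS" in env:
        cfg["myaddr"] = ipaddress.IPv4Address(env["INTERNAL_IP4_ADDRESS"])
        netaddr = env.get("INTERNAL_IP4_NETADDR", env["INTERNAL_IP4_ADDRESS"])
        # Prefer the prefix length; fall back to the dotted mask, then to a /32.
        mask = env.get("INTERNAL_IP4_NETMASKLEN") or env.get("INTERNAL_IP4_NETMASK") or "32"
        cfg["network"] = ipaddress.IPv4Network(f"{netaddr}/{mask}", strict=False)
    if "INTERNAL_IP6_ADDRESS" in env:
        cfg["myaddr6"] = ipaddress.IPv6Address(env["INTERNAL_IP6_ADDRESS"])
        iface = env.get("INTERNAL_IP6_NETMASK", env["INTERNAL_IP6_ADDRESS"] + "/128")
        cfg["network6"] = ipaddress.IPv6Interface(iface).network
    return cfg


def hosts_tag(tundev: str) -> str:
    """Marker appended to every line we own so a later run can find and replace
    them. The wording is this example's own choice (assumption)."""
    return f"# vpn-slice-{tundev} AUTOCREATED"


def nameserver_entries(cfg: dict) -> List[str]:
    """The dnsN.<tundev> aliases shown in the 'Adding /etc/hosts entries' output."""
    tag = hosts_tag(cfg["tundev"])
    return [f"{ip} dns{i}.{cfg['tundev']} {tag}" for i, ip in enumerate(cfg["dns"])]


def merge_hosts(existing: str, entries: List[str], tag: str) -> str:
    """Drop lines carrying our tag, then append fresh ones. Running this twice
    yields the same text, and lines we did not create are never touched."""
    kept = [line for line in existing.splitlines() if not line.rstrip().endswith(tag)]
    return "\n".join(kept + entries) + "\n"


def write_hosts(path: str, entries: List[str], tag: str) -> None:
    """Atomic update: write a temp file beside the target and rename over it,
    so a crash mid-write cannot leave /etc/hosts truncated."""
    with open(path) as fh:
        new_text = merge_hosts(fh.read(), entries, tag)
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".hosts.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
        os.chmod(tmp, st.st_mode & 0o777)   # keep the original mode (0644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    print(f"{len(cfg['dns'])} nameservers, client network {cfg['network']}")
    for line in nameserver_entries(cfg):
        print(" ", line)
```

Running it prints the two `dnsN.tun0` lines; `write_hosts("/etc/hosts", nameserver_entries(cfg), hosts_tag("tun0"))` would apply them (root required). Because every owned line carries the tag, the same function with an empty entry list is also the cleanup step for the disconnect reason.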

m0ngr31 (Author) commented Apr 23, 2020

I also just tried this with 18.04 with the same results. Was there an update to the package that could have broken this?

I installed v0.11 and it works fine again. So it's probably just been a while since I had updated and the new updates don't work on my corp VPN.

dlenski (Owner) commented Apr 23, 2020

> I installed v0.11 and it works fine again. So it's probably just been a while since I had updated and the new updates don't work on my corp VPN.

I see that your VPN is offering IPv6 addresses and IPv6 DNS servers.

We've added some IPv6 support (see #6, #30 which were in v0.11; 1e5c92b, #39 were added in v0.13). Unfortunately I cannot thoroughly test the IPv6 support since I do not have access to a VPN that supports IPv6 myself.

Likely there is something wrong with the dig command line we're using to do the DNS lookup in your case. Please test 3a4bbdb, where I've added additional logging of the exact DNS lookup command line in the case where it fails.
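To make the two failure modes in this thread concrete (dig printing `isc_socket_bind: address not available`, which is a failure to bind the requested source address, and lookups that hang until a timeout and are then reported as "Lookup ... failed"), here is an added example, not vpn-slice's own code and not its dig command line: a minimal stdlib DNS A-record client that binds an explicit source address, falls back to the kernel's choice when that address is not configured (EADDRNOTAVAIL), refuses to bind an IPv6 source for an IPv4 server or vice versa, and returns `None` on timeout instead of hanging. The wire-format response is constructed in `constructed_response` so the parser runs offline; the 2-second timeout and the fallback policy are this example's choices.

```python
"""Minimal DNS A lookup with explicit source bind and timeout (stdlib only).

Added example; not vpn-slice code. Demonstrates the bind and timeout failure
modes discussed in the thread.
"""
import errno
import ipaddress
import random
import socket
import struct
from typing import List, Optional


def build_query(name: str, qid: int) -> bytes:
    """Standard query, RD=1, one question of type A / class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln


def parse_a_records(msg: bytes, expected_id: int) -> List[str]:
    """Return the A-record addresses in a response, checking ID and RCODE."""
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if qid != expected_id:
        raise ValueError("response ID mismatch (stale or spoofed reply)")
    if flags & 0xF:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                   # skip CNAMEs and anything else
    return addrs


def constructed_response(qid: int, name: str, addr: str, ttl: int = 60) -> bytes:
    """Constructed reply (QR=1, RD=1, RA=1) so the parser can be exercised offline."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


def lookup_a(name: str, server: str, bind_addr: Optional[str] = None,
             timeout: float = 2.0) -> Optional[List[str]]:
    """Query `server` over UDP; None on timeout, list of addresses otherwise."""
    srv = ipaddress.ip_address(server)
    family = socket.AF_INET6 if srv.version == 6 else socket.AF_INET
    qid = random.randrange(65536)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A source address of the other family cannot be bound to this socket;
        # only attempt the bind when the versions agree.
        if bind_addr and ipaddress.ip_address(bind_addr).version == srv.version:
            try:
                s.bind((bind_addr, 0))
            except OSError as e:
                if e.errno != errno.EADDRNOTAVAIL:
                    raise
                # Address not configured on any interface (the condition dig
                # reports as "isc_socket_bind: address not available"); let the
                # kernel choose the source instead of failing the lookup.
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None                # caller logs a failed lookup and moves on
        return parse_a_records(data, qid)


if __name__ == "__main__":
    reply = constructed_response(0x1234, "host.corp.example.com", "10.0.0.5")
    print(parse_a_records(reply, 0x1234))
```

`lookup_a("host.corp.example.com", "10.73.97.6", bind_addr="172.135.4.22")` is the shape of call a vpnc-script helper would make once the tunnel is up. Truncated (TC) replies and TCP fallback are deliberately not handled here; a production resolver such as dnspython covers those cases.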

dlenski added a commit that referenced this issue Apr 29, 2020
dlenski (Owner) commented Apr 30, 2020

I've pushed a new dnspython branch, which uses https://github.com/rthalley/dnspython to do the DNS lookups instead of dig.

Should be easier to maintain, less error-prone, and faster to do the lookups.

@m0ngr31 @gmacon @jeLee6gi @joelbu … would be great to have some of you test this branch if you're still using vpn-slice.

dlenski added the "bug" and "ipv6" labels and removed the "needs info" (Need more information) label Apr 30, 2020
jeLee6gi commented

Works like a charm for my relatively simple use case (same as in #45).

gmacon (Collaborator) commented May 2, 2020

This is working for me.

dlenski (Owner) commented May 3, 2020

Thanks @jeLee6gi and @gmacon. Will merge it soon!

@dlenski dlenski closed this as completed May 27, 2020
Repository owner locked and limited conversation to collaborators Oct 11, 2020