
problem adding hosts by name on MacOS #75

Closed
bilak opened this issue May 13, 2021 · 5 comments
Labels: needs info (Need more information)

Comments


bilak commented May 13, 2021

Hello,
I didn't find vpn-slice on Stack Overflow, so I'm trying to ask for help here.

When I'm using openconnect on Ubuntu I just configure route 192.168.1.0 255.255.255.0 and everything communicates through VPN.

However, I'd like to use a Mac and route only work-related traffic through the VPN and everything else "normally".
Something like this works perfectly for some use cases: sudo openconnect --cafile=./myvpn.com.pem --servercert pin-sha256:somecert --disable-ipv6 -u me -s 'vpn-slice 192.168.1.0/24 somehost.myvpn.com' myvpn.com.
I've recently realised that there are some domains that I'm only able to access through the VPN, but with the configuration above I'm not able to do so. So for example, if I'd like to connect to som.weird.example.com, what would be the configuration? I've tried to modify the script like this: -s 'vpn-slice 192.168.1.0/24 somehost.myvpn.com som.weird.example.com', but that didn't work. Is that possible at all?

Thanks

Owner

dlenski commented May 13, 2021

> So for example, if I'd like to connect to som.weird.example.com, what would be the configuration? I've tried to modify the script like this: -s 'vpn-slice 192.168.1.0/24 somehost.myvpn.com som.weird.example.com', but that didn't work. Is that possible at all?

Yes, that should work.

Questions:

  1. What does "that didn't work" mean? Can you give more details of how/why it "didn't work"?
  2. What is different about somehost.myvpn.com and som.weird.example.com?

@dlenski dlenski added the needs info Need more information label May 13, 2021
Author

bilak commented May 14, 2021

Hello, thanks for the quick response:

First of all, I don't understand routing and networking, so please be patient with me :D

The thing is that I'm running openconnect on Ubuntu, where the command looks like this: /usr/sbin/openconnect --servercert pin-sha256:somesecret --syslog --cookie-on-stdin --script /usr/lib/NetworkManager/nm-openconnect-service-openconnect-helper --interface vpn0 123.456.789.00:443. The only thing I needed to configure was to add the route 192.168.1.0 255.255.255.0 (see image); otherwise there was no internet connection at all.
[screenshot of the route configuration omitted]

Now I'd like to move to a Mac and I'm struggling to configure this. So I thought that adding -s 'vpn-slice 192.168.1.0/24' should be enough and it would work in the same manner as on Ubuntu. But with this configuration I'm not able to reach any host. Even ping to remote hosts inside the VPN doesn't work.
Then I added -s 'vpn-slice 192.168.1.0/24 somehost.myvpn.com', where somehost.myvpn.com is an internal host in the remote network, and I'm able to connect to it. However, if I have multiple hosts with multiple levels of subdomains (e.g. sub1.sub2.myvpn.com and sub3.myvpn.com), it's hard to name them all.

So to be more precise, here are some questions:

  1. Is it possible to use some kind of wildcard to route all subdomains through the VPN (e.g. *.myvpn.com) and not name them all?
  2. If I'm only able to access som.weird.example.com through the VPN, and this is some public cloud which has a firewall configured with a rule that allows connections only from myvpn.com, am I able to route the traffic to som.weird.example.com through the VPN? Again, I added -s 'vpn-slice 192.168.1.0/24 som.weird.example.com', but I'm not able to connect to that host.

Additionally, maybe the problem is that my local network and also the remote network are both 192.168.*.

If you need some details/debugging, please let me know.

Owner

dlenski commented May 15, 2021

Okay, there's a lot going on here. 😅

  • I don't use a Mac, I don't want to use a Mac, and I don't have any way to test on MacOS myself. But there are other users here who've contributed support for MacOS, so maybe they can chime in.
  • Regarding wildcards for hostnames, see Multiple variants of similar hostnames? #63

> Now I'd like to move to a Mac and I'm struggling to configure this. So I thought that adding -s 'vpn-slice 192.168.1.0/24' should be enough and it would work in the same manner as on Ubuntu. But with this configuration I'm not able to reach any host. Even ping to remote hosts inside the VPN doesn't work.

Do you understand that vpn-slice does not modify your DNS configuration? So if you try to ping hosts by name, and those names exist only on the VPN's DNS servers, it'll fail.

> If I'm only able to access som.weird.example.com through the VPN, and this is some public cloud which has a firewall configured with a rule that allows connections only from myvpn.com, am I able to route the traffic to som.weird.example.com through the VPN? Again, I added -s 'vpn-slice 192.168.1.0/24 som.weird.example.com', but I'm not able to connect to that host.

I don't really understand what this means 🤷‍♂️ … does a connection to som.weird.example.com work if you don't use vpn-slice, and route all traffic through the VPN with the default vpnc-script?

> Additionally, maybe the problem is that my local network and also the remote network are both 192.168.*.

This should not matter unless the third byte is also the same. 192.168.0.0/16 is not a standards-compliant IPv4 private network; 192.168.x.0/24 is.

If both your local network and the remote network are, say, 192.168.123.0/24… then you should try to change the local network to avoid the collision.
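A small check for the collision described above, added here as an example and not part of vpn-slice itself: it splits a vpn-slice argument list into route prefixes and hostnames, then reports any VPN prefix that overlaps a local LAN prefix (the subnet values are constructed for illustration).

```python
import ipaddress


def split_vpn_slice_args(args):
    """Split vpn-slice arguments into (networks, hostnames).

    Anything that parses as an IPv4/IPv6 prefix is treated as a route;
    everything else is assumed to be a hostname. Hypothetical helper.
    """
    nets, hosts = [], []
    for arg in args:
        try:
            nets.append(ipaddress.ip_network(arg, strict=False))
        except ValueError:
            hosts.append(arg)
    return nets, hosts


def route_collisions(local_cidrs, vpn_args):
    """Return (vpn_prefix, local_prefix) pairs whose address ranges overlap.

    When a VPN route overlaps the local LAN, the kernel can only pick one
    route for those addresses, so hosts on the losing side become
    unreachable. A local 192.168.0.0/16 collides with 192.168.1.0/24;
    a local 192.168.0.0/24 does not, because the third byte differs.
    """
    local = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    vpn_nets, _ = split_vpn_slice_args(vpn_args)
    return [
        (str(v), str(l))
        for v in vpn_nets
        for l in local
        if v.version == l.version and v.overlaps(l)
    ]


if __name__ == "__main__":
    # Constructed sample: local LAN on the same /24 as the VPN route.
    args = ["192.168.1.0/24", "somehost.myvpn.com", "som.weird.example.com"]
    for pair in route_collisions(["192.168.1.0/24"], args):
        print("collision: VPN route %s overlaps local %s" % pair)
```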

@dlenski dlenski changed the title macos additional dns problem adding hosts by name on MacOS May 15, 2021
Owner

dlenski commented May 15, 2021

Also, add -v --dump to the vpn-slice command line to get a whole lot more logging about what it's doing.

Owner

dlenski commented May 28, 2021

@bilak Any updates? Please reopen if so.

@dlenski dlenski closed this as completed May 28, 2021
Repository owner locked and limited conversation to collaborators Dec 17, 2021