Windows support #41
Comments
Error message should be clearer here. Just fixed, thanks.
I don't use Windows for software development myself, and have very little interest in starting 😅 That said, contributions would be most welcome and I'd be glad to give advice on how to do it:
Thanks for the feedback! The diff of #11 looks worse than it is, as it does both refactor and add macOS support at the same time. I'll see if I find the time to do anything with this, although I doubt it in the short term. Whoever wants to take this, it's all yours :)
So I did a little digging. It seems that this can be ported without too much effort, especially if one is OK with relying on WSL for
It's super ugly, but one workaround for now would be for you to pass a
… which should do the right thing. One of the issues here is that Windows hasn't had a historically consistent and standardized way to split/parse/quote command-line arguments, which makes it a bit of a trial-and-error mess to pass the above into OpenConnect. 🤷‍♂️
Yes, this is important. I've thought about adding a This would also help with timing issues on POSIX, where sometimes creating the tunnel takes too long and vpn-slice tries to use it too soon.
Good points! I do have to be honest, though: I was aiming at using vpn-slice to get split tunneling up and running, since I had no idea how to interpret routes, metrics and interfaces. In researching a bunch of stuff trying to understand the Windows vpnc scripts, I have, as a side-product, solved my original problems without having to use vpn-slice at all. This means I would not even benefit myself from implementing a Windows provider for vpn-slice, and it would cost me considerable time as well (also considering that I am currently not even able to build openconnect for Windows myself.) Further assuming that issues such as the lack of fork() will not be the last OS-specific issue I would be facing, I am inclined to summarize my efforts so far so other people can pick it up, but not go ahead with the actual implementation and, most importantly, thorough testing.
That seems reasonable. If you can summarize how you've set up split-tunneling on Windows, it may indeed help others to implement this more cleanly later.
Alright, this is 1/2, summarizing what I tried in
So I moved the I did the same with the Also, I noticed that the The main work is in Attached is a patch, maybe someone wants to continue what I started.
2/2, how I am doing this without Basically, I installed the TAP driver from OpenVPN (the "OpenConnect GUI" installer does that, too). I renamed my ethernet connection "Ethernet", and the TAP one "OpenConnect". Also, I have set the DNS suffix "mycompany.org" on the OpenConnect interface. Then I use an elevated batch file like this:
For split DNS, I have used something like this:
This way, my network traffic is 100% split: The company nameserver sees requests only for The part up to here, I would love to do using VPNC env variables to be less fixed on correct naming of interfaces and stuff like this. BUT: In addition, I also configure SSH tunnels for SAMBA using additional loopback devices and additional HOSTS entries and set a proxy PAC script to route some web traffic through the company's proxy server for IP-based subscription access: in summary, a set of highly company-specific changes that would be a pain to integrate and maintain in vpn-slice - sorry! Still, I'll be happy to help with the above integration and/or answer questions regarding my specific setup!
Hi @bersbersbers, could you clarify better the DNS part, perhaps posting your DNS version script, edited to mask your data but with commentaries as to where to do changes inside it?
@Welsige sure, find attached. It's a bit reduced from my full version and I hope I didn't introduce any mistakes. Hard to test with "IP.OF.CMP.NS" :) There's three places you need to do changes, lines 16/17 for the company nameserver IP and their suffix; and optionally line 107 to select a different resolver. I experimented a bit with different options:
If, like me, you use this nameserver only on the VPN interface, what you chose to return has to be somewhat compatible with what the unmodified nameserver returns for the same IPs, as Windows pretty much queries different nameservers on different interfaces simultaneously.
If you have access to PowerShell, you can use Windows' built-in ability to split the DNS and use it only for company domains: Add-DnsClientNrptRule -Namespace "mycompany.org" -NameServers "xx.yy.zz.1"
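The NRPT approach from the comment above, written out as an added example that is not part of the thread or of vpn-slice: it tags the rules it creates so they can be removed again on disconnect, since NRPT rules stay in place until deleted. The marker `$Tag`, the function names, the address 192.0.2.53 and the host `intranet.mycompany.org` are constructed for illustration.

```powershell
# Added example; $Tag, the function names and all sample values are constructed.
# Run from an elevated PowerShell session.
$Tag = 'vpn-split-dns'   # hypothetical marker stored in each rule's Comment

function Remove-VpnSplitDns {
    # Delete only the rules this script created, identified by the marker.
    Get-DnsClientNrptRule |
        Where-Object { $_.Comment -eq $Tag } |
        ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
}

function Add-VpnSplitDns {
    param(
        [Parameter(Mandatory)] [string[]] $Namespace,
        [Parameter(Mandatory)] [string[]] $NameServers
    )
    Remove-VpnSplitDns    # idempotent: clear rules left by an earlier session
    foreach ($ns in $Namespace) {
        Add-DnsClientNrptRule -Namespace $ns -NameServers $NameServers -Comment $Tag
    }
    Clear-DnsClientCache  # drop answers cached before the rules existed
}

function Test-VpnSplitDns {
    param([Parameter(Mandatory)] [string] $InternalName)
    # Effective policy: which namespaces are pinned to which resolvers.
    Get-DnsClientNrptPolicy -Effective | Select-Object Namespace, NameServers
    # Should be answered by the company resolver through the tunnel.
    Resolve-DnsName -Name $InternalName -DnsOnly
}

# On connect. -NameServers is the company resolver reachable through the tunnel
# (192.0.2.53 is a documentation address standing in for it).
# '.mycompany.org' matches names under the suffix; 'mycompany.org' the bare name.
Add-VpnSplitDns -Namespace '.mycompany.org', 'mycompany.org' -NameServers '192.0.2.53'
Test-VpnSplitDns -InternalName 'intranet.mycompany.org'

# On disconnect, call Remove-VpnSplitDns so company names are no longer sent
# to a resolver that is unreachable without the tunnel.
```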
Are you referring to multihomed DNS resolution, @bersbersbers?
According to the links you posted, yes - this is exactly what I meant.
I never tried that, but assuming that your native connection has a lower metric, what you observe is what I would expect. Great to know that this is another option (as well as
I have taken upon me to hold the torch of Windows support hopes (for a while) https://github.com/michkot/vpn-slice/compare/feature-windows_support michkot@8568cf7 Here is a small bridge app to "fit" vpn-slice into Windows cscript-fixed binary build of openconnect:
This is great. I had to use
though - note the extra
This might have been helpful, too, but it seems the
Alright, so this is my take on this subject https://pastebin.com/80Thw5H2 - static subnets and masks lists and DNS handled by additional commands as suggested by @reicheltp (thank you very much!). Saved in the openconnect folder and using it as
Hi @maurerr, this works really well for one of my organizations but not the other. In both cases my public IP never changes to the company, so I know the split is working, but for only one of them I can connect to organization resources. Do you happen to have an updated version of this? I thought about using the PowerShell command but I don't know what NameServers is supposed to be?
This package looks great - I would like to use it on Windows 10. However, ...
Is Windows support planned?