Include support for Palo Alto Globalprotect split-tunneling includes #151
Comments
vstoyanov
changed the title
|
Interesting. As you can see, I haven't encountered these config tags before, and I'm not 100% sure how to interpret them.
So I'm not sure how to handle this DNS-based split tunneling, and I'm kind of suspicious of the security characteristics or value to the end-user. Anything you think I'm missing here? As for |
|
Hello Dan, According to the semantics of the PaloAlto GP configurations I have seen, I am pretty certain that the domains listed in I agree that split tunneling on FQDN is a complex task, but since this feature is mainly used for statically configured firewalled services I reckon their addresses won't change that often (with the exception of DNS routing), so my proposed implementation would be to do a DNS resolve on establisihng connection and then modify the routing table based on that. About I will try to gather more information and get back in touch. Thanks, |
How would we do a DNS resolve on something like
Plausible theory, yeah. Would be good to confirm. If I'm understanding all this correctly, it seems that the office GlobalProtect client for Windows actually runs a sort of transparent proxy that intercepts and rewrites TCP/UDP traffic dynamically. (Much like |
|
See upstream MR: https://gitlab.com/openconnect/openconnect/-/merge_requests/132 |
|
Please also add the It is a Cisco ASA custom attribute which appears to be similar to Globalprotect's |
Hm. Well, that might be the reason why this feature is not supported by the official Anyconnect linux client. On Windows and OS X it appears to be solved by installing a custom driver. On Linux it seems to be complicated: |
|
I'm thinking maybe it's possible to subscribe to the D-Bus system-resolved messages? So that when some domain name gets resolved, openconnect will receive a signal "example.com was resolved to 10.0.0.1" and add the route "10.0.0.1 via tunnel0" according to the rules specified by the domain-based split tunneling. |
|
Or, alternatively, start a tiny DNS server and use DBus to add it for the tunnel interface. In this DNS server you would spy on the DNS query and add/update a route whenever there's a match. Then, proxy the request to a real DNS server. |
Yes, this is the (least-in)sane way to handle a name-based split tunnel for
Even if you did all this…
This is kind of 🤬 nuts. It's completely mismatched to the layered nature of DNS/IP/TCP on the real Internet. My thought is that it can't possibly be reliable enough for any VPN administrators who know what they're doing to use it for anything that's performance- or security-critical. It might be useful for excluding bandwidth-heavy traffic from the VPN (e.g. |
Well, if it works for windows, I don't see why it won't work for linux. There's a TTL specifically for this issue. As for not using system resolver, well, that's another can of worms...
Yes, there is a presumption that people do sane things and don't expect domain-based split routing to be magic. Otherwise deep packet inspection / policy based routing must be used to inspect whether we can get the domain from the TCP protocol. This is a brave new world, where government censorship and the pandemic-imposed work from home policy dictate new rules for the internet :( |
|
@dlenski Is the WIP MR https://gitlab.com/openconnect/openconnect/-/merge_requests/132 usable , or waiting on anything else before it could be tested ? We are looking to get some early testing on how well this could work for Linux [ openconnect ] clients, as we have recently started leveraging this functionality if other platform clients. |
@jocado In terms of how it extracts the contents of the The issue is that we don't have a clear consensus on how domain-based split-tunneling should be handled not only for GlobalProtect but for other protocols as well. See the discussions at vpnc-scripts#5.
Unless you have modified the existing vpnc-script or vpn-slice to handle domain-based split tunneling in an intelligent way, then there is no way to test this functionality on Linux. And if you have done that, I'd really like to see the code you've got 😬. Or if you have some thoughts on how your organization is handling domain-based split tunneling on other platforms, and want to propose them as the standard behavior for OpenConnect too, please chime in on vpnc-scripts#5. It'll certainly give me more confidence to push out a change if someone can give me a fairly detailed and coherent explanation of how their organization uses domain-based split tunneling. |
That is what I meant when I was asking if it was waiting for anything else before it could be tested :) Actually, I'm glad you mentioned
I will go back to the team that are looking after the solution and get the exact requirements of the problem it's solving, and also try and dig out implementation details for how this works on the other platforms. It will be GP centric, but ff I can get some useful info I will report back here. |
See https://gitlab.com/openconnect/vpnc-scripts/-/issues/5 and dlenski/openconnect#151 for discussions of what this means Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Chimped config containing these settings from adrienverge/openfortivpn#824 (comment). This doesn't actually *do* anything with the settings yet. See dlenski/openconnect#151 and https://gitlab.com/openconnect/openconnect/-/merge_requests/132 for discussion about split-DNS. Signed-off-by: Daniel Lenski <dlenski@gmail.com>
|
There is also a <exclude-split-tunneling-domain>
<member>windowsupdate.microsoft.com:80,443</member>
</exclude-split-tunneling-domain>are there any plans yet to include it too? |
The standard Merely reading and storing the Personally, I don't think name-based includes and excludes are things that a VPN should do. They require deep packet inspection and rewriting to handle (semi)sanely, and there are tons of corner cases that will make it a huge unreliable mess, as I wrote in a comment above. |
I see, my problem is also that I use NetworkMonitor and it does not provide a way how I can use
IMHO the responsibility of OpenConnect client is only to recognize those and pass them along, regardless of the possibility of
I understand your worries about how this could end up in a big mess, but I also think we need to look in the future, what I mean by that is the Cloud Services are evolving and relying only on IPs is kind of outdated IMHO. IPs change now more often than ever and I believe that they will change more often in the future, the world is more dynamic then ever. Do we know how the other clients handle the config? e.g. official GP clients? In this post: https://superuser.com/a/1210156 Possum described some Methods/Strategies how such Policy Based Routing can be done on a Linux system (when I understood correctly some of them match what you described in the comment above as a possible solution), what I thought, maybe we could implement a simple and a more advanced one and select which one to use. What do you think? |
|
Thanks for opening this ticket. This issue is the only thing holding me back from using this client with my VPN provider. Is there any update? Or should we request an update in https://gitlab.com/openconnect/openconnect/-/merge_requests/132? |
|
Please see comment 2 here: https://gitlab.com/openconnect/vpnc-scripts/-/issues/5 So, in theory, if openconnect parsed I'm not sure you could sensibly support the above example which seems to include ports, so you would have to strip them off I think. Our infra returns the data in this form, which is currently picked up by the other Win or Macos clients: To make that list usable for systemd-resolvd you would have to remove the leading They could also be supplied to systemd-resolved in this form, which would make them route only dns routing domain only, and not a dns search domain. This second form is preferable IMO, but potentially not as widely expected. There's a nice explanation systemd-resolved behaviour in this regard here: https://systemd.io/RESOLVED-VPNS/ Would it be reasonable to populate Cheers, |
Hello,
I think globalprotect offers split-tunneling include configuration, which is ignored in the current release.
It seems to me that this bit of configuration is pretty straight-forward/obvious to reverse engineer. Given some guidance I could also try and help with the implementation.
Best regards,
Vasil
The text was updated successfully, but these errors were encountered: