This is a replacement for the
vpnc-script
used by OpenConnect or
VPNC.
Instead of trying to copy the behavior of standard corporate VPN clients, which normally reroute all your network traffic through the VPN, this one tries to minimize your contact with an intrusive VPN. This is also known as a split-tunnel VPN, since it splits your traffic between the VPN tunnel and your normal network interfaces.
vpn-slice makes it easy to set up a split-tunnel VPN:
/etc/hosts (which it cleans up
after VPN disconnection), however it does not otherwise alter your
/etc/resolv.conf at all.--route-splits to additionally route traffic for specific
subnets requested by the server). Run vpn-slice --help to see
them all.If you are using a VPN to route all your traffic for privacy reasons (or to avoid censorship in repressive countries), then you do not want to use this.
The purpose of this tool is almost the opposite; it makes it easy to connect to a VPN while minimizing the traffic that passes over the VPN.
This is for people who have to connect to the high-security VPNs of corporations or other bureaucracies (which monitor and filter and otherwise impede network traffic), and thus wish to route as little traffic as possible through those VPNs.
You can install the latest build from PyPI
with pip (make sure you are using the Python 3.x version, usually invoked
with pip3).
You should install as root (e.g. using sudo), because
openconnect or vpnc will need to be able to invoke vpn-slice
while running as root:
# latest release from PyPI
$ sudo pip3 install vpn-slice
# latest development version
$ sudo pip3 install https://github.com/dlenski/vpn-slice/archive/master.zip
On macOS, you can also install from the Homebrew repository:
$ brew install vpn-slice
Before trying to use vpn-slice with openconnect or vpnc,
check that it works properly on your platform, and can verify that it has all of
the access and dependencies that it needs (to modify /etc/hosts, alter
routing table, etc.):
$ sudo vpn-slice --self-test
***************************************************************************
*** Self-test passed. Try using vpn-slice with openconnect or vpnc now. ***
***************************************************************************
If you run the self-test as a non-root user, it will tell you what required
access it is unable to obtain:
$ vpn-slice --self-test
WARNING: Couldn't configure hosts provider: Cannot read/write /etc/hosts
******************************************************************************************
*** Self-test did not pass. Double-check that you are running as root (e.g. with sudo) ***
******************************************************************************************
Aborting because providers for hosts are required; use --help for more information
When you start trying to use vpn-slice for real, you should use the
diagnostic options (e.g openconnect -s 'vpn-slice --verbose --dump') to troubleshoot and understand its behavior.
You should specify vpn-slice as your connection script with
openconnect or vpnc. It has been tested with vpnc v0.5.3, OpenConnect
v7.06+ (Cisco AnyConnect and Juniper protocols) and v8.0+ (PAN GlobalProtect
protocol).
For example:
$ sudo openconnect gateway.bigcorp.com -u user1234 \
-s 'vpn-slice 192.168.1.0/24 hostname1 alias2=alias2.bigcorp.com=192.168.1.43'
$ cat /etc/hosts
...
192.168.1.1 dns0.tun0 # vpn-slice-tun0 AUTOCREATED
192.168.1.2 dns1.tun0 # vpn-slice-tun0 AUTOCREATED
192.168.1.57 hostname1 hostname1.bigcorp.com # vpn-slice-tun0 AUTOCREATED
192.168.1.43 alias2 alias2.bigcorp.com # vpn-slice-tun0 AUTOCREATED
or
# With most versions of vpnc, you *must* specify an absolute path
# for the disconnect hook to work correctly, due to a bug.
#
# I reported this bug, but the original maintainers no longer maintain vpnc.
# https://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2016-August/004199.html
#
# However, some Linux distro packagers have picked up my patch in recent
# releases, e.g. Ubuntu 17.04:
# https://changelogs.ubuntu.com/changelogs/pool/universe/v/vpnc/vpnc_0.5.3r550-3/changelog
#
$ sudo vpnc config_file \
--script '/path/to/vpn-slice 192.168.1.0/24 hostname1 alias2=alias2.bigcorp.com=192.168.1.43'
Notice that vpn-slice accepts several different kinds of routes and hostnames on the command line:
hostname1) as well as host-to-IP aliases (alias2=alias2.bigcorp.com=192.168.1.43).
The former are first looked up using the VPN's DNS servers. Both are also added to the routing table, as
well as to /etc/hosts (unless --no-host-names is specified). As in this example, multiple aliases can
be specified for a single IP address.10.0.0.0/8) in the VPN routes as well as subnets to explicitly exclude (%10.123.0.0/24).There are many command-line options to alter the behavior of
vpn-slice; try vpn-slice --help to show them all.
Running with --verbose makes it explain what it is doing, while running with
--dump shows the environment variables passed in by the caller.
vpnc-script.--auto-hosts and --seed-hosts options. These inspired the
automatic host lookup feature.dig.GPLv3 or later.
FAQs
vpnc-script replacement for easy split-tunnel VPN setup
We found that vpn-slice demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.