
How to easily use vpn-slice? #99

Closed
suntong opened this issue Nov 10, 2021 · 5 comments
Labels
not-a-bug Not a bug with vpn-slice (although maybe highlighting an issue in other software)

Comments

@suntong

suntong commented Nov 10, 2021

From readme:

$ sudo openconnect gateway.bigcorp.com -u user1234 \
    -s 'vpn-slice 192.168.1.0/24 hostname1 alias2=alias2.bigcorp.com=192.168.1.43'
$ cat /etc/hosts
...
192.168.1.1 dns0.tun0					# vpn-slice-tun0 AUTOCREATED
192.168.1.2 dns1.tun0					# vpn-slice-tun0 AUTOCREATED
192.168.1.57 hostname1 hostname1.bigcorp.com		# vpn-slice-tun0 AUTOCREATED
192.168.1.43 alias2 alias2.bigcorp.com		# vpn-slice-tun0 AUTOCREATED

From #15

I've got split tunnelling working with:

openconnect -b vpn.myvpn.com -s 'vpn-slice 10.0.0.0/8'

Then I can successfully ping 10.n.n.n, while also not affecting other traffic.

Both of the above provide a single IP segment from mycompany.com. But my company has lots of IP segments, and maybe another IP segment will be added tomorrow. How can I easily use vpn-slice in such a situation?

Can we specify it the other way around: instead of specifying the company IP segments, can we specify the home IP segment instead and add all company IP segments automatically?

PS:

$ tail -5 /etc/hosts
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.51.51.xx dns0.tun0  # vpn-slice-tun0 AUTOCREATED
10.51.51.yy dns1.tun0  # vpn-slice-tun0 AUTOCREATED

$ ip a s tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1300 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.54.65.173/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::3aa3:bf04:8b92:366f/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

$ ping 10.54.65.173
PING 10.54.65.173 (10.54.65.173) 56(84) bytes of data.
64 bytes from 10.54.65.173: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 10.54.65.173: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.54.65.173: icmp_seq=3 ttl=64 time=0.062 ms

As a result, I can only access IPs within 10.54.65.173/32. All else fails for me.

Please help.

PPS:

All IP segments passed to vpnc-script:

. . .
Called by /usr/sbin/openconnect (PID 15484) with environment variables for vpnc-script:
. . .
  CISCO_SPLIT_INC         => nsplitinc=98
  IDLE_TIMEOUT            => idle_timeout=1800

Can vpnc-script add all passed IP segments automatically, please?

@dlenski
Owner

dlenski commented Nov 10, 2021

All IP segments passed to vpnc-script:

Can vpnc-script add all passed IP segments automatically, please?

Yes, it can.

Did you run vpn-slice --help and read the available options? 🤨

  -S, --route-splits    Add route for VPN's split-tunnel subnets (passed in
                        via $CISCO_SPLIT_*)

@dlenski dlenski added the not-a-bug Not a bug with vpn-slice (although maybe highlighting an issue in other software) label Nov 10, 2021
@suntong
Author

suntong commented Nov 10, 2021

thx

@suntong suntong closed this as completed Nov 10, 2021
@suntong
Author

suntong commented Nov 10, 2021

I have to say that even if I had read the explanation of the --route-splits option, I wouldn't have made the connection.

Also, this should be turned on by default IMHO.

@dlenski
Owner

dlenski commented Nov 10, 2021

I have to say that even if I had read the explanation of the --route-splits option, I wouldn't have made the connection.

Can you suggest an improvement to the documentation to improve it? PRs welcome.

Also, this should be turned on by default IMHO.

That is not in keeping with my design goal for vpn-slice, nor with the expectation of current users.

By default, vpn-slice only routes traffic for the IPs, hostnames or routes that the user explicitly requests. If you want to route traffic for the split routes requested by the server, then you add --route-splits.
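As an added example (not vpn-slice's own code, nor dlenski's), the following Python reconstructs the server-pushed split-include subnets from the CISCO_SPLIT_INC_* variables that openconnect hands to vpnc-script, and contrasts the default behaviour (only user-listed subnets are routed) with --route-splits. The sample environment is constructed, and the variable naming assumes the vpnc-script convention (CISCO_SPLIT_INC as the count, CISCO_SPLIT_INC_<n>_ADDR and _MASKLEN per entry).

```python
import ipaddress
import os

# Constructed sample of the environment openconnect hands to vpnc-script.
# Names follow the vpnc-script convention (CISCO_SPLIT_INC = entry count,
# CISCO_SPLIT_INC_<n>_ADDR / _MASKLEN = one subnet each); values are made up.
SAMPLE_ENV = {
    "CISCO_SPLIT_INC": "4",
    "CISCO_SPLIT_INC_0_ADDR": "10.0.0.0", "CISCO_SPLIT_INC_0_MASKLEN": "8",
    "CISCO_SPLIT_INC_1_ADDR": "172.16.0.0", "CISCO_SPLIT_INC_1_MASKLEN": "12",
    # already contained in 10.0.0.0/8; collapsing should absorb it
    "CISCO_SPLIT_INC_2_ADDR": "10.51.51.0", "CISCO_SPLIT_INC_2_MASKLEN": "24",
    "CISCO_SPLIT_INC_3_ADDR": "23.0.0.0", "CISCO_SPLIT_INC_3_MASKLEN": "12",
}


def split_includes(env=None):
    """Server-pushed split-include subnets, deduplicated and collapsed."""
    env = os.environ if env is None else env
    count = int(env.get("CISCO_SPLIT_INC", "0"))
    nets = []
    for i in range(count):
        addr = env[f"CISCO_SPLIT_INC_{i}_ADDR"]
        masklen = env[f"CISCO_SPLIT_INC_{i}_MASKLEN"]
        nets.append(ipaddress.ip_network(f"{addr}/{masklen}", strict=False))
    # collapse_addresses merges overlapping and adjacent prefixes, so a long
    # server-pushed list shrinks to its distinct covering prefixes
    return list(ipaddress.collapse_addresses(nets))


def tunnel_routes(user_subnets, env=None, route_splits=False):
    """Subnets that get a route via the tunnel interface.

    Default: only what the user lists on the vpn-slice command line.
    With --route-splits: additionally the server-pushed split-include subnets.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in user_subnets]
    if route_splits:
        nets += split_includes(env)
    return list(ipaddress.collapse_addresses(nets))


def goes_via_tunnel(dest, routes):
    """True if dest falls inside any of the routed subnets."""
    ip = ipaddress.ip_address(dest)
    return any(ip in net for net in routes)
```

Running `tunnel_routes(["10.54.65.0/24"], SAMPLE_ENV)` yields only that one subnet, while passing `route_splits=True` adds the collapsed server-pushed prefixes, which is exactly the difference the option makes.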

@suntong
Author

suntong commented Nov 10, 2021

If you want to route traffic for the split routes requested by the server, then you add --route-splits.

OK. thx.

Can you suggest an improvement to the documentation to improve it? PRs welcome.

No, it's not a problem of the explanation text, but my ignorance of the situation, which has no cure. :)

Repository owner locked and limited conversation to collaborators Dec 17, 2021