Add macOS support #11
Conversation
It seems fine to me, although I have no way to test the macOS functionality. (A test suite will be useful here sooner or later…) But please fix the unnecessary code formatting changes, as discussed in #5.
Sure. I thought I'd fixed them all, and I'm apparently too close to this code to see whatever is left. Can you point me to them (really just one of each type; knowing exactly what to look for will make them easier to find)?
I would like to have a look and maybe resolve the conflicts from another fork, but I don't know how to build it correctly. EDIT: OK, I didn't use the -s option of openconnect but --script-tun --script instead, as for ocproxy.
I've rebased my branch on top of the current master. @XL64: I don't think your error is related to this PR. I think your issue is that vpn-slice does not expect the --script-tun option (which routes all traffic through the command provided by --script). Try it without that option.
@gmacon Indeed I had to remove this option, thanks for rebasing :)
Tested this on macOS Mojave 10.14.3 and it seems to be working fine so far with basic testing. Will be testing more throughout the week. cmd used:
Connection is active but got this exception after macbook went to sleep while it was locked.
Confirmed, works on macOS 10.14.3 with openconnect 8.02.
What are the odds that this could be a Homebrew formula?
You can install it with pip if that would be merged
You can even install the branch directly if you don't want to wait for the merge.

On Wed., 6 Mar. 2019 at 18:01, doomedraven <notifications@github.com> wrote:
> You can install it with pip if that would be merged
Yes, that's what I have done, but a merge would be better for all of us :)

On Wed., 6 Mar. 2019 18:03, Xavier Lacoste <notifications@github.com> wrote:
> You can even install the branch directly if you don't want to wait for the merge.
If that would be useful for someone: vpn-slice + an unbound DNS server running locally.
@doomedraven In your script, didn't you mean
`sudo cat >> /usr/local/etc/unbound/unbound.conf << EOF$`
instead of
`cat >> /usr/local/etc/unbound/unbound.conf <<< EOL`
I suppose after that you don't need to give a list of addresses to resolve to vpn-slice, just a range of IPs to pass via the tunnel?
You are correct, fixing. Yes, the DNS will handle that dynamically for you, and you don't need to use hosts or pass a list of domains.
Hello again,
I must have missed something.
I did copy your configuration at the end of unbound.conf, replaced yourcompany.com with something like mycompany.corp.local, started unbound and set the DNS to 127.0.0.1.
I then started openconnect with vpn-slice and a list of subnets to route.
DNS resolution of internet domains works but not for "something.mycompany.corp.local".
Did I miss something?
Do you have documentation I should read?
Regards,
XL.

On 8 Mar 2019 at 10:03, doomedraven wrote:
> you are correct, fixing, yes the dns will handle that dynamically for you, and you don't need use hosts or pass list of domains
You don't need to put .local at the end, just yourcompany.com. <- dot at the end :) I just updated it, as I forgot what I had updated here, so one more thing.
Anyway, let me know if you need help, so I can maybe explain it better.
Hello again,
I think I understood what's still wrong with my config: I need to replace dns1/dns2 by the IP of my internal DNS in the VPN network, right?
I then have to figure out what it is :)
Thanks,
XL.

On 8 Mar 2019 at 10:47, doomedraven wrote:
> ayway let me know if you need help, so i can maybe better explain it
Yes, correct, that is the easier one; you just needed to check vpn-slice --help. Just add to and it will give you all the info.
Thanks, I retrieved the IP but the DNS resolution is still broken.
I think I took too much of your time and will keep the openconnect/ocproxy/foxyproxy solution I have in place.
Regards,
XL.

On 8 Mar 2019 at 14:20, doomedraven wrote:
> yes correct, that is the easier one, you was need just to check vpn-slice --help, just add to vpn-slice --dump --verbose
> and it will give you all info
To check your DNS, do a few things:
To simplify debugging of the issue, in unbound.conf uncomment
and do
Thanks a lot, I'll try that!

On 8 Mar 2019 at 14:51, doomedraven wrote:
> to check your dns do few things
> dig @dns_IP some_corp_domain
> dig @localhost some_corp_domain
> to simplify debug of issue in unbound.conf uncomment
> # logfile: "/tmp/unbound.log"
> # log-queries: yes
> # log-time-ascii: yes
> and do tail -f /tmp/unbound.log in another terminal, and exec dig command to see what's going on
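Putting the thread's unbound advice together (the trailing dot on the forwarded zone, the `sudo cat >>` pitfall Xavier spotted, and the three logging directives to uncomment when debugging), as an added shell example that is not code from the PR or from doomedraven's script; it assumes the Homebrew config path quoted in the thread, and the zone name, resolver addresses and sample config are constructed:

```shell
#!/bin/sh
# Added example, not from the PR or doomedraven's script. Assumes the Homebrew
# layout used in the thread: /usr/local/etc/unbound/unbound.conf.

# Print an unbound forward-zone stanza that sends one corporate domain to the
# internal resolvers reached through the tunnel. The zone name is written with
# a trailing dot, as the thread advises (and without a .local suffix).
unbound_forward_zone() {
    zone=$1
    shift
    case $zone in
        *.) ;;                 # already fully qualified
        *) zone="$zone." ;;    # add the trailing dot
    esac
    printf 'forward-zone:\n    name: "%s"\n' "$zone"
    for ns in "$@"; do
        printf '    forward-addr: %s\n' "$ns"
    done
}

# Append a stanza to the root-owned config. `sudo cat >> file << EOF` does not
# work: the >> redirection is opened by the caller's unprivileged shell before
# sudo runs. `tee -a` opens the file as root instead.
append_forward_zone() {
    conf=$1
    shift
    unbound_forward_zone "$@" | sudo tee -a "$conf" >/dev/null
}

# Uncomment the three debugging directives the thread suggests, keeping their
# indentation; the rewritten config goes to stdout so it can be reviewed
# before being written back.
enable_query_logging() {
    sed -e 's/^\([[:space:]]*\)#[[:space:]]*\(logfile:\)/\1\2/' \
        -e 's/^\([[:space:]]*\)#[[:space:]]*\(log-queries:\)/\1\2/' \
        -e 's/^\([[:space:]]*\)#[[:space:]]*\(log-time-ascii:\)/\1\2/' "$1"
}

# Constructed sample of a server: section with the directives commented out.
SAMPLE_CONF='server:
    verbosity: 1
    # logfile: "/tmp/unbound.log"
    # log-queries: yes
    # log-time-ascii: yes
'
```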
Hello doomedraven,
I fixed some issues:
- some files were missing: I was missing the sudo in front of `unbound-anchor -a /usr/local/etc/unbound/root.key` and `unbound-control-setup -d /usr/local/etc/unbound`
- the service couldn't start correctly with `brew services start unbound` (user agent) because I also started it as a daemon (with sudo).
Now my dig is correct but resolution within Firefox/Safari is not good.
Regards,
XL

On 8 Mar 2019 at 15:07, Xavier Lacoste wrote:
> Thanks a lot, I'll try that!
Hm, I just do this and it works fine; maybe try CIDR 8 instead of 9.
Finally, my kinit issue was not linked to that at all; I just had to copy my company's krb5.conf into /etc/. All is fine now!
Glad that works :)
Works great for me at gmacon@eb4f7e3. Thanks!
Hi gmacon, great job, thanks a lot for the mac port. ;)
1. Missing `destination` parameter. 2. Inconsistently named `output_start` vs. `start_output`. 3. Parsing the output of iproute is finicky and there's no guarantee that words occur in sensible pairs.
While the BSD `route add` may simply ignore re-addition of existing routes, `ip route add` does NOT behave in this way. `ip route replace` needs to be used in this case. I prefer to keep `RouteProvider.add_route` and `RouteProvider.replace_route` distinct on platforms where it's easy to do so, since this stricter behavior helps catch other mistakes in the routing configuration.
…nnel device So restore that behavior of `reason=pre-init` by creating a new `TunnelPrepProvider` class.
This leaves `os.environ`, `os.path`, and `os.fork` as the three OS-specific bits which are not abstracted out into providers. The first two are essentially universal, while `os.fork` will need to be rethought if anyone ever tries to make this work on Windows.
Sorry for the long delay… and many thanks to @gmacon for the excellent, excellent work of abstracting and porting to macOS. 👍 👍 👍 I fixed several bits for macOS users; please test and let me know if this is still working for you guys. (It should be… I really didn't change anything of consequence in With this we should be in a very good position to port to other BSDs, if anyone's interested.
Unfortunately, dig does not correctly handle the specification of multiple `+domain` arguments, discarding all but the last one. Therefore we need to run it multiple times and combine the results if multiple `search_domains` are specified. This is a very important use case for me, and several other known users.
Turns out the Being able to do
One last thing for @gmacon: is there a known minimum version of macOS required for this to work?
Hey @dlenski, thanks for starting to look at this. So now, with all your changes:
@doomedraven, derp derp derp 🤦♂️. Fixed in edfa341. Thanks for testing.
Now works just fine :) thanks a lot
I'm gonna merge and assume we can clean up any other leftover bits later as needed. Thanks again to @gmacon for the great work and others, in particular @doomedraven, for testing and refinement.
Amazing, thanks a lot @dlenski and @gmacon. I have updated my script https://github.com/doomedraven/Tools/blob/master/Mac/VPN_split.sh
I don't know what the minimum required version is, but I suspect that it would work on any version of macOS because the tools we're interacting with here were all inherited from FreeBSD.
Thanks. I googled around some, and that was my impression… the userland interface for routing on macOS doesn't seem to have changed much in the last ~20 years. So I'll just leave the docs as-is unless we find a clear counterexample.
Thank you @dlenski @gmacon @doomedraven et al!!!
Thanks all, I've got this pulled down and working! 👏🏻👏🏻
I'm going to lock this issue, so that if any new issues with Mac support are found… people will open new issues rather than be tempted to pile on this one. 😎
This adds support for macOS as discussed in #5.