From beb122162bf1cede0c065641d07a6b89389a7c75 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Sat, 22 Jan 2022 12:58:55 -0800
Subject: [PATCH] Better ordering, more logging, and disconnect handler fixes on Windows
Set up the explicit route to the VPN gateway before configuring *anything else*, and include default/Internet-facing gateway in the logging output.
Fixed a couple issues in the 'disconnect' handler. We missed these until now because the 'disconnect' handler was *never being run on Windows* due to https://gitlab.com/openconnect/openconnect/-/issues/362, until this was fixed in https://gitlab.com/openconnect/openconnect/-/merge_requests/323
1. Need to specify 'store=active' when deleting an IPv6 address on disconnect (missed this in 3a11fc7c971a28e375cc1fb2defe9d829aed2a4f)
2. Put some logging on the 'disconnect' handler.
Signed-off-by: Daniel Lenski
---
 vpnc-script-win.js | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/vpnc-script-win.js b/vpnc-script-win.js
index 6ae727d..29b53c8 100644
--- a/vpnc-script-win.js
+++ b/vpnc-script-win.js
@@ -106,11 +106,11 @@ case "connect":
 var internal_ip4_netmask = env("INTERNAL_IP4_NETMASK") || "255.255.255.255";
 var internal_gw = env("INTERNAL_IP4_ADDRESS");
- echo(INFO, "VPN Gateway: " + env("VPNGATEWAY"));
- echo(INFO, "Internal Address: " + env("INTERNAL_IP4_ADDRESS"));
- echo(INFO, "Internal Netmask: " + internal_ip4_netmask);
- echo(INFO, "Internal Gateway: " + internal_gw);
- echo(INFO, "Interface: \"" + env("TUNDEV") + "\" / " + env("TUNIDX"));
+ echo(INFO, "Default/Internet gateway : " + gw);
+ echo(INFO, "VPN Interface Identifiers : \"" + env("TUNDEV") + "\" / " + env("TUNIDX"));
+ echo(INFO, "Public VPN Gateway Address: " + env("VPNGATEWAY"));
+ echo(INFO, "Internal Legacy IP Address: " + env("INTERNAL_IP4_ADDRESS"));
+ echo(INFO, "Internal Legacy IP Netmask: " + internal_ip4_netmask);
 if (env("INTERNAL_IP4_MTU")) {
@@ -124,6 +124,12 @@ case "connect":
 }
 }
+ // Add explicit route for the VPN gateway to avoid routing loops
+ // FIXME: handle IPv6 gateway address
+ echo(INFO, "Configuring explicit route to VPN gateway " + env("VPNGATEWAY"));
+ run("route add " + env("VPNGATEWAY") + " mask 255.255.255.255 " + gw);
+ echo(INFO, "done.");
+
 echo(INFO, "Configuring \"" + env("TUNDEV") + "\" / " + env("TUNIDX") + " interface for Legacy IP...");
 if (!env("CISCO_SPLIT_INC") && REDIRECT_GATEWAY_METHOD != 2) {
@@ -141,10 +147,6 @@ case "connect":
 " gwmetric=1 store=active");
 }
- // Add direct route for the VPN gateway to avoid routing loops
- // FIXME: handle IPv6 gateway address
- run("route add " + env("VPNGATEWAY") + " mask 255.255.255.255 " + gw);
-
 run("netsh interface ipv4 del wins " + env("TUNIDX") + " all");
 if (env("INTERNAL_IP4_NBNS")) {
 var wins = env("INTERNAL_IP4_NBNS").split(/ /);
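Review bot: The moved `route add` for the VPN gateway is issued with `gw` appended and nothing in the hunk checks that `gw` holds a value or that the command succeeded before the script proceeds to the tunnel's own routes; where `gw` is derived is above this hunk and not visible, but if that lookup came back empty the command degrades to `route add <VPNGATEWAY> mask 255.255.255.255` with no next hop, and the routing-loop protection this block exists for is silently absent while `"done."` is still logged. Consider guarding the call, e.g. `if (!gw) { echo(INFO, "No default gateway found; skipping explicit route to VPN gateway"); } else { run("route add " + env("VPNGATEWAY") + " mask 255.255.255.255 " + gw); }`, and if `run` reports a result (it appears to feed `accumulatedExitCode`, seen at the end of the file) print the failure rather than an unconditional `"done."`. The same `gw` value is printed by the first hunk's new `Default/Internet gateway` line, which would read as empty in that case. The enclosing `case "connect":` body starts and ends outside this hunk.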
@@ -237,19 +239,24 @@ case "disconnect":
 }
 break;
 case "disconnect":
- // Delete direct route for the VPN gateway
+ echo(INFO, "Deconfiguring \"" + env("TUNDEV") + "\" / " + env("TUNIDX") + " interface...");
+
+ // Delete explicit route for the VPN gateway
 // FIXME: handle IPv6 gateway address
+ echo(INFO, "Removing explicit route to VPN gateway " + env("VPNGATEWAY"));
 run("route delete " + env("VPNGATEWAY") + " mask 255.255.255.255");
 // Delete address
+ echo(INFO, "Removing" + (env("INTERNAL_IP6_ADDRESS") ? " IPv6 and" : "") + " Legacy IP addresses");
 run("netsh interface ipv4 del address " + env("TUNIDX") + " " + env("INTERNAL_IP4_ADDRESS") + " gateway=all");
 if (env("INTERNAL_IP6_ADDRESS")) {
- run("netsh interface ipv6 del address " + env("TUNIDX") + " " + env("INTERNAL_IP6_ADDRESS"));
+ run("netsh interface ipv6 del address " + env("TUNIDX") + " " + env("INTERNAL_IP6_ADDRESS") + " store=active");
 }
 // Delete Legacy IP split-exclude routes
 if (env("CISCO_SPLIT_EXC")) {
+ echo(INFO, "Removing Legacy IP split-exclude routes");
 for (var i = 0 ; i < parseInt(env("CISCO_SPLIT_EXC")); i++) {
 var network = env("CISCO_SPLIT_EXC_" + i + "_ADDR");
 var netmask = env("CISCO_SPLIT_EXC_" + i + "_MASK");
@@ -259,5 +266,6 @@ case "disconnect":
 }
 // FIXME: handle IPv6 split-excludes
+ echo(INFO, "done.");
 }
 WScript.Quit(accumulatedExitCode);
-- 
2.50.1
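Review bot: The `store=active` fix is applied only to the IPv6 address deletion; the `netsh interface ipv4 del address ... gateway=all` call on the line above it still runs without a `store=` argument, and `netsh interface ipv4 delete address` accepts the same `store=active|persistent` switch. The commit message ties the IPv6 failure to the address having been added with `store=active`, so if the connect handler (not visible in this diff) adds the Legacy IP address the same way, the IPv4 delete is likely to fail for the same reason and should be made consistent: `run("netsh interface ipv4 del address " + env("TUNIDX") + " " + env("INTERNAL_IP4_ADDRESS") + " gateway=all store=active");`. Separately, the new progress lines here and the `"done."` added in the final hunk are printed regardless of whether the preceding `run` calls succeeded, so a failed teardown still logs as completed; if `run` returns a status, it would be worth reporting it on the `route delete` and the two address deletions. The `case "disconnect":` body continues past the end of this hunk.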