Various improvements to vpnc-script-win.js

  • Remove unnecessary quotes around numeric interface identifier (TUNIDX) in vpnc-script-win.js

    Missed these in 6a78d3c7.

  • Add logLevel and logTimestamps options to vpnc-script-win.js

    Based on discussions about how to improve vpnc-script logging in #32 (comment 810779624).

    At some point, we'll make OpenConnect pass environment variables to trigger this behavior automatically.

  • More logging and better ordering in vpnc-script-win.js

    1. We should put some logging on the 'disconnect' handler. We probably missed this before, because the 'disconnect' handler was never being run on Windows due to openconnect#362 (closed), until this was fixed in openconnect!323 (merged).
    2. Set up the explicit route to the VPN gateway before configuring anything else, and include the default/Internet-facing gateway in the logging output.

  • On newer versions of Windows, need validate=no when adding DNS servers

    This should fix openconnect#375 (closed). It appears that on newer Windows systems, netsh interface ipvX add dns can take a long time to run, over 10 seconds. (See openconnect#375 (comment 818616048) for examples.)

    This appears to be because of unwanted network I/O. Specifically, unless validate=no is specified, Windows will try to immediately connect to the server. Because OpenConnect is not yet exchanging packets over the tunnel when the vpnc-script is invoked, and hasn't even added IP routes for the tunnel yet, this connection cannot succeed in most configurations. If it can't connect:

    1. It times out after ~10 seconds.
    2. It prints a warning: "The configured DNS server is incorrect or does not exist."
    3. It nevertheless adds the specified DNS server for the interface.
    4. It returns success (exit status 0).

    This combination of effects explains why we weren't detecting and displaying the error.

    The validate option appears to be poorly documented; it appears in the help output of netsh interface ipvX add dns on Windows 10, but it doesn't appear in Microsoft's web documentation of netsh interface ipvX add dns for Windows 2008 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731521(v=ws.10)#add-dnsserver), which is what their "netsh overview" documentation for Windows 2012 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129394(v=ws.11)) refers readers to for comprehensive information.

    Furthermore, the validate option does not exist on older versions of Windows, but it's enabled by default on Windows 10. This means that we have to be sure to append validate=no on newer versions of Windows, but not to append it on older versions.

    Bang-up job as usual, Microsoft. 🤬

Edited by Daniel Lenski
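The version-dependent validate=no logic and the "exit status 0 despite a warning" failure mode described in the last commit message, as an added example written for this page and not code from vpnc-script-win.js or the OpenConnect project. It runs under Node.js (the real script runs under Windows Script Host), builds the `netsh interface ipvX add dns` command for both address families, and checks netsh's output text because the exit status alone cannot reveal a failed validation. Assumptions, which are not stated on the page: the validate option is treated as present from NT version 10.0 (Windows 10) onward, the keyword form `name=... address=...` is used, the Windows version string is passed in by the caller, and no netsh process is actually launched.

```javascript
// Added example, not vpnc-script-win.js itself: decide whether to append
// validate=no, build the netsh command, and classify netsh's result.

// Warning text netsh prints when DNS validation fails (quoted in the commit).
var DNS_VALIDATION_WARNING =
  'The configured DNS server is incorrect or does not exist.';

// Assumption: the validate option exists (and defaults to yes) from
// Windows 10 / NT 10.0 onward and is rejected on earlier versions
// such as 6.1 (Windows 7) and 6.3 (Windows 8.1).
function netshSupportsValidate(ntVersion) {
  var major = parseInt(String(ntVersion).split('.')[0], 10);
  if (isNaN(major)) {
    throw new Error('unparseable Windows version: ' + ntVersion);
  }
  return major >= 10;
}

// The address ends up on a command line, so only accept an address literal
// of the requested family (a loose syntactic check, not a full parser).
function checkAddressLiteral(family, address) {
  var ok = family === 4
    ? /^\d{1,3}(\.\d{1,3}){3}$/.test(address)
    : /^[0-9a-fA-F:]+$/.test(address);
  if (!ok) throw new Error('not an IPv' + family + ' literal: ' + address);
}

// family: 4 or 6. iface: numeric interface index (TUNIDX) or a name.
// address: DNS server literal. ntVersion: e.g. "10.0" or "6.1".
function buildAddDnsCommand(family, iface, address, ntVersion) {
  if (family !== 4 && family !== 6) {
    throw new Error('family must be 4 or 6');
  }
  checkAddressLiteral(family, address);
  // A numeric index is passed bare (the commit removed the quotes around
  // TUNIDX); a name is quoted because it may contain spaces.
  var ifaceArg = typeof iface === 'number' ? String(iface) : '"' + iface + '"';
  var cmd = 'netsh interface ipv' + family + ' add dns name=' + ifaceArg +
            ' address=' + address;
  if (netshSupportsValidate(ntVersion)) {
    // Skip the reachability probe: the tunnel carries no traffic yet, so the
    // probe would hang ~10 s, print a warning, and still exit 0.
    cmd += ' validate=no';
  }
  return cmd;
}

// netsh exits 0 even when validation fails, so the exit status cannot
// distinguish a clean add from a warned one; inspect the output text too.
function classifyNetshResult(exitStatus, output) {
  if (exitStatus !== 0) return 'failed';
  if (String(output).indexOf(DNS_VALIDATION_WARNING) !== -1) {
    return 'added-with-warning';
  }
  return 'ok';
}

// Worked run on constructed inputs; no netsh process is started.
function demo() {
  var results = [];
  results.push(buildAddDnsCommand(4, 17, '10.8.0.1', '10.0'));
  results.push(buildAddDnsCommand(6, 17, 'fd00::1', '10.0'));
  results.push(buildAddDnsCommand(4, 'Local Area Connection', '10.8.0.1', '6.1'));
  // Constructed sample of netsh output on a Windows 10 host without validate=no:
  results.push(classifyNetshResult(0, DNS_VALIDATION_WARNING + '\n'));
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().forEach(function (r) { console.log(r); });
}
```

Running `node` on the file prints the three commands (only the two built for NT 10.0 carry `validate=no`) followed by `added-with-warning` for the constructed output, which is the case the commit says the old script silently swallowed.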
