Split Tunnel, on <access local lan>
Hi Guys,
I use the standard vpnclient with a patch to enforce local access, running on an Ubuntu 8.10 with a kernel above 2.6.20; the configuration works like a charm.
For Windows I haven't seen any chance of getting this done.
Is there any plan to include this in the evil client? Or is there at this point in time already a way to get the split tunnel to work even if the concentrator disables it?
Thanks for a very nice tool; it makes life for some remote users simpler.
take care
Joe
Split Tunnel, on <access local lan>
Hi,
The EC doesn't support this right now. I suppose you patched the source code of the kernel module?
I'm sure the same idea could be applied to the Windows driver, though one would need to apply some reverse engineering and perform a binary patch. This seems to be a) very invasive and b) probably prone to severe errors/security risks, so it's unlikely the EC will ever implement such a feature. On the other hand I see the convenience of having a split tunnel. Is there a good solution anyway?
cheers
Jan
Hi Jan,
Yes, I did patch the source code; I have to look into the forums again to find that specific patch I was using. I understand that the change is quite "invasive". However, I don't see that this is a significant problem from the security point of view, as you can currently achieve the same thing with a USB host connection to the router or by using a split tunnel on the Linux router itself. I do of course understand the implications.
If needed I can look again for the patch and publish it here (it was only a 10 line change), nothing serious, at least as I understand it ;-)
Any input needed?
Joe
Split Tunnel, on <access local lan>
Could you point me to the location where patching the Linux KLM is described? Maybe it's possible to port this technique over to the Windows drivers.
Cheers
Jan
Hi Jan,
The initial source was
http://ubuntuforums.org/showthread.php?t=430136
The main page for any feedback on the Cisco VPN on Linux is still
http://projects.tuxx-home.at/?id=projects
The patch, among others, is located under
http://projects.tuxx-home.at/ciscovpn/patches/
I also publish the original thread here.
Thanks for looking at this topic
---- SNIP ----
Re: Cisco VPN client: Lan access Disabled
You will not get access to the local LAN if the administrator of the Cisco box you are connecting to has disabled tunnel splitting (the client setting EnableLocalLAN does not matter).
After a short inspection of vpnclient-4.8.00.0490-k9 I wrote a simple patch that overrides the settings of the Cisco box, giving you the local LAN back:
--------------------------------------------------------------------------------------------------------
--- vpnclient-4.8.00.0490-k9.orig/interceptor.c 2007-12-11 03:22:01.000000000 +0100
+++ vpnclient-4.8.00.0490-k9/interceptor.c 2007-12-11 03:26:44.000000000 +0100
@@ -644,8 +644,12 @@
break;
case CNI_DISCARD:
+ /* override local lan access */
+ rc2 = original_ip_handler.orig_handler_func(skb, dev, type);
+ /*
dev_kfree_skb(skb);
rx_dropped++;
+ */
break;
default:
printk(KERN_DEBUG "RECV: Unhandled case in %s rc was %x\n",
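Review bot: rc2 is assigned the result of original_ip_handler.orig_handler_func(skb, dev, type) but never examined in this hunk, so a failed hand-off is indistinguishable from success, and with dev_kfree_skb(skb) and rx_dropped++ commented out the concentrator's CNI_DISCARD verdict is overridden without leaving any trace in the driver's drop counters. Keep the rx_dropped++ increment in place so that packets the policy asked to discard still show up in the interface statistics, and delete dead code instead of wrapping it in /* */.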
@@ -757,8 +761,12 @@
/* packet dropped */
else
{
+ /* override local lan access */
+ rc2 = pBinding->InjectSend(skb, dev);
+ /*
dev_kfree_skb(skb);
tx_dropped++;
+ */
}
break;
case CNI_CHAIN:
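Review bot: same pattern on the transmit side: rc2 = pBinding->InjectSend(skb, dev) is not checked and tx_dropped++ is commented out, so outbound packets the policy marked for dropping are injected onto the physical interface with no accounting at all. The `/* packet dropped */` comment above the else branch is now misleading, since that branch no longer drops anything; update or remove it, and keep tx_dropped++ so that overridden drops remain countable.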
--------------------------------------------------------------------------------------------------------
Do not forget to restore the routing table and resolv.conf after connecting to the VPN box:
root@localhost:/usr/src> route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
root@localhost:~> vpnclient connect xxx
Cisco Systems VPN Client Version 4.8.00 (0490)
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.23.9 #2 SMP PREEMPT Fri Dec 7 21:55:21 CET 2007 x86_64
Config file directory: /etc/opt/cisco-vpnclient
Enter Certificate password:
Initializing the VPN connection.
Contacting the gateway at xxx.xxx.xxx.xxx
User Authentication for xxx
Enter Username and Password.
Username [xxxx]:
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.
Welcome to bla bla bla
Your VPN connection is secure.
VPN tunnel information.
Client address: xxx.xxx.xxx.xxx
Server address: xxx.xxx.xxx.xxx
Encryption: 168-bit 3-DES
Authentication: HMAC-SHA
IP Compression: None
NAT passthrough is active on port UDP 4500
Local LAN Access is disabled
root@localhost:/usr/src> route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
cisco.box.remote.ip 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
vpn.net.addr.0 0.0.0.0 255.0.0.0 U 0 0 0 cipsec0
0.0.0.0 your.client.vpn.ip 0.0.0.0 UG 0 0 0 cipsec0
root@localhost:/usr/src> route del -net 0.0.0.0 dev cipsec0
root@localhost:/usr/src> route add -host 192.168.1.1 dev wlan0
root@localhost:/usr/src> route add default gw 192.168.1.1
root@localhost:/usr/src> route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 wlan0
cisco.box.remote.ip 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
vpn.net.addr.0 0.0.0.0 255.0.0.0 U 0 0 0 cipsec0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
assuming 192.168.1.1 is the address of your gateway and wlan0 is the primary network interface
enjoy
One addition here: an interesting forum post at the same website regarding the route restore.
http://forum.tuxx-home.at/viewtopic.php?f=15&t=463
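A defender-side posture check for the `route -n` output quoted in the snippet above: it parses the table and tells whether the default route still runs through cipsec0 (full tunnel) or has been moved back to the physical interface (split tunnel / local LAN access), which is what the route restore steps do. This is an added example, not code from the thread or from the evil client project; the sample tables are constructed with documentation and private addresses.

```python
"""Posture check for `route -n` output (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List

@dataclass
class Route:
    dest: str
    gateway: str
    genmask: str
    flags: str
    iface: str

def parse_route_n(output: str) -> List[Route]:
    """Parse `route -n` text; the two header lines are skipped by shape."""
    routes = []
    for line in output.strip().splitlines():
        cols = line.split()
        # Data rows have exactly 8 columns and a numeric destination.
        if len(cols) != 8 or not cols[0][0].isdigit():
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = cols
        routes.append(Route(dest, gw, mask, flags, iface))
    return routes

def tunnel_state(routes: List[Route], vpn_iface: str = "cipsec0") -> str:
    """'no-vpn' if the tunnel interface has no routes, 'full-tunnel' if every
    default route uses it, otherwise 'split-tunnel'."""
    if not any(r.iface == vpn_iface for r in routes):
        return "no-vpn"
    defaults = [r for r in routes if r.dest == "0.0.0.0" and r.genmask == "0.0.0.0"]
    if defaults and all(r.iface == vpn_iface for r in defaults):
        return "full-tunnel"
    return "split-tunnel"

def outside_tunnel(routes: List[Route], vpn_iface: str = "cipsec0") -> List[str]:
    """Network routes that bypass the tunnel. Host routes ('H' flag) are ignored:
    the host route to the concentrator itself is always off-tunnel."""
    return [f"{r.dest}/{r.genmask}" for r in routes
            if r.iface != vpn_iface and "H" not in r.flags]

# Constructed sample tables (RFC 5737 / private addresses), same layout as the thread.
FULL_TUNNEL = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 cipsec0
0.0.0.0         10.0.0.5        0.0.0.0         UG    0      0        0 cipsec0
"""
# After the route-restore steps above: the default route points at wlan0 again.
SPLIT_TUNNEL = FULL_TUNNEL.replace("10.0.0.5        0.0.0.0         UG    0      0        0 cipsec0",
                                   "192.168.1.1     0.0.0.0         UG    0      0        0 wlan0")
```

Running `tunnel_state(parse_route_n(...))` on the live output of `route -n` gives an endpoint-side answer to whether the concentrator's "Local LAN Access is disabled" setting is actually in effect.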
Split Tunnel, on <access local lan>
Hi Joe,
I had some time to look at the patch. After reading a few docs and doing some random reverse engineering, I came to the conclusion that the techniques used to enforce a split tunnel on Linux cannot be easily ported to Windows. This is mainly due to fundamental differences in network driver architectures. To be honest, I don't have a clue how one would (un)block access to the LAN via the NDIS API. Quick googling didn't bring up any relevant information. I guess without having an expert in NDIS around or without spending some time reverse engineering / debugging the Cisco drivers, there is no chance to develop a patch to address your issue. Unfortunately I don't have much spare time recently so I can't help you at this time - sorry. Any ideas are welcome.
cheers
Jan
Hi,
Thanks for looking into this topic. I myself am not even close to a beginner in NDIS, or worse, driver reverse engineering. I'm afraid I'm not a big help here either. It was worth a shot on the topic and I appreciate the whole discussion. Jan, thanks for the time and the consideration on the topic. I think this is closed now; at least we can say we tried as much as possible. If you ever come across a similar request later on or even find an idea, I'm glad for all the users of evil client.
Take care and enjoy life.
Joe