
I'm using the Juniper client for OSX ('Network Connect') to access a client's VPN. It appears that the client is configured to not use split-routing. The client's VPN host is not willing to enable split-routing.

Is there a way for me to override this configuration or do something on my workstation to get the non-client network traffic to bypass the VPN? This wouldn't be a big deal, but none of my streaming radio stations (e.g. XM) work while connected to their VPN.

Apologies for any inaccuracies in the terminology.

** edit **

The Juniper client changes my system's resolv.conf file from:

nameserver 192.168.0.1

to:

search XXX.com [redacted]
nameserver 10.30.16.140
nameserver 10.30.8.140

I've attempted to restore my preferred DNS entry to the file

$ sudo echo "nameserver 192.168.0.1" >> /etc/resolv.conf

but this results in the following error:

-bash: /etc/resolv.conf: Permission denied

How does the super-user account not have access to this file? Is there a way to prevent the Juniper client from making changes to this file?

Ben Campbell
craibuc

8 Answers


About the permission problem, Marcus is correct in his answer, but there is a simpler way to append to files requiring super-user privileges:

$ echo "nameserver 192.168.0.1" | sudo tee -a /etc/resolv.conf

The tee command will split output (like a T-junction) to both a file and stdout. -a will make sure it appends to the file instead of completely overwriting it (which you most likely don't want when manipulating system files such as resolv.conf or hosts). sudo will make sure tee runs with super-user access so that it can change the file.

gabrielf
  • ++ for the `sudo tee` approach, but this technique won't override the VPN client's DNS resolver settings. `/etc/resolv.conf` contains the following warning on OSX: `# This file is not used by the host name and address resolution # or the DNS query routing mechanisms used by most processes on # this Mac OS X system.` – mklement Apr 30 '16 at 00:16

I think the problem is what is executed as root in this line:

sudo echo "nameserver 192.168.0.1" >> /etc/resolv.conf

Only the "echo" command is run as root; the redirection that writes the output to the file is done by your regular user, which probably doesn't have access to /etc/resolv.conf.

Try to run it this way:

sudo su
echo "nameserver 192.168.0.1" >> /etc/resolv.conf
exit
Marcus
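Both the `sudo tee -a` form in gabrielf's answer and the root-shell form Marcus describes rest on the same point: the `>>` redirection is performed by the calling shell, not by the command that sudo runs. As an added example (not code from either answer), here is a small POSIX sh helper that appends a line through `sudo tee -a` only when that line is not already present; the `SUDO` variable is an assumption of this example so the helper can also be exercised on a file you already own.

```shell
#!/bin/sh
# Append a line to a root-owned file such as /etc/resolv.conf or /etc/hosts.
# With `sudo echo "..." >> file` only echo is privileged: the shell that opens
# the file for append runs as the ordinary user, hence "Permission denied".
# Piping into `sudo tee -a` moves the file-opening into a process running as root.
#
# SUDO is an assumption of this example: it defaults to "sudo" but may be set
# to an empty string when the caller can already write the target file.
SUDO="${SUDO-sudo}"

append_line_as_root() {
    file="$1"
    line="$2"
    # Idempotent: -x matches the whole line and -F takes it literally, so a
    # repeated run does not stack duplicate nameserver entries.
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    # tee writes to the file and to stdout; stdout is discarded here.
    # The function's exit status is tee's, so a failed write is visible.
    printf '%s\n' "$line" | $SUDO tee -a "$file" >/dev/null
}

# Example invocation (constructed; requires sudo rights on the target file):
#   append_line_as_root /etc/resolv.conf "nameserver 192.168.0.1"
```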

As others have already explained to you, the issue is that the policy is enforced client-side but set up on the server side. This is a security feature, which allows the connecting network to avoid clients "bridging" unsecure and secure networks together.

The only way is to "hack" the client not to obey the server-side command.

There is a tutorial you can find on the web (http://www.digitalinternals.com/network/workaround-juniper-junos-pulse-split-tunneling-restriction/447/) which is Windows-based, but actually requires tools such as IDA Pro and assembly-language skills to patch the Pulse binary. This can also be considered illegal in several countries.

Basically, although the user experience may be degraded by forcing your client to fully route through the destination network, this allows network administrators to keep their network safer, and you should simply not do that.

Hope this helps.


I believe the policy is forced down from the server. Unless you somehow hack the Juniper VPN client software, you'll have to use the routing dictated.

It's part of the VPN software's feature set that it can enforce security policies on clients.

Coops

The only way to prevent this is to not connect. This is a security feature built into the back-end Juniper appliance. The Juniper client that launches merely enforces policy configured by the Juniper/network admins that work for your client company. It is very easy to configure the Juniper appliance to allow split-tunneling. If it isn't configured, it's either an oversight or a choice. Ask them to enable it. If they can't or won't, then it's their security policy. Fair warning: hacking or exploiting a way to circumvent that policy breaches your code of conduct with your client (assuming that they have online use policies) and in many cases can be considered criminal. It can also destroy any security they attempted to build into their network from remote users... You've become a vector to them.

I know it's very slow to browse this way, streaming video is particularly fun, not to mention every single step is logged on the Juniper appliance! It really hurts the client's bandwidth too, since it takes a bite out of resources multiple times just rerouting traffic in and out of their network to you.

Ben Campbell

Launch the vpn client from a virtual machine... voilà. Obviously you need to work from the virtual machine.

Luca

I hope I understand your question: you are VPN'd into a client but cannot access your XM or other sites. This may be due to a web filter on their end. I'd suggest, if there is an option for it, enabling local LAN access on your VPN client. This may solve your problem.

Split71
  • An option of this type doesn't exist. – craibuc Mar 14 '11 at 14:10
  • Ok, I think you may be forced to use whatever the policy is that's being pushed out. Especially if it's not your network and you don't have access to the router/firewall. – Split71 Mar 14 '11 at 14:27

I'm using the Juniper NC client on a Fedora Linux client and I am able to create static routes to specific services or net segments. For example, the network I'm connecting to doesn't allow outgoing IMAP, so I make a static route to my mail account. You need root access, of course. I also tried deleting the default route that NC creates, but it has a daemon that re-adds it within seconds.