I'm using the Juniper client for OSX ('Network Connect') to access a client's VPN. It appears that the client is configured to not use split-routing. The client's VPN host is not willing to enable split-routing.
Is there a way for me to override this configuration or do something on my workstation to get the non-client network traffic to bypass the VPN? This wouldn't be a big deal, but none of my streaming radio stations (e.g. XM) work while connected to their VPN.
Apologies for any inaccuracies in the terminology.
** edit **
The Juniper client changes my system's resolv.conf file from:
nameserver 192.168.0.1
to:
search XXX.com [redacted]
nameserver 10.30.16.140
nameserver 10.30.8.140
I've attempted to restore my preferred DNS entry to the file
$ sudo echo "nameserver 192.168.0.1" >> /etc/resolv.conf
but this results in the following error:
-bash: /etc/resolv.conf: Permission denied
How does the super-user account not have access to this file? Is there a way to prevent the Juniper client from making changes to this file?
About the permission problem, Marcus is correct in his answer, but there is a simpler way to append to files requiring super-user privileges:
The tee command will split output (like a T-junction) to both a file and stdout. -a will make sure it appends to the file instead of completely overwriting it (which you most likely don't want when manipulating system files such as resolv.conf or hosts). sudo will make sure tee runs with super-user access so that it can change the file.
I think the problem is what is executed as root in this line:
Only the "echo" command is run as root; writing the output to the file is done as your regular user, which probably doesn't have access to /etc/resolv.conf.
Try to run it this way:
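The pattern the two answers above describe (pipe into sudo tee -a so the privileged process is the one that opens the file), as an added example that is not part of either answer. The SUDO override variable is an assumption made so the functions can be exercised on a scratch file without privileges.

```shell
#!/bin/sh
# Added example (not from the answers above). The question's form
#   sudo echo "nameserver 192.168.0.1" >> /etc/resolv.conf
# fails because the shell opens resolv.conf for appending as the normal
# user before sudo runs. Piping into "sudo tee -a" makes tee, the
# elevated process, do the write instead.
# SUDO is an assumed override: leave it unset for real use (defaults to
# sudo); set SUDO="" to run against a scratch file without privileges.

# Return 0 if FILE already has a line exactly equal to "nameserver IP"
# (fixed-string, whole-line match; other whitespace layouts do not match).
has_nameserver() {
    file=$1; ip=$2
    grep -Fqx "nameserver $ip" "$file" 2>/dev/null
}

# Append "nameserver IP" to FILE only if it is not already present, so
# repeated calls (e.g. after every VPN reconnect) do not pile up entries.
add_nameserver() {
    file=$1; ip=$2
    if has_nameserver "$file" "$ip"; then
        return 0
    fi
    printf 'nameserver %s\n' "$ip" | ${SUDO-sudo} tee -a "$file" >/dev/null
}

# Count nameserver lines; handy to confirm what the VPN client rewrote.
nameserver_count() {
    grep -c '^nameserver' "$1"
}
```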
As others have already explained to you, the issue is that the policy is enforced client-side but set up on the server side. This is a security feature, which allows the connecting network to avoid clients "bridging" insecure and secure networks together.
The only way is to "hack" the client not to obey the server-side command.
There is a tutorial you can find on the web (http://www.digitalinternals.com/network/workaround-juniper-junos-pulse-split-tunneling-restriction/447/) which is Windows-based, but actually requires tools such as IDA Pro and assembly-language skills to patch the Pulse binary. This can also be considered illegal in several countries.
Basically, although the user experience may be degraded by forcing your client to fully route through the destination network, this allows network administrators to keep their network safer, and you should simply not do that.
Hope this helps.
I believe the policy is forced down from the server. Unless you somehow hack the Juniper VPN client software, you'll have to use the routing dictated.
It's part of the VPN software's feature set that it can enforce security policies on clients.
The only way to prevent this is to not connect. This is a security feature built into the back-end Juniper appliance. The Juniper client that launches merely enforces policy configured by the Juniper/network admins that work for your client company. It is very easy to configure the Juniper appliance to allow split-tunneling. If it isn't configured, it's either an oversight or a choice. Ask them to enable it. If they can't or won't, then it's their security policy. Fair warning: hacking or exploiting a way to circumvent that policy breaches your code of conduct with your client (assuming that they have online use policies) and in many cases can be considered criminal. It can also destroy any security they attempted to build into their network from remote users... You've become a vector to them.
I know it's very slow to browse this way, streaming video is particularly fun, not to mention every single step is logged on the Juniper appliance! It really hurts the client's bandwidth too, since it takes a bite out of resources multiple times just rerouting traffic in and out of their network to you.
Launch the vpn client from a virtual machine... voilà. Obviously you need to work from the virtual machine.
I hope I understand your question: you are connected by VPN to a client but cannot access your XM or other sites. This may be due to a web filter on their end. I'd suggest, if there is an option for it, enabling local LAN access on your VPN client. This may solve your problem.
I'm using the Juniper NC client on a Fedora Linux client and I am able to create static routes to specific services or net segments. For example, the network I'm connecting to doesn't allow outgoing IMAP, so I make a static route to my mail account. You need root access, of course. I also tried deleting the default route that NC creates, but it has a daemon that re-adds it within seconds.