Vpn-slice in NixOS wants write access to /etc/hosts

mcbeth · April 8, 2022, 11:10am

I’m trying to set up openconnect and vpn-slice (both of which are already packages within nixpkgs)
openconnect works in isolation (with sudo, unfortunately), but vpn-slice then fails to set up the split routing.

> sudo vpn-slice --self-test
WARNING: Couldn't configure hosts provider: Cannot read/write /etc/hosts
 ******************************************************************************************
*** Self-test did not pass. Double-check that you are running as root (e.g. with sudo) ***
******************************************************************************************
Aborting because providers for hosts are required; use --help for more information

The fact that this fails makes good sense to me, half the point of NixOS is to keep things declarative and read-only. Splitting the routing so only vpn-needed things go over the VPN is a valuable capability. I’m suspecting that vpn-slice is just the wrong tool, and doesn’t belong in nixpkgs because it can’t work, but any suggestions on how to move forward would be appreciated

Pamplemousse · April 8, 2022, 1:20pm

Sadly, this is quite common for tools to break Nix/NixOS requirements…

Generally, our community tries to “fix upstream rather than patch upstream”;
In such case, it would mean to submit a PR to vpn-slice to make this failing check “NixOS-aware”.

alyaeanyx · April 8, 2022, 5:29pm

As far as I can tell, vpn-slice wants to copy the custom host entries provided by the VPN DNS to avoid using the VPN DNS. I think this can’t be done declaratively that easily. An easy solution if you don’t mind using the VPN DNS or not having VPN specific hostnames would be to pass --no-host-names to vpn-slice.

I currently have a PR open for declarative OpenConnect profiles (nixos/openconnect: Add NixOS module for declarative OpenConnect VPNs by alyaeanyx · Pull Request #165883 · NixOS/nixpkgs · GitHub), and the VPN of my uni is also rather intrusive, so I’m interested in this too. I think the problem could be solved by either making /etc/hosts a dynamic file with a configuration option, or dynamically fire up a dnsmasq resolver with a separate host file generated by vpn-slice.

mcbeth · April 9, 2022, 1:18am

@Pamplemousse . Yeah, I understand lots of tools break the core assumptions of NixOS, which is why I was first surprised that vpn-slice was already packaged by NixOS and then that it didn’t work anyway. I’m sorry I didn’t convey that properly.

As for some way to make that work. @alyaeanyx , yeah, my VPN is deeply intrusive and internet-breaking, so I want as little traffic routing across it as possible, so I’ll keep messing around to see if I can figure something out that’ll work in NixOS

alyaeanyx · April 9, 2022, 6:12am

I just figured out another “quick and dirty” way to make this work:

Make your hosts file temporarily dynamic with rm /etc/hosts && cp /etc/static/hosts /etc/hosts
Run vpn-slice and see what it writes to /etc/hosts
Add the extra hosts to you NixOS config with networking.extraHosts
Rebuild and use vpn-slice with the --no-host-names option in the future

mcbeth · April 9, 2022, 11:52am

Reading through their code, there’s a couple sketchy places with silly assumptions. You have a good idea do work around things for now. I’ll give it a go, thank you