Vpn-slice in NixOS wants write access to /etc/hosts

I’m trying to set up openconnect and vpn-slice (both of which are already packages within nixpkgs).
openconnect works in isolation (with sudo, unfortunately), but vpn-slice then fails to set up the split routing.

> sudo vpn-slice --self-test
WARNING: Couldn't configure hosts provider: Cannot read/write /etc/hosts
*** Self-test did not pass. Double-check that you are running as root (e.g. with sudo) ***
Aborting because providers for hosts are required; use --help for more information

The fact that this fails makes good sense to me; half the point of NixOS is to keep things declarative and read-only. Splitting the routing so only VPN-needed things go over the VPN is a valuable capability. I’m suspecting that vpn-slice is just the wrong tool, and doesn’t belong in nixpkgs because it can’t work, but any suggestions on how to move forward would be appreciated.

Sadly, it is quite common for tools to break Nix/NixOS requirements…

Generally, our community tries to “fix upstream rather than patch upstream”;
in such a case, it would mean submitting a PR to vpn-slice to make this failing check “NixOS-aware”.

As far as I can tell, vpn-slice wants to copy the custom host entries provided by the VPN DNS to avoid using the VPN DNS. I think this can’t be done declaratively that easily. An easy solution if you don’t mind using the VPN DNS or not having VPN specific hostnames would be to pass --no-host-names to vpn-slice.

I currently have a PR open for declarative OpenConnect profiles (nixos/openconnect: Add NixOS module for declarative OpenConnect VPNs by alyaeanyx · Pull Request #165883 · NixOS/nixpkgs · GitHub), and the VPN of my uni is also rather intrusive, so I’m interested in this too. I think the problem could be solved by either making /etc/hosts a dynamic file with a configuration option, or dynamically firing up a dnsmasq resolver with a separate host file generated by vpn-slice.

@Pamplemousse . Yeah, I understand lots of tools break the core assumptions of NixOS, which is why I was first surprised that vpn-slice was already packaged by NixOS and then that it didn’t work anyway. I’m sorry I didn’t convey that properly.

As for some way to make that work: @alyaeanyx, yeah, my VPN is deeply intrusive and internet-breaking, so I want as little traffic routing across it as possible, so I’ll keep messing around to see if I can figure something out that’ll work in NixOS.

I just figured out another “quick and dirty” way to make this work:

  1. Make your hosts file temporarily dynamic with rm /etc/hosts && cp /etc/static/hosts /etc/hosts
  2. Run vpn-slice and see what it writes to /etc/hosts
  3. Add the extra hosts to your NixOS config with networking.extraHosts
  4. Rebuild and use vpn-slice with the --no-host-names option in the future
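
A small shell helper for steps 2 and 3 above, added here as an example and not code from the thread or from vpn-slice: it diffs the read-only baseline hosts file against the one vpn-slice wrote and prints a networking.extraHosts snippet ready to paste into configuration.nix. It assumes /etc/static/hosts is the baseline and /etc/hosts the file vpn-slice modified; the host entries and the script name hosts2nix.sh are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): turn the lines vpn-slice appended to
# /etc/hosts into a networking.extraHosts snippet for configuration.nix.
# Assumptions: $1 is the read-only baseline (e.g. /etc/static/hosts) and
# $2 is the hosts file after vpn-slice ran (e.g. /etc/hosts).

# Print host entries present in the current file but absent from the baseline.
# Trailing comments (vpn-slice tags the lines it adds) and blank lines are
# dropped so only "ADDRESS NAME..." lines remain.
new_host_lines() {
  baseline="$1"; current="$2"
  # -F: fixed strings, -x: match whole lines, -v: keep lines NOT in baseline
  grep -vxF -f "$baseline" "$current" \
    | sed 's/[[:space:]]*#.*$//' \
    | grep -v '^[[:space:]]*$' || true
}

# Wrap the new entries in a Nix attribute ready to paste into configuration.nix.
extra_hosts_nix() {
  printf '%s\n' "networking.extraHosts = ''"
  new_host_lines "$1" "$2" | sed 's/^/  /'
  printf '%s\n' "'';"
}

# Usage as root after step 2 above: ./hosts2nix.sh /etc/static/hosts /etc/hosts
if [ $# -eq 2 ]; then
  extra_hosts_nix "$1" "$2"
fi
```

Once the snippet is in your config and you have rebuilt, step 4 applies: run vpn-slice with --no-host-names so it no longer needs to write /etc/hosts.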

Reading through their code, there are a couple of sketchy places with silly assumptions. You have a good idea to work around things for now. I’ll give it a go, thank you.