Stop Connection on Disconnect on Remote Server


gbung

Posts: 2
Joined: Wed May 07, 2014 11:52 pm

Post by gbung » Wed May 07, 2014 11:57 pm
Hi guys,

I just purchased 6 licenses for Viscosity and have just loaded them up onto my Windows Servers and all is well so far.
What I need to do now is have it so that when the VPN connection drops out/disconnects, the software running on my servers can no longer connect to websites on the server's real IP address. The catch is that I will still need to be able to connect to these machines remotely using RDP to the machines' real IP address.

I was told by a friend that when a VPN connection drops out in Viscosity, the running software cannot access the internet but RDP is still available to connect in. Is this the case? From what I've read on the forums it seems that additional steps are needed to prevent the default IP being used.

Any help would be much appreciated.

Thanks

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu May 08, 2014 1:13 pm
Hi gbung,

You will need to control a dropout via scripting. A few things to note straight up:
If a dropout occurs, Viscosity will attempt to reconnect. During this period, you will have Internet access over your normal IP. If you do not want this to happen, or reconnects are failing, adding the following Advanced command to your configuration will cause a dropout to disconnect completely instead so Disconnect scripts can run:

remap-usr1 SIGTERM

So from here, you will need to write some scripts to cut your Internet access. Some generic ones (that will cut Internet access completely) can be found below, as well as some details on script support for Windows:

http://www.sparklabs.com/support/preven ... fic_leaks/
http://www.sparklabs.com/support/viswin_scripting/

The issue is if you cut your Internet access completely, RDP will not be accessible either, so you will need to be creative. You have two options:

By far the easiest is simply killing the applications you do not want to have normal Internet access. You can find a VBS script in the second article above on how to do this. You can then write a similar script to start these applications again automatically when you connect using the Connected Script option.

Your second option is selective routing. When a disconnect occurs, you can remove the primary 0.0.0.0 route. You will then need to add a route though that points to the computer you are RDPing from. So if you RDP from home, and your home ISP IP address is 1.2.3.4, you will need to do the following on a disconnect:

route delete 0.0.0.0 mask 0.0.0.0
route add 1.2.3.4 mask 255.255.255.255 <ip for your primary gateway>

Then as a Before Connect Script, you will need to add the 0.0.0.0 route back.

You may find you don't need to add the route back to the computer you are connecting to. Depending on how firewall rules are set up on your servers, Windows can try to add temporary routes for incoming connections. Unless you have another way to access your server remotely (or at least reboot them without accessing them), I would not risk this.

Regards,

Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
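
The selective-routing option from Eric's reply above, as an added example that is not part of the original post or Viscosity's own scripts: a Windows batch file that pins the host route to the RDP client before removing the default route, and restores the default route before the next connect. The `down`/`up` arguments, `ADMIN_IP` and `GW_FILE` are assumptions, 1.2.3.4 is the placeholder address from the post, and a single IPv4 default gateway is assumed.

```batch
@echo off
rem Added example, not from the thread. ADMIN_IP and GW_FILE are assumed names;
rem 1.2.3.4 is the placeholder RDP client address used in the post above.
rem Usage: <this script> down   (called from the Disconnected script)
rem        <this script> up     (called from the Before Connect script)
rem Changing routes requires an elevated (administrator) context.
setlocal
set "ADMIN_IP=1.2.3.4"
set "GW_FILE=%ProgramData%\killswitch-gateway.txt"

if /i "%~1"=="down" goto down
if /i "%~1"=="up" goto up
echo usage: %~nx0 down^|up
exit /b 2

:down
rem Read the current default gateway from the IPv4 route table.
set "GW="
for /f "tokens=1-3" %%a in ('route print -4') do (
    if "%%a"=="0.0.0.0" if "%%b"=="0.0.0.0" if not defined GW set "GW=%%c"
)
if not defined GW exit /b 1
rem An "On-link" default route has no gateway address to pin the host route to.
if /i "%GW%"=="On-link" exit /b 1
rem Save the gateway so the "up" branch can restore the default route later.
>"%GW_FILE%" echo %GW%

rem Pin the RDP return path first, then confirm it is really in the table.
route add %ADMIN_IP% mask 255.255.255.255 %GW%
set "PINNED="
for /f "tokens=1-2" %%a in ('route print -4') do (
    if "%%a"=="%ADMIN_IP%" if "%%b"=="255.255.255.255" set "PINNED=1"
)
rem Without the host route, deleting the default route would cut off RDP too.
if not defined PINNED exit /b 1
route delete 0.0.0.0 mask 0.0.0.0
exit /b 0

:up
rem Restore the default route saved by "down" so the VPN server is reachable.
if not exist "%GW_FILE%" exit /b 1
set /p GW=<"%GW_FILE%"
route add 0.0.0.0 mask 0.0.0.0 %GW%
del "%GW_FILE%"
exit /b 0
```

The routes are added without `-p`, so they are not persistent and a reboot rebuilds the routing table from the interface configuration.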

gbung

Posts: 2
Joined: Wed May 07, 2014 11:52 pm

Post by gbung » Thu May 15, 2014 1:20 am
Brilliant. Thanks Eric. I really appreciate the detail you went into in your reply.

What I have noticed is that with my current VPN provider, it doesn't disconnect as such. It just loses its IP address when the VPN connection is unavailable (like whilst they are being DDOSed for example) and then Viscosity will just say "Connecting" with no assigned IP address. During this period, I can still connect to the servers with RDP but if I open a web browser or have some applications running, for example, these will have no internet connection.

Am I safe to assume that in this scenario it is safe during this period while the VPN connection is unavailable? I'm also not sure if the disconnect scripts will run at this point, do you know if they would? No way to force the situation unfortunately!

Thanks

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu May 15, 2014 5:58 am
Hi gbung,

The Disconnect script will only run when a complete Disconnect occurs. A drop out will automatically attempt a reconnect unless you specify OpenVPN/Viscosity not to try (see my previous post).

If you have lost your IP address and Viscosity is stating that it is in a connecting state, this means that the tunnel is gone, so all your traffic is routing via your ISP instead of via your VPN Provider. Unfortunately without knowing the specifics of how traffic is routed to your servers with no VPN connection active, I'm not sure how access via RDP would be routed. The fact that you can't access anything via your Web Browser probably just means that DNS is not available depending on how you have that set up on your server.

Regards,

Eric