Tue, 25 Jan 2011
Sometimes, our customers can't or won't give us direct SSH access to their CanIt machines. Instead, we have to use the dreaded commercial VPN client.
One of our customers asked us to use the Juniper Networks Network Connect client. This is a monstrosity that uses Java to give you a GUI (what? You didn't know that VPNs require a GUI?) and a shared library to do the actual encryption.
I use the XFCE desktop. Here's a screen shot of a typical terminal window:
And here's a screenshot of the Juniper VPN client:
Note the different window decorations? Yes, the Juniper VPN client sets the OverrideRedirect window property so it is not managed by a window manager. And then it reimplements the typical "Minimize / Maximize / Close" window manager buttons! WTF??
Except it doesn't do it properly. I have 6 virtual desktops. The Juniper VPN client doesn't know about virtual desktops. So I can't move it off virtual desktop 1 by dragging it "off the edge" of the desktop. (I can move it in the little virtual-desktop overview grid. So it looks like there is some kind of communication with the window manager going on...)
Also, the Juniper VPN client wants my default route to be via the VPN. Excuse me... I don't want that! I only want a specific subnet to be routed via the VPN. So I had to make an LD_PRELOAD shared library that prevents the Juniper client from touching the routing table. Every few seconds, the client notices that its route is missing and attempts to add it back, so we get cute log messages like this:
ncsvc[p7274.t7274] rmon.warn adding back the missing route to [redacted]...
ncsvc[p7274.t7274] rmon.warn adding back the missing route to [redacted]...
but of course, the ioctl system calls are intercepted by my shared library. The Juniper VPN client seems to hum along happily in spite of its routes not being present, just so long as the ioctl call pretends to succeed. :)
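Here is what such an LD_PRELOAD shim can look like. This is an added example, not the author's library and not anything shipped by Juniper: it assumes the client edits routes with the classic SIOCADDRT / SIOCDELRT ioctl requests on a socket (the post only says "ioctl", so the exact request codes are an assumption), swallows those two, reports success, and passes every other ioctl straight to the kernel. The file name noroute.so and the counter that records swallowed calls are also inventions for illustration.

```c
/*
 * noroute.c: an LD_PRELOAD shim (added example, not the blog author's
 * library) that keeps a program from editing the kernel routing table.
 * Route add/delete requests issued through ioctl(2) are swallowed and
 * reported as successful; every other ioctl is passed to the kernel.
 *
 * Build:  gcc -shared -fPIC -O2 -o noroute.so noroute.c
 * Use:    LD_PRELOAD=/path/to/noroute.so <vpn client command>
 *
 * Assumption: the client uses SIOCADDRT/SIOCDELRT. A client that talks
 * rtnetlink instead would need a sendmsg() hook, not an ioctl() one.
 */
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/sockios.h>   /* SIOCADDRT, SIOCDELRT, SIOCGIFFLAGS */

/* Number of route edits swallowed so far (exposed for inspection). */
static unsigned long faked_calls = 0;

/* Policy check: 1 if this ioctl request would modify the routing table. */
int is_route_ioctl(unsigned long request)
{
    return request == SIOCADDRT || request == SIOCDELRT;
}

unsigned long faked_route_ioctls(void)
{
    return faked_calls;
}

/* Interposed ioctl(): same signature as glibc's. The third argument is
 * optional in the real API, so it is fetched through a va_list. */
int ioctl(int fd, unsigned long request, ...)
{
    va_list ap;
    void *arg;

    va_start(ap, request);
    arg = va_arg(ap, void *);
    va_end(ap);

    if (is_route_ioctl(request)) {
        faked_calls++;
        /* Log it so the workaround stays visible in the client's stderr. */
        fprintf(stderr, "noroute: swallowed %s on fd %d\n",
                request == SIOCADDRT ? "SIOCADDRT" : "SIOCDELRT", fd);
        return 0;   /* pretend success so the client keeps running */
    }

    /* Pass-through via the raw system call. This avoids dlsym(RTLD_NEXT),
     * which on older glibc would also need -ldl at link time. */
    return (int)syscall(SYS_ioctl, fd, request, arg);
}
```

Because the shim never calls the real ioctl for the two route requests, the client's periodic "adding back the missing route" retry loop sees a success return and carries on, while the host's routing table stays exactly as the administrator left it. Anything the client legitimately needs (interface flags, tun device setup) still reaches the kernel unchanged.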
So what's the moral of the story? Simply that closed-source VPN products are usually inferior, filled with WTFs and require stupid workarounds to break out of their limitations. Why can't everyone just use OpenVPN?