Instructions on how to share the connection of a Zscaler installed in a virtual machine can be found below.
Killing Zscaler on macOS
Zscaler can be annoying if you're trying to stop it. Despite having administrative rights, usually it asks for a password.
Pick one of the following options to take back control.
Using the App
People who prefer to use apps over command lines, can use
Kill Zscaler.app
which is a simple wrapper of the shell script described below.
- Download this repository as an archive.
- Open
Kill Zscaler.app
to kill Zscaler. - To use Zscaler again, reboot or open
Start Zscaler.app
.
Using a Shell Script
- Open Terminal or whatever terminal you prefer (e.g. iTerm2).
- Type
git clone https://github.com/bkahlert/kill-zscaler.git
- Type
cd kill-zscaler
to change into the newly cloned repository. - Make sure the scripts are executable by running
chmod +x kill-zscaler.sh start-zscaler.sh
- Type
./kill-zscaler.sh
to kill Zscaler. - To use Zscaler again, reboot or type
./start-zscaler.sh
.
Using a Shell
- Open Terminal or whatever terminal you prefer (e.g. iTerm2).
- Type
find /Library/LaunchAgents -name '*zscaler*' -exec launchctl unload {} \;;sudo find /Library/LaunchDaemons -name '*zscaler*' -exec launchctl unload {} \;
to kill Zscaler. - To use Zscaler again, reboot or
type
open -a /Applications/Zscaler/Zscaler.app --hide; sudo find /Library/LaunchDaemons -name '*zscaler*' -exec launchctl load {} \;
.
Using an Alias
To kill Zscaler by typing kill-zscaler
(and to start it with start-zscaler
) do the following steps:
- Open the shell initialization file of your shell
- Bash: ~/.bashrc
- ZSH: ~/.zshrc
- For more information aliases, read https://medium.com/@rajsek/zsh-bash-startup-files-loading-order-bashrc-zshrc-etc-e30045652f2e or any other appropriate Google match.
- Add the contents of
kill-zscaler.alias.txt
or the following lines to it:alias start-zscaler="open -a /Applications/Zscaler/Zscaler.app --hide; sudo find /Library/LaunchDaemons -name '*zscaler*' -exec launchctl load {} \;" alias kill-zscaler="find /Library/LaunchAgents -name '*zscaler*' -exec launchctl unload {} \;;sudo find /Library/LaunchDaemons -name '*zscaler*' -exec launchctl unload {} \;"
- Open a new shell (or type
source ~/.bashrc
/source ~/.zshrc
/ โฆ to load your changes) - Type
kill-zscaler
to kill Zscaler - To use Zscaler again, reboot or type
start-zscaler
.
Sharing Zscaler
To share an existing Zscaler VPN tunnel you can use share-zscaler.v2.sh on the machine with Zscaler installed as follows:
./share-zscaler.sh \
--probe foo.bar.internal \
--domain internal
- The script sets up network address translation (NAT) on the VPN client machine
so that its VPN tunnel can be shared.
- The
--prope
argument can be any hostname you want to connect to using the VPN tunnel. It's used to determine the connection details of your VPN connection. - The domains specified with one or more
--domain
arguments are used to customize the DNS name resolution on your host. This makes your host use your VPN client's name resolution for the specified domains (and sub-domains).
- The
- It prints a configuration script that needs to be run on your host to make it use the just shared tunnel.
If you prefer to have a one-liner without having to download anything you can use the following command at your own risk:
bash -c "$(curl -so- https://raw.githubusercontent.com/bkahlert/kill-zscaler/main/share-zscaler.v2.sh)" -- \
--probe foo.bar.internal \
--domain internal
Parallels macOS VM
If you only have a macOS client at hand you can set up a virtual macOS machine using Parallels.
- Install Parallels
- Set up a virtual machine
- The following scripts sets up a macOS machine with minimal footprint:
Take the chance to customize the above settings to your requirements.
declare -r PARALLELS=/Applications/Parallels\ Desktop.app declare -r VMDIR=$HOME/Parallels declare -r NAME=Zscaler curl -LfSo "$VMDIR/macOS.ipsw" "$("$PARALLELS"/Contents/MacOS/prl_macvm_create --getipswurl)" "$PARALLELS"/Contents/MacOS/prl_macvm_create "$VMDIR/macOS.ipsw" "$VMDIR/$NAME.macvm" --disksize 40000000000 cat <<CONFIG >"$VMDIR/$NAME.macvm/config.ini" [Hardware] vCPU.Count=1 Memory.Size=2147483648 Display.Width=1920 Display.Height=1080 Display.DPI=96 Sound.Enabled=0 Network.Type=1 CONFIG open "$VMDIR" open -a "$PARALLELS" "$VMDIR/$NAME.macvm"
At the time of writing, the disk size cannot be altered later.
40GB disk space (see--disksize
argument) are recommended.
32GB disk space are the bare minimum. - Create a macOS user
- Install Parallels Tools and reboot
- Install Zscaler
- Login
- The following scripts sets up a macOS machine with minimal footprint:
- Establish connection
- Start Zscaler (if not already running)
- Run share-zscaler.sh
- Use connection
- On your local machine open a terminal
- Paste the host configuration script (that was printed in the previous step) in the terminal and run it
You can now connect to all hosts you listed in step 2 ๐
Optionally, you can set the name of your VM in
- System Preferences โ Network โ Ethernet โ Advanced... โ WINS โ NetBIOS Name
- System Preferences โ Sharing โ Computer Name
Remote Execution
This section describes the necessary steps to run share-zscaler.v2.sh
on your
local machine instead of the virtual Zscaler machine using SSH.
Preparation
On your virtual machine
- Activate SSH by checking System Preferences โ Sharing โ Remote Login
- Optionally extend your sudoers so that you may run
sysctl
andpfctl
without having to enter your password:( echo "$(whoami) ALL=NOPASSWD: /usr/sbin/sysctl *" echo "$(whoami) ALL=NOPASSWD: /sbin/pfctl *" ) | sudo tee /etc/sudoers.d/zscaler
- Optionally prepare a script with the following contents to lock your screen
and run it on login via System Preferences โ Choose your user โ Login items โ + โ Select your lock screen script
cat << 'LOCK_SCREEN' > ~/Desktop/lock-screen #!/bin/bash osascript -e 'tell application "System Events" to keystroke "q" using {command down,control down}' LOCK_SCREEN chmod +x ~/Desktop/lock-screen
Don't forget to make it executable usingchmod +x
and to run it once to provide it with sufficient permissions. - If the IP of your VPN client machine is dynamic and you can't reliably resolve its IP, a workaround can be to install GeekTool and display the output of
ipconfig getifaddr en0
in a script Geeklet. At least you now find out the current IP easily.
On your local machine
- Create an SSH key or use an existing one
- Copy the public key of your just created key pair to your Zscaler machine:
This snippet assumes that your Zscaler host has the name
ssh-copy-id -i ~/.ssh/id_rsa [email protected]
Zscaler
and your user account on that machine iszscaler
. - Check if you can log in:
If the output shows the environment variables of your Zscaler host, all is fine.
ssh [email protected] printenv
Execution
The following command needs to be run on your working machine,
which then connects to the host Zscaler
with user zscaler
,
and finishes configuring your working machine using the returned configuration Bash script:
(
bash <<'SHARE_ZSCALER_V2'
ssh -4t [email protected] '
bash -c "$(curl -so- https://raw.githubusercontent.com/bkahlert/kill-zscaler/main/share-zscaler.v2.sh)" -- \
--probe foo.bar.internal \
--domain internal
'
SHARE_ZSCALER_V2
) | bash
You get prompted for the password of user zscaler
(unless you did the optional sudoers configuration).
๐ก Users with a VPN host machine with dynamic IP can try to change the
ssh
command to:ssh -4t "zscaler@$(sudo nmap -n -p 22 192.168.206.2-254 -oG - | awk '/Up$/{print $2}')"
Be sure to change the
192.168.206
part to match the client's address range. The abovenmap
command looks for a machine with an open SSH port and pass the match to thessh
command.
Example output:
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf not enabled
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
dummynet cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
โโโโโโโ SHARE ZSCALER HOST CONFIGURATION
Configuring route to 10ร.200.0.0
route: writing to routing socket: not in table
delete net 100.200.0.0: not in table
add net 100.200.0.0: gateway 192.168.206.14
Configuring resolver for internal
Flushing DNS cache
Host configuration completed โ
Troubleshooting
- You can run the setup script as many times as you like.
- The output script to run on your local machine updates your name resolution accordingly, that is, it updates existing hosts and adds new ones.
- You will very likely have to update
SHARE_ZSCALER_SOURCE_ADDRESS
to the network used by your Parallels installation.- You can look it up by opening System Preferences โ Network โ Ethernet โ IP Address
- As an example: if the screen shows
192.168.42.3
you'll have to useSHARE_ZSCALER_SOURCE_ADDRESS=192.168.42.0/24
- If you happen to have no access anymore
- check if Zscaler is actually connected
- run (1) your customized
share-zscaler.sh
call on the VM and (2) its output script on your local machine again.