Instructions on how to share the connection of a Zscaler installed in a virtual machine can be found below.
Killing Zscaler on macOS
Zscaler can be annoying if you're trying to stop it. Despite having administrative rights, usually it asks for a password.
Pick one of the following options to take back control.
Using the App
People who prefer to use apps over command lines, can use
Kill Zscaler.app which is a simple wrapper of the shell script described below.
- Download this repository as an archive.
- Open
Kill Zscaler.appto kill Zscaler. - To use Zscaler again, reboot or open
Start Zscaler.app.
Using a Shell Script
- Open Terminal or whatever terminal you prefer (e.g. iTerm2).
- Type
git clone https://github.com/bkahlert/kill-zscaler.git - Type
cd kill-zscalerto change into the newly cloned repository. - Make sure the scripts are executable by running
chmod +x kill-zscaler.sh start-zscaler.sh - Type
./kill-zscaler.shto kill Zscaler. - To use Zscaler again, reboot or type
./start-zscaler.sh.
Using a Shell
- Open Terminal or whatever terminal you prefer (e.g. iTerm2).
- Type
find /Library/LaunchAgents -name '*zscaler*' -exec launchctl unload {} \;;sudo find /Library/LaunchDaemons -name '*zscaler*' -exec launchctl unload {} \;to kill Zscaler. - To use Zscaler again, reboot or
type
open -a /Applications/Zscaler/Zscaler.app --hide; sudo find /Library/LaunchDaemons -name '*zscaler*' -exec launchctl load {} \;.
Using an Alias
To kill Zscaler by typing kill-zscaler (and to start it with start-zscaler) do the following steps:
- Open the shell initialization file of your shell
- Bash: ~/.bashrc
- ZSH: ~/.zshrc
- For more information aliases, read https://medium.com/@rajsek/zsh-bash-startup-files-loading-order-bashrc-zshrc-etc-e30045652f2e or any other appropriate Google match.
- Add the contents of
kill-zscaler.alias.txtor the following lines to it:alias start-zscaler="open -a /Applications/Zscaler/Zscaler.app --hide; sudo find /Library/LaunchDaemons -name '*zscaler*' -exec launchctl load {} \;" alias kill-zscaler="find /Library/LaunchAgents -name '*zscaler*' -exec launchctl unload {} \;;sudo find /Library/LaunchDaemons -name '*zscaler*' -exec launchctl unload {} \;"
- Open a new shell (or type
source ~/.bashrc/source ~/.zshrc/ β¦ to load your changes) - Type
kill-zscalerto kill Zscaler - To use Zscaler again, reboot or type
start-zscaler.
Sharing Zscaler
To share an existing Zscaler VPN tunnel you can use share-zscaler.v2.sh on the machine with Zscaler installed as follows:
./share-zscaler.sh \
--probe foo.bar.internal \
--domain internal- The script sets up network address translation (NAT) on the VPN client machine
so that its VPN tunnel can be shared.
- The
--propeargument can be any hostname you want to connect to using the VPN tunnel. It's used to determine the connection details of your VPN connection. - The domains specified with one or more
--domainarguments are used to customize the DNS name resolution on your host. This makes your host use your VPN client's name resolution for the specified domains (and sub-domains).
- The
- It prints a configuration script that needs to be run on your host to make it use the just shared tunnel.
If you prefer to have a one-liner without having to download anything you can use the following command at your own risk:
bash -c "$(curl -so- https://raw.githubusercontent.com/bkahlert/kill-zscaler/main/share-zscaler.v2.sh)" -- \
--probe foo.bar.internal \
--domain internalParallels macOS VM
If you only have a macOS client at hand you can set up a virtual macOS machine using Parallels.
- Install Parallels
- Set up a virtual machine
- The following scripts sets up a macOS machine with minimal footprint:
Take the chance to customize the above settings to your requirements.
declare -r PARALLELS=/Applications/Parallels\ Desktop.app declare -r VMDIR=$HOME/Parallels declare -r NAME=Zscaler curl -LfSo "$VMDIR/macOS.ipsw" "$("$PARALLELS"/Contents/MacOS/prl_macvm_create --getipswurl)" "$PARALLELS"/Contents/MacOS/prl_macvm_create "$VMDIR/macOS.ipsw" "$VMDIR/$NAME.macvm" --disksize 40000000000 cat <<CONFIG >"$VMDIR/$NAME.macvm/config.ini" [Hardware] vCPU.Count=1 Memory.Size=2147483648 Display.Width=1920 Display.Height=1080 Display.DPI=96 Sound.Enabled=0 Network.Type=1 CONFIG open "$VMDIR" open -a "$PARALLELS" "$VMDIR/$NAME.macvm"
At the time of writing, the disk size cannot be altered later.
40GB disk space (see--disksizeargument) are recommended.
32GB disk space are the bare minimum. - Create a macOS user
- Install Parallels Tools and reboot
- Install Zscaler
- Login
- The following scripts sets up a macOS machine with minimal footprint:
- Establish connection
- Start Zscaler (if not already running)
- Run share-zscaler.sh
- Use connection
- On your local machine open a terminal
- Paste the host configuration script (that was printed in the previous step) in the terminal and run it
You can now connect to all hosts you listed in step 2 π
Optionally, you can set the name of your VM in
- System Preferences β Network β Ethernet β Advanced... β WINS β NetBIOS Name
- System Preferences β Sharing β Computer Name
Remote Execution
This section describes the necessary steps to run share-zscaler.v2.sh on your
local machine instead of the virtual Zscaler machine using SSH.
Preparation
On your virtual machine
- Activate SSH by checking System Preferences β Sharing β Remote Login
- Optionally extend your sudoers so that you may run
sysctlandpfctlwithout having to enter your password:( echo "$(whoami) ALL=NOPASSWD: /usr/sbin/sysctl *" echo "$(whoami) ALL=NOPASSWD: /sbin/pfctl *" ) | sudo tee /etc/sudoers.d/zscaler
- Optionally prepare a script with the following contents to lock your screen
and run it on login via System Preferences β Choose your user β Login items β + β Select your lock screen script
cat << 'LOCK_SCREEN' > ~/Desktop/lock-screen #!/bin/bash osascript -e 'tell application "System Events" to keystroke "q" using {command down,control down}' LOCK_SCREEN chmod +x ~/Desktop/lock-screen
Don't forget to make it executable usingchmod +xand to run it once to provide it with sufficient permissions. - If the IP of your VPN client machine is dynamic and you can't reliably resolve its IP, a workaround can be to install GeekTool and display the output of
ipconfig getifaddr en0in a script Geeklet. At least you now find out the current IP easily.
On your local machine
- Create an SSH key or use an existing one
- Copy the public key of your just created key pair to your Zscaler machine:
This snippet assumes that your Zscaler host has the name
ssh-copy-id -i ~/.ssh/id_rsa [email protected]
Zscalerand your user account on that machine iszscaler. - Check if you can log in:
If the output shows the environment variables of your Zscaler host, all is fine.
ssh [email protected] printenv
Execution
The following command needs to be run on your working machine,
which then connects to the host Zscaler with user zscaler,
and finishes configuring your working machine using the returned configuration Bash script:
(
bash <<'SHARE_ZSCALER_V2'
ssh -4t [email protected] '
bash -c "$(curl -so- https://raw.githubusercontent.com/bkahlert/kill-zscaler/main/share-zscaler.v2.sh)" -- \
--probe foo.bar.internal \
--domain internal
'
SHARE_ZSCALER_V2
) | bashYou get prompted for the password of user zscaler (unless you did the optional sudoers configuration).
π‘ Users with a VPN host machine with dynamic IP can try to change the
sshcommand to:ssh -4t "zscaler@$(sudo nmap -n -p 22 192.168.206.2-254 -oG - | awk '/Up$/{print $2}')"Be sure to change the
192.168.206part to match the client's address range. The abovenmapcommand looks for a machine with an open SSH port and pass the match to thesshcommand.
Example output:
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf not enabled
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
dummynet cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
βββββββ SHARE ZSCALER HOST CONFIGURATION
Configuring route to 10Γ.200.0.0
route: writing to routing socket: not in table
delete net 100.200.0.0: not in table
add net 100.200.0.0: gateway 192.168.206.14
Configuring resolver for internal
Flushing DNS cache
Host configuration completed β
Troubleshooting
- You can run the setup script as many times as you like.
- The output script to run on your local machine updates your name resolution accordingly, that is, it updates existing hosts and adds new ones.
- You will very likely have to update
SHARE_ZSCALER_SOURCE_ADDRESSto the network used by your Parallels installation.- You can look it up by opening System Preferences β Network β Ethernet β IP Address
- As an example: if the screen shows
192.168.42.3you'll have to useSHARE_ZSCALER_SOURCE_ADDRESS=192.168.42.0/24
- If you happen to have no access anymore
- check if Zscaler is actually connected
- run (1) your customized
share-zscaler.shcall on the VM and (2) its output script on your local machine again.