Routing setup with --script-tun
David Woodhouse
dwmw2 at infradead.org
Mon Dec 3 05:29:41 EST 2012
On Mon, 2012-12-03 at 10:17 +0000, David Edmondson wrote:
> On 2 Dec 2012, at 21:44, David Woodhouse <dwmw2 at infradead.org> wrote:
> > I could contrive a scenario in which your assumption isn't valid — for
> > example if you want stuff to 'just work' regardless of whether you're
> > contacting a machine inside or outside the VPN, and don't want to have
> > to manually enable/disable SOCKS support. A user might want to just
> > configure their software to use SOCKS for everything, and have it the
> > SOCKS proxy do the right thing.
>
> This would imply that the SOCKS server is running when the VPN is
> down. That's not the case with ocproxy. One could chain a normal SOCKS
> proxy in front of ocproxy, of course, but then the configuration that
> you describe would be part of that proxy rather than ocproxy.
Or you run a traditional SOCKS server normally, and kill it when you
bring the VPN up.
Or you can relatively easily configure all your software with a big
switch that turns SOCKS on or off, and do that automatically when the
VPN goes up or down. But not "Use SOCKS for this site, but not for that"
which is harder. Browsers can do that with a PAC script, but not a lot
else.
I'm not necessarily advocating that we should *care* about this
scenario; merely observing that it exists. I'm happy with the behaviour
suggested in Kevin's original email — if someone later wants to add
"split tunnelling" functionality to ocproxy, let them worry about it
then.
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6171 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20121203/49479994/attachment-0001.bin>
More information about the openconnect-devel
mailing list