Limiting changes to routing table and resolver with vpnc-script(s)
Christopher Schultz
chris at christopherschultz.net
Thu Jul 31 10:42:42 PDT 2014
Hello!
I've just begun using OpenConnect from a Linux server and I have to
admit that I was pleasantly surprised that I got things up and running
so quickly. As a programmer and not a network engineer, it was easy to
get lost in the sea of FooSwan and BarSwan the last time I tried to
figure out how to connect to a remote VPN. My customer using Cisco
AnyConnect gave me some new avenues to try to "just get connected". You
have done great work, here, and I thank you.
What is frustrating, though, is that vpnc-script ends up setting-up all
of the routes that are suggested by the VPN server. As it happens, I
need to contact exactly one port on one host via the VPN, and I don't
need DNS or anything like that, so I was hoping there was a way to limit
the amount of routing and resolver "damage" that the VPN server's
laundry list of routes would do.
I did notice that there is a vpnc-script-ssh and the documentation
sounds encouraging: use that script instead and then you can use ssh
tunnels and such to poke individual connections through the VPN
connection. Yay! Unfortunately, when I use vpnc-script-ssh, I get an
error saying that the netns command is failing possible due to missing
kernel support.
Here's my kernel info:
Linux dev.chadis.com 2.6.32-312-ec2 #24-Ubuntu SMP Fri Jan 7 18:30:50
UTC 2011 x86_64 GNU/Linux
This is on Debian Wheezy (current stable), and I built OpenConnect from
source rather than install the Debian package which has something like
10,000 dependent packages including Gnome Streaming Media Framework and
a whole bunch of other utter garbage. The build went well after
installing some -dev packages and everything else seems to be working
just fine.
The vpnc-scripts have indeed come from the Debian package repository so
I would imagine that they have been customized if necessary for my local
environment.
If I run "ip netns list" or "ip netns monitor", I don't get any errors.
"list" gives no output and "monitor" just sits there, presumably
monitoring :)
Any ideas of what might be the problem with netns for me?
Are there ways to limit what the "standard" vpnc-script will change --
e.g. don't change resolver settings and limit static routes to some
particular host or netmask or something?
Thanks very much,
-chris
More information about the openconnect-devel
mailing list