Limiting changes to routing table and resolver with vpnc-script(s)

David Woodhouse dwmw2 at infradead.org
Thu Jul 31 10:54:29 PDT 2014


On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
> 
> Are there ways to limit what the "standard" vpnc-script will change --
> e.g. don't change resolver settings and limit static routes to some
> particular host or netmask or something?

One way is to configure the network in advance with a static
configuration, then don't let the vpnc-script do *anything*. You can
even run openconnect without any privileges then — it just opens the tun
device that was previously assigned to the user in question, and
sends/receives packets.

Or you could use a trivial wrapper which sets/unsets the environment
variables that vpnc-script uses.

Like this one, for example (although you'd also want to mess with the
DNS settings...)

#!/bin/bash
# Wrapper installed in place of vpnc-script; the real script is renamed to
# vpnc-script.orig and exec'd at the end. bash rather than sh: the MASKS
# array and the "function" keyword are bashisms.

# Routes handed to the real vpnc-script, replacing whatever the server sent.
ROUTES="10.0.0.0/8 172.16.0.0/12 192.168.21.0/24 192.168.65.0/24"

# Dotted-quad netmask for each prefix length; vpnc-script expects both forms.
MASKS[1]="128.0.0.0"
MASKS[2]="192.0.0.0"
MASKS[3]="224.0.0.0"
MASKS[4]="240.0.0.0"
MASKS[5]="248.0.0.0"
MASKS[6]="252.0.0.0"
MASKS[7]="254.0.0.0"
MASKS[8]="255.0.0.0"
MASKS[9]="255.128.0.0"
MASKS[10]="255.192.0.0"
MASKS[11]="255.224.0.0"
MASKS[12]="255.240.0.0"
MASKS[13]="255.248.0.0"
MASKS[14]="255.252.0.0"
MASKS[15]="255.254.0.0"
MASKS[16]="255.255.0.0"
MASKS[17]="255.255.128.0"
MASKS[18]="255.255.192.0"
MASKS[19]="255.255.224.0"
MASKS[20]="255.255.240.0"
MASKS[21]="255.255.248.0"
MASKS[22]="255.255.252.0"
MASKS[23]="255.255.254.0"
MASKS[24]="255.255.255.0"
MASKS[25]="255.255.255.128"
MASKS[26]="255.255.255.192"
MASKS[27]="255.255.255.224"
MASKS[28]="255.255.255.240"
MASKS[29]="255.255.255.248"
MASKS[30]="255.255.255.252"
MASKS[31]="255.255.255.254"
MASKS[32]="255.255.255.255"

# Start from an empty split-include list. vpnc-script reads CISCO_SPLIT_INC as
# the number of entries and CISCO_SPLIT_INC_<n>_{ADDR,MASK,MASKLEN} for each.
export CISCO_SPLIT_INC=0

# addroute 10.0.0.0/8: append one entry to the split-include list.
function addroute()
{
    local ROUTE="$1"
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=${ROUTE%%/*}
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=${ROUTE##*/}
    export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=${MASKS[${ROUTE##*/}]}
    export CISCO_SPLIT_INC=$((${CISCO_SPLIT_INC}+1))
}

for r in $ROUTES; do
    addroute "$r"
done

# Hand over to the real vpnc-script. The DNS variables (INTERNAL_IP4_DNS,
# CISCO_DEF_DOMAIN, ...) are passed through untouched by this wrapper.
exec "$0.orig"


-- 
dwmw2
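As an added example (not from the original post and not openconnect's own code), here is a wrapper that does the other half of what was asked: instead of replacing the server's route list, it keeps only those pushed split-include routes that fall inside an allowlist, and it unsets the resolver variables so the real vpnc-script has nothing to write into the resolver configuration. It assumes the same layout as the wrapper above (this file installed as vpnc-script, the real one renamed to "$0.orig"); ALLOWED_PREFIXES is an assumed knob of this example, not a vpnc-script variable, and the filter relies on CISCO_SPLIT_INC_<n>_MASKLEN being present, which openconnect sets. It is written in POSIX sh so it runs under dash as well as bash.

```shell
#!/bin/sh
# Added example vpnc-script wrapper: allowlist the server-pushed split-include
# routes and drop the resolver variables before exec'ing the real script.
# Assumed: this file is installed as vpnc-script, the real one is "$0.orig".

# Only routes inside one of these prefixes survive (assumed knob of this example).
ALLOWED_PREFIXES="${ALLOWED_PREFIXES:-10.0.0.0/8 192.168.21.0/24}"

# ip2int 10.1.2.3 -> 167838211  (dotted quad to integer, plain sh)
ip2int() {
    local a b c d rest
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix_contains OUTER INNER (both addr/len): succeed if INNER lies within OUTER.
prefix_contains() {
    local outer_addr outer_len inner_addr inner_len mask
    outer_addr=${1%%/*}; outer_len=${1##*/}
    inner_addr=${2%%/*}; inner_len=${2##*/}
    [ "$inner_len" -ge "$outer_len" ] || return 1
    [ "$outer_len" -eq 0 ] && return 0            # 0.0.0.0/0 covers everything
    mask=$(( 4294967295 - ((1 << (32 - outer_len)) - 1) ))
    [ $(( $(ip2int "$outer_addr") & mask )) -eq $(( $(ip2int "$inner_addr") & mask )) ]
}

# route_allowed ADDR/LEN: succeed if some allowlisted prefix covers the route.
route_allowed() {
    local p
    for p in $ALLOWED_PREFIXES; do
        prefix_contains "$p" "$1" && return 0
    done
    return 1
}

# filter_routes: compact CISCO_SPLIT_INC_<n>_{ADDR,MASK,MASKLEN} down to the
# allowed entries and set CISCO_SPLIT_INC (the entry count) to match.
filter_routes() {
    local n i kept addr mask len
    n=${CISCO_SPLIT_INC:-0}; i=0; kept=0
    while [ "$i" -lt "$n" ]; do
        eval "addr=\$CISCO_SPLIT_INC_${i}_ADDR; mask=\$CISCO_SPLIT_INC_${i}_MASK; len=\$CISCO_SPLIT_INC_${i}_MASKLEN"
        if route_allowed "$addr/$len"; then
            # kept <= i, so writing slot $kept never clobbers an unread entry
            export "CISCO_SPLIT_INC_${kept}_ADDR=$addr" \
                   "CISCO_SPLIT_INC_${kept}_MASK=$mask" \
                   "CISCO_SPLIT_INC_${kept}_MASKLEN=$len"
            kept=$((kept + 1))
        else
            echo "vpnc-script wrapper: dropping pushed route $addr/$len" >&2
        fi
        i=$((i + 1))
    done
    # clear the now-unused tail of the list
    i=$kept
    while [ "$i" -lt "$n" ]; do
        unset "CISCO_SPLIT_INC_${i}_ADDR" "CISCO_SPLIT_INC_${i}_MASK" "CISCO_SPLIT_INC_${i}_MASKLEN"
        i=$((i + 1))
    done
    export CISCO_SPLIT_INC=$kept
}

# drop_dns: with these unset, vpnc-script leaves the resolver alone.
drop_dns() {
    unset INTERNAL_IP4_DNS INTERNAL_IP6_DNS CISCO_DEF_DOMAIN
}

# openconnect exports $reason (connect, disconnect, ...) whenever it runs the
# script; only then filter the environment and hand over to the real vpnc-script.
if [ -n "${reason:-}" ]; then
    filter_routes
    drop_dns
    exec "$0.orig"
fi
```

Because the filter is a pure function of the pushed list, the disconnect run sees the same trimmed list and removes exactly the routes the connect run added. Note that the wrapper leaves CISCO_SPLIT_INC set even when every pushed route was dropped; what the vpnc-script you have does with an empty list (no routes, or a default route through the tunnel) depends on the version, so check with `ip route` after the first connect.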