Limiting changes to routing table and resolver with vpnc-script(s)

[Christopher Schultz]

David,

On 7/31/14, 2:02 PM, Christopher Schultz wrote:
> David,
> 
> (Thanks for the quick reply!)
> 
> On 7/31/14, 1:54 PM, David Woodhouse wrote:
>> On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
>>>
>>> Are there ways to limit what the "standard" vpnc-script will change --
>>> e.g. don't change resolver settings and limit static routes to some
>>> particular host or netmask or something?
>>
>> One way is to configure the network in advance with a static
>> configuration, then don't let the vpnc-script do *anything*. You can
>> even run openconnect without any privileges then — it just opens the tun
>> device that was previously assigned to the user in question, and
>> sends/receives packets.
> 
> Interesting. That would be good, since I only have a single route to set
> (easy) and it doesn't need to go anywhere else when the VPN isn't
> connected (e.g. it's not some kind of body-snatching route that replaces
> one reachable host with another when the VPN is active).

I tried to set up a route before connecting to the VPN server, but route
doesn't like it if the device doesn't already exist. So, I connected (as
before, with a full route/resolv.conf setup, etc.) and set up the route
for that one particular host, then shut down the VPN. Shutting it down
ended up removing that route as well.

It looks like I might have to write a script that sets up the specific
route after OpenConnect actually connects. That would again require root
access (which I do have, but I'd prefer not to require it is possible).
Am I missing something?

Thanks,
-chris

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 924 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20140731/5d5aa923/attachment.sig>