Limiting changes to routing table and resolver with vpnc-script(s)

David Woodhouse dwmw2 at infradead.org
Thu Jul 31 11:17:32 PDT 2014


On Thu, 2014-07-31 at 14:02 -0400, Christopher Schultz wrote:
> David,
> 
> (Thanks for the quick reply!)
> 
> On 7/31/14, 1:54 PM, David Woodhouse wrote:
> > On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
> >>
> >> Are there ways to limit what the "standard" vpnc-script will change --
> >> e.g. don't change resolver settings and limit static routes to some
> >> particular host or netmask or something?
> > 
> > One way is to configure the network in advance with a static
> > configuration, then don't let the vpnc-script do *anything*. You can
> > even run openconnect without any privileges then — it just opens the tun
> > device that was previously assigned to the user in question, and
> > sends/receives packets.
> 
> Interesting. That would be good, since I only have a single route to set
> (easy) and it doesn't need to go anywhere else when the VPN isn't
> connected (e.g. it's not some kind of body-snatching route that replaces
> one reachable host with another when the VPN is active).
> 
> In this case, would I just use --script /dev/null to disable the use of
> a vpnc-script entirely?

Right. Or /bin/true if /dev/null doesn't do the right thing.

Start with 'ip tuntap add dev foobar mode tun user $WHOEVER', then
configure it as you see fit, and then you can run openconnect as
$WHOEVER with '--interface foobar --script /bin/true' at your leisure to
make the connection.

The Fedora initscripts do support that kind of thing out of the box and
can automatically set it up for you with a static network configuration.
Not sure about Ubuntu/Debian though.

> > Or you could use a trivial wrapper which sets/unsets the environment
> > variables that vpnc-script uses.
> 
> Yeah, I don't know ... anything about what those variables are for, what
> their content looks like, etc. I decided to ask here before
> instrumenting the script to see what openconnect passes to them.

They're all documented in the start of vpnc-script itself:
http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script

-- 
dwmw2
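The "trivial wrapper" David mentions, written out as an added example (this is not code from the thread or from the vpnc-scripts project). It is meant to be handed to openconnect as `--script /path/to/this-wrapper`: it trims the environment openconnect exports, then execs the real vpnc-script, so the resolver is never touched and only one host is routed over the tunnel. The variable names (`INTERNAL_IP4_DNS`, `INTERNAL_IP6_DNS`, `CISCO_DEF_DOMAIN`, `CISCO_SPLIT_INC*`, `reason`) are the ones the header of vpnc-script documents; `ALLOWED_HOST`, `REAL_SCRIPT` and the address 192.0.2.10 are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread: wrapper for
#   openconnect --script /path/to/this-file ...
# Limits what vpnc-script is allowed to change: no resolver edits, and a
# single /32 route instead of whatever the gateway pushed.
#
# ALLOWED_HOST / REAL_SCRIPT are this example's own knobs (assumptions);
# 192.0.2.10 is a constructed placeholder address.
ALLOWED_HOST="${ALLOWED_HOST:-192.0.2.10}"
REAL_SCRIPT="${REAL_SCRIPT:-/usr/share/vpnc-scripts/vpnc-script}"

# Rewrite the environment in place. It is applied identically for every
# $reason (connect, disconnect, reconnect), so the routes vpnc-script
# removes on disconnect are the same ones it installed on connect.
limit_vpnc_env() {
    # Drop every resolver value the gateway pushed. With these unset,
    # vpnc-script leaves /etc/resolv.conf (or resolvconf/systemd) alone.
    unset INTERNAL_IP4_DNS INTERNAL_IP6_DNS CISCO_DEF_DOMAIN

    # Replace the gateway's split-include list with exactly one host.
    # When CISCO_SPLIT_INC is set, vpnc-script installs only the listed
    # networks (index 0 .. CISCO_SPLIT_INC-1) instead of a default route
    # through the tunnel, so any extra pushed entries are simply ignored.
    CISCO_SPLIT_INC=1
    CISCO_SPLIT_INC_0_ADDR="$ALLOWED_HOST"
    CISCO_SPLIT_INC_0_MASK=255.255.255.255
    CISCO_SPLIT_INC_0_MASKLEN=32
    export CISCO_SPLIT_INC CISCO_SPLIT_INC_0_ADDR \
           CISCO_SPLIT_INC_0_MASK CISCO_SPLIT_INC_0_MASKLEN
}

# Hand off only when openconnect actually invoked us (it sets $reason)
# and the real script is present; sourcing this file for inspection
# therefore changes nothing on the system.
if [ -n "${reason:-}" ] && [ -x "$REAL_SCRIPT" ]; then
    limit_vpnc_env
    exec "$REAL_SCRIPT"
fi
```

To see what would reach the real script without connecting, source the file and call the function with a fake environment, e.g. `INTERNAL_IP4_DNS=198.51.100.1 sh -c '. ./wrapper; limit_vpnc_env; env | grep -E "^(INTERNAL_IP|CISCO_)"'`. Note that this still runs vpnc-script as root; the pre-configured tun device with `--script /bin/true` that David describes above is the option that lets openconnect itself drop privileges entirely.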