Limiting changes to routing table and resolver with vpnc-script(s)

Christopher Schultz chris at christopherschultz.net
Thu Jul 31 11:02:27 PDT 2014


David,

(Thanks for the quick reply!)

On 7/31/14, 1:54 PM, David Woodhouse wrote:
> On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
>>
>> Are there ways to limit what the "standard" vpnc-script will change --
>> e.g. don't change resolver settings and limit static routes to some
>> particular host or netmask or something?
> 
> One way is to configure the network in advance with a static
> configuration, then don't let the vpnc-script do *anything*. You can
> even run openconnect without any privileges then — it just opens the tun
> device that was previously assigned to the user in question, and
> sends/receives packets.

Interesting. That would be good, since I only have a single route to set
(easy) and it doesn't need to go anywhere else when the VPN isn't
connected (e.g. it's not some kind of body-snatching route that replaces
one reachable host with another when the VPN is active).

In this case, would I just use --script /dev/null to disable the use of
a vpnc-script entirely?

> Or you could use a trivial wrapper which sets/unsets the environment
> variables that vpnc-script uses.

Yeah, I don't know ... anything about what those variables are for, what
their content looks like, etc. I decided to ask here before
instrumenting the script to see what openconnect passes to them.

> Like this one, for example (although you'd also want to mess with the
> DNS settings...)
> 
> #!/bin/bash
> # bash, not sh: the script below relies on arrays and the "function" keyword
> 
> ROUTES="10.0.0.0/8 172.16.0.0/12 192.168.21.0/24 192.168.65.0/24"
> 
> MASKS[1]="128.0.0.0"
> MASKS[2]="192.0.0.0"
> MASKS[3]="224.0.0.0"
> MASKS[4]="240.0.0.0"
> MASKS[5]="248.0.0.0"
> MASKS[6]="252.0.0.0"
> MASKS[7]="254.0.0.0"
> MASKS[8]="255.0.0.0"
> MASKS[9]="255.128.0.0"
> MASKS[10]="255.192.0.0"
> MASKS[11]="255.224.0.0"
> MASKS[12]="255.240.0.0"
> MASKS[13]="255.248.0.0"
> MASKS[14]="255.252.0.0"
> MASKS[15]="255.254.0.0"
> MASKS[16]="255.255.0.0"
> MASKS[17]="255.255.128.0"
> MASKS[18]="255.255.192.0"
> MASKS[19]="255.255.224.0"
> MASKS[20]="255.255.240.0"
> MASKS[21]="255.255.248.0"
> MASKS[22]="255.255.252.0"
> MASKS[23]="255.255.254.0"
> MASKS[24]="255.255.255.0"
> MASKS[25]="255.255.255.128"
> MASKS[26]="255.255.255.192"
> MASKS[27]="255.255.255.224"
> MASKS[28]="255.255.255.240"
> MASKS[29]="255.255.255.248"
> MASKS[30]="255.255.255.252"
> MASKS[31]="255.255.255.254"
> MASKS[32]="255.255.255.255"
> 
> export CISCO_SPLIT_INC=0
> 
> function addroute()
> {
>     local ROUTE="$1"
>     export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=${ROUTE%%/*}
>     export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=${ROUTE##*/}
>     export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=${MASKS[${ROUTE##*/}]}
>     export CISCO_SPLIT_INC=$((${CISCO_SPLIT_INC}+1))
> }
> 
> for r in $ROUTES; do
>     addroute $r
> done
> 
> # hand over to the real vpnc-script, renamed alongside this wrapper
> exec "$0.orig"

That's currently all Greek to me. I'll try the no-op vpnc-script with a
pre-configured static route and see how much mileage I can get out of
that. Failing that, I'll dive into munging the routes and masks the VPN
server is trying to force on me.

Thanks!

-chris

The wrapper approach described in the quoted reply, as an added example that is not part of this thread or of the vpnc-script project: it replaces the server-pushed split-include list with a local allow-list, unsets the resolver variables so /etc/resolv.conf is left alone, and computes the dotted netmask from the prefix length for any /0 to /32 instead of using a lookup table. The allow-list, the real script's location (VPNC_REAL_SCRIPT, default /etc/vpnc/vpnc-script) and the DNS variable names INTERNAL_IP4_DNS, INTERNAL_IP6_DNS and CISCO_DEF_DOMAIN are assumptions; invoked by hand (without openconnect's `reason` variable) it only prints what it would export.

```shell
#!/bin/sh
# Installed in place of vpnc-script (hypothetical); openconnect runs it with the
# server-pushed settings in the environment. We override the split-include list,
# drop the resolver settings, then hand over to the real vpnc-script.
ALLOWED_ROUTES="${ALLOWED_ROUTES:-10.0.0.0/8 192.168.21.0/24}"  # constructed sample
REAL_SCRIPT="${VPNC_REAL_SCRIPT:-/etc/vpnc/vpnc-script}"        # assumed location

# Dotted-quad netmask for a prefix length 0..32 (replaces the MASKS table).
prefix_to_mask() {
    local len="$1" mask="" i=0 bits octet
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    while [ "$i" -lt 4 ]; do
        bits=$(( len - i * 8 ))               # host bits left for this octet
        if   [ "$bits" -ge 8 ]; then octet=255
        elif [ "$bits" -le 0 ]; then octet=0
        else octet=$(( 256 - (1 << (8 - bits)) ))
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# Export CISCO_SPLIT_INC_<n>_{ADDR,MASK,MASKLEN} for each "addr/len"; a bare
# address becomes a /32 host route. Rejects malformed entries instead of
# exporting an empty mask.
set_split_includes() {
    local n=0 route addr len mask
    for route in $1; do
        addr="${route%%/*}"
        if [ "$addr" = "$route" ]; then len=32; else len="${route##*/}"; fi
        mask=$(prefix_to_mask "$len") || { echo "bad route: $route" >&2; return 1; }
        export "CISCO_SPLIT_INC_${n}_ADDR=$addr"
        export "CISCO_SPLIT_INC_${n}_MASKLEN=$len"
        export "CISCO_SPLIT_INC_${n}_MASK=$mask"
        n=$(( n + 1 ))
    done
    export CISCO_SPLIT_INC="$n"
}

# Resolver is only rewritten when these are set (assumed variable names).
unset INTERNAL_IP4_DNS INTERNAL_IP6_DNS CISCO_DEF_DOMAIN
set_split_includes "$ALLOWED_ROUTES" || exit 1

if [ -n "${reason:-}" ]; then          # openconnect sets $reason: real run
    exec "$REAL_SCRIPT"
fi
env | grep '^CISCO_SPLIT_INC' | sort   # dry run when invoked by hand
```
<test>
set -e
[ "$(prefix_to_mask 8)" = "255.0.0.0" ] || exit 1
[ "$(prefix_to_mask 12)" = "255.240.0.0" ] || exit 1
[ "$(prefix_to_mask 24)" = "255.255.255.0" ] || exit 1
[ "$(prefix_to_mask 31)" = "255.255.255.254" ] || exit 1
[ "$(prefix_to_mask 0)" = "0.0.0.0" ] || exit 1
[ "$(prefix_to_mask 32)" = "255.255.255.255" ] || exit 1
! prefix_to_mask 33 >/dev/null || exit 1
! prefix_to_mask abc >/dev/null || exit 1
set_split_includes "172.16.0.0/12 192.168.65.10"
[ "$CISCO_SPLIT_INC" = "2" ] || exit 1
[ "$CISCO_SPLIT_INC_0_ADDR" = "172.16.0.0" ] || exit 1
[ "$CISCO_SPLIT_INC_0_MASKLEN" = "12" ] || exit 1
[ "$CISCO_SPLIT_INC_0_MASK" = "255.240.0.0" ] || exit 1
[ "$CISCO_SPLIT_INC_1_ADDR" = "192.168.65.10" ] || exit 1
[ "$CISCO_SPLIT_INC_1_MASKLEN" = "32" ] || exit 1
[ "$CISCO_SPLIT_INC_1_MASK" = "255.255.255.255" ] || exit 1
! set_split_includes "10.0.0.0/40" 2>/dev/null || exit 1
[ -z "${INTERNAL_IP4_DNS:-}" ] || exit 1
</test>


