Limiting changes to routing table and resolver with vpnc-script(s)

Christopher Schultz chris at
Thu Jul 31 11:02:27 PDT 2014


(Thanks for the quick reply!)

On 7/31/14, 1:54 PM, David Woodhouse wrote:
> On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
>> Are there ways to limit what the "standard" vpnc-script will change --
>> e.g. don't change resolver settings and limit static routes to some
>> particular host or netmask or something?
> One way is to configure the network in advance with a static
> configuration, then don't let the vpnc-script do *anything*. You can
> even run openconnect without any privileges then — it just opens the tun
> device that was previously assigned to the user in question, and
> sends/receives packets.

Interesting. That would be good, since I only have a single route to set
(easy) and it doesn't need to go anywhere else when the VPN isn't
connected (e.g. it's not some kind of body-snatching route that replaces
one reachable host with another when the VPN is active).

In this case, would I just use --script /dev/null to disable the use of
a vpnc-script entirely?

> Or you could use a trivial wrapper which sets/unsets the environment
> variables that vpnc-script uses.

Yeah, I don't know ... anything about what those variables are for, what
their content looks like, etc. I decided to ask here before
instrumenting the script to see what openconnect passes to them.

> Like this one, for example (although you'd also want to mess with the
> DNS settings...)
> #!/bin/sh
> MASKS[1]=""
> MASKS[2]=""
> MASKS[3]=""
> MASKS[4]=""
> MASKS[5]=""
> MASKS[6]=""
> MASKS[7]=""
> MASKS[8]=""
> MASKS[9]=""
> MASKS[10]=""
> MASKS[11]=""
> MASKS[12]=""
> MASKS[13]=""
> MASKS[14]=""
> MASKS[15]=""
> MASKS[16]=""
> MASKS[17]=""
> MASKS[18]=""
> MASKS[19]=""
> MASKS[20]=""
> MASKS[21]=""
> MASKS[22]=""
> MASKS[23]=""
> MASKS[24]=""
> MASKS[25]=""
> MASKS[26]=""
> MASKS[27]=""
> MASKS[28]=""
> MASKS[29]=""
> MASKS[30]=""
> MASKS[31]=""
> export CISCO_SPLIT_INC=0
> function addroute()
> {
>     local ROUTE="$1"
>     export CISCO_SPLIT_INC=$((${CISCO_SPLIT_INC}+1))
> }
> for r in $ROUTES; do
>     addroute $r
> done
> exec $0.orig

That's currently all Greek to me. I'll try the no-op vpnc-script with a
pre-configured static route and see how much mileage I can get out of
that. Failing that, I'll dive into munging the routes and masks the VPN
server is trying to force on me.
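As an added example that is not David's script and not part of the thread, here is one shape the wrapper he describes could take: openconnect is pointed at it with --script, it filters the gateway's split-include routes down to an allowlist, unsets the resolver variables, and then execs the stock vpnc-script. The REAL_SCRIPT path and the ALLOWED_ROUTES values are assumptions; the CISCO_SPLIT_INC*, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS, CISCO_DEF_DOMAIN and reason variables are the ones the stock script reads.

```shell
#!/bin/sh
# Added example wrapper (not the stock vpnc-script): point openconnect at it
# with --script; it trims the server-pushed configuration, then execs the
# real script. REAL_SCRIPT path and the ALLOWED_ROUTES values are assumed.
REAL_SCRIPT="${REAL_SCRIPT:-/usr/share/vpnc-scripts/vpnc-script}"
ALLOWED_ROUTES="${ALLOWED_ROUTES:-10.1.2.0/24 10.1.3.7/32}"  # net/prefixlen
# Drop every variable the stock script uses to rewrite the resolver config.
strip_dns_settings() {
    unset INTERNAL_IP4_DNS INTERNAL_IP4_NBNS INTERNAL_IP6_DNS CISCO_DEF_DOMAIN
}

# Keep only the split-include routes that match ALLOWED_ROUTES, renumbered
# from 0 so CISCO_SPLIT_INC_<n>_* stays contiguous. The values come from the
# gateway, so they are read via parameter expansion only, never run as code.
filter_split_routes() {
    in_count="${CISCO_SPLIT_INC:-0}"
    out=0
    i=0
    while [ "$i" -lt "$in_count" ]; do
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR}"
        eval "mask=\${CISCO_SPLIT_INC_${i}_MASK}"
        eval "len=\${CISCO_SPLIT_INC_${i}_MASKLEN}"
        unset "CISCO_SPLIT_INC_${i}_ADDR" "CISCO_SPLIT_INC_${i}_MASK" \
              "CISCO_SPLIT_INC_${i}_MASKLEN"
        for allowed in $ALLOWED_ROUTES; do
            if [ "$addr/$len" = "$allowed" ]; then
                export "CISCO_SPLIT_INC_${out}_ADDR=$addr"
                export "CISCO_SPLIT_INC_${out}_MASK=$mask"
                export "CISCO_SPLIT_INC_${out}_MASKLEN=$len"
                out=$((out + 1))
                break
            fi
        done
        i=$((i + 1))
    done
    export CISCO_SPLIT_INC="$out"
}
# openconnect always sets $reason; when only sourced (tests) nothing below runs.
if [ -n "${reason:-}" ]; then
    strip_dns_settings
    filter_split_routes
    # With no split-include routes left the stock script can fall back to
    # routing everything through the tunnel, so refuse the connect instead.
    if [ "$reason" = connect ] && [ "$CISCO_SPLIT_INC" -eq 0 ]; then
        echo "gateway offered no allowlisted split routes; refusing" >&2
        exit 1
    fi
    exec "$REAL_SCRIPT" "$@"
fi
```

Routes the gateway pushes that are not on the allowlist simply never reach the stock script, and the resolver is left untouched because the variables that drive its resolv.conf rewrite are gone.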
