Limiting changes to routing table and resolver with vpnc-script(s)

Christopher Schultz chris at christopherschultz.net
Thu Jul 31 11:31:04 PDT 2014


David,

On 7/31/14, 2:17 PM, David Woodhouse wrote:
> On Thu, 2014-07-31 at 14:02 -0400, Christopher Schultz wrote:
>> David,
>>
>> (Thanks for the quick reply!)
>>
>> On 7/31/14, 1:54 PM, David Woodhouse wrote:
>>> On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
>>>>
>>>> Are there ways to limit what the "standard" vpnc-script will change --
>>>> e.g. don't change resolver settings and limit static routes to some
>>>> particular host or netmask or something?
>>>
>>> One way is to configure the network in advance with a static
>>> configuration, then don't let the vpnc-script do *anything*. You can
>>> even run openconnect without any privileges then — it just opens the tun
>>> device that was previously assigned to the user in question, and
>>> sends/receives packets.
>>
>> Interesting. That would be good, since I only have a single route to set
>> (easy) and it doesn't need to go anywhere else when the VPN isn't
>> connected (e.g. it's not some kind of body-snatching route that replaces
>> one reachable host with another when the VPN is active).
>>
>> In this case, would I just use --script /dev/null to disable the use of
>> a vpnc-script entirely?
> 
> Right. Or /bin/true if /dev/null doesn't do the right thing.

It seems that didn't work, but again I'm bumbling through, here.

> Start with 'ip tuntap add dev foobar mode tun user $WHOEVER', then
> configure it as you see fit, and then you can run openconnect as
> $WHOEVER with '--interface foobar --script /bin/true' at your leisure to
> make the connection.

Gotcha. What I ended up doing was writing a simple vpnc-custom script
that uses INTERNAL_IPV4_ADDRESS and TUNDEV and stuff to actually call
ifconfig and route for that single address. It seems to work, but I like
what you have above better, so I'll try that.

> The Fedora initscripts do support that kind of thing out of the box and
> can automatically set it up for you with a static network configuration.
> Not sure about Ubuntu/Debian though.

Yeah, I should be able to persist such things across a reboot.

>>> Or you could use a trivial wrapper which sets/unsets the environment
>>> variables that vpnc-script uses.
>>
>> Yeah, I don't know ... anything about what those variables are for, what
>> their content looks like, etc. I decided to ask here before
>> instrumenting the script to see what openconnect passes to them.
> 
> They're all documented in the start of vpnc-script itself:
> http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script

Yes, they are, but that doesn't mean that I understand what they all do.
;) My vpnc-custom script is dumping those values out when it runs so I
can see what they contain. It's instructive.

Thanks again for your speedy help!
-chris
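The two approaches discussed above (a pre-created tun device with `--script /bin/true`, or a custom vpnc-script that only sets one address and one route) share the same goal: the VPN gateway gets no say over the default route or the resolver. The following is an added example, not code from the thread or from the vpnc-scripts project, of such a restricted replacement script. It uses the variable names documented at the top of vpnc-script (`reason`, `TUNDEV`, `INTERNAL_IP4_ADDRESS`, `INTERNAL_IP4_MTU`; note the spelling `INTERNAL_IP4_ADDRESS`, not `INTERNAL_IPV4_ADDRESS`), plus an assumed `ALLOWED_HOST` variable that you export yourself. Every value is validated before it reaches `sh`, because the address and MTU are supplied by the remote gateway, and the planned commands are returned as text so they can be inspected with `DRY_RUN=1` or, as here, checked without touching any real interface.

```shell
#!/bin/sh
# Added example, not from the thread or the vpnc-scripts project: a minimal
# replacement vpnc-script that only brings up the pre-created tun device,
# assigns the address the gateway handed out, and adds ONE host route.
# It never touches the default route or /etc/resolv.conf, so a gateway that
# pushes extra routes or DNS servers cannot change them.
#
# openconnect exports reason, TUNDEV, INTERNAL_IP4_ADDRESS and INTERNAL_IP4_MTU
# before calling the script (names as documented at the top of vpnc-script).
# ALLOWED_HOST is an assumed variable you set in openconnect's environment.

# Accept only a dotted-quad IPv4 address (rejects empty, junk, extra octets).
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept only a plausible Linux interface name (IFNAMSIZ - 1 = 15 chars).
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Print the ip(8) commands for one phase on stdout; run nothing. Values are
# validated first so nothing the gateway sends can become shell syntax.
# Args: reason tundev local_addr allowed_host [mtu]
plan_commands() {
    reason=$1 dev=$2 addr=$3 host=$4 mtu=$5
    valid_ifname "$dev" || return 1
    valid_ipv4 "$addr" || return 1
    valid_ipv4 "$host" || return 1
    case "$mtu" in *[!0-9]*) return 1 ;; esac
    case "$reason" in
        connect|reconnect)
            echo "ip link set dev $dev up${mtu:+ mtu $mtu}"
            echo "ip addr replace $addr/32 dev $dev"
            echo "ip route replace $host/32 dev $dev"
            ;;
        disconnect)
            echo "ip route del $host/32 dev $dev"
            echo "ip link set dev $dev down"
            ;;
        *)
            # pre-init, attempt-reconnect, ...: the device already exists,
            # nothing to do
            ;;
    esac
    return 0
}

# When invoked by openconnect (reason is set), apply the plan; with DRY_RUN=1
# only print it. Nothing runs when the file is merely sourced.
if [ -n "${reason:-}" ]; then
    cmds=$(plan_commands "$reason" "$TUNDEV" "$INTERNAL_IP4_ADDRESS" \
                         "$ALLOWED_HOST" "$INTERNAL_IP4_MTU") || {
        echo "vpnc-custom: refusing to act on invalid parameters" >&2
        exit 1
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    elif [ -n "$cmds" ]; then
        printf '%s\n' "$cmds" | sh -e
    fi
fi
```

Used as `openconnect --script /path/to/vpnc-custom ...` with `ALLOWED_HOST` exported, the script needs enough privilege to run `ip`; if you instead pre-create the device with `ip tuntap add ... mode tun user $WHOEVER` and configure it statically as suggested above, openconnect can run unprivileged with `--script /bin/true` and this script is not needed at all.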
