Pass radius attributes to connect-script

curiousemeric at curiousemeric at
Thu Oct 6 08:37:21 PDT 2016


We at the university (which cannot be named) would like to deploy a new 
vpn solution next to our existing one.
I know this sounds crazy, but all of our users have real globally 
route-able ipv4 vpn addresses.
This is for historical and licensing reasons.

The current l2tp/ipsec vpn uses /32 routes and addresses which it 
receives from a radius server.
Now as far as i know the tun/tap device can at minimum use /30 routes. 
(for windows compability).

What I would like to ask; Is there a way for the "up" and "down" script 
to get the framed-ip-address sent by radius?

My plan is to add the /32 route to the loopback interface so the running 
dynamic routing daemon can pick it up,
     ip route add $FRAMEDIP/ dev lo
Then do something like this
     iptables -t nat -I POSTROUTING -s $IP_REMOTE -j SNAT --to $FRAMEDIP


I remember in the golden days pppd with radiusclient stored attribute 
files for logged in users in /var/run/ppp<num>.attr files,
but radcli doesn't.

More information about the openconnect-devel mailing list