Pass radius attributes to connect-script

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Fri Oct 7 00:18:24 PDT 2016

On Thu, Oct 6, 2016 at 5:37 PM,  <curiousemeric at> wrote:
> Hi,
> We at the university (which cannot be named) would like to deploy a new vpn
> solution next to our existing one.
> I know this sounds crazy, but all of our users have real globally route-able
> ipv4 vpn addresses.
> This is for historical and licensing reasons.
> The current l2tp/ipsec vpn uses /32 routes and addresses which it receives
> from a radius server.
> Now as far as i know the tun/tap device can at minimum use /30 routes. (for
> windows compability).
> What I would like to ask; Is there a way for the "up" and "down" script to
> get the framed-ip-address sent by radius?

I assume that you are talking how to use ocserv in that setup, right?
The radius variables are not passed directly to the up/down script.
However, the ocserv translated ones such as IP_REMOTE should contain
the actual value.

> My plan is to add the /32 route to the loopback interface so the running
> dynamic routing daemon can pick it up,
>     ip route add $FRAMEDIP/ dev lo
> Then do something like this
>     iptables -t nat -I POSTROUTING -s $IP_REMOTE -j SNAT --to $FRAMEDIP

I see now that you distinguish between IP_REMOTE and FRAMEDIP, why is
that? ocserv should have assigned the framedip received from radius as
the remote IP.


More information about the openconnect-devel mailing list