Pass radius attributes to connect-script

curiousemeric at curiousemeric at
Fri Oct 7 01:49:31 PDT 2016

2016-10-07 09:18 keltezéssel, Nikos Mavrogiannopoulos írta:
>> My plan is to add the /32 route to the loopback interface so the running
>> dynamic routing daemon can pick it up,
>>      ip route add $FRAMEDIP/ dev lo
>> Then do something like this
>>      iptables -t nat -I POSTROUTING -s $IP_REMOTE -j SNAT --to $FRAMEDIP
> I see now that you distinguish between IP_REMOTE and FRAMEDIP, why is
> that? ocserv should have assigned the framedip received from radius as
> the remote IP.
Thank you for answering!

Sorry if I was vague on the details, but let me be more elaborate:
The university has an ipv4 /16 allocated for it. Say 
(which is obviously not a part of rfc1918 and not the real subnet either).
The vpn users get their ip addresses from 3 /24 pools, and
Currently all of these routes are advertised with their full /24 on the 
old (but still staying) vpn server. This can't be changed.
However if we advertise only the /32 address that the client has, then
it will be favored over the /24 group. (smallest match)
So I decided to do 1:1 NAT for the users; they get an unrouted address and that gets NATed over their original address.


PS: the above pools are about 70% used up and we have a daily of 200-300 
vpn users and usually peaks out at 500.

More information about the openconnect-devel mailing list
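The scheme above (a /32 on the loopback for the routing daemon plus a NAT mapping between the pool address and the public one) fits naturally into an ocserv connect-script/disconnect-script. The script below is an added example, not code from the poster or from the ocserv project. It assumes ocserv exports REASON ("connect" or "disconnect") and IP_REMOTE as it does for connect scripts, and it assumes a hypothetical FRAMEDIP variable carrying the RADIUS Framed-IP-Address, which is what the post is asking for. It goes slightly beyond the post by also adding a DNAT rule so the mapping is 1:1 in both directions, and by tearing everything down on disconnect. Because the address comes from RADIUS rather than from the local config, it is validated as a plain dotted quad before it is ever placed on a command line; DRY_RUN=1 prints the commands instead of running them so the logic can be exercised without root. The pool and public addresses used in the usage comments are constructed sample values.

```shell
#!/bin/sh
# Hypothetical ocserv connect-script / disconnect-script for the 1:1 NAT
# scheme from the post (added example, not from ocserv or the poster).
# Assumed environment: REASON, IP_REMOTE (set by ocserv) and FRAMEDIP
# (assumed RADIUS Framed-IP-Address). DRY_RUN=1 echoes commands instead of
# executing them.

# Accept only a plain dotted-quad IPv4 address. Empty values, CIDR suffixes,
# stray dots and shell metacharacters are all rejected, so a RADIUS-supplied
# value cannot smuggle extra arguments into ip/iptables.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Per-session actions. Returns 2 on a malformed address and 3 on an unknown
# reason, so ocserv sees a failure instead of a silently skipped NAT setup.
session_nat() {
    reason=$1 remote=$2 framed=$3
    valid_ipv4 "$remote" && valid_ipv4 "$framed" || return 2
    case "$reason" in
        connect)
            # /32 on lo so the dynamic routing daemon picks it up and the
            # host route wins over the old server's /24 advertisements.
            run ip route add "$framed/32" dev lo
            # 1:1 NAT: pool address <-> public address in both directions.
            run iptables -t nat -I POSTROUTING -s "$remote" -j SNAT --to-source "$framed"
            run iptables -t nat -I PREROUTING -d "$framed" -j DNAT --to-destination "$remote"
            ;;
        disconnect)
            # Tear down in reverse order so no stale mapping outlives the session.
            run iptables -t nat -D PREROUTING -d "$framed" -j DNAT --to-destination "$remote"
            run iptables -t nat -D POSTROUTING -s "$remote" -j SNAT --to-source "$framed"
            run ip route del "$framed/32" dev lo
            ;;
        *) return 3 ;;
    esac
}

# Entry point when ocserv invokes the script, e.g. (constructed values)
#   REASON=connect IP_REMOTE=10.255.0.7 FRAMEDIP=192.0.2.10 DRY_RUN=1 ./nat.sh
if [ -n "${REASON:-}" ]; then
    session_nat "$REASON" "$IP_REMOTE" "$FRAMEDIP"
fi
```

Point both `connect-script` and `disconnect-script` in ocserv.conf at the same file; the REASON variable selects the branch. Running the disconnect branch even when the connect branch partly failed is deliberate, since a leftover SNAT rule would keep rewriting a pool address that has since been handed to a different user.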