Pass radius attributes to connect-script
curiousemeric at rotacioskapa.com
Fri Oct 7 01:49:31 PDT 2016
On 2016-10-07 09:18, Nikos Mavrogiannopoulos wrote:
>> My plan is to add the /32 route to the loopback interface so the running
>> dynamic routing daemon can pick it up,
>> ip route add $FRAMEDIP/255.255.255.255 dev lo
>> Then do something like this
>> iptables -t nat -I POSTROUTING -s $IP_REMOTE -j SNAT --to $FRAMEDIP
> I see now that you distinguish between IP_REMOTE and FRAMEDIP, why is
> that? ocserv should have assigned the framedip received from radius as
> the remote IP.
Thank you for answering!
Sorry if I was vague on the details, but let me be more elaborate:
The university has an IPv4 /16 allocated to it. Say 111.191.0.0/16
(which is obviously not a part of RFC 1918 and not the real subnet either).
The VPN users get their IP addresses from 3 /24 pools: 111.191.88.0/24,
111.191.110.0/24 and 111.191.240.0/24.
Currently all of these routes are advertised with their full /24 on the
old (but still staying) VPN server. This can't be changed.
However, if we advertise only the /32 address that the client has, then
it will be favored over the /24 group (smallest match).
So I decided to do 1:1 NAT for the users; they get an unrouted
172.16.0.0/21 address and that gets NATed over their original address.
regards
Emeric
PS: the above pools are about 70% used up, and we have 200-300 VPN users
daily, usually peaking at around 500.
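The connect-script flow sketched in the quoted message (a /32 on the loopback so the routing daemon picks it up, then SNAT from the tunnel address to the RADIUS-assigned address), written out as an added example. This is not code from the thread or from the ocserv project. It assumes ocserv's real `REASON` and `IP_REMOTE` environment variables and a hypothetical `FRAMEDIP` variable carrying the RADIUS Framed-IP-Address (the thing this thread asks to have passed through). The DNAT rule is an assumption that goes beyond the message: it makes the mapping true 1:1 so that new inbound connections to the framed address reach the client; drop it if only outbound traffic needs the public address. Both addresses are validated as dotted quads before they reach a command line, since the framed address originates in a RADIUS attribute and should not be trusted blindly. The sample addresses in the test are constructed from the pools the message names.

```sh
#!/bin/sh
# Added example (not from the original thread or from ocserv):
# an ocserv connect/disconnect script implementing the 1:1 NAT described above.
# ocserv sets REASON ("connect"/"disconnect") and IP_REMOTE (the tunnel IP
# assigned to the client). FRAMEDIP is hypothetical: the RADIUS
# Framed-IP-Address the thread asks to have passed into the script.
# Set DRY_RUN=1 to print the commands instead of executing them.

# Dotted-quad sanity check, so a malformed or hostile attribute value
# cannot be spliced into an ip/iptables command line.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit one command per line for the given event.
# $1 = reason, $2 = tunnel (unrouted) address, $3 = RADIUS framed address.
# Teardown reverses the order used at setup.
nat_commands() {
    reason=$1; remote=$2; framed=$3
    is_ipv4 "$remote" && is_ipv4 "$framed" || return 1
    case "$reason" in
        connect)
            printf '%s\n' \
                "ip route add $framed/32 dev lo" \
                "iptables -t nat -I POSTROUTING -s $remote -j SNAT --to-source $framed" \
                "iptables -t nat -I PREROUTING -d $framed -j DNAT --to-destination $remote"
            ;;
        disconnect)
            printf '%s\n' \
                "iptables -t nat -D PREROUTING -d $framed -j DNAT --to-destination $remote" \
                "iptables -t nat -D POSTROUTING -s $remote -j SNAT --to-source $framed" \
                "ip route del $framed/32 dev lo"
            ;;
        *)
            return 1
            ;;
    esac
}

# Run (or, with DRY_RUN=1, print) the commands; keep going on a failed
# teardown step so a stale rule does not leave the route in place as well.
apply_nat() {
    nat_commands "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || echo "connect-script: failed: $cmd" >&2
        fi
    done
}

# Only act when invoked by ocserv (REASON is set); sourcing the file does nothing.
if [ -n "$REASON" ]; then
    apply_nat "$REASON" "$IP_REMOTE" "$FRAMEDIP"
fi
```

Point ocserv at the file with `connect-script` and `disconnect-script` in ocserv.conf; a quick dry run is `REASON=connect IP_REMOTE=172.16.0.5 FRAMEDIP=111.191.88.7 DRY_RUN=1 sh connect.sh`. Because the /32 route is added to `lo`, the routing daemon redistributing connected or kernel routes will announce it, which is what makes the longer prefix win over the /24 still advertised by the old server.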