openconnect and ifup on Debian 8

David Woodhouse dwmw2 at infradead.org
Mon Aug 14 05:04:32 PDT 2017


On Thu, 2017-07-20 at 12:04 +0200, Olaf Klinke wrote:
> 
> I have a shell script which is referenced by /etc/network/interfaces so
> that I can open a connection with ifup:
> 
> # /etc/network/interfaces
> iface myvpn0 inet manual
>         up /root/my-vpn.sh up
>         down /root/my-vpn.sh down
>         post-up /root/my-vpn.sh configure
> 
> The "up" part of the script starts openconnect with the proper
> credentials, the "down" part sends SIGINT to the openconnect process and
> the "configure" part alters the routes, which I believe are
> ill-specified by the Cisco server. 
> 
> Now here's the catch: The server will terminate the connection when
> there is no traffic for 15 minutes. 
> 
> # openconnect output
> Received server disconnect: b0 'Idle Timeout'
> Send BYE packet: Server request
> RTNETLINK answers: No such process
> RTNETLINK answers: No such process
> RTNETLINK answers: No such process
> Session terminated by server; exiting.
> 
> In that case, openconnect exits but ifup still thinks that myvpn0 is
> configured. I need the connection to stay open no matter what, or
> re-open from userspace. 
> 
> I have a script keepalive.py that sends some packets across the tunnel
> every 3 minutes, and exits with code 1 if the socket times out. 
> 
> How could I achieve that the interface goes up again if the server
> closes the tunnel? I understand that the post-up command must terminate,
> so a monitoring script should not be placed there. 
> 
> Currently my idea is that post-up triggers a script, say monitor.sh,
> which itself will launch keepalive.py. When keepalive.py exits with
> status 1, monitor.sh will call ifdown myvpn0 to mark the interface as
> unconfigured, then call ifup myvpn0 and exit. Should this be placed
> in /etc/network/if-up.d/?

Why do that in post-up? The way I have approached this is for
/root/my-vpn.sh to start the monitoring. Fork and essentially spawn a
dæmon which continually restarts openconnect each time it dies (with a
rate limit so they don't hunt you down and hurt you when something goes
wrong). It doesn't even need to run that loop as root, since you can
create the interface in advance with 'ip tuntap' and you are setting up
the routing manually anyway.
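A sketch of the restart loop described in the reply above, added here as an example; it is not code from this thread or from the openconnect project. It assumes the tun device myvpn0 was created beforehand with 'ip tuntap' and is owned by the unprivileged user running the loop, that VPN_SERVER, VPN_USER and VPN_PASSFILE are set by the caller (placeholders), and that routing is left to the existing my-vpn.sh configure step, so the vpnc-script is replaced with /bin/true.

```sh
#!/bin/sh
# Restart openconnect whenever it exits, with a rate limit so a broken
# server or bad credentials do not turn into a tight reconnect loop.
# Assumed environment: VPN_SERVER, VPN_USER, VPN_PASSFILE set by the caller;
# tun device myvpn0 pre-created with 'ip tuntap ... mode tun user <user>'.

MIN_DELAY=5      # seconds before the first restart
MAX_DELAY=300    # cap on the back-off
STABLE_SECS=60   # a session that lasted this long resets the back-off

# next_delay CURRENT_DELAY SESSION_SECS -> prints the wait before the next try.
# A short-lived session (refused, timed out at once) doubles the delay up to
# MAX_DELAY; a session that stayed up for STABLE_SECS or more resets it.
next_delay() {
    cur=$1; session=$2
    if [ "$session" -ge "$STABLE_SECS" ]; then
        echo "$MIN_DELAY"
    else
        n=$((cur * 2))
        [ "$n" -gt "$MAX_DELAY" ] && n=$MAX_DELAY
        echo "$n"
    fi
}

# run_loop: keep openconnect running on the pre-created interface.
# With --interface pointing at a tun device owned by this user, openconnect
# itself does not need root; --script /bin/true skips vpnc-script because
# routes are configured elsewhere (assumption, see lead-in).
run_loop() {
    delay=$MIN_DELAY
    while :; do
        start=$(date +%s)
        openconnect --interface myvpn0 --script /bin/true \
            --user "$VPN_USER" --passwd-on-stdin "$VPN_SERVER" < "$VPN_PASSFILE"
        elapsed=$(( $(date +%s) - start ))
        delay=$(next_delay "$delay" "$elapsed")
        echo "openconnect exited after ${elapsed}s; restarting in ${delay}s" >&2
        sleep "$delay"
    done
}

# Only start the loop when invoked as 'monitor.sh run' (e.g. backgrounded
# from my-vpn.sh); sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    run_loop
fi
```

From my-vpn.sh the loop would be started once with something like `su -s /bin/sh vpnuser -c 'nohup /root/monitor.sh run &'` and stopped by signalling the loop before openconnect on the way down.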