David,

(Thanks for the quick reply!)

On 7/31/14, 1:54 PM, David Woodhouse wrote:
> On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
>>
>> Are there ways to limit what the "standard" vpnc-script will change --
>> e.g. don't change resolver settings and limit static routes to some
>> particular host or netmask or something?
>
> One way is to configure the network in advance with a static
> configuration, then don't let the vpnc-script do *anything*. You can
> even run openconnect without any privileges then; it just opens the tun
> device that was previously assigned to the user in question, and
> sends/receives packets.

Interesting. That would be good, since I only have a single route to set
(easy) and it doesn't need to go anywhere else when the VPN isn't
connected (e.g. it's not some kind of body-snatching route that replaces
one reachable host with another when the VPN is active).

In this case, would I just use --script /dev/null to disable the use of
a vpnc-script entirely?

> Or you could use a trivial wrapper which sets/unsets the environment
> variables that vpnc-script uses.

Yeah, I don't know ... anything about what those variables are for, what
their content looks like, etc. I decided to ask here before
instrumenting the script to see what openconnect passes to them.

> Like this one, for example (although you'd also want to mess with the
> DNS settings...)
>
> #!/bin/bash
> # arrays and the "function" keyword below need bash, not plain sh
>
> ROUTES="10.0.0.0/8 172.16.0.0/12 192.168.21.0/24 192.168.65.0/24"
>
> # dotted-quad netmask indexed by prefix length
> MASKS[1]="128.0.0.0"
> MASKS[2]="192.0.0.0"
> MASKS[3]="224.0.0.0"
> MASKS[4]="240.0.0.0"
> MASKS[5]="248.0.0.0"
> MASKS[6]="252.0.0.0"
> MASKS[7]="254.0.0.0"
> MASKS[8]="255.0.0.0"
> MASKS[9]="255.128.0.0"
> MASKS[10]="255.192.0.0"
> MASKS[11]="255.224.0.0"
> MASKS[12]="255.240.0.0"
> MASKS[13]="255.248.0.0"
> MASKS[14]="255.252.0.0"
> MASKS[15]="255.254.0.0"
> MASKS[16]="255.255.0.0"
> MASKS[17]="255.255.128.0"
> MASKS[18]="255.255.192.0"
> MASKS[19]="255.255.224.0"
> MASKS[20]="255.255.240.0"
> MASKS[21]="255.255.248.0"
> MASKS[22]="255.255.252.0"
> MASKS[23]="255.255.254.0"
> MASKS[24]="255.255.255.0"
> MASKS[25]="255.255.255.128"
> MASKS[26]="255.255.255.192"
> MASKS[27]="255.255.255.224"
> MASKS[28]="255.255.255.240"
> MASKS[29]="255.255.255.248"
> MASKS[30]="255.255.255.252"
> MASKS[31]="255.255.255.254"
> MASKS[32]="255.255.255.255"   # single-host routes
>
> # start with an empty split-include list, overriding whatever the server pushed
> export CISCO_SPLIT_INC=0
>
> function addroute()
> {
> local ROUTE="$1"
> export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=${ROUTE%%/*}
> export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=${ROUTE##*/}
> export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=${MASKS[${ROUTE##*/}]}
> export CISCO_SPLIT_INC=$((${CISCO_SPLIT_INC}+1))
> }
>
> for r in $ROUTES; do
> addroute $r
> done
>
> # hand the rewritten environment to the real vpnc-script, renamed alongside this wrapper
> exec $0.orig

That's currently all Greek to me. I'll try the no-op vpnc-script with a
pre-configured static route and see how much mileage I can get out of
that. Failing that, I'll dive into munging the routes and masks the VPN
server is trying to force on me.

Thanks!
-chris
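As an added illustration of the wrapper approach discussed above (my own example, not David's script and not part of openconnect or vpnc-script), here is a POSIX sh wrapper that computes the netmask from the prefix length instead of tabulating it, replaces whatever split-include list the server pushed with a local allowlist, and also clears the DNS variables so vpnc-script leaves the resolver alone. It assumes, as David's script does, that the real vpnc-script has been renamed to "$0.orig"; the variable names (CISCO_SPLIT_INC_*, INTERNAL_IP4_DNS, CISCO_DEF_DOMAIN, reason) are the ones vpnc-script reads, and ALLOWED_ROUTES is a constructed sample list.

```shell
#!/bin/sh
# Added example wrapper, not the original vpnc-script. Install it in place of
# vpnc-script with the real script renamed to "$0.orig" (as in David's wrapper).
# Only the routes below reach vpnc-script; pushed DNS settings are dropped.
ALLOWED_ROUTES="${ALLOWED_ROUTES:-192.168.21.0/24 10.20.30.40/32}"  # constructed sample

# Dotted-quad netmask for a prefix length 0..32, computed rather than tabulated.
mask_for_prefix() {
    p=$1
    if [ "$p" -le 0 ]; then m=0; else m=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF )); fi
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Replace the CISCO_SPLIT_INC_* list vpnc-script would see with the allowlist in $1.
set_split_include() {
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do   # drop what the server pushed
        unset "CISCO_SPLIT_INC_${i}_ADDR" "CISCO_SPLIT_INC_${i}_MASK" "CISCO_SPLIT_INC_${i}_MASKLEN"
        i=$((i + 1))
    done
    n=0
    for r in $1; do
        case $r in
            */*) addr=${r%%/*}; len=${r##*/} ;;
            *)   addr=$r; len=32 ;;          # bare host address means a /32
        esac
        export "CISCO_SPLIT_INC_${n}_ADDR=$addr"
        export "CISCO_SPLIT_INC_${n}_MASKLEN=$len"
        export "CISCO_SPLIT_INC_${n}_MASK=$(mask_for_prefix "$len")"
        n=$((n + 1))
    done
    export CISCO_SPLIT_INC=$n
}

# vpnc-script only rewrites the resolver when these are set; clear them.
drop_dns() {
    unset INTERNAL_IP4_DNS CISCO_DEF_DOMAIN
}

# openconnect passes the phase in $reason; only rewrite the environment on connect.
if [ "${reason:-}" = "connect" ]; then
    set_split_include "$ALLOWED_ROUTES"
    drop_dns
fi
# Hand over to the real script when it is present (skipped when sourced for testing).
[ -x "$0.orig" ] && exec "$0.orig"
```

The disconnect and reconnect phases still reach the real script unchanged, so its route and resolver cleanup keeps working.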