David,

On 7/31/14, 2:02 PM, Christopher Schultz wrote:
> David,
>
> (Thanks for the quick reply!)
>
> On 7/31/14, 1:54 PM, David Woodhouse wrote:
>> On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
>>>
>>> Are there ways to limit what the "standard" vpnc-script will change --
>>> e.g. don't change resolver settings and limit static routes to some
>>> particular host or netmask or something?
>>
>> One way is to configure the network in advance with a static
>> configuration, then don't let the vpnc-script do *anything*. You can
>> even run openconnect without any privileges then -- it just opens the tun
>> device that was previously assigned to the user in question, and
>> sends/receives packets.
>
> Interesting. That would be good, since I only have a single route to set
> (easy) and it doesn't need to go anywhere else when the VPN isn't
> connected (e.g. it's not some kind of body-snatching route that replaces
> one reachable host with another when the VPN is active).

I tried to set up a route before connecting to the VPN server, but route
doesn't like it if the device doesn't already exist. So, I connected (as
before, with a full route/resolv.conf setup, etc.) and set up the route
for that one particular host, then shut down the VPN. Shutting it down
ended up removing that route as well.

It looks like I might have to write a script that sets up the specific
route after OpenConnect actually connects. That would again require root
access (which I do have, but I'd prefer not to require it if possible).

Am I missing something?

Thanks,
-chris
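The static setup David describes in the quoted reply, sketched as an added example that is not part of the original message or of the OpenConnect project's scripts: root creates a persistent tun device owned by the user once, so the device exists before any connection and the single host route can be added in advance. The user name, device name, addresses and server name are constructed placeholders, and the sketch assumes the VPN server always assigns the same internal address.

```shell
#!/bin/sh
# Added example: least-privilege OpenConnect setup with a pre-created tun device.
# Every value below is a constructed placeholder, not taken from the thread.
VPN_USER="${VPN_USER:-chris}"          # unprivileged account that will run openconnect
VPN_DEV="${VPN_DEV:-vpn0}"             # persistent tun device name
VPN_ADDR="${VPN_ADDR:-192.0.2.10/32}"  # internal address (assumed to be static)
VPN_HOST="${VPN_HOST:-198.51.100.7}"   # the one host that should go via the VPN
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = execute them

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Run as root, once per boot. The device persists across VPN sessions,
# so nothing here has to be repeated when openconnect exits.
setup_tun() {
    # Accept exactly one host: an empty value or a netmask would widen the route.
    case "$VPN_HOST" in
        ""|*/*) echo "VPN_HOST must be a single host address" >&2; return 1 ;;
    esac
    run ip tuntap add dev "$VPN_DEV" mode tun user "$VPN_USER" &&
    run ip addr add "$VPN_ADDR" dev "$VPN_DEV" &&
    run ip link set dev "$VPN_DEV" up &&
    run ip route add "$VPN_HOST/32" dev "$VPN_DEV"
}

# Run as $VPN_USER for each connection. /bin/true replaces vpnc-script, so
# openconnect changes no routes and no resolver settings, and needs no root.
# The user must be able to open /dev/net/tun.
connect_cmd() {
    echo "openconnect --interface=$VPN_DEV --script=/bin/true $1"
}

# Executed directly: show (or, with DRY_RUN=0 as root, apply) the plan.
setup_tun && connect_cmd "${VPN_SERVER:-vpn.example.com}"
```

With `DRY_RUN=1` (the default) the script only prints the four `ip` commands and the `openconnect` invocation, so the plan can be reviewed before anything is run as root.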