Limiting changes to routing table and resolver with vpnc-script(s)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2014-07-31 at 14:02 -0400, Christopher Schultz wrote:
> David,
> 
> (Thanks for the quick reply!)
> 
> On 7/31/14, 1:54 PM, David Woodhouse wrote:
> > On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
> >>
> >> Are there ways to limit what the "standard" vpnc-script will change --
> >> e.g. don't change resolver settings and limit static routes to some
> >> particular host or netmask or something?
> > 
> > One way is to configure the network in advance with a static
> > configuration, then don't let the vpnc-script do *anything*. You can
> > even run openconnect without any privileges then ? it just opens the tun
> > device that was previously assigned to the user in question, and
> > sends/receives packets.
> 
> Interesting. That would be good, since I only have a single route to set
> (easy) and it doesn't need to go anywhere else when the VPN isn't
> connected (e.g. it's not some kind of body-snatching route that replaces
> one reachable host with another when the VPN is active).
> 
> In this case, would I just use --script /dev/null to disable the use of
> a vpnc-script entirely?

Right. Or /bin/true if /dev/null doesn't do the right thing.

Start with 'ip tuntap add dev foobar mode tun user $WHOEVER', then
configure it as you see fit, and then you can run openconnect as
$WHOEVER with '--interface foobar --script /bin/true' at your leisure to
make the connection.

The Fedora initscripts do support that kind of thing out of the box and
can automatically set it up for you with a static network configuration.
Not sure about Ubuntu/Debian though.

> > Or you could use a trivial wrapper which sets/unsets the environment
> > variables that vpnc-script uses.
> 
> Yeah, I don't know ... anything about what those variables are for, what
> their content looks, like, etc. I decided to ask here before
> instrumenting the script to see what openconnect passes to them.

They're all documented in the start of vpnc-script itself:
http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script

-- 
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20140731/ae2f4680/attachment-0001.bin>


[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux