On Thu, 2014-07-31 at 14:02 -0400, Christopher Schultz wrote:
> David,
>
> (Thanks for the quick reply!)
>
> On 7/31/14, 1:54 PM, David Woodhouse wrote:
> > On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
> >>
> >> Are there ways to limit what the "standard" vpnc-script will change --
> >> e.g. don't change resolver settings and limit static routes to some
> >> particular host or netmask or something?
> >
> > One way is to configure the network in advance with a static
> > configuration, then don't let the vpnc-script do *anything*. You can
> > even run openconnect without any privileges then -- it just opens the tun
> > device that was previously assigned to the user in question, and
> > sends/receives packets.
>
> Interesting. That would be good, since I only have a single route to set
> (easy) and it doesn't need to go anywhere else when the VPN isn't
> connected (e.g. it's not some kind of body-snatching route that replaces
> one reachable host with another when the VPN is active).
>
> In this case, would I just use --script /dev/null to disable the use of
> a vpnc-script entirely?

Right. Or /bin/true if /dev/null doesn't do the right thing.

Start with 'ip tuntap add dev foobar mode tun user $WHOEVER', then
configure it as you see fit, and then you can run openconnect as $WHOEVER
with '--interface foobar --script /bin/true' at your leisure to make the
connection.

The Fedora initscripts do support that kind of thing out of the box and
can automatically set it up for you with a static network configuration.
Not sure about Ubuntu/Debian though.

> > Or you could use a trivial wrapper which sets/unsets the environment
> > variables that vpnc-script uses.
>
> Yeah, I don't know ... anything about what those variables are for, what
> their content looks like, etc. I decided to ask here before
> instrumenting the script to see what openconnect passes to them.

They're all documented in the start of vpnc-script itself:
http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script

-- 
dwmw2
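Both approaches David describes, written out as one POSIX sh file. This is an added example, not code from the thread, from openconnect or from the vpnc-scripts project. The interface name vpn0, the user alice, the tunnel addresses 10.0.0.2/10.0.0.1, the single host 192.0.2.10 and the path /etc/vpnc/vpnc-script are all assumed for illustration; the environment variable names are those vpnc-script documents in its own header (INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS, CISCO_DEF_DOMAIN, CISCO_SPLIT_INC and the CISCO_SPLIT_INC_n_* entries), and should be checked against the copy you actually run.

```shell
#!/bin/sh
# Added example; not David's code and not part of openconnect or vpnc-scripts.
# Assumed (not from the thread): interface "vpn0", user "alice", tunnel
# addresses 10.0.0.2 (local) and 10.0.0.1 (peer), the single host 192.0.2.10
# to reach over the VPN, and the real script at /etc/vpnc/vpnc-script.

# Print each privileged command instead of running it when DRY_RUN is set,
# so the root-side steps can be reviewed before they are executed.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach 1: create and configure the tun device as root ahead of time and
# hand it to the unprivileged user. That user then runs
#   openconnect --interface vpn0 --script /bin/true https://vpn.example.com/
# and openconnect only moves packets: no script ever touches resolv.conf or
# the routing table. Caveat: the local address must be the one the gateway
# assigns to this client, or return traffic will not match the tunnel.
setup_static_tun() {
    iface=$1 user=$2 addr=$3 peer=$4 host=$5
    run ip tuntap add dev "$iface" mode tun user "$user"
    run ip addr add "$addr" peer "$peer" dev "$iface"
    run ip link set "$iface" up
    run ip route add "$host" dev "$iface"
}

# Approach 2: a wrapper passed as --script that trims the environment
# openconnect hands to vpnc-script, then execs the real script. Dropping the
# DNS/domain variables leaves the resolver alone; replacing the gateway's
# split-include list with a single /32 limits the added route to that host
# (with no CISCO_SPLIT_INC at all, vpnc-script installs a default route).
filter_vpnc_env() {
    host=$1
    unset INTERNAL_IP4_DNS INTERNAL_IP4_NBNS CISCO_DEF_DOMAIN
    CISCO_SPLIT_INC=1
    CISCO_SPLIT_INC_0_ADDR=$host
    CISCO_SPLIT_INC_0_MASK=255.255.255.255
    CISCO_SPLIT_INC_0_MASKLEN=32
    export CISCO_SPLIT_INC CISCO_SPLIT_INC_0_ADDR \
           CISCO_SPLIT_INC_0_MASK CISCO_SPLIT_INC_0_MASKLEN
}

# openconnect sets $reason (pre-init, connect, disconnect, ...) when it
# invokes the script; only then filter the environment and hand over.
if [ -n "${reason:-}" ]; then
    filter_vpnc_env 192.0.2.10
    exec /etc/vpnc/vpnc-script "$@"
fi

# Run as "sh wrapper.sh show" to print the root-side setup without running it.
if [ "${1:-}" = show ]; then
    DRY_RUN=1
    setup_static_tun vpn0 alice 10.0.0.2 10.0.0.1 192.0.2.10
fi
```

For approach 1 the file is run once as root (without DRY_RUN) and openconnect is then started as alice with --script /bin/true; for approach 2 the same file is given to openconnect as --script, and because it only unsets and overrides variables before exec'ing the real vpnc-script, every other step (MTU, disconnect cleanup) still behaves as the distribution's script intends.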