David,

On 7/31/14, 2:17 PM, David Woodhouse wrote:
> On Thu, 2014-07-31 at 14:02 -0400, Christopher Schultz wrote:
>> David,
>>
>> (Thanks for the quick reply!)
>>
>> On 7/31/14, 1:54 PM, David Woodhouse wrote:
>>> On Thu, 2014-07-31 at 13:42 -0400, Christopher Schultz wrote:
>>>>
>>>> Are there ways to limit what the "standard" vpnc-script will change --
>>>> e.g. don't change resolver settings and limit static routes to some
>>>> particular host or netmask or something?
>>>
>>> One way is to configure the network in advance with a static
>>> configuration, then don't let the vpnc-script do *anything*. You can
>>> even run openconnect without any privileges then - it just opens the tun
>>> device that was previously assigned to the user in question, and
>>> sends/receives packets.
>>
>> Interesting. That would be good, since I only have a single route to set
>> (easy) and it doesn't need to go anywhere else when the VPN isn't
>> connected (e.g. it's not some kind of body-snatching route that replaces
>> one reachable host with another when the VPN is active).
>>
>> In this case, would I just use --script /dev/null to disable the use of
>> a vpnc-script entirely?
>
> Right. Or /bin/true if /dev/null doesn't do the right thing.

It seems that didn't work, but again I'm bumbling through, here.

> Start with 'ip tuntap add dev foobar mode tun user $WHOEVER', then
> configure it as you see fit, and then you can run openconnect as
> $WHOEVER with '--interface foobar --script /bin/true' at your leisure to
> make the connection.

Gotcha. What I ended up doing was writing a simple vpnc-custom script that
uses INTERNAL_IPV4_ADDRESS and TUNDEV and stuff to actually call ifconfig
and route for that single address. It seems to work, but I like what you
have above better, so I'll try that.

> The Fedora initscripts do support that kind of thing out of the box and
> can automatically set it up for you with a static network configuration.
> Not sure about Ubuntu/Debian though.
Yeah, I should be able to persist such things across a reboot.

>>> Or you could use a trivial wrapper which sets/unsets the environment
>>> variables that vpnc-script uses.
>>
>> Yeah, I don't know ... anything about what those variables are for, what
>> their content looks like, etc. I decided to ask here before
>> instrumenting the script to see what openconnect passes to them.
>
> They're all documented in the start of vpnc-script itself:
> http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script

Yes, they are, but that doesn't mean that I understand what they all do. ;)

My vpnc-custom script is dumping those values out when it runs so I can see
what they contain. It's instructive.

Thanks again for your speedy help!

-chris
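As an added example (not code from this thread or from the openconnect project), a minimal replacement vpnc-script of the kind discussed above: it reads the variables openconnect exports to the script (reason, TUNDEV, INTERNAL_IP4_MTU and INTERNAL_IP4_ADDRESS, which is the upstream spelling), uses iproute2 rather than ifconfig/route, and touches nothing but the tun device and one host route, validating the gateway-supplied values before they reach a command line. ONLY_HOST and RUN are this example's own variables, and the 10.20.30.40 address is a constructed sample.

```shell
#!/bin/sh
# Constructed example (not from the thread or the openconnect project): a
# minimal replacement vpnc-script that brings up the tun device and adds one
# host route, leaving resolver settings and the default route alone.
# It reads the variables openconnect passes to vpnc-script: reason, TUNDEV,
# INTERNAL_IP4_ADDRESS and INTERNAL_IP4_MTU. ONLY_HOST is this example's own
# setting naming the single host reachable over the VPN (sample value).
ONLY_HOST="${ONLY_HOST:-10.20.30.40}"
RUN="${RUN:-}"   # set RUN=echo to print the commands instead of executing them

# Accept only a plain dotted-quad IPv4 address, so values handed to us by the
# gateway cannot smuggle extra words into the ip(8) command line.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the commands for the current $reason, one per line, so they can be
# inspected (or dry-run) before anything touches the routing table.
plan_commands() {
    case "$TUNDEV" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$reason" in
        connect)
            is_ipv4 "$INTERNAL_IP4_ADDRESS" || return 1
            echo "ip link set dev $TUNDEV up mtu ${INTERNAL_IP4_MTU:-1406}"
            echo "ip addr add $INTERNAL_IP4_ADDRESS/32 dev $TUNDEV"
            echo "ip route add $ONLY_HOST/32 dev $TUNDEV"
            ;;
        disconnect)
            echo "ip route del $ONLY_HOST/32 dev $TUNDEV"
            echo "ip link set dev $TUNDEV down"
            ;;
        pre-init|reconnect) ;;   # nothing to change for a single static route
        *) return 1 ;;
    esac
}

apply_plan() {
    plan_commands | while IFS= read -r cmd; do $RUN $cmd; done
}

# Only act when invoked by openconnect (which sets $reason); sourcing the file
# to inspect the functions does nothing.
if [ -n "${reason:-}" ]; then apply_plan; fi
```

Pointing openconnect at this file with `--script` replaces the stock vpnc-script entirely, so no DNS or default-route changes can happen even if the gateway pushes them.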