XPost: comp.sys.raspberry-pi, alt.os.linux.mageia
From: unruh@invalid.ca
On 2024-04-13, Markus Robert Kessler wrote:
> On Fri, 12 Apr 2024 18:52:37 -0000 (UTC) William Unruh wrote:
>
>> On 2024-04-12, Markus Robert Kessler
>> wrote:
>>> On Thu, 11 Apr 2024 18:43:19 -0000 (UTC) William Unruh wrote:
>>>
>
> No, not from openconnect's side.
>
> Instead, when openconnect runs in foreground mode ( i.e. not being started
> with -b ), it can be terminated cleanly with CTRL-C.
So I presume that openconnect sends a disconnect to vpnc-script to tear
down the routes through tun.
>
> Alternatively, vpnc-disconnect ( out of vpnc package ) can be used, as
> long as openconnect writes the same pid file, which vpnc-disconnect takes
> the pid number from to ( also cleanly ) terminate the process.
>
OK, that's a good suggestion.
I have now implimented my idea on two different vpns -- one at UBC and
ont at tamu, and it seems to work on both. Of course if a web page in
either links to something outside their address space that I specified
in the altered lines in the vpnc-script, then that goes through the
original connection. If I wanted to view US netflix programs from
Canada, that would not work, since netflix would see the packets as
coming from Canada, rather then the US. So, some way of adding to the
list of the IP addresses that the connections tunnels dynamically would
be good. But I guess I can always use ip commend to add routes to my
systems routing table through tun.
The alternative, that everything gets routed through tun really is not
very good (never mind that all connections I have to any outside
computers get broken when I start the openconnect connection.
Anyway, thanks for pointing me to the way to get this working.
> In my case, I start it like so:
>
> sudo openconnect --pid-file /var/run/vpnc.pid -b ...
> ( on debian based systems the path and filename may differ ),
> hence, I can easily end it with vpnc-disconnect.
>
>>
>>> Openconnect is calling vpnc-script for several reasons, see line
>>>
>>> #* reason -- why this script was called, one of:
>>> pre-init connect disconnect reconnect attempt-reconnect
>>>
>>> So, when openconnect is cleanly terminating (not kill -9 ...), it will
>>> finally invoke vpnc-script with cause 'disconnect' and the original
>>> route is being restored
>>>
>>>> _
>>>>
>>>>
>>>>> i.e. the vector size is stored in $CISCO_SPLIT_EXC.
>>>>>
>>>>> To prevent openconnect from accepting all that trash, I could easily
>>>>> set this vector to empty, i.e. include
>>>>>
>>>>> CISCO_SPLIT_EXC=''
>>>>>
>>>>> as one the first commands in vpnc-script file, and, that's it!
>>>>>
>>>>> The reason why Suse's approach, which I took to build my own vpnc rpm
>>>>> from, and from which vpnc-script is taken from, does not accept all
>>>>> that routes, is that in this version the whole section is not
>>>>> included.
>>>>>
>>>>> If you are interested in seeing how they differ, you may have a look
>>>>> at the vimdiff file I created:
>>>>>
>>>>> https://www.dipl-ing-kessler.de/tmp/vpnc-script
>>>>
>>>> White letters on light green is almost unreadable.
>>>
>>> Yes, it's never easy to find a colorscheme in vimdiff which displays
>>> everything perfectly. But you can always select the relevant section to
>>> have blue on white text or vice versa
>>>
>>>>> This afternoon I tested above solution on Raspbian OS and it worked
>>>>> instantly.
>>>>>
>>>>> It took me some time to find out, but it was worth every minute :-)
>
> Best regards,
>
> Markus
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
