INTL 3:770/1 3:770/3   
   REPLYADDR no_reply@dipl-ing-kessler.de   
   REPLYTO 3:770/3.0 UUCP   
   MSGID: 9ec2b040   
   REPLY: f9798147   
   PID: SoupGate-Win32 v1.05   
   XPost: alt.os.linux.ubuntu, alt.os.linux.mageia   
      
   Hello all,   
      
   here is what I've done in short:   
      
   First I wrote to the openconnect mailing list and got an email back, just   
   recommending that I install "vpn-slice" instead.   
   This was not an answer to my question.   
      
   Next, after analyzing openconnect's behaviour, I found out that this one   
   does nothing about manipulating routing etc. This is solely done by "vpnc-   
   script", which is directly invoked from openconnect. And, hence, it   
   inherits all the env variables, which are not visible from outside.   
      
   So, I created a new "vpnc-script" file with content   
      
   #!/usr/bin/sh   
   # dump the environment openconnect hands to vpnc-script   
   env | sort   
      
   and set a symlink, so that openconnect invoked this one now. (Done in   
   foreground mode, i.e. no -b on commandline).   
      
   Watching its output I saw the more than hundred routes which are   
   transferred to the client via server-side "route push..." command.   
      
   They are stored in ${CISCO_SPLIT_EXC_${i}_ADDR}, and their total number,   
   i.e. the vector size is stored in $CISCO_SPLIT_EXC.   
      
   To prevent openconnect from accepting all that trash, I could easily set   
   this vector to empty, i.e. include   
      
   CISCO_SPLIT_EXC=''   
      
   as one of the first commands in the vpnc-script file, and that's it!   
      
   The reason why Suse's approach, which I took to build my own vpnc rpm   
   from, and from which vpnc-script is taken, does not accept all those   
   routes is that in this version the whole section is not included.   
      
   If you are interested in seeing how they differ, you may have a look at   
   the vimdiff file I created:   
      
   https://www.dipl-ing-kessler.de/tmp/vpnc-script   
      
   This afternoon I tested above solution on Raspbian OS and it worked   
   instantly.   
      
   It took me some time to find out, but it was worth every minute :-)   
      
   Best regards,   
      
   Markus   
      
      
      
      
      
   On Mon, 1 Apr 2024 18:35:49 -0000 (UTC) Markus Robert Kessler wrote:   
      
   > Hi all,   
   >   
   > I am running several machines for connecting to our company intranet,   
   > using openconnect VPN.   
   >   
   > So far, it works. But:   
   >   
   > The Debian-based systems, i.e. Ubuntu 23.10 and Raspbian OS, show   
   > hundreds of routes after connecting. And it's clear that they are brought   
   > to my client via a server-initiated 'push route ...' command.   
   >   
   > Some of these routes are conflicting with machines in my home office   
   > net.   
   >   
   > So, I'd like to skip getting such a huge amount of useless routes. I   
   > want to set the routing by my own script, instead.   
   >   
   > The funny thing is that a Redhat-based OS, Mageia 9 (64 and 32 bit),   
   > does not behave like this, instead only the default route (10.0.0.0/8)   
   > is sent through tun0.   
   >   
   > So, maybe this is a matter of compilation?   
   >   
   > Or something else to look after, to prevent openconnect from doing this?   
   >   
   > Maybe someone can give a hint where to download the openconnect sources   
   > for Ubuntu?   
   >   
   > Thanks in advance!   
   >   
   > Best regards,   
   >   
   > Markus   
      
   --- SoupGate-Win32 v1.05   
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)   
      