openconnect flavour?

[mgaulton]

Long time lover of this script but for work, i want to be able do the same idea with openconnect, which supports anyconnect protocols. Any suggestions on where to mod / perhaps you've considered this?

[slingamn]

If I'm understanding this documentation correctly:

http://www.infradead.org/openconnect/vpnc-script.html

this may be significantly easier (or at least less architecturally complicated) for OpenConnect relative to openvpn, since OpenConnect already defers all routing table modifications to a script. Basically, you'll need to rewrite vpnc-script to support moving the tunnel adapter to the new network namespace:

https://github.com/slingamn/namespaced-openvpn/blob/a3fa42b2d8645272cbeb6856e26a7ea9547cb7d1/namespaced-openvpn#L199

and set up the routes:

https://github.com/slingamn/namespaced-openvpn/blob/a3fa42b2d8645272cbeb6856e26a7ea9547cb7d1/namespaced-openvpn#L212

and DNS.

[mgaulton]

Ok, awesome. I'll take a crack at it when I'm in the office next

[mgaulton]

I'm at a loss, I don't think i know what i'm doing lol

[slingamn]

Unfortunately I don't really have the resources to get into this.

[mgaulton]

No worry, i'll keep poking around.

On Mon, Sep 7, 2020 at 7:21 PM Shivaram Lingamneni notifications@github.com wrote:

Unfortunately I don't really have the resources to get into this.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/slingamn/namespaced-openvpn/issues/38#issuecomment-688538166, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABEJRXT2TAD2SVCRUTI6DVTSEVTH5ANCNFSM4Q3QHRRQ .

[mgaulton]

So i'm narrowed it down to these steps through experimentation but I have an issue that when I move the interface into the namespace, it becomes uncconfigured again. I'm not how to get that to work, any thoughts?

ip netns add workvpn ip netns exec workvpn ip addr add 127.0.0.1/8 dev lo ip netns exec workvpn ip link set lo up echo 'pwd' | /usr/sbin/openconnect -b -i work.vpn --protocol=anyconnect --user=user ADDRESS --passwd-on-stdin sleep 5 ip link set work.vpn netns workvpn

[slingamn]

Ah, yes, you have to do this in the opposite order --- first move the interface, then run the configuration commands inside the namespace. See the route_up function in namespaced-openvpn, in particular its use of _enter_namespace_cmd.

[mgaulton]

Ahh, that's what I was missing. I see why you call openvpn as a route-up now. I was trying to do it manually to make sure I understood the process before trying to write the codey bits. Thank you!

[mgaulton]

So this seems to be the bit I need. I see you're taking things from the env that you're picking up from the established tunnel? So I understand this as

0. Connect to vpn
1. Move the interface
2. Assign the VPN assigned ip as a peer to the default gw on the dev

3. Add a default route to the dev

   if ipv4_enabled: peer_addr = '%s/32' % (route_vpn_gateway,)

   give it its ipv4 address

   subprocess.check_call(
       _enter_namespace_cmd(namespace) +
       [IP_CMD, 'addr', 'add', ifconfig_local, 'peer', peer_addr, 'dev', dev]
   )
   # route all traffic over the tunnel
   subprocess.check_call(
       _enter_namespace_cmd(namespace) +
       [IP_CMD, 'route', 'add', 'default', 'dev', dev]
   )

[mgaulton]

This seems to be the bit i need to modify in vpnc-script do_ifconfig() { if [ -n "$INTERNAL_IP4_MTU" ]; then MTU=$INTERNAL_IP4_MTU elif [ -n "$IPROUTE" ]; then MTUDEV=$IPROUTE route get "$VPNGATEWAY" | sed -ne 's/^.*dev \([a-z0-9]*\).*$/\1/p' MTU=$IPROUTE link show "$MTUDEV" | sed -ne 's/^.*mtu \([[:digit:]]\+\).*$/\1/p' if [ -n "$MTU" ]; then MTU=expr $MTU - 88 fi fi

if [ -z "$MTU" ]; then
    MTU=1412
fi

# Point to point interface require a netmask of 255.255.255.255 on some systems
if [ -n "$IPROUTE" ]; then
    $IPROUTE link set dev "$TUNDEV" up mtu "$MTU"
    $IPROUTE addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
else
    ifconfig "$TUNDEV" ${ifconfig_syntax_inet} "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up
fi

if [ -n "$INTERNAL_IP4_NETMASK" ]; then
    set_network_route $INTERNAL_IP4_NETADDR $INTERNAL_IP4_NETMASK $INTERNAL_IP4_NETMASKLEN
fi

# If the netmask is provided, it contains the address _and_ netmask
if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
    INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
fi
if [ -n "$INTERNAL_IP6_NETMASK" ]; then
    if [ -n "$IPROUTE" ]; then
    $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV
    else
    # Unlike for Legacy IP, we don't specify the dest_address
    # here on *BSD. OpenBSD for one will refuse to accept
    # incoming packets to that address if we do.
    # OpenVPN does the same (gives dest_address for Legacy IP
    # but not for IPv6).
    # Only Solaris needs it; hence $ifconfig_syntax_ptpv6
        ifconfig "$TUNDEV" inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up
    fi
fi

}

[mgaulton]

actually, i found this process that i'm having success with https://austinjadams.com/blog/running-select-applications-through-anyconnect/

[slingamn]

Excellent! Yeah, the vpnc-script-netns in that post looks correct to me.

[mgaulton]

Thanks. I appreciate your help as always.

On Fri, Sep 11, 2020 at 2:36 PM Shivaram Lingamneni < notifications@github.com> wrote:

Excellent! Yeah, the vpnc-script-netns in that post looks correct to me.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/slingamn/namespaced-openvpn/issues/38#issuecomment-691251187, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABEJRXTM35X6ZK2PZOLECLLSFJUZRANCNFSM4Q3QHRRQ .