----------------------------------------------------------------------------------
@MSGID: 1@dont-email.me> 9ec2b040
@REPLY: 1@dont-email.me> f9798147
@INTL 3:770/1 3:770/3
@REPLYADDR no_reply@dipl-ing-kessler.de
@REPLYTO 3:770/3.0 UUCP
@PID: SoupGate-Win32 v1.05
XPost: alt.os.linux.ubuntu, alt.os.linux.mageia
Hello all,
here is what I`ve done in short:
First I wrote to openconnect mailinglist and got an email back, just
recommending to install "vpn-slice" instead.
This was not an answer to my question.
Next, after analyzing openconnect`s behaviour, I found out that this one
does nothing about manipulating routing etc. This is solely done by "vpnc-
script", which is directly invoked from openconnect. And, hence, it
inherits all the env variables, which are not visible from outside.
So, I created a new "vpnc-script" file with content
#!/usr/bin/sh
env | sort
and set a symlink, so that openconnect invoked this one now. (Done in
foreground mode, i.e. no -b on commandline).
Watching its output I saw the more than hundred routes which are
transferred to the client via server-side "route push..." command.
They are stored in ${CISCO_SPLIT_EXC_${i}_ADDR}, and their total number,
i.e. the vector size is stored in $CISCO_SPLIT_EXC.
To prevent openconnect from accepting all that trash, I could easily set
this vector to empty, i.e. include
CISCO_SPLIT_EXC=``
as one the first commands in vpnc-script file, and, that`s it!
The reason why Suse`s approach, which I took to build my own vpnc rpm
from, and from which vpnc-script is taken from, does not accept all that
routes, is that in this version the whole section is not included.
If you are interested in seeing how they differ, you may have a look at
the vimdiff file I created:
https://www.dipl-ing-kessler.de/tmp/vpnc-script
This afternoon I tested above solution on Raspbian OS and it worked
instantly.
It took me some time to find out, but it was worth every minute :-)
Best regards,
Markus
On Mon, 1 Apr 2024 18:35:49 -0000 (UTC) Markus Robert Kessler wrote:
> Hi all,
>
> I am running several machines for connecting to our company intranet,
> using openconnect VPN.
>
> So far, it works. But:
>
> The debian based systems, i.e. Ubuntu 23.10 and Raspbian OS show up
> hundreds of routes after connect. And it`s clear that they are brought
> to my client via server-initiated `push route ...` command.
>
> Some of these routes are conflicting with machines in my home office
> net.
>
> So, I`d like to skip getting such a huge amount of useless routes. I
> want to set the routing by my own script, instead.
>
> The funny thing is that a Redhat-based OS, Mageia 9 (64 and 32 bit),
> does not behave like this, instead only the default route (10.0.0.0/8)
> is sent through tun0.
>
> So, maybe this is a matter of compilation?
>
> Or something else to look after, to prevent openconnect from doing this?
>
> Maybe someone can give a hint where to download the openconnect sources
> for Ubuntu?
>
> Thanks in advance!
>
> Best regards,
>
> Markus
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
SEEN-BY: 50/109 153/757 218/840 840 220/70 221/1 6
360 226/17 100 240/1120
SEEN-BY: 267/800 301/1 113 812 310/31 335/364
341/66 463/68 467/888 633/280
SEEN-BY: 712/848 770/1 3 100 330 340 772/210 220
230 3634/12 5005/49 5019/40
SEEN-BY: 5020/715 848 1042 4441 12000 5030/49 722
1081 1474 5054/8 5058/104
SEEN-BY: 5061/133 5075/128
@PATH: 770/3 1 218/840 221/6 301/1 5020/1042 4441