From 0fdc0d1eff53f5e94897a9d226ebdc04eb3584a5 Mon Sep 17 00:00:00 2001
From: Wolfgang Klinger <wk@plan2.net>
Date: Thu, 29 Nov 2018 13:07:38 +0100
Subject: [PATCH] First version
---
README.md | 66 ++-
build/Dockerfile | 19 +
build/entrypoint.sh | 10 +
build/tinyproxy.conf | 331 ++++++++++++++
build/vpnc-script | 1030 ++++++++++++++++++++++++++++++++++++++++++
connect | 47 ++
6 files changed, 1501 insertions(+), 2 deletions(-)
create mode 100644 build/Dockerfile
create mode 100644 build/entrypoint.sh
create mode 100644 build/tinyproxy.conf
create mode 100644 build/vpnc-script
create mode 100755 connect
diff --git a/README.md b/README.md
index a8e03bc..3dc5226 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,64 @@
-# openconnect-proxy
-docker openconnect proxy
+# openconnect + tinyproxy
+
+This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) and the [tinyproxy proxy server](https://tinyproxy.github.io/)
+on a very small [alpine linux](https://www.alpinelinux.org/) image (requires around 60 MB of download).
+
+# Run
+
+First set the variables in `connect` according to your credentials.
+
+ OPENCONNECT_URL=<VPN URL>
+ OPENCONNECT_USER=<VPN User>
+ OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate>"
+ PROXY_PORT=8888
+
+Next start the container with
+
+ chmod 755 ./connect
+ ./connect
+
+The container will be started in the foreground.
+If you want to start it in the background in daemon mode you can call
+
+ ./connect -d
+
+In daemon mode you can view the stderr log with
+
+ docker logs <container ID>
+ docker logs `docker ps|grep "wazum/openconnect-proxy"|awk -F' ' '{print $1}'`
+
+# Configure proxy
+
+The container is connected via openconnect and you can configure your browser
+to use the proxy on port 8888 (see configuration above),
+e.g. with FoxyProxy or any suitable extension.
+
+Or set environment variables with
+
+ export http_proxy="http://127.0.0.1:8888/"
+ export https_proxy="http://127.0.0.1:8888/"
+
+(composer, git and others use these)
+
+# ssh through the proxy
+
+Install _corkscrew_ (e.g. with `brew install corkscrew` on macOS)
+and if the container is running (see above) connect with
+
+ ./connect ssh <user>@<host>
+
+or if you always use the same port simply add the following in your
+`~/.ssh/config`
+
+ Host <hostname>
+ User <user>
+ ProxyCommand corkscrew 127.0.0.1 8888 %h %p
+
+and your connection will be passed through the proxy.
+
+# Build
+
+You can build the container yourself with
+
+ docker build -f build/Dockerfile -t wazum/openconnect-proxy:latest ./build
+
diff --git a/build/Dockerfile b/build/Dockerfile
new file mode 100644
index 0000000..70932b9
--- /dev/null
+++ b/build/Dockerfile
@@ -0,0 +1,19 @@
+FROM alpine:3.8
+MAINTAINER Wolfgang Klinger <wolfgang@wazum.com>
+
+# openconnect is not yet available on main
+RUN apk add --no-cache tinyproxy openconnect --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing
+
+COPY tinyproxy.conf /etc/tinyproxy.conf
+
+# https://github.com/gliderlabs/docker-alpine/issues/367
+RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
+
+# Use an up-to-date version of vpnc-script
+COPY vpnc-script /etc/vpnc/vpnc-script
+RUN chmod 755 /etc/vpnc/vpnc-script
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/build/entrypoint.sh b/build/entrypoint.sh
new file mode 100644
index 0000000..cda65ad
--- /dev/null
+++ b/build/entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Set proxy port
+sed "s/^Port .*$/Port $PROXY_PORT/" -i /etc/tinyproxy.conf
+
+# Start proxy
+tinyproxy -c /etc/tinyproxy.conf
+
+# Start openconnect
+echo "$OPENCONNECT_PASSWORD" | openconnect -v -u $OPENCONNECT_USER --no-dtls --passwd-on-stdin $OPENCONNECT_OPTIONS $OPENCONNECT_URL
diff --git a/build/tinyproxy.conf b/build/tinyproxy.conf
new file mode 100644
index 0000000..4903a70
--- /dev/null
+++ b/build/tinyproxy.conf
@@ -0,0 +1,331 @@
+##
+## tinyproxy.conf -- tinyproxy daemon configuration file
+##
+## This example tinyproxy.conf file contains example settings
+## with explanations in comments. For decriptions of all
+## parameters, see the tinproxy.conf(5) manual page.
+##
+
+#
+# User/Group: This allows you to set the user and group that will be
+# used for tinyproxy after the initial binding to the port has been done
+# as the root user. Either the user or group name or the UID or GID
+# number may be used.
+#
+User root
+Group root
+
+#
+# Port: Specify the port which tinyproxy will listen on. Please note
+# that should you choose to run on a port lower than 1024 you will need
+# to start tinyproxy using root.
+#
+Port 8888
+
+#
+# Listen: If you have multiple interfaces this allows you to bind to
+# only one. If this is commented out, tinyproxy will bind to all
+# interfaces present.
+#
+#Listen 192.168.0.1
+
+#
+# Bind: This allows you to specify which interface will be used for
+# outgoing connections. This is useful for multi-home'd machines where
+# you want all traffic to appear outgoing from one particular interface.
+#
+#Bind 192.168.0.1
+
+#
+# BindSame: If enabled, tinyproxy will bind the outgoing connection to the
+# ip address of the incoming connection.
+#
+#BindSame yes
+
+#
+# Timeout: The maximum number of seconds of inactivity a connection is
+# allowed to have before it is closed by tinyproxy.
+#
+Timeout 600
+
+#
+# ErrorFile: Defines the HTML file to send when a given HTTP error
+# occurs. You will probably need to customize the location to your
+# particular install. The usual locations to check are:
+# /usr/local/share/tinyproxy
+# /usr/share/tinyproxy
+# /etc/tinyproxy
+#
+#ErrorFile 404 "/usr/local/share/tinyproxy/404.html"
+#ErrorFile 400 "/usr/local/share/tinyproxy/400.html"
+#ErrorFile 503 "/usr/local/share/tinyproxy/503.html"
+#ErrorFile 403 "/usr/local/share/tinyproxy/403.html"
+#ErrorFile 408 "/usr/local/share/tinyproxy/408.html"
+
+#
+# DefaultErrorFile: The HTML file that gets sent if there is no
+# HTML file defined with an ErrorFile keyword for the HTTP error
+# that has occured.
+#
+DefaultErrorFile "/usr/local/share/tinyproxy/default.html"
+
+#
+# StatHost: This configures the host name or IP address that is treated
+# as the stat host: Whenever a request for this host is received,
+# Tinyproxy will return an internal statistics page instead of
+# forwarding the request to that host. The default value of StatHost is
+# tinyproxy.stats.
+#
+StatHost "tinyproxy.stats"
+#
+
+#
+# StatFile: The HTML file that gets sent when a request is made
+# for the stathost. If this file doesn't exist a basic page is
+# hardcoded in tinyproxy.
+#
+StatFile "/usr/local/share/tinyproxy/stats.html"
+
+#
+# LogFile: Allows you to specify the location where information should
+# be logged to. If you would prefer to log to syslog, then disable this
+# and enable the Syslog directive. These directives are mutually
+# exclusive.
+#
+#LogFile "/logs/tinyproxy.log"
+
+#
+# Syslog: Tell tinyproxy to use syslog instead of a logfile. This
+# option must not be enabled if the Logfile directive is being used.
+# These two directives are mutually exclusive.
+#
+#Syslog On
+#
+# Log to stdout if no Syslog and no LogFile given
+
+#
+# LogLevel:
+#
+# Set the logging level. Allowed settings are:
+# Critical (least verbose)
+# Error
+# Warning
+# Notice
+# Connect (to log connections without Info's noise)
+# Info (most verbose)
+#
+# The LogLevel logs from the set level and above. For example, if the
+# LogLevel was set to Warning, then all log messages from Warning to
+# Critical would be output, but Notice and below would be suppressed.
+#
+LogLevel Info
+
+#
+# PidFile: Write the PID of the main tinyproxy thread to this file so it
+# can be used for signalling purposes.
+#
+PidFile "/tmp/tinyproxy.pid"
+
+#
+# XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
+# contains the client's IP address.
+#
+#XTinyproxy Yes
+
+#
+# Upstream:
+#
+# Turns on upstream proxy support.
+#
+# The upstream rules allow you to selectively route upstream connections
+# based on the host/domain of the site being accessed.
+#
+# For example:
+# # connection to test domain goes through testproxy
+# upstream testproxy:8008 ".test.domain.invalid"
+# upstream testproxy:8008 ".our_testbed.example.com"
+# upstream testproxy:8008 "192.168.128.0/255.255.254.0"
+#
+# # no upstream proxy for internal websites and unqualified hosts
+# no upstream ".internal.example.com"
+# no upstream "www.example.com"
+# no upstream "10.0.0.0/8"
+# no upstream "192.168.0.0/255.255.254.0"
+# no upstream "."
+#
+# # connection to these boxes go through their DMZ firewalls
+# upstream cust1_firewall:8008 "testbed_for_cust1"
+# upstream cust2_firewall:8008 "testbed_for_cust2"
+#
+# # default upstream is internet firewall
+# upstream firewall.internal.example.com:80
+#
+# The LAST matching rule wins the route decision. As you can see, you
+# can use a host, or a domain:
+# name matches host exactly
+# .name matches any host in domain "name"
+# . matches any host with no domain (in 'empty' domain)
+# IP/bits matches network/mask
+# IP/mask matches network/mask
+#
+#Upstream some.remote.proxy:port
+
+#
+# MaxClients: This is the absolute highest number of threads which will
+# be created. In other words, only MaxClients number of clients can be
+# connected at the same time.
+#
+MaxClients 10
+
+#
+# MinSpareServers/MaxSpareServers: These settings set the upper and
+# lower limit for the number of spare servers which should be available.
+#
+# If the number of spare servers falls below MinSpareServers then new
+# server processes will be spawned. If the number of servers exceeds
+# MaxSpareServers then the extras will be killed off.
+#
+MinSpareServers 2
+MaxSpareServers 10
+
+#
+# StartServers: The number of servers to start initially.
+#
+StartServers 5
+
+#
+# MaxRequestsPerChild: The number of connections a thread will handle
+# before it is killed. In practise this should be set to 0, which
+# disables thread reaping. If you do notice problems with memory
+# leakage, then set this to something like 10000.
+#
+MaxRequestsPerChild 0
+
+#
+# Allow: Customization of authorization controls. If there are any
+# access control keywords then the default action is to DENY. Otherwise,
+# the default action is ALLOW.
+#
+# The order of the controls are important. All incoming connections are
+# tested against the controls based on order.
+#
+Allow 127.0.0.1
+
+#
+# AddHeader: Adds the specified headers to outgoing HTTP requests that
+# Tinyproxy makes. Note that this option will not work for HTTPS
+# traffic, as Tinyproxy has no control over what headers are exchanged.
+#
+#AddHeader "X-My-Header" "Powered by Tinyproxy"
+
+#
+# ViaProxyName: The "Via" header is required by the HTTP RFC, but using
+# the real host name is a security concern. If the following directive
+# is enabled, the string supplied will be used as the host name in the
+# Via header; otherwise, the server's host name will be used.
+#
+ViaProxyName "tinyproxy"
+
+#
+# DisableViaHeader: When this is set to yes, Tinyproxy does NOT add
+# the Via header to the requests. This virtually puts Tinyproxy into
+# stealth mode. Note that RFC 2616 requires proxies to set the Via
+# header, so by enabling this option, you break compliance.
+# Don't disable the Via header unless you know what you are doing...
+#
+#DisableViaHeader Yes
+
+#
+# Filter: This allows you to specify the location of the filter file.
+#
+#Filter "/etc/filter"
+
+#
+# FilterURLs: Filter based on URLs rather than domains.
+#
+#FilterURLs On
+
+#
+# FilterExtended: Use POSIX Extended regular expressions rather than
+# basic.
+#
+#FilterExtended On
+
+#
+# FilterCaseSensitive: Use case sensitive regular expressions.
+#
+#FilterCaseSensitive On
+
+#
+# FilterDefaultDeny: Change the default policy of the filtering system.
+# If this directive is commented out, or is set to "No" then the default
+# policy is to allow everything which is not specifically denied by the
+# filter file.
+#
+# However, by setting this directive to "Yes" the default policy becomes
+# to deny everything which is _not_ specifically allowed by the filter
+# file.
+#
+#FilterDefaultDeny Yes
+
+#
+# Anonymous: If an Anonymous keyword is present, then anonymous proxying
+# is enabled. The headers listed are allowed through, while all others
+# are denied. If no Anonymous keyword is present, then all headers are
+# allowed through. You must include quotes around the headers.
+#
+# Most sites require cookies to be enabled for them to work correctly, so
+# you will need to allow Cookies through if you access those sites.
+#
+#Anonymous "Host"
+#Anonymous "Authorization"
+#Anonymous "Cookie"
+
+#
+# ConnectPort: This is a list of ports allowed by tinyproxy when the
+# CONNECT method is used. To disable the CONNECT method altogether, set
+# the value to 0. If no ConnectPort line is found, all ports are
+# allowed (which is not very secure.)
+#
+# The following two ports are used by SSL.
+#
+#ConnectPort 443
+#ConnectPort 563
+
+#
+# Configure one or more ReversePath directives to enable reverse proxy
+# support. With reverse proxying it's possible to make a number of
+# sites appear as if they were part of a single site.
+#
+# If you uncomment the following two directives and run tinyproxy
+# on your own computer at port 8888, you can access Google using
+# http://localhost:8888/google/ and Wired News using
+# http://localhost:8888/wired/news/. Neither will actually work
+# until you uncomment ReverseMagic as they use absolute linking.
+#
+#ReversePath "/google/" "http://www.google.com/"
+#ReversePath "/wired/" "http://www.wired.com/"
+
+#
+# When using tinyproxy as a reverse proxy, it is STRONGLY recommended
+# that the normal proxy is turned off by uncommenting the next directive.
+#
+#ReverseOnly Yes
+
+#
+# Use a cookie to track reverse proxy mappings. If you need to reverse
+# proxy sites which have absolute links you must uncomment this.
+#
+#ReverseMagic Yes
+
+#
+# The URL that's used to access this reverse proxy. The URL is used to
+# rewrite HTTP redirects so that they won't escape the proxy. If you
+# have a chain of reverse proxies, you'll need to put the outermost
+# URL here (the address which the end user types into his/her browser).
+#
+# If not set then no rewriting occurs.
+#
+#ReverseBaseURL "http://localhost:8888/"
+
+Allow 0.0.0.0/0
diff --git a/build/vpnc-script b/build/vpnc-script
new file mode 100644
index 0000000..6a55546
--- /dev/null
+++ b/build/vpnc-script
@@ -0,0 +1,1030 @@
+#!/bin/sh
+#
+# Originally part of vpnc source code:
+# © 2005-2012 Maurice Massar, Jörg Mayer, Antonio Borneo et al.
+# © 2009-2012 David Woodhouse <dwmw2@infradead.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+################
+#
+# List of parameters passed through environment
+#* reason -- why this script was called, one of: pre-init connect disconnect reconnect
+#* VPNGATEWAY -- vpn gateway address (always present)
+#* TUNDEV -- tunnel device (always present)
+#* INTERNAL_IP4_ADDRESS -- address (always present)
+#* INTERNAL_IP4_MTU -- mtu (often unset)
+#* INTERNAL_IP4_NETMASK -- netmask (often unset)
+#* INTERNAL_IP4_NETMASKLEN -- netmask length (often unset)
+#* INTERNAL_IP4_NETADDR -- address of network (only present if netmask is set)
+#* INTERNAL_IP4_DNS -- list of dns servers
+#* INTERNAL_IP4_NBNS -- list of wins servers
+#* INTERNAL_IP6_ADDRESS -- IPv6 address
+#* INTERNAL_IP6_NETMASK -- IPv6 netmask
+#* INTERNAL_IP6_DNS -- IPv6 list of dns servers
+#* CISCO_DEF_DOMAIN -- default domain name
+#* CISCO_BANNER -- banner from server
+#* CISCO_SPLIT_INC -- number of networks in split-network-list
+#* CISCO_SPLIT_INC_%d_ADDR -- network address
+#* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0)
+#* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24)
+#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0)
+#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0)
+#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0)
+#* CISCO_IPV6_SPLIT_INC -- number of networks in IPv6 split-network-list
+#* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address
+#* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen
+
+# FIXMEs:
+
+# Section A: route handling
+
+# 1) The 3 values CISCO_SPLIT_INC_%d_PROTOCOL/SPORT/DPORT are currently being ignored
+# In order to use them, we'll probably need os specific solutions
+# * Linux: iptables -t mangle -I PREROUTING <conditions> -j ROUTE --oif $TUNDEV
+# This would be an *alternative* to changing the routes (and thus 2) and 3)
+# shouldn't be relevant at all)
+# 2) There are two different functions to set routes: generic routes and the
+# default route. Why isn't the defaultroute handled via the generic route case?
+# 3) In the split tunnel case, all routes but the default route might get replaced
+# without getting restored later. We should explicitely check and save them just
+# like the defaultroute
+# 4) Replies to a dhcp-server should never be sent into the tunnel
+
+# Section B: Split DNS handling
+
+# 1) Maybe dnsmasq can do something like that
+# 2) Parse dns packets going out via tunnel and redirect them to original dns-server
+
+#env | sort
+#set -x
+
+# =========== script (variable) setup ====================================
+
+PATH=/sbin:/usr/sbin:$PATH
+
+OS="`uname -s`"
+
+HOOKS_DIR=/etc/vpnc
+DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute
+RESOLV_CONF_BACKUP=/var/run/vpnc/resolv.conf-backup
+SCRIPTNAME=`basename $0`
+
+# some systems, eg. Darwin & FreeBSD, prune /var/run on boot
+if [ ! -d "/var/run/vpnc" ]; then
+ mkdir -p /var/run/vpnc
+ [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/vpnc
+fi
+
+# stupid SunOS: no blubber in /usr/local/bin ... (on stdout)
+IPROUTE="`which ip 2> /dev/null | grep '^/'`"
+
+if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then
+ ifconfig_syntax_inet=""
+else
+ ifconfig_syntax_inet="inet"
+fi
+
+if [ "$OS" = "Linux" ]; then
+ ifconfig_syntax_ptp="pointopoint"
+ route_syntax_gw="gw"
+ route_syntax_del="del"
+ route_syntax_netmask="netmask"
+else
+ ifconfig_syntax_ptp=""
+ route_syntax_gw=""
+ route_syntax_del="delete"
+ route_syntax_netmask="-netmask"
+fi
+if [ "$OS" = "SunOS" ]; then
+ route_syntax_interface="-interface"
+ ifconfig_syntax_ptpv6="$INTERNAL_IP6_ADDRESS"
+else
+ route_syntax_interface=""
+ ifconfig_syntax_ptpv6=""
+fi
+
+grep ^hosts /etc/nsswitch.conf|grep resolve >/dev/null 2>&1
+if [ $? = 0 ];then
+ RESOLVEDENABLED=1
+else
+ RESOLVEDENABLED=0
+fi
+
+if [ -r /etc/openwrt_release ] && [ -n "$OPENWRT_INTERFACE" ]; then
+ . /etc/functions.sh
+ include /lib/network
+ MODIFYRESOLVCONF=modify_resolvconf_openwrt
+ RESTORERESOLVCONF=restore_resolvconf_openwrt
+elif [ -x /usr/bin/busctl ] && [ ${RESOLVEDENABLED} = 1 ]; then # For systemd-resolved (version 229 and above)
+ MODIFYRESOLVCONF=modify_resolved_manager
+ RESTORERESOLVCONF=restore_resolved_manager
+elif [ -x /sbin/resolvconf ]; then # Optional tool on Debian, Ubuntu, Gentoo and FreeBSD
+ MODIFYRESOLVCONF=modify_resolvconf_manager
+ RESTORERESOLVCONF=restore_resolvconf_manager
+elif [ -x /sbin/netconfig ]; then # tool on Suse after 11.1
+ MODIFYRESOLVCONF=modify_resolvconf_suse_netconfig
+ RESTORERESOLVCONF=restore_resolvconf_suse_netconfig
+elif [ -x /sbin/modify_resolvconf ]; then # Mandatory tool on Suse earlier than 11.1
+ MODIFYRESOLVCONF=modify_resolvconf_suse
+ RESTORERESOLVCONF=restore_resolvconf_suse
+elif [ -x /usr/sbin/unbound-control ] && /usr/sbin/unbound-control status > /dev/null 2>&1; then
+ MODIFYRESOLVCONF=modify_resolvconf_unbound
+ RESTORERESOLVCONF=restore_resolvconf_unbound
+else # Generic for any OS
+ MODIFYRESOLVCONF=modify_resolvconf_generic
+ RESTORERESOLVCONF=restore_resolvconf_generic
+fi
+
+
+# =========== script hooks =================================================
+
+run_hooks() {
+ HOOK="$1"
+
+ if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then
+ for script in ${HOOKS_DIR}/${HOOK}.d/* ; do
+ [ -f $script ] && . $script
+ done
+ fi
+}
+
+# =========== tunnel interface handling ====================================
+
+do_ifconfig() {
+ if [ -n "$INTERNAL_IP4_MTU" ]; then
+ MTU=$INTERNAL_IP4_MTU
+ elif [ -n "$IPROUTE" ]; then
+ MTUDEV=`$IPROUTE route get "$VPNGATEWAY" | sed -ne 's/^.*dev \([a-z0-9]*\).*$/\1/p'`
+ MTU=`$IPROUTE link show "$MTUDEV" | sed -ne 's/^.*mtu \([[:digit:]]\+\).*$/\1/p'`
+ if [ -n "$MTU" ]; then
+ MTU=`expr $MTU - 88`
+ fi
+ fi
+
+ if [ -z "$MTU" ]; then
+ MTU=1412
+ fi
+
+ # Point to point interface require a netmask of 255.255.255.255 on some systems
+ if [ -n "$IPROUTE" ]; then
+ $IPROUTE link set dev "$TUNDEV" up mtu "$MTU"
+ $IPROUTE addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
+ else
+ ifconfig "$TUNDEV" ${ifconfig_syntax_inet} "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up
+ fi
+
+ if [ -n "$INTERNAL_IP4_NETMASK" ]; then
+ set_network_route "$INTERNAL_IP4_NETADDR" "$INTERNAL_IP4_NETMASK" "$INTERNAL_IP4_NETMASKLEN" "$TUNDEV"
+ fi
+
+ # If the netmask is provided, it contains the address _and_ netmask
+ if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
+ INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
+ fi
+ if [ -n "$INTERNAL_IP6_NETMASK" ]; then
+ if [ -n "$IPROUTE" ]; then
+ $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV
+ else
+ # Unlike for Legacy IP, we don't specify the dest_address
+ # here on *BSD. OpenBSD for one will refuse to accept
+ # incoming packets to that address if we do.
+ # OpenVPN does the same (gives dest_address for Legacy IP
+ # but not for IPv6).
+ # Only Solaris needs it; hence $ifconfig_syntax_ptpv6
+ ifconfig "$TUNDEV" inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up
+ fi
+ fi
+}
+
+destroy_tun_device() {
+ case "$OS" in
+ NetBSD|OpenBSD) # and probably others...
+ ifconfig "$TUNDEV" destroy
+ ;;
+ FreeBSD)
+ ifconfig "$TUNDEV" destroy > /dev/null 2>&1 &
+ ;;
+ esac
+}
+
+# =========== route handling ====================================
+
+if [ -n "$IPROUTE" ]; then
+ fix_ip_get_output () {
+ sed -e 's/ /\n/g' | \
+ sed -ne '1p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p}'
+ }
+
+ set_vpngateway_route() {
+ $IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output`
+ $IPROUTE route flush cache
+ }
+
+ del_vpngateway_route() {
+ $IPROUTE route $route_syntax_del "$VPNGATEWAY"
+ $IPROUTE route flush cache
+ }
+
+ set_default_route() {
+ $IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE"
+ $IPROUTE route replace default dev "$TUNDEV"
+ $IPROUTE route flush cache
+ }
+
+ set_network_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ NETMASKLEN="$3"
+ NETDEV="$4"
+ NETGW="$5"
+ if [ -n "$NETGW" ]; then
+ $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" via "$NETGW"
+ else
+ $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV"
+ fi
+ $IPROUTE route flush cache
+ }
+
+ set_exclude_route() {
+ # add explicit route to keep current routing for this target
+ # (keep traffic separate from VPN tunnel)
+ NETWORK="$1"
+ NETMASK="$2"
+ NETMASKLEN="$3"
+ $IPROUTE route add `$IPROUTE route get "$NETWORK/$NETMASKLEN" | fix_ip_get_output`
+ $IPROUTE route flush cache
+ }
+
+ del_exclude_route() {
+ # FIXME: In theory, this could delete existing routes which are
+ # identical to split-exclude routes specificed by VPNGATEWAY
+ NETWORK="$1"
+ NETMASK="$2"
+ NETMASKLEN="$3"
+ $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN"
+ $IPROUTE route flush cache
+ }
+
+ reset_default_route() {
+ if [ -s "$DEFAULT_ROUTE_FILE" ]; then
+ $IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"`
+ $IPROUTE route flush cache
+ rm -f -- "$DEFAULT_ROUTE_FILE"
+ fi
+ }
+
+ del_network_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ NETMASKLEN="$3"
+ NETDEV="$4"
+ $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$NETDEV"
+ $IPROUTE route flush cache
+ }
+
+ set_ipv6_default_route() {
+ # We don't save/restore IPv6 default route; just add a higher-priority one.
+ $IPROUTE -6 route add default dev "$TUNDEV" metric 1
+ $IPROUTE -6 route flush cache
+ }
+
+ set_ipv6_network_route() {
+ NETWORK="$1"
+ NETMASKLEN="$2"
+ NETDEV="$3"
+ NETGW="$4"
+ if [ -n "$NETGW" ]; then
+ $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" via "$NETGW"
+ else
+ $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV"
+ fi
+ $IPROUTE route flush cache
+ }
+
+ set_ipv6_exclude_route() {
+ # add explicit route to keep current routing for this target
+ # (keep traffic separate from VPN tunnel)
+ NETWORK="$1"
+ NETMASKLEN="$2"
+ $IPROUTE -6 route add `$IPROUTE route get "$NETWORK/$NETMASKLEN" | fix_ip_get_output`
+ $IPROUTE route flush cache
+ }
+
+ reset_ipv6_default_route() {
+ $IPROUTE -6 route del default dev "$TUNDEV"
+ $IPROUTE route flush cache
+ }
+
+ del_ipv6_network_route() {
+ NETWORK="$1"
+ NETMASKLEN="$2"
+ NETDEV="$3"
+ $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$NETDEV"
+ $IPROUTE -6 route flush cache
+ }
+
+ del_ipv6_exclude_route() {
+ # FIXME: In theory, this could delete existing routes which are
+ # identical to split-exclude routes specificed by VPNGATEWAY
+ NETWORK="$1"
+ NETMASKLEN="$2"
+ $IPROUTE -6 route del "$NETWORK/$NETMASKLEN"
+ $IPROUTE -6 route flush cache
+ }
+else # use route command
+ get_default_gw() {
+ # isn't -n supposed to give --numeric output?
+ # apperently not...
+ # Get rid of lines containing IPv6 addresses (':')
+ netstat -r -n | awk '/:/ { next; } /^(default|0\.0\.0\.0)/ { print $2; }'
+ }
+
+ set_vpngateway_route() {
+ route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
+ }
+
+ del_vpngateway_route() {
+ route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
+ }
+
+ set_default_route() {
+ DEFAULTGW="`get_default_gw`"
+ echo "$DEFAULTGW" > "$DEFAULT_ROUTE_FILE"
+ route $route_syntax_del default $route_syntax_gw "$DEFAULTGW"
+ route add default $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface
+ }
+
+ set_network_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ NETMASKLEN="$3"
+ if [ -n "$5" ]; then
+ NETGW="$5"
+ else
+ NETGW="$INTERNAL_IP4_ADDRESS"
+ fi
+ route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$NETGW" $route_syntax_interface
+ }
+
+ set_exclude_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ NETMASKLEN="$3"
+ if [ -z "$DEFAULTGW" ]; then
+ DEFAULTGW="`get_default_gw`"
+ fi
+ # Add explicit route to keep traffic for this target separate
+ # from tunnel. FIXME: We use default gateway - this is our best
+ # guess in absence of "ip" command to query effective route.
+ route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$DEFAULTGW" $route_syntax_interface
+ }
+
+ del_exclude_route() {
+ # FIXME: This can delete existing routes in case they're
+ # identical to split-exclude routes specified by VPNGATEWAY
+ NETWORK="$1"
+ NETMASK="$2"
+ NETMASKLEN="$3"
+ route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK"
+ }
+
+ reset_default_route() {
+ if [ -s "$DEFAULT_ROUTE_FILE" ]; then
+ route $route_syntax_del default $route_syntax_gw "`get_default_gw`" $route_syntax_interface
+ route add default $route_syntax_gw `cat "$DEFAULT_ROUTE_FILE"`
+ rm -f -- "$DEFAULT_ROUTE_FILE"
+ fi
+ }
+
+ del_network_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ NETMASKLEN="$3"
+ if [ -n "$5" ]; then
+ NETGW="$5"
+ else
+ NETGW="$INTERNAL_IP4_ADDRESS"
+ fi
+ route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$NETGW"
+ }
+
+ set_ipv6_default_route() {
+ route add -inet6 default "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
+ }
+
+ set_ipv6_network_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ if [ -n "$4" ]; then
+ NETGW="$4"
+ else
+ NETGW="$INTERNAL_IP6_ADDRESS"
+ fi
+
+ route add -inet6 -net "$NETWORK/$NETMASK" "$NETGW" $route_syntax_interface
+ :
+ }
+
+ set_ipv6_exclude_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ # Add explicit route to keep traffic for this target separate
+ # from tunnel. FIXME: We use default gateway - this is our best
+ # guess in absence of "ip" command to query effective route.
+ route add -inet6 -net "$NETWORK/$NETMASK" "`get_default_gw`" $route_syntax_interface
+ :
+ }
+
+ reset_ipv6_default_route() {
+ route $route_syntax_del -inet6 default "$INTERNAL_IP6_ADDRESS"
+ :
+ }
+
+ del_ipv6_network_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ if [ -n "$4" ]; then
+ NETGW="$4"
+ else
+ NETGW="$INTERNAL_IP6_ADDRESS"
+ fi
+ route $route_syntax_del -inet6 "$NETWORK/$NETMASK" "$NETGW"
+ :
+ }
+
+ del_ipv6_exclude_route() {
+ NETWORK="$1"
+ NETMASK="$2"
+ route $route_syntax_del -inet6 "$NETWORK/$NETMASK"
+ :
+ }
+
+fi
+
+# =========== resolv.conf handling ====================================
+
+# =========== resolv.conf handling for any OS =========================
+
+modify_resolvconf_generic() {
+ grep '^#@VPNC_GENERATED@' /etc/resolv.conf > /dev/null 2>&1 || cp -- /etc/resolv.conf "$RESOLV_CONF_BACKUP"
+ NEW_RESOLVCONF="#@VPNC_GENERATED@ -- this file is generated by vpnc
+# and will be overwritten by vpnc
+# as long as the above mark is intact"
+
+ DOMAINS="$CISCO_DEF_DOMAIN"
+
+ exec 6< "$RESOLV_CONF_BACKUP"
+ while read LINE <&6 ; do
+ case "$LINE" in
+ # omit; we will overwrite these
+ nameserver*) ;;
+ # extract listed domains and prepend to list
+ domain* | search*) DOMAINS="${LINE#* } $DOMAINS" ;;
+ # retain other lines
+ *) NEW_RESOLVCONF="$NEW_RESOLVCONF
+$LINE" ;;
+ esac
+ done
+ exec 6<&-
+
+ for i in $INTERNAL_IP4_DNS ; do
+ NEW_RESOLVCONF="$NEW_RESOLVCONF
+nameserver $i"
+ done
+ # note that "search" is mutually exclusive with "domain";
+ # "search" allows multiple domains to be listed, so use that
+ if [ -n "$DOMAINS" ]; then
+ NEW_RESOLVCONF="$NEW_RESOLVCONF
+search $DOMAINS"
+ fi
+ echo "$NEW_RESOLVCONF" > /etc/resolv.conf
+
+ if [ "$OS" = "Darwin" ]; then
+ case "`uname -r`" in
+ # Skip for pre-10.4 systems
+ 4.*|5.*|6.*|7.*)
+ ;;
+ # 10.4 and later require use of scutil for DNS to work properly
+ *)
+ OVERRIDE_PRIMARY=""
+ if [ -n "$CISCO_SPLIT_INC" ]; then
+ if [ $CISCO_SPLIT_INC -lt 1 ]; then
+ # Must override for correct default route
+ # Cannot use multiple DNS matching in this case
+ OVERRIDE_PRIMARY='d.add OverridePrimary # 1'
+ fi
+ # Overriding the default gateway breaks split routing
+ OVERRIDE_GATEWAY=""
+ # Not overriding the default gateway breaks usage of
+ # INTERNAL_IP4_DNS. Prepend INTERNAL_IP4_DNS to list
+ # of used DNS servers
+ SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'`
+ SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs`
+ if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then
+ scutil >/dev/null 2>&1 <<-EOF
+ open
+ get State:/Network/Service/$SERVICE/DNS
+ d.add ServerAddresses * $INTERNAL_IP4_DNS $SERVICE_DNS
+ set State:/Network/Service/$SERVICE/DNS
+ close
+ EOF
+ fi
+ else
+ # No split routing. Override default gateway
+ OVERRIDE_GATEWAY="d.add Router $INTERNAL_IP4_ADDRESS"
+ fi
+ # Uncomment the following if/fi pair to use multiple
+ # DNS matching when available. When multiple DNS matching
+ # is present, anything reading the /etc/resolv.conf file
+ # directly will probably not work as intended.
+ #if [ -z "$CISCO_DEF_DOMAIN" ]; then
+ # Cannot use multiple DNS matching without a domain
+ OVERRIDE_PRIMARY='d.add OverridePrimary # 1'
+ #fi
+ scutil >/dev/null 2>&1 <<-EOF
+ open
+ d.init
+ d.add ServerAddresses * $INTERNAL_IP4_DNS
+ set State:/Network/Service/$TUNDEV/DNS
+ d.init
+ $OVERRIDE_GATEWAY
+ d.add Addresses * $INTERNAL_IP4_ADDRESS
+ d.add SubnetMasks * 255.255.255.255
+ d.add InterfaceName $TUNDEV
+ $OVERRIDE_PRIMARY
+ set State:/Network/Service/$TUNDEV/IPv4
+ close
+ EOF
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ scutil >/dev/null 2>&1 <<-EOF
+ open
+ get State:/Network/Service/$TUNDEV/DNS
+ d.add DomainName $CISCO_DEF_DOMAIN
+ d.add SearchDomains * $CISCO_DEF_DOMAIN
+ d.add SupplementalMatchDomains * $CISCO_DEF_DOMAIN
+ set State:/Network/Service/$TUNDEV/DNS
+ close
+ EOF
+ fi
+ ;;
+ esac
+ fi
+}
+
+restore_resolvconf_generic() {
+ if [ ! -f "$RESOLV_CONF_BACKUP" ]; then
+ return
+ fi
+ grep '^#@VPNC_GENERATED@' /etc/resolv.conf > /dev/null 2>&1 && cat "$RESOLV_CONF_BACKUP" > /etc/resolv.conf
+ rm -f -- "$RESOLV_CONF_BACKUP"
+
+ if [ "$OS" = "Darwin" ]; then
+ case "`uname -r`" in
+ # Skip for pre-10.4 systems
+ 4.*|5.*|6.*|7.*)
+ ;;
+ # 10.4 and later require use of scutil for DNS to work properly
+ *)
+ scutil >/dev/null 2>&1 <<-EOF
+ open
+ remove State:/Network/Service/$TUNDEV/IPv4
+ remove State:/Network/Service/$TUNDEV/DNS
+ close
+ EOF
+ # Split routing required prepending of INTERNAL_IP4_DNS
+ # to list of used DNS servers
+ if [ -n "$CISCO_SPLIT_INC" ]; then
+ SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'`
+ SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs`
+ if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then
+ scutil >/dev/null 2>&1 <<-EOF
+ open
+ get State:/Network/Service/$SERVICE/DNS
+ d.add ServerAddresses * ${SERVICE_DNS##$INTERNAL_IP4_DNS}
+ set State:/Network/Service/$SERVICE/DNS
+ close
+ EOF
+ fi
+ fi
+ ;;
+ esac
+ fi
+}
+# === resolv.conf handling via /sbin/netconfig (Suse 11.1) =====================
+
+# Suse provides a script that modifies resolv.conf. Use it because it will
+# restart/reload all other services that care about it (e.g. lwresd). [unclear if this is still true, but probably --mlk]
+
+modify_resolvconf_suse_netconfig()
+{
+ /sbin/netconfig modify -s vpnc -i "$TUNDEV" <<-EOF
+ INTERFACE='$TUNDEV'
+ DNSSERVERS='$INTERNAL_IP4_DNS'
+ DNSDOMAIN='$CISCO_DEF_DOMAIN'
+ EOF
+}
+# Restore resolv.conf to old contents on Suse
+restore_resolvconf_suse_netconfig()
+{
+ /sbin/netconfig remove -s vpnc -i "$TUNDEV"
+}
+
+# === resolv.conf handling via /sbin/modify_resolvconf (Suse) =====================
+
+# Suse provides a script that modifies resolv.conf. Use it because it will
+# restart/reload all other services that care about it (e.g. lwresd).
+
+modify_resolvconf_suse()
+{
+ FULL_SCRIPTNAME=`readlink -f $0`
+ RESOLV_OPTS=''
+ test -n "$INTERNAL_IP4_DNS" && RESOLV_OPTS="-n \"$INTERNAL_IP4_DNS\""
+ test -n "$CISCO_DEF_DOMAIN" && RESOLV_OPTS="$RESOLV_OPTS -d $CISCO_DEF_DOMAIN"
+ test -n "$RESOLV_OPTS" && eval /sbin/modify_resolvconf modify -s vpnc -p $SCRIPTNAME -f $FULL_SCRIPTNAME -e $TUNDEV $RESOLV_OPTS -t \"This file was created by $SCRIPTNAME\"
+}
+
+# Restore resolv.conf to old contents on Suse
+restore_resolvconf_suse()
+{
+ FULL_SCRIPTNAME=`readlink -f $0`
+ /sbin/modify_resolvconf restore -s vpnc -p $SCRIPTNAME -f $FULL_SCRIPTNAME -e $TUNDEV
+}
+
+# === resolv.conf handling via UCI (OpenWRT) =========
+
+modify_resolvconf_openwrt() {
+ add_dns $OPENWRT_INTERFACE $INTERNAL_IP4_DNS
+}
+
+restore_resolvconf_openwrt() {
+ remove_dns $OPENWRT_INTERFACE
+}
+# === resolv.conf handling via /sbin/resolvconf (Debian, Ubuntu, Gentoo)) =========
+
+modify_resolvconf_manager() {
+ NEW_RESOLVCONF=""
+ for i in $INTERNAL_IP4_DNS; do
+ NEW_RESOLVCONF="$NEW_RESOLVCONF
+nameserver $i"
+ done
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ NEW_RESOLVCONF="$NEW_RESOLVCONF
+domain $CISCO_DEF_DOMAIN"
+ fi
+ echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
+}
+
+restore_resolvconf_manager() {
+ /sbin/resolvconf -d $TUNDEV
+}
+
+AF_INET=2
+
+get_if_index() {
+ local link
+ link="$(ip link show dev "$1")" || return $?
+ echo ${link} | awk -F: '{print $1}'
+}
+
+busctl_call() {
+ local dest node
+ dest=org.freedesktop.resolve1
+ node=/org/freedesktop/resolve1
+ busctl call "$dest" "${node}" "${dest}.Manager" "$@"
+}
+
+busctl_set_nameservers() {
+ local if_index addresses args addr
+ if_index=$1
+ shift
+ addresses="$@"
+ args="$if_index $#"
+ for addr in ${addresses}; do
+ args="$args ${AF_INET} 4 $(echo $addr | sed 's/[.]/ /g')"
+ done
+ busctl_call SetLinkDNS 'ia(iay)' ${args}
+}
+
+busctl_set_search() {
+ local if_index domains args domain
+ if_index=$1
+ shift
+ domains="$@"
+ args="$if_index $#"
+ for domain in ${domains}; do
+ args="$args ${domain} false"
+ done
+ busctl_call SetLinkDomains 'ia(sb)' ${args}
+}
+
+modify_resolved_manager() {
+ local if_index
+ if_index=$(get_if_index $TUNDEV)
+ busctl_set_nameservers $if_index $INTERNAL_IP4_DNS
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ busctl_set_search $if_index $CISCO_DEF_DOMAIN
+ fi
+}
+
+restore_resolved_manager() {
+ local if_index
+ if_index=$(get_if_index $TUNDEV)
+ busctl_call RevertLink 'i' $if_index
+}
+
+# === resolv.conf handling via unbound =========
+
+modify_resolvconf_unbound() {
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ /usr/sbin/unbound-control forward_add +i ${CISCO_DEF_DOMAIN} ${INTERNAL_IP4_DNS}
+ /usr/sbin/unbound-control flush_requestlist
+ /usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN}
+ fi
+}
+
+restore_resolvconf_unbound() {
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ /usr/sbin/unbound-control forward_remove +i ${CISCO_DEF_DOMAIN}
+ /usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN}
+ /usr/sbin/unbound-control flush_requestlist
+ fi
+}
+
+# ========= Toplevel state handling =======================================
+
+kernel_is_2_6_or_above() {
+ case `uname -r` in
+ 1.*|2.[012345]*)
+ return 1
+ ;;
+ *)
+ return 0
+ ;;
+ esac
+}
+
+do_pre_init() {
+ if [ "$OS" = "Linux" ]; then
+ if (exec 6< /dev/net/tun) > /dev/null 2>&1 ; then
+ :
+ else # can't open /dev/net/tun
+ test -e /proc/sys/kernel/modprobe && `cat /proc/sys/kernel/modprobe` tun 2>/dev/null
+ # fix for broken devfs in kernel 2.6.x
+ if [ "`readlink /dev/net/tun`" = misc/net/tun \
+ -a ! -e /dev/net/misc/net/tun -a -e /dev/misc/net/tun ] ; then
+ ln -sf /dev/misc/net/tun /dev/net/tun
+ fi
+ # make sure tun device exists
+ if [ ! -e /dev/net/tun ]; then
+ mkdir -p /dev/net
+ mknod -m 0640 /dev/net/tun c 10 200
+ [ -x /sbin/restorecon ] && /sbin/restorecon /dev/net/tun
+ fi
+ # workaround for a possible latency caused by udev, sleep max. 10s
+ if kernel_is_2_6_or_above ; then
+ for x in `seq 100` ; do
+ (exec 6<> /dev/net/tun) > /dev/null 2>&1 && break;
+ sleep 0.1
+ done
+ fi
+ fi
+ elif [ "$OS" = "FreeBSD" ]; then
+ if ! kldstat -q -m if_tun > /dev/null; then
+ kldload if_tun
+ fi
+
+ if ! ifconfig $TUNDEV > /dev/null; then
+ ifconfig $TUNDEV create
+ fi
+ elif [ "$OS" = "GNU/kFreeBSD" ]; then
+ if [ ! -e /dev/tun ]; then
+ kldload if_tun
+ fi
+ elif [ "$OS" = "NetBSD" ]; then
+ :
+ elif [ "$OS" = "OpenBSD" ]; then
+ if ! ifconfig $TUNDEV > /dev/null; then
+ ifconfig $TUNDEV create
+ fi
+ :
+ elif [ "$OS" = "SunOS" ]; then
+ :
+ elif [ "$OS" = "Darwin" ]; then
+ :
+ fi
+}
+
+do_connect() {
+ if [ -n "$CISCO_BANNER" ]; then
+ echo "Connect Banner:"
+ echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done
+ echo
+ fi
+
+ set_vpngateway_route
+ do_ifconfig
+ if [ -n "$CISCO_SPLIT_EXC" ]; then
+ i=0
+ while [ $i -lt $CISCO_SPLIT_EXC ] ; do
+ eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}"
+ eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}"
+ eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}"
+ set_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
+ i=`expr $i + 1`
+ done
+ fi
+ if [ -n "$CISCO_IPV6_SPLIT_EXC" ]; then
+ # untested
+ i=0
+ while [ $i -lt $CISCO_IPV6_SPLIT_EXC ] ; do
+ eval NETWORK="\${CISCO_IPV6_SPLIT_EXC_${i}_ADDR}"
+ eval NETMASKLEN="\${CISCO_IPV6_SPLIT_EXC_${i}_MASKLEN}"
+ set_ipv6_exclude_route "$NETWORK" "$NETMASKLEN"
+ i=`expr $i + 1`
+ done
+ fi
+ if [ -n "$CISCO_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
+ eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
+ eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
+ if [ "$NETWORK" != "0.0.0.0" ]; then
+ set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$TUNDEV"
+ else
+ set_default_route
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP4_DNS ; do
+ echo "$i" | grep : >/dev/null || \
+ set_network_route "$i" "255.255.255.255" "32" "$TUNDEV"
+ done
+ elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
+ set_default_route
+ fi
+ if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
+ eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
+ if [ $NETMASKLEN -lt 128 ]; then
+ set_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$TUNDEV"
+ else
+ set_ipv6_default_route
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP4_DNS ; do
+ if echo "$i" | grep : >/dev/null; then
+ set_ipv6_network_route "$i" "128" "$TUNDEV"
+ fi
+ done
+ elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
+ set_ipv6_default_route
+ fi
+
+ if [ -n "$INTERNAL_IP4_DNS" ]; then
+ $MODIFYRESOLVCONF
+ fi
+}
+
+do_disconnect() {
+ if [ -n "$CISCO_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
+ eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
+ eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
+ if [ "$NETWORK" != "0.0.0.0" ]; then
+ # FIXME: This doesn't restore previously overwritten
+ # routes.
+ del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$TUNDEV"
+ else
+ reset_default_route
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP4_DNS ; do
+ del_network_route "$i" "255.255.255.255" "32" "$TUNDEV"
+ done
+ else
+ reset_default_route
+ fi
+ if [ -n "$CISCO_SPLIT_EXC" ]; then
+ i=0
+ while [ $i -lt $CISCO_SPLIT_EXC ] ; do
+ eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}"
+ eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}"
+ eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}"
+ del_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
+ i=`expr $i + 1`
+ done
+ fi
+ if [ -n "$CISCO_IPV6_SPLIT_EXC" ]; then
+ # untested
+ i=0
+ while [ $i -lt $CISCO_IPV6_SPLIT_EXC ] ; do
+ eval NETWORK="\${CISCO_IPV6_SPLIT_EXC_${i}_ADDR}"
+ eval NETMASKLEN="\${CISCO_IPV6_SPLIT_EXC_${i}_MASKLEN}"
+ del_ipv6_exclude_route "$NETWORK" "$NETMASKLEN"
+ i=`expr $i + 1`
+ done
+ fi
+ if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
+ eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
+ if [ $NETMASKLEN -eq 0 ]; then
+ reset_ipv6_default_route
+ else
+ del_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$TUNDEV"
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP6_DNS ; do
+ del_ipv6_network_route "$i" "128" "$TUNDEV"
+ done
+ elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
+ reset_ipv6_default_route
+ fi
+
+ del_vpngateway_route
+
+ if [ -n "$INTERNAL_IP4_DNS" ]; then
+ $RESTORERESOLVCONF
+ fi
+
+
+ if [ -n "$IPROUTE" ]; then
+ if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
+ $IPROUTE addr del "$INTERNAL_IP4_ADDRESS/255.255.255.255" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
+ fi
+ # If the netmask is provided, it contains the address _and_ netmask
+ if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
+ INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
+ fi
+ if [ -n "$INTERNAL_IP6_NETMASK" ]; then
+ $IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV
+ fi
+ else
+ if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
+ ifconfig "$TUNDEV" 0.0.0.0
+ fi
+ if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
+ INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
+ fi
+ if [ -n "$INTERNAL_IP6_NETMASK" ]; then
+ ifconfig "$TUNDEV" inet6 del $INTERNAL_IP6_NETMASK
+ fi
+ fi
+
+ destroy_tun_device
+}
+
+#### Main
+
+if [ -z "$reason" ]; then
+ echo "this script must be called from vpnc" 1>&2
+ exit 1
+fi
+
+case "$reason" in
+ pre-init)
+ run_hooks pre-init
+ do_pre_init
+ ;;
+ connect)
+ run_hooks connect
+ do_connect
+ run_hooks post-connect
+ ;;
+ disconnect)
+ run_hooks disconnect
+ do_disconnect
+ run_hooks post-disconnect
+ ;;
+ reconnect)
+ run_hooks reconnect
+ ;;
+ *)
+ echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/connect b/connect
new file mode 100755
index 0000000..dbce51a
--- /dev/null
+++ b/connect
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Edit this
+
+OPENCONNECT_USER=
+OPENCONNECT_URL=
+OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate>"
+PROXY_PORT=8888
+
+# Don't touch this
+
+container() {
+ # Ask for password on the commandline
+ stty -echo
+ printf "VPN password: "
+ read OPENCONNECT_PASSWORD
+ stty echo
+ printf "\n\n"
+
+ # Start container with proxy on specified port
+ docker run -it --rm "$@" --privileged \
+ -e OPENCONNECT_URL="$OPENCONNECT_URL" \
+ -e OPENCONNECT_OPTIONS="$OPENCONNECT_OPTIONS" \
+ -e OPENCONNECT_USER="$OPENCONNECT_USER" \
+ -e OPENCONNECT_PASSWORD="$OPENCONNECT_PASSWORD" \
+ -e PROXY_PORT="$PROXY_PORT" \
+ -p $PROXY_PORT:$PROXY_PORT \
+ "wazum/openconnect-proxy:latest"
+}
+
+ssh_proxy() {
+ if hash corkscrew 2>/dev/null; then
+ ssh -o ProxyCommand="corkscrew 127.0.0.1 $PROXY_PORT %h %p" "$@"
+ else
+ printf "The ssh command requires 'corkscrew' to be installed and executable.\n"
+ fi
+}
+
+case $1 in
+ ssh)
+ shift
+ ssh_proxy "$@"
+ ;;
+ *)
+ container "$@"
+ ;;
+esac