Re: Non default VPN route patch, 1.369

From: Bill Moss <bmoss clemson edu>
To: networkmanager list <networkmanager-list gnome org>
Subject: Re: Non default VPN route patch, 1.369
Date: Mon, 16 May 2005 10:11:10 -0400

On Mon, 16 May 2005, Tomislav Vujec wrote:

Hi all,

I made some changes to the current CVS head, which allow setting up
non-default routes for the VPN. In case your home connection is much
better than through the office, you don't want your default route to go
through the VPN.

This only works for the RedHat back end now, but it should be easy to
adjust for other distributions. You'll need an additional gconf key,
called routes in your VPN set up. It should be a list of strings, each
of them representing a single non default route, e.g. "172.16.0.0/16"
which you want to pass through the VPN. If the list is empty, the
behavior should stay the same.

Dan wrote

Cool! One thing I noticed with VPN setup was that the subnet mask passed backfrom the concentrator that gets set on tun0 isn't inclusive enough to eveninclude the nameservers that the concentrator sends back. That really seemslike a config error, and that was one reason why the default was to routeeverything through tun0... But using 172.16.0.0/16 would solve that.


Bill:

How could this potentially mesh with your vpnc config? Would we need to addadditional functionality to allow your config to be used?



Bill's reply:

With vpnc-0.3.2, I stole the vpnc-connect script from Debian and used itwith Fedora Core. The Debian script added an additional key to vpnc.confcalled 'Target networks'. The functionality added is precisely whatTomislav has added with his patch and the new GConf key 'routes'. I havetested it and it works. The motivation for this patch is well stated byTomislav: "In case your home connection is much better than through theoffice, you don't want your default route to go through the VPN. Theroute I use for the office is for the subnet that holds all the criticalservers I use. I don't need access to the rest of the campus."

On May 14, vpnc-0.3.3 came out. I was expecting it to be backwardcompatible with vpnc-0.3.2 as far as NM is concerned but I was wrong.When I try it, vpnc fails to start but I get no error messages from NM.Version 0.3.3 outputs more environment variables than 0.3.2. I put thelist below. When the VPN enabled NM hits the 'streets' this may be anissue for people downloading vpnc.


Information is passed from vpnc via enviroment variables:

#* reason -- why this script was called, one of:pre-init connect disconnect

#* VPNGATEWAY                   -- vpn gateway address (always present)
#* TUNDEV                       -- tunnel device (always present)
#* INTERNAL_IP4_ADDRESS         -- address (always present)
#* INTERNAL_IP4_NETMASK         -- netmask (often unset)
#* INTERNAL_IP4_DNS             -- list of dns serverss
#* INTERNAL_IP4_NBNS            -- list of wins servers
#* CISCO_DEF_DOMAIN             -- default domain name
#* CISCO_BANNER                 -- banner from server
#* CISCO_SPLIT_INC              -- number of networks in split-network-list
#* CISCO_SPLIT_INC_%d_ADDR      -- network address
#* CISCO_SPLIT_INC_%d_MASK      -- subnet mask (for example: 255.255.255.0)
#* CISCO_SPLIT_INC_%d_MASKLEN   -- subnet masklen (for example: 24)
#* CISCO_SPLIT_INC_%d_PROTOCOL  -- protocol (often just 0)
#* CISCO_SPLIT_INC_%d_SPORT     -- source port (often just 0)
#* CISCO_SPLIT_INC_%d_DPORT     -- destination port (often just 0)



--
Bill Moss
Professor, Mathematical Sciences
Clemson University

Follow-Ups:
- Re: Non default VPN route patch, 1.369
  - From: Dan Williams
- Re: Non default VPN route patch, 1.369
  - From: Derek Atkins

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]