Vpnc

From IckyWiki


This is fairly specific to my work and my particular machine, which sits inside a firewall (so it has a 10.1.1.* address and uses our internal DNS servers most of the time). It could probably be adapted to other setups.


Installing on gentoo

Also see: Gentoo vpnc-howto

emerge vpnc

Note: if using 0.3.3 and you want to use the rekeying patch (--rekey-interval), apply it in the unpacked vpnc source tree and build there:

  • patch -p1 < ../path/to/patch/file
  • make
  • If you want, you can make install, or if you already have /etc/vpnc.conf and such out there for a vpnc from portage, you might want to just run it in place.


scripts, config

  • /etc/init.d/vpnc to start it up (gentoo specific)
    • see the vpnc-script script below
    • if your version of vpnc isn't patched for rekeying, leave the --rekey-interval line commented out, as it is here

Note: this is for version 0.4.0, with no rekeying set up.

#!/bin/bash
#
# Starts vpnc in the background. If the DNS setup below is in use, named
# must already be running, since resolv.conf.vpnc points at 127.0.0.1.

#REKEY="--rekey-interval 7200"
REKEY=""
UDP="--natt-mode cisco-udp"
DEBUG="--debug 1"
#DETACH="--no-detach"
DETACH=""
SCRIPT="--script /etc/vpnc/vpnc-script"
PIDFILE="--pid-file /var/run/vpnc/pid"

# make sure the pid-file directory exists before vpnc tries to write there
mkdir -p /var/run/vpnc

/usr/sbin/vpnc \
        $REKEY \
        $UDP \
        $DEBUG \
        --application-version "Cisco Systems VPN Client 4.5 (A):Linux" \
        $SCRIPT \
        $PIDFILE \
        $DETACH
  • /etc/vpnc/vpnc-script script, run by vpnc once the connection is up:
    • the environment stuff is only useful if you want the vpnc environment variables in the environment of any shells you open after this starts up. You can add 'source /path/to/env' in your .bashrc if so. Sourcing the file executes it as shell, and several of the values (banner, default domain, split-include list) are supplied by the gateway, so they must be written quoted rather than echoed raw.
    • resolv.conf stuff is so that work DNS will work. To do this, you run bind on the machine you're running vpnc on, and while you're vpn'ed you list 127.0.0.1 as your first DNS server in resolv.conf. More on this in the DNS section.
    • check all paths for your particular situation
#!/bin/bash
#set -x

## exit early
if [ -z "$reason" ]; then
        echo "this script should be called from inside vpnc" 1>&2
        exit 1
fi

##
## stuff
##
ROUTE=/sbin/route
PUTVARS=/etc/vpnc/env

# this is to back up your resolv.conf and set up a temporary one upon vpnc connection
RESOLV=/etc/resolv.conf
RESOLVBAK=/etc/vpnc/resolv.conf.bak
RESOLVLOC=/etc/vpnc/resolv.conf.vpnc

# i'm not using iptables...
#IPTABLES=/sbin/iptables

# these subnets will be routed through intranet
INTRASUBNET="172.31.0.0/16 172.32.0.0/16 172.30.0.0/16 172.18.0.0/16 10.0.0.0/8"
# individual ips here, like ldap and ossdb
INTRAHOST="ip1 ip2 ..."


# this is your machine's IP. Set appropriately.
LAPTOP_IP="10.1.1.XXX"
#LAPTOP_IP="10.1.1.XXX"

do_pre_init() {
        if [ ! -e /dev/net/tun ]; then
                echo "You don't seem to have a tun device at /dev/net/tun" 1>&2
                echo "Ker die" 1>&2
                exit 1
        fi
}


save_vars() {
        # save environment info in case you need it. Several of these values
        # (banner, default domain, split-include list) come from the gateway,
        # and this file may later be sourced into a shell, so quote each one
        # with printf %q instead of echoing it raw.
        rm -f $PUTVARS

        for var in reason VPNGATEWAY TUNDEV INTERNAL_IP4_ADDRESS INTERNAL_IP4_NETMASK \
                   INTERNAL_IP4_DNS INTERNAL_IP4_NBNS CISCO_DEF_DOMAIN CISCO_BANNER CISCO_SPLIT_INC; do
                printf '%s=%q\n' "$var" "${!var}" >> $PUTVARS
        done
}

resolvConf() {
        # if you have an alternate, vpnc resolv.conf, copy it over here
        if [ -e $RESOLVLOC ]; then
                echo "Backing up $RESOLV to $RESOLVBAK..."
                cp $RESOLV $RESOLVBAK
                if [ -e $RESOLVBAK ]; then
                        echo "Copying $RESOLVLOC to $RESOLV"
                        cp $RESOLVLOC $RESOLV
                fi
        fi
}

do_connect() {

        echo "Gw: $VPNGATEWAY Tun: $TUNDEV IP: $INTERNAL_IP4_ADDRESS Mask: $INTERNAL_IP4_NETMASK"
        echo "DNS: $INTERNAL_IP4_DNS Wins: $INTERNAL_IP4_NBNS Domain: $CISCO_DEF_DOMAIN"
        echo "Banner: $CISCO_BANNER"

        save_vars

        # left this as it's the default --script for vpnc; might be important to
        # do this still. or not.
        ifconfig $TUNDEV inet $INTERNAL_IP4_ADDRESS pointopoint $INTERNAL_IP4_ADDRESS netmask 255.255.255.255 mtu 1412 up

        # do some routing...
        if [ -n "$INTERNAL_IP4_ADDRESS" ]; then

                dev=`/bin/netstat -rn | /bin/grep ^0.0.0.0 | /usr/bin/awk '{print $8}'`
                for net in $INTRASUBNET; do
                        echo "Setting up route for $net through $INTERNAL_IP4_ADDRESS"
                        $ROUTE add -net $net gw $INTERNAL_IP4_ADDRESS
                        #$IPTABLES -t nat -A POSTROUTING -o $dev -d $net -j MASQUERADE
                done

                for host in $INTRAHOST; do
                        echo "Setting up route for $host through $INTERNAL_IP4_ADDRESS"
                        $ROUTE add -host $host gw $INTERNAL_IP4_ADDRESS
                        #$IPTABLES -t nat -A POSTROUTING -o $dev -d $host -j MASQUERADE
                done


                # this is for local routing, since it's a subset of 10.0.0.0/8
                echo "Setting up route for 10.1.1.0/24 through $LAPTOP_IP"
                $ROUTE add -net 10.1.1.0/24 gw $LAPTOP_IP

                echo "Setting up default route through $LAPTOP_IP"
                $ROUTE add default gw $LAPTOP_IP

                echo "Removing route for 0.0.0.0: $dev"
                $ROUTE del -net 0.0.0.0 dev $dev

                echo "Successfully set up routing"

                resolvConf

                echo

        else
                echo "Failed to get IP4 address; no routing set up"

        fi

}

do_disconnect() {
        echo "Disconnect"
}

echo "call for $reason" 1>&2
case "$reason" in
        pre-init)
                do_pre_init
                ;;
        connect)
                do_connect
                ;;
        disconnect)
                do_disconnect
                ;;
        *)
                echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
                exit 1
                ;;
esac

exit 0

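The vpnc-script above hard-codes the split-tunnel networks in INTRASUBNET, even though vpnc hands the gateway's own split-include list to the script in CISCO_SPLIT_INC (entry count), CISCO_SPLIT_INC_<n>_ADDR and CISCO_SPLIT_INC_<n>_MASK, the variables the stock vpnc-script shipped with vpnc reads. The following is an added example, not code from this page or from vpnc: it builds the same "route add" commands from those variables, validates the gateway-supplied values before they reach a command line, and pins the local LAN with a more-specific route when a split-include entry covers it (the 10.1.1.0/24-inside-10.0.0.0/8 case handled above). It only prints the commands; the tunnel address, the laptop address and the local network are parameters, and the variable values it expects are assumed to be set by vpnc.

```shell
#!/bin/sh
# Added example (not from the page): derive the split-tunnel routes from the
# CISCO_SPLIT_INC_* variables vpnc exports to its --script, instead of the
# hard-coded INTRASUBNET list in the vpnc-script above. Variable names are the
# ones the stock vpnc-script reads: CISCO_SPLIT_INC (entry count),
# CISCO_SPLIT_INC_<n>_ADDR and CISCO_SPLIT_INC_<n>_MASK. Nothing here changes
# the routing table; the "route add" commands are printed for review.

ALL_ONES=4294967295    # 0xffffffff

# ip_to_int DOTTED_QUAD -> 32-bit integer on stdout; returns 1 for anything else
ip_to_int() {
    case "$1" in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    ip_r=$1; ip_n=0; ip_k=0
    while [ "$ip_k" -lt 4 ]; do
        ip_o=${ip_r%%.*}; ip_r=${ip_r#*.}
        case "$ip_o" in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;    # empty, non-digit, or leading zero
        esac
        [ "$ip_o" -le 255 ] || return 1
        ip_n=$(( (ip_n << 8) | ip_o ))
        ip_k=$(( ip_k + 1 ))
    done
    [ "$ip_r" = "$ip_o" ] || return 1           # more than four octets
    echo "$ip_n"
}

# mask_to_len DOTTED_MASK -> prefix length on stdout; non-contiguous masks are rejected
mask_to_len() {
    ml_m=$(ip_to_int "$1") || return 1
    ml_len=0
    while [ "$ml_len" -le 32 ]; do
        if [ "$ml_m" -eq $(( (ALL_ONES << (32 - ml_len)) & ALL_ONES )) ]; then
            echo "$ml_len"
            return 0
        fi
        ml_len=$(( ml_len + 1 ))
    done
    return 1
}

# in_net ADDR_INT NET_INT PREFIXLEN -> true when ADDR lies inside NET/PREFIXLEN
in_net() {
    in_m=$(( (ALL_ONES << (32 - $3)) & ALL_ONES ))
    [ $(( $1 & in_m )) -eq $(( $2 & in_m )) ]
}

# split_routes TUNNEL_IP LAPTOP_IP LOCAL_NET/LEN
# Prints one "route add" line per split-include network via the tunnel address.
# When an entry covers the local LAN, a more-specific pin route for the LAN is
# printed as well, so the LAN and its gateway stay reachable off-tunnel.
split_routes() {
    sr_tun=$1; sr_laptop=$2; sr_lan=${3%/*}; sr_lanlen=${3#*/}
    sr_lan_i=$(ip_to_int "$sr_lan") || { echo "bad local net: $3" >&2; return 1; }
    case "${CISCO_SPLIT_INC:-0}" in
        *[!0-9]*) sr_count=0 ;;
        *) sr_count=${CISCO_SPLIT_INC:-0} ;;
    esac
    sr_i=0
    while [ "$sr_i" -lt "$sr_count" ]; do
        # sr_i is numeric, so this eval only expands two variable names
        eval "sr_addr=\${CISCO_SPLIT_INC_${sr_i}_ADDR}; sr_mask=\${CISCO_SPLIT_INC_${sr_i}_MASK}"
        sr_i=$(( sr_i + 1 ))
        # both values are gateway-supplied: validate before they reach a command line
        if sr_addr_i=$(ip_to_int "$sr_addr") && sr_len=$(mask_to_len "$sr_mask"); then
            echo "route add -net $sr_addr/$sr_len gw $sr_tun"
            if [ "$sr_len" -lt "$sr_lanlen" ] && in_net "$sr_lan_i" "$sr_addr_i" "$sr_len"; then
                echo "route add -net $sr_lan/$sr_lanlen gw $sr_laptop"
            fi
        else
            echo "skipping malformed split-include entry: '$sr_addr' / '$sr_mask'" >&2
        fi
    done
    return 0
}
```

From do_connect() this would be called as `split_routes "$INTERNAL_IP4_ADDRESS" "$LAPTOP_IP" 10.1.1.0/24`, and the output piped to sh once it has been checked by eye. The validation matters because an entry that fails to parse is dropped with a message instead of being spliced into a route command; a gateway (or anyone who can impersonate one) controls these strings.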

  • An example resolv.conf.vpnc for /etc/vpnc (used by the vpnc-script above). Modify for your local domain. 127.0.0.1 comes first so that lookups for the VPN'ed domains are forwarded through the local bind (see the DNS section below); the normal nameservers follow for other lookups. The search list should have the VPN'ed domains first.
domain erkkila.org
nameserver 127.0.0.1
nameserver 10.1.1.1
nameserver 10.1.1.5
search ams.gblxint.com gcintranet.net erkkila.org
  • You will need an /etc/vpnc/default.conf file (or similar location). It'll look something like this; get the values from your workplace as needed. The file holds the group secret, so keep it root-owned and mode 0600:
IPSec gateway [a gateway hostname or IP for your workplace]
IPSec ID [better get this from work]
IPSec secret [obtain from work]
Xauth username [your username for access at work]
  • Disconnect script: /etc/init.d/vpnc-disconnect:
#!/bin/sh

pid=/var/run/vpnc/pid

if [ $# -ne 0 ]; then
        echo "Usage: $0" 1>&2
        exit 1
fi

PID="$(cat "$pid" 2> /dev/null)"

if [ -z "$PID" ]; then
        echo "no vpnc found running"
        exit 1
fi

if ! kill -0 "$PID" > /dev/null 2>&1; then
        echo "no vpnc found running (stale pid file $pid?)"
        exit 1
fi

# reset dns resolution, but only if the connect script actually made a backup
if [ -f /etc/vpnc/resolv.conf.bak ]; then
        echo "Restoring /etc/vpnc/resolv.conf.bak to /etc/resolv.conf"
        cp /etc/vpnc/resolv.conf.bak /etc/resolv.conf
else
        echo "No /etc/vpnc/resolv.conf.bak found; leaving /etc/resolv.conf alone" 1>&2
fi

echo "Removing /etc/vpnc/env"
rm -f /etc/vpnc/env

echo "Terminating vpnc daemon (pid: $PID)"
exec kill "$PID"
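The resolv.conf handling is split between resolvConf() in the vpnc-script (backup and swap in) and the disconnect script (swap back). As written, a second connect while the VPN copy is already installed overwrites the backup with the VPN copy, and disconnect then "restores" that. The following is an added example, not code from this page: the same two steps with the guards a reconnect needs. The three paths are parameters so it can be exercised against throwaway files; in use they would be /etc/resolv.conf, /etc/vpnc/resolv.conf.vpnc and /etc/vpnc/resolv.conf.bak.

```shell
#!/bin/sh
# Added example (not from the page): guarded resolv.conf swap for the connect
# and disconnect scripts above. Paths are arguments rather than the fixed
# /etc locations so the functions can be tried on temporary files first.

# resolv_swap_in LIVE VPN_COPY BACKUP
# Installs VPN_COPY as LIVE, keeping a backup of the real original. On a
# reconnect LIVE already holds the VPN copy, so the existing backup is kept
# instead of being clobbered with the VPN copy.
resolv_swap_in() {
    live=$1; vpn=$2; bak=$3
    [ -f "$vpn" ] || { echo "no VPN resolv.conf at $vpn; leaving $live alone" >&2; return 1; }
    if cmp -s "$live" "$vpn"; then
        echo "$live already holds the VPN copy; keeping the existing backup" >&2
    else
        cp "$live" "$bak" || return 1
    fi
    cp "$vpn" "$live"
}

# resolv_swap_out LIVE BACKUP
# Puts the backup back and removes it, so a later disconnect cannot restore
# a stale copy. Refuses rather than failing half-way when there is no backup.
resolv_swap_out() {
    live=$1; bak=$2
    [ -f "$bak" ] || { echo "no backup at $bak; nothing restored" >&2; return 1; }
    cp "$bak" "$live" && rm -f "$bak"
}
```

resolvConf() would call resolv_swap_in with $RESOLV, $RESOLVLOC and $RESOLVBAK, and the disconnect script resolv_swap_out with /etc/resolv.conf and /etc/vpnc/resolv.conf.bak. Removing the backup on restore is what makes the reconnect check safe: a backup that exists always holds the pre-VPN file.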

DNS

On the machine you'll be running vpnc on,

emerge bind
emerge bind-tools (optional, this is for some handy dns tools)

Find /etc/bind/named.conf and add to it:

zone "gcintranet.net" IN {
        type forward;
        forwarders { 10.60.30.26; 10.60.30.27; };
};

zone "gblxint.com" IN {
        type forward;
        forwarders { 10.60.30.26; 10.60.30.27; };
};

Substitute whatever internal IPs are currently in use for DNS there. Those forwarders are only reachable while the tunnel is up; BIND's default is forward first, so when they are unreachable named falls back to normal recursion and sends your internal hostnames out to the public DNS. Add "forward only;" to each of these zones if you would rather have the lookups fail.

Be sure to start named on your machine. I added it to run on boot as a default service:

rc-update add named default

If you don't do this, be sure that /etc/init.d/named start has succeeded before you run /etc/init.d/vpnc start.

start/stop

If set up as above:

Start:

  • /etc/init.d/vpnc

Stop:

  • /etc/init.d/vpnc-disconnect

This runs in the background. Pid is in /var/run/vpnc/pid.

notes

I have trouble with routing if I'm running both net.ath0 and net.eth0 when starting vpnc. I usually kill net.eth0 first (or whichever one you're not using as the IP in the vpnc routing script).
