slingamn / namespaced-openvpn

Wrapper for OpenVPN on Linux solving various privacy issues


openconnect flavour?

mgaulton opened this issue · comments

Long-time lover of this script, but for work I want to be able to do the same idea with openconnect, which supports AnyConnect protocols.
Any suggestions on where to mod / perhaps you've considered this?

If I'm understanding this documentation correctly:

http://www.infradead.org/openconnect/vpnc-script.html

this may be significantly easier (or at least less architecturally complicated) for OpenConnect relative to openvpn, since OpenConnect already defers all routing table modifications to a script. Basically, you'll need to rewrite vpnc-script to support moving the tunnel adapter to the new network namespace:

# transfer the tunnel interface and set it to UP

and set up the routes:

[IP_CMD, 'addr', 'add', ifconfig_local, 'peer', peer_addr, 'dev', dev]

and DNS.

Ok, awesome. I'll take a crack at it when I'm in the office next.

I'm at a loss, I don't think I know what I'm doing lol

Unfortunately I don't really have the resources to get into this.

So I've narrowed it down to these steps through experimentation, but I have an issue: when I move the interface into the namespace, it becomes unconfigured again.
I'm not sure how to get that to work, any thoughts?

ip netns add workvpn
ip netns exec workvpn ip addr add 127.0.0.1/8 dev lo
ip netns exec workvpn ip link set lo up
echo 'pwd' | /usr/sbin/openconnect -b -i work.vpn --protocol=anyconnect --user=user ADDRESS --passwd-on-stdin
sleep 5
ip link set work.vpn netns workvpn

Ah, yes, you have to do this in the opposite order --- first move the interface, then run the configuration commands inside the namespace. See the route_up function in namespaced-openvpn, in particular its use of _enter_namespace_cmd.

Ahh, that's what I was missing. I see why you call openvpn as a route-up now.
I was trying to do it manually to make sure I understood the process before trying to write the codey bits.
Thank you!

So this seems to be the bit I need.
I see you're taking things from the env that you're picking up from the established tunnel?
So I understand this as:

  0. Connect to VPN
  1. Move the interface
  2. Assign the VPN-assigned IP as a peer to the default gw on the dev
  3. Add a default route to the dev

    if ipv4_enabled:
        peer_addr = '%s/32' % (route_vpn_gateway,)
        # give it its ipv4 address
        subprocess.check_call(
            _enter_namespace_cmd(namespace) +
            [IP_CMD, 'addr', 'add', ifconfig_local, 'peer', peer_addr, 'dev', dev]
        )
        # route all traffic over the tunnel
        subprocess.check_call(
            _enter_namespace_cmd(namespace) +
            [IP_CMD, 'route', 'add', 'default', 'dev', dev]
        )

This seems to be the bit I need to modify in vpnc-script:

    do_ifconfig() {
        if [ -n "$INTERNAL_IP4_MTU" ]; then
            MTU=$INTERNAL_IP4_MTU
        elif [ -n "$IPROUTE" ]; then
            # derive the MTU from the physical device that reaches the VPN gateway
            MTUDEV=$($IPROUTE route get "$VPNGATEWAY" | sed -ne 's/^.*dev \([a-z0-9]*\).*$/\1/p')
            MTU=$($IPROUTE link show "$MTUDEV" | sed -ne 's/^.*mtu \([[:digit:]]\+\).*$/\1/p')
            if [ -n "$MTU" ]; then
                MTU=$(expr $MTU - 88)
            fi
        fi

        if [ -z "$MTU" ]; then
            MTU=1412
        fi

        # Point-to-point interfaces require a netmask of 255.255.255.255 on some systems
        if [ -n "$IPROUTE" ]; then
            $IPROUTE link set dev "$TUNDEV" up mtu "$MTU"
            $IPROUTE addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
        else
            ifconfig "$TUNDEV" ${ifconfig_syntax_inet} "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up
        fi

        if [ -n "$INTERNAL_IP4_NETMASK" ]; then
            set_network_route $INTERNAL_IP4_NETADDR $INTERNAL_IP4_NETMASK $INTERNAL_IP4_NETMASKLEN
        fi

        # If the netmask is provided, it contains the address _and_ netmask
        if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
            INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
        fi
        if [ -n "$INTERNAL_IP6_NETMASK" ]; then
            if [ -n "$IPROUTE" ]; then
                $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV
            else
                # Unlike for Legacy IP, we don't specify the dest_address
                # here on *BSD. OpenBSD for one will refuse to accept
                # incoming packets to that address if we do.
                # OpenVPN does the same (gives dest_address for Legacy IP
                # but not for IPv6).
                # Only Solaris needs it; hence $ifconfig_syntax_ptpv6
                ifconfig "$TUNDEV" inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up
            fi
        fi
    }
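A minimal vpnc-script replacement in Python, added here as an example (it is not code from namespaced-openvpn or from vpnc-script), that follows the order slingamn describes: move the tunnel device into the namespace first, then address and route it from inside the namespace. It assumes the environment variables OpenConnect passes to vpnc-script (reason, TUNDEV, INTERNAL_IP4_ADDRESS, INTERNAL_IP4_MTU, INTERNAL_IP4_DNS, CISCO_DEF_DOMAIN), mirrors vpnc-script's own `addr add ... peer` form, and reads the namespace name from a hypothetical NETNS variable.

```python
import os
import subprocess
from typing import Dict, List

IP_CMD = '/sbin/ip'
NAMESPACE = os.environ.get('NETNS', 'workvpn')  # assumed: namespace name via env

def _enter_namespace_cmd(namespace: str) -> List[str]:
    # Prefix that runs a command inside the namespace (a re-implementation of
    # the helper namespaced-openvpn uses, not the project's own code).
    return [IP_CMD, 'netns', 'exec', namespace]

def build_connect_cmds(env: Dict[str, str], namespace: str) -> List[List[str]]:
    """Commands for reason=connect. The move comes first: moving a device into
    a namespace drops its addresses, so every configuration command after it
    is prefixed with 'ip netns exec'."""
    dev, addr = env['TUNDEV'], env['INTERNAL_IP4_ADDRESS']
    mtu = env.get('INTERNAL_IP4_MTU', '1412')  # vpnc-script's fallback MTU
    inside = _enter_namespace_cmd(namespace)
    return [
        [IP_CMD, 'netns', 'add', namespace],
        inside + [IP_CMD, 'link', 'set', 'lo', 'up'],
        [IP_CMD, 'link', 'set', dev, 'netns', namespace],  # 1. move the interface
        inside + [IP_CMD, 'link', 'set', 'dev', dev, 'up', 'mtu', mtu],
        inside + [IP_CMD, 'addr', 'add', addr + '/32', 'peer', addr, 'dev', dev],  # 2. address
        inside + [IP_CMD, 'route', 'add', 'default', 'dev', dev],  # 3. default route
    ]

def resolv_conf_text(env: Dict[str, str]) -> str:
    """resolv.conf for the namespace: 'ip netns exec' bind-mounts
    /etc/netns/<name>/resolv.conf over /etc/resolv.conf for the process."""
    lines = ['nameserver %s' % ns for ns in env.get('INTERNAL_IP4_DNS', '').split()]
    if env.get('CISCO_DEF_DOMAIN'):
        lines.append('search %s' % env['CISCO_DEF_DOMAIN'])
    return '\n'.join(lines) + '\n'

def run(env: Dict[str, str], namespace: str = NAMESPACE) -> None:
    if env.get('reason') == 'connect':
        for cmd in build_connect_cmds(env, namespace):
            subprocess.check_call(cmd)
        os.makedirs('/etc/netns/%s' % namespace, exist_ok=True)
        with open('/etc/netns/%s/resolv.conf' % namespace, 'w') as f:
            f.write(resolv_conf_text(env))
    elif env.get('reason') == 'disconnect':
        subprocess.check_call([IP_CMD, 'netns', 'delete', namespace])

if __name__ == '__main__':
    run(dict(os.environ))  # openconnect invokes the script with reason set
```

Pass it to OpenConnect with --script and start the programs that should use the tunnel with ip netns exec <name>; the host's own routing table is never touched.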

Actually, I found this process that I'm having success with:
https://austinjadams.com/blog/running-select-applications-through-anyconnect/

Excellent! Yeah, the vpnc-script-netns in that post looks correct to me.