Mailing List Archive

Passing fd to VPNC
Can someone provide an example or documentation on how to pass a fd to
VPNC ? ANYTHING

I need to be able to pass data to VPNC so that it can forward it over
the encrypted tunnel it creates with the firewall.

Thank you
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
Re: Passing fd to VPNC [ In reply to ]
On Tue, 2013-10-01 at 14:46 -0400, Lance Blais wrote:
> Can someone provide an example or documentation on how to pass a fd to
> VPNC ? ANYTHING
>
> I need to be able to pass data to VPNC so that it can forward it over
> the encrypted tunnel it creates with the firewall.

You mean that it should pass data over your provided fd *instead* of
opening a kernel tun device and appearing as a 'real' network interface
to the kernel?

I don't believe vpnc has this option. OpenConnect supports it by using a
'--script-tun' option, and then the 'vpnc-script' is invoked with one
end of a socketpair that's used to actually exchange data (along with
all the environment variables that give the IP configuration, as usual).

This allows us to do cute things like the lwip-based SOCKS server¹ so
you can do it entirely without root privs and gain SOCKS access to the
VPN.

It'd be useful if someone were to provide patches to make vpnc do the
same. Please do try to keep it compatible with ocproxy though.

--
dwmw2

¹ http://repo.or.cz/w/ocproxy.git
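
The socketpair hand-off described in the reply above, as an added example that is not part of the original thread and is not code from vpnc, OpenConnect or ocproxy. It assumes the child learns its descriptor number from an environment variable named VPNFD; the function names and the sample packet are hypothetical, and the child here echoes one datagram where a real client would exec the script.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Constructed sample: the first bytes of an IPv4 header, not real traffic. */
const unsigned char SAMPLE_PKT[4] = { 0x45, 0x00, 0x00, 0x14 };

/* Child side, standing in for the script or proxy: finds its descriptor
 * via VPNFD (assumed name), reads one datagram and sends it back. */
static void script_side(void)
{
    const char *s = getenv("VPNFD");
    unsigned char pkt[2048];
    int fd = s ? atoi(s) : -1;
    ssize_t n = recv(fd, pkt, sizeof(pkt), 0);
    if (n > 0)
        send(fd, pkt, (size_t)n, 0);
    _exit(n > 0 ? 0 : 1);
}

/* Parent side, standing in for the VPN client.
 * Returns the number of bytes echoed back, or -1 on error. */
ssize_t tunnel_roundtrip(const unsigned char *pkt, size_t len,
                         unsigned char *out, size_t outlen)
{
    int fds[2], status;
    char num[16];
    ssize_t n = -1;
    pid_t pid;

    /* SOCK_DGRAM preserves boundaries: one send() is one tunnel packet. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) < 0)
        return -1;
    /* Only the child's end may survive an exec; mark ours close-on-exec. */
    fcntl(fds[0], F_SETFD, FD_CLOEXEC);
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);                    /* child keeps only its own end */
        snprintf(num, sizeof(num), "%d", fds[1]);
        setenv("VPNFD", num, 1);
        script_side();                    /* a real client would exec here */
    }
    close(fds[1]);                        /* parent keeps only its own end */
    if (send(fds[0], pkt, len, 0) == (ssize_t)len)
        n = recv(fds[0], out, outlen, 0);
    close(fds[0]);
    waitpid(pid, &status, 0);
    return n;
}
```

Because neither process opens a kernel tun device, nothing here needs root; each side closes the end it does not own so the unprivileged helper holds exactly one descriptor into the tunnel.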
Re: Passing fd to VPNC [ In reply to ]
Hey David,

can you explain in detail what the parameters are for and also what to
pass as ARG?
-ifmode fd -ifname ARG

thanks

On Tue, Oct 1, 2013 at 2:55 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> On Tue, 2013-10-01 at 14:46 -0400, Lance Blais wrote:
>> Can someone provide an example or documentation on how to pass a fd to
>> VPNC ? ANYTHING
>>
>> I need to be able to pass data to VPNC so that it can forward it over
>> the encrypted tunnel it creates with the firewall.
>
> You mean that it should pass data over your provided fd *instead* of
> opening a kernel tun device and appearing as a 'real' network interface
> to the kernel?
>
> I don't believe vpnc has this option. OpenConnect supports it by using a
> '--script-tun' option, and then the 'vpnc-script' is invoked with one
> end of a socketpair that's used to actually exchange data (along with
> all the environment variables that give the IP configuration, as usual).
>
> This allows us to do cute things like the lwip-based SOCKS server¹ so
> you can do it entirely without root privs and gain SOCKS access to the
> VPN.
>
> It'd be useful if someone were to provide patches to make vpnc do the
> same. Please do try to keep it compatible with ocproxy though.
>
> --
> dwmw2
>
> ¹ http://repo.or.cz/w/ocproxy.git
>



--
Lance Blais
Software Developer - Security, Web & Mobile
http://blog.codeartifacts.com

Re: Passing fd to VPNC [ In reply to ]
On Tue, 2013-10-01 at 16:26 -0400, Lance Blais wrote:
> Hey David,
>
> can you explain in detail what the parameters are for and also what to
> pass as ARG?
> -ifmode fd -ifname ARG

I told you vpnc doesn't support this, and that it would be nice if
someone wrote a patch. You now appear to be asking me what arguments you
can use to make vpnc do this.

But that's really up to whoever writes the patch, surely... ? :)

I'd probably go for '-ifmode script' and *no* '-ifname' argument.

Or am I misunderstanding your question above?

--
dwmw2
Re: Passing fd to VPNC [ In reply to ]
Sorry David! I was referencing the wrong thing -- ignore my previous post.

On Tue, Oct 1, 2013 at 4:41 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> On Tue, 2013-10-01 at 16:26 -0400, Lance Blais wrote:
>> Hey David,
>>
>> can you explain in detail what the parameters are for and also what to
>> pass as ARG?
>> -ifmode fd -ifname ARG
>
> I told you vpnc doesn't support this, and that it would be nice if
> someone wrote a patch. You now appear to be asking me what arguments you
> can use to make vpnc do this.
>
> But that's really up to whoever writes the patch, surely... ? :)
>
> I'd probably go for '-ifmode script' and *no* '-ifname' argument.
>
> Or am I misunderstanding your question above?
>
> --
> dwmw2
>



--
Lance Blais
Software Developer - Security, Web & Mobile
http://blog.codeartifacts.com