6th March 2009

VPNC-Wrapper

VPNC-Wrapper, or vpnc-wrapper, is a generic wrapper script around VPNC. These days, vpnc comes with an improved script mechanism which also works on BSD, so there is no point in using VPNC-Wrapper anymore. I still keep this page around for historical reasons.

VPNC is an open source client for Cisco VPN concentrators. It can replace the binary Cisco client in most scenarios just fine, and has lots of advantages such as stability and total control over routing. And unlike Cisco’s client, it also runs on BSD.

Unfortunately, the vpnc-connect / vpnc-disconnect scripts that come with it are specific to Linux. To get a convenient wrapper around VPNC on BSD, I wrote vpnc-wrapper. In the most common (fulltunnel) case, it can automagically set up your VPNC tunnel for you, including setting up the routing, handling the DNS resolver, loading the tun kld, and undoing all changes to routing and resolver when you pull down the tunnel.

  • vpnc-wrapper-1.28 – latest release for vpnc <= 0.3.2 (does not work with vpnc >= 0.3.3)
  • vpnc >= 0.3.3 comes with a vpnc-script that (almost) works on *BSD these days…

Basic Usage

Configuration should in most cases not be necessary; the script greps all it needs from your vpnc.conf. If you want to disable or tweak resolv.conf handling (think profile.sh), read the comments in the script, and adjust the RESOLVCONF var accordingly.

The script is designed to be run manually after network connectivity is up, i.e. when your VPN gateway is reachable. You can optionally specify the vpnc.conf file to use as the second parameter.

Starting the tunnel:

roe@marvin ~ $ sudo vpnc-wrapper start
===> Starting vpnc daemon...
===> Writing /etc/resolv.conf...
Herzlich willkommen im HSR-LAN
VPNC started in background (pid: 1110)...
===> Changing route table...
add host 127.0.0.42: gateway 172.16.116.9
delete net default
add net default: gateway tun0
===> done.
roe@marvin ~ $ 

Likewise, stopping the tunnel:

roe@marvin ~ $ sudo vpnc-wrapper stop
===> Restoring /etc/resolv.conf...
===> Killing vpnc daemon...
===> Restoring route table...
delete net default
add net default: gateway 172.16.116.9
delete host 127.0.0.42
===> done.
roe@marvin ~ $ 
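The two transcripts above show the whole start/stop dance: a host route to the concentrator via the pre-VPN default gateway, the default route swapped onto tun0, and everything reversed on stop, with resolv.conf saved and restored around it. The following POSIX sh script is an added illustration of that sequence and is not vpnc-wrapper's own code. It only prints the route(8) commands it would run (a dry run), and the vpnc.conf content, the 127.0.0.42 gateway and the 172.16.116.9 default gateway are constructed sample values taken from the transcripts; the function names are my own.

```sh
#!/bin/sh
# Added illustration, not vpnc-wrapper's own code: a dry-run model of the
# full-tunnel routing and resolv.conf handling the wrapper performs on
# "start" and "stop". Nothing here touches the live routing table.
# Config content and gateway addresses below are constructed sample data.

# Pull the concentrator address out of a vpnc.conf ("IPSec gateway <host>").
vpnc_gateway() {
    awk '$1 == "IPSec" && $2 == "gateway" { print $3; exit }' "$1"
}

# BSD way to learn the current default gateway. Not called in the dry run so
# the script stays offline; Linux would use "ip route show default" instead.
current_default_gateway() {
    route -n get default | awk '$1 == "gateway:" { print $2 }'
}

# Routing changes for "start". Order matters: the host route to the VPN
# gateway via the old default gateway goes in first, so the IKE/ESP packets
# that carry the tunnel are never themselves routed into tun0 once the
# default route has been swapped.
route_up_plan() {
    vpn_gw="$1"; old_gw="$2"; ifc="$3"
    printf 'route add -host %s %s\n' "$vpn_gw" "$old_gw"
    printf 'route delete default\n'
    printf 'route add default -interface %s\n' "$ifc"
}

# Routing changes for "stop": the exact reverse, so the old default route is
# back before the host route that kept the concentrator reachable goes away.
route_down_plan() {
    vpn_gw="$1"; old_gw="$2"
    printf 'route delete default\n'
    printf 'route add default %s\n' "$old_gw"
    printf 'route delete -host %s\n' "$vpn_gw"
}

# resolv.conf handling, parametrised on the path so it can be exercised on a
# scratch file: keep a pristine copy, install the VPN resolver, put the copy
# back on stop. Restoring returns non-zero if there is nothing to restore.
save_resolv()    { cp "$1" "$1.vpnc-saved"; }
write_resolv()   { printf 'search %s\nnameserver %s\n' "$2" "$3" > "$1"; }
restore_resolv() { [ -f "$1.vpnc-saved" ] && mv "$1.vpnc-saved" "$1"; }

# Demo on constructed data: prints the plan instead of changing anything.
demo() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
IPSec gateway 127.0.0.42
IPSec ID example-group
Xauth username roe
EOF
    vpn_gw=$(vpnc_gateway "$conf")
    rm -f "$conf"
    old_gw=172.16.116.9   # constructed; the real script would query the system

    echo "===> Changing route table (dry run)..."
    route_up_plan "$vpn_gw" "$old_gw" tun0
    echo "===> Restoring route table (dry run)..."
    route_down_plan "$vpn_gw" "$old_gw"
}

demo
```

The ordering in route_up_plan and route_down_plan is the part worth copying: if the default route is replaced before the host route exists, the tunnel's own encapsulated traffic is sent into the tunnel and the connection stalls, which is exactly the failure the transcript's "add host ... gateway 172.16.116.9" line prevents.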

I use vpnc-wrapper at several differently configured sites, and it works for me. If it doesn’t for you, please drop me a line.

Supported Systems

FreeBSD is fully supported (4.x, 5.x, 6.x). The security/vpnc port installs VPNC-Wrapper as vpnc.sh-sample-fulltunnel.

As of vpnc-wrapper-1.24, DragonFlyBSD should also be supported.

Doug Held has ported vpnc-wrapper to MacOS X / Darwin, and included it in his VPNC package for MacOS X. As of vpnc-wrapper-1.23, experimental support for MacOS X is built into the script. Tobias Bender wants you to know that his package of vpnc-0.3.3 with a modified vpnc-script for MacOS X works on Tiger.

NetBSD and OpenBSD should be straightforward to support, but nobody has done this yet. If you do, please do send me a patch.

To Do

  • Check out the "Target networks 123.123.123.0/24" option and implement support for it in vpnc-wrapper
  • Check on the dhclient <-> vpnc interaction: lease renewal outside the VPN (add a route?); some people have to kill dhclient in order to run vpnc.
  • Maybe add a generic per config file env var facility; this would be especially nice in conjunction with:
  • Everything should be configurable through environment vars.
  • There is no man-page.