Just wanted to document these for anyone that needs them.
Followed the instructions on http://wiki.openwrt.org/VPNC . It worked fine; there was no need to change the scripts for ash like there apparently was in the WhiteRussian version. However, I have made some modifications, as I only want selective routing through the VPN (the LAN is somewhat restrictive, but I need to access it for some things) and I want it on 24/7.
--- UPDATED AND SIMPLIFIED ---
No vpnc-script changes are necessary. Instead I made a /etc/vpnc/custom-script file (make sure to chmod +x /etc/vpnc/custom-script) as follows:
#!/bin/sh
# This effectively disables changes to /etc/resolv.conf
INTERNAL_IP4_DNS=
# This sets up split networking regardless
# of the concentrator's specifications.
#
# (This allows you to specify which routes go through the VPN)
CISCO_SPLIT="x.x.x.x/255.255.255.255/32 y.y.y.y/255.255.252.0/22 etc "
i=0
for line in $CISCO_SPLIT ; do
    export CISCO_SPLIT_INC_${i}_ADDR=`echo $line | cut -d '/' -f 1`
    export CISCO_SPLIT_INC_${i}_MASK=`echo $line | cut -d '/' -f 2`
    export CISCO_SPLIT_INC_${i}_MASKLEN=`echo $line | cut -d '/' -f 3`
    i=`expr $i + 1`
done
export CISCO_SPLIT_INC=$i
#
# Add/remove routes for external routers to connect back to us through ppp0
#
case "$reason" in
    connect)
        route add -host a.b.c.d dev ppp0
        route add -host e.f.g.h dev ppp0
        ;;
    disconnect)
        route del -host e.f.g.h dev ppp0
        route del -host a.b.c.d dev ppp0
        ;;
esac
# Hand over to the stock script with the variables above already in place
. /etc/vpnc/vpnc-script
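The CISCO_SPLIT loop above trusts you to type a dotted mask and a prefix length that agree; if they do not, vpnc-script hands the mismatch straight to "route add". The following is an added example (not code from the post or from vpnc) that builds the same CISCO_SPLIT_INC_* variables from "addr/prefixlen" entries, derives the dotted mask itself and rejects malformed entries. It assumes POSIX sh (busybox ash on OpenWrt is fine) and uses constructed placeholder networks.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the CISCO_SPLIT_INC_*
# variables that vpnc-script reads from a list of "addr/prefixlen" entries,
# deriving the dotted mask from the prefix length so the two cannot disagree.
# Assumes POSIX sh (busybox ash works); vpnc is not needed to run it.

# masklen_to_mask 22 -> 255.255.252.0
masklen_to_mask() {
    rem=$1
    mask=""
    octet=1
    while [ "$octet" -le 4 ]; do
        if [ "$rem" -ge 8 ]; then bits=8
        elif [ "$rem" -gt 0 ]; then bits=$rem
        else bits=0
        fi
        # "bits" leading ones in this octet, e.g. 6 -> 11111100 = 252
        mask="${mask}${mask:+.}$(( 256 - (1 << (8 - bits)) ))"
        rem=$(( rem - bits ))
        octet=$(( octet + 1 ))
    done
    echo "$mask"
}

# export_split_routes "10.1.2.3/32 172.16.0.0/22"
# Rejects entries without a numeric prefix length (0-32) instead of exporting
# garbage; the address part is passed through as given.
export_split_routes() {
    i=0
    for entry in $1; do
        addr=${entry%/*}
        len=${entry#*/}
        case "$len" in ''|*[!0-9]*) echo "bad entry: $entry" >&2; return 1 ;; esac
        [ "$len" -le 32 ] || { echo "bad prefix length: $entry" >&2; return 1; }
        export "CISCO_SPLIT_INC_${i}_ADDR=$addr"
        export "CISCO_SPLIT_INC_${i}_MASK=$(masklen_to_mask "$len")"
        export "CISCO_SPLIT_INC_${i}_MASKLEN=$len"
        i=$(( i + 1 ))
    done
    export CISCO_SPLIT_INC=$i
}

# Demo on a constructed sample list (placeholder networks, not from the post)
export_split_routes "10.1.2.3/32 172.16.0.0/22" && env | grep '^CISCO_SPLIT' | sort
```

Drop the two functions into custom-script in place of the cut-based loop and call export_split_routes with your list before sourcing vpnc-script.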
To the end of whatever vpnc connection configuration file you use (I use /etc/vpnc/vpnc.conf) add the following line, so that vpnc runs the wrapper above instead of the stock script directly:
Script /etc/vpnc/custom-script
Then here is my /etc/init.d/vpnc file:
#!/bin/sh /etc/rc.common
START=75
STOP=10
start() {
    # runtime directory for the pid file (vpnc runs as root, so 0755 would suffice)
    mkdir -p -m777 /var/run/vpnc
    vpnc /etc/vpnc/vpnc.conf
}
stop() {
    PID_F=/var/run/vpnc/pid
    if [ -f $PID_F ]; then
        PID=$(cat $PID_F)
        kill $PID
        # wait until vpnc has finished running the disconnect part of the script
        while [ -d /proc/$PID ]; do
            sleep 1
        done
    fi
}
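The stop() above loops until vpnc is gone, so a restart hangs for good if the daemon never exits. As an added example (not the post's own init script), here is a stop routine with a timeout that escalates to SIGKILL; it assumes POSIX sh and the /var/run/vpnc/pid path used on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: a stop() for the init script
# that waits for vpnc to exit like the one above, but gives up after a
# timeout and escalates to SIGKILL, so "restart" cannot hang on a stuck
# daemon. Assumes POSIX sh and the pid file path vpnc uses on the page.

# wait_for_exit PID SECONDS -> 0 once the process is gone, 1 on timeout
wait_for_exit() {
    pid=$1
    left=$2
    while kill -0 "$pid" 2>/dev/null; do
        [ "$left" -gt 0 ] || return 1
        sleep 1
        left=$(( left - 1 ))
    done
    return 0
}

# stop_vpnc PIDFILE [TIMEOUT]: SIGTERM, wait, SIGKILL as a last resort.
# Returns 0 when no vpnc is left running, 1 if it could not be stopped.
stop_vpnc() {
    pidfile=$1
    timeout=${2:-10}
    [ -f "$pidfile" ] || return 0                      # nothing to stop
    pid=$(cat "$pidfile")
    case "$pid" in ''|*[!0-9]*) echo "bad pid file $pidfile" >&2; return 1 ;; esac
    if ! kill "$pid" 2>/dev/null; then                 # stale pid file
        rm -f "$pidfile"
        return 0
    fi
    if ! wait_for_exit "$pid" "$timeout"; then
        echo "vpnc $pid ignored SIGTERM, sending SIGKILL" >&2
        kill -9 "$pid" 2>/dev/null
        wait_for_exit "$pid" 3 || return 1
    fi
    rm -f "$pidfile"
    return 0
}

# Usage from /etc/init.d/vpnc:  stop() { stop_vpnc /var/run/vpnc/pid 10; }
```

A SIGKILLed vpnc skips the disconnect part of vpnc-script, so after that path you may still need to clean up routes by hand.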
Crontab (crontab -e) has an entry to prevent the connection "dying" due to rekeying problems in vpnc (same as before):
# Make sure vpnc gets restarted if the VPN goes down
0,15,30,45 * * * * /usr/bin/vpnc-keepalive HOST1 HOST2
Here is /usr/bin/vpnc-keepalive:
#!/bin/sh
#
# Restart VPNC if both of the hosts given on the command line are unreachable.
# ping's exit status already tells whether a reply came back, so there is no
# need to parse its output; the two checks are joined with && so that a single
# host being down does not trigger a restart.
if ! ping -q -c 1 "$1" >/dev/null 2>&1 && ! ping -q -c 1 "$2" >/dev/null 2>&1; then
    echo "Neither $1 nor $2 alive, restarting VPNC"
    /etc/init.d/vpnc restart
else
    echo "Alive: $1 or $2"
fi
Finally, the K* scripts need to run to completion on shutdown so that the VPN is really disconnected. To fix this, I had to change /etc/init.d/rcS to the following (but do this at your own risk, as your router might not restart afterwards; I experienced this with a different rcS script initially):
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
if [ "$1" = "K" ]; then
    # Run synchronously
    {
        for i in /etc/rc.d/$1*; do
            $i $2 2>&1
        done
    } | logger -s -p 6 -t ''
else
    # Run asynchronously
    {
        for i in /etc/rc.d/$1*; do
            $i $2 2>&1
        done
    } | logger -s -p 6 -t '' &
fi
--- OLD VERSION including what exactly I was trying to set up ---
1. Not routing all traffic through the VPN
Just go down to the do_connect() function in vpnc-script and change:
if [ -n "$CISCO_SPLIT_INC" ]; then
    i=0
    while [ $i -lt $CISCO_SPLIT_INC ] ; do
        eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
        eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
        eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
        set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
        i=`expr $i + 1`
    done
    for i in $INTERNAL_IP4_DNS ; do
        set_network_route "$i" "255.255.255.255" "32"
    done
else
    set_default_route
fi
to
if [ -n "$CISCO_SPLIT_INC" ]; then
    i=0
    while [ $i -lt $CISCO_SPLIT_INC ] ; do
        eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
        eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
        eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
        set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
        i=`expr $i + 1`
    done
    for i in $INTERNAL_IP4_DNS ; do
        set_network_route "$i" "255.255.255.255" "32"
    done
# else
#     set_default_route
fi
2. Accessing your router from the network you are VPNing to
SSH back to my OpenWrt router did not work. At work (where I was VPNing to) there is a firewall/router that directs traffic out; apparently the router was sending requests on ppp0 but responding on tun0, which the router did not like. To fix this, figure out the IP(s) of your LAN router (I did this by ssh'ing somewhere a couple of times and seeing what "last logged in from" would come up as). Then edit /etc/vpnc/vpnc-script and add the following at the beginning of start_vpn_nat:
route add -net x.x.x.x/n dev ppp0
and at the end of stop_vpn_nat:
route del -net x.x.x.x/n dev ppp0
3. Directing certain other sites/subnets through the VPN
We have some online subscriptions that can only be accessed from work. This is very similar to the above, with the following changes. To /etc/vpnc/vpnc-script, after the line above, add (for a subnet):
route add -net x.x.x.x/n dev $TUNDEV
or (for a host):
route add -host x.x.x.x dev $TUNDEV
Notice that these examples have $TUNDEV and the ones in the first section had ppp0. You want this traffic to go through the VPN, but in the first case you wanted the traffic that would be directed to the VPN to keep going through ppp0. Oh and in this case the tunnel will be closed on disconnect so no need to remove the rules upon closure.
4. VPN rekeying or my vpnc is still alive after n hours but I don't actually have a VPN connection anymore
This took some modifications. I finally went with the following: I added a CONNECTED_FILE in vpnc-script
DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute
RESOLV_CONF_BACKUP=/var/run/vpnc/resolv.conf-backup
CONNECTED_FILE=/var/run/vpnc/connected
which is written here:
do_connect() {
    touch "$CONNECTED_FILE"
    if [ -n "$CISCO_BANNER" ]; then
and removed here (at the end of do_disconnect()):
    if [ -n "$INTERNAL_IP4_DNS" ]; then
        reset_resolvconf
    fi
    rm "$CONNECTED_FILE"
}
Then I made this my /etc/init.d/vpnc file:
#!/bin/sh /etc/rc.common
START=75
STOP=10
start() {
    mkdir -p -m777 /var/run/vpnc
    vpnc /etc/vpnc/vpnc.conf
}
stop() {
    kill `cat /var/run/vpnc/pid`
    # wait until do_disconnect() in vpnc-script has removed the marker file
    while [ -f /var/run/vpnc/connected ]; do
        sleep 1
    done
}
Otherwise /etc/init.d/vpnc restart doesn't always wait long enough and masquerading ends up messed up.
Now for the actual restarting I just use cron, which seems to work:
crontab -e
and add a line something like this:
# Restart vpnc every six hours to avoid vpnc bugginess with rekeying
0 0,6,12,18 * * * /etc/init.d/vpnc restart
For mine I do six hours. You should use a little less than the n hours after which you notice a disconnect.
Finally, on Kamikaze 7.09 the /etc/rc.d/K* scripts don't get to finish on system shutdown (they run but since they are executed in the background, rcS ends before they finish and then init halts the system). Hence my VPN still thought I was connected if I did a reboot and I had to wait for the connection to timeout.
To fix this, I had to change /etc/init.d/rcS to the following (but do this at your own risk, as your router might not restart afterwards; I experienced this with a different rcS script initially):
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
if [ "$1" = "K" ]; then
    # Run synchronously
    {
        for i in /etc/rc.d/$1*; do
            $i $2 2>&1
        done
    } | logger -s -p 6 -t ''
else
    # Run asynchronously
    {
        for i in /etc/rc.d/$1*; do
            $i $2 2>&1
        done
    } | logger -s -p 6 -t '' &
fi
Hope this helps someone.
Misha
(Last edited by misha680 on 14 Jun 2008, 05:51)