Add ipv[46]_unreachable flags to struct oc_ip_info, and pass to vpnc-script

Daniel Lenski requested to merge add_ipvX_unreachable_flags into master

This adds ipv[46]_unreachable flags to struct oc_ip_info, and passes them to the tunnel configuration script (e.g. vpnc-script) as IP[46]_UNREACHABLE=true.

These flags are set by servers which wish for the client to block access to IPv4 and/or IPv6 except through the VPN tunnel interface. Cisco, ocserv, GlobalProtect, F5, and Fortinet servers are all known to send such flags. See individual commits for how different protocols indicate this behavior.

Any vpnc-script that follows these flags will need to take care to:

  1. Not block access to the VPN server's external address
  2. Clean up after the VPN tunnel is closed (similar to explicit gateway routes and split-exclude routes) so as not to leave the system in a state with a broken routing table.
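A vpnc-script fragment that honours the flags and observes both care points above, as an added example (not OpenConnect's own vpnc-script). It assumes the usual vpnc-script variables $reason and $VPNGATEWAY, plus constructed $ORIG_GW and $ORIG_DEV naming the pre-VPN default route, and it prints the ip(8) commands instead of running them unless IP_CMD=ip is set.

```shell
#!/bin/sh
# Added example: honour IP4_UNREACHABLE / IP6_UNREACHABLE=true in a vpnc-script.
# Assumed environment: $reason (connect/disconnect) and $VPNGATEWAY from
# vpnc-script; $ORIG_GW / $ORIG_DEV (constructed names) give the default route
# that existed before the VPN came up. IP_CMD defaults to "echo ip" so the
# planned route changes can be reviewed without root; set IP_CMD=ip to apply.
IP_CMD="${IP_CMD:-echo ip}"
# Metric worse than any default route the tunnel installs: the tunnel's default
# wins while it exists; the unreachable route only catches traffic with nowhere else to go.
UNREACH_METRIC=1000000

# Print (or run) the commands for one address family: $1 is 4 or 6.
# Care point 1: keep a host route to the VPN server's external address via the
# original gateway, so the tunnel itself is never blackholed.
# Care point 2: on disconnect, remove exactly what connect added.
unreachable_routes() {
    fam="$1"
    eval "flag=\${IP${fam}_UNREACHABLE:-}"
    [ "$flag" = "true" ] || return 0        # server did not request blocking for this family
    if [ "$fam" = 4 ]; then plen=32; else plen=128; fi
    case "$VPNGATEWAY" in *:*) gw_fam=6 ;; *) gw_fam=4 ;; esac   # family of the server address
    case "${reason:-}" in
        connect)
            if [ "$gw_fam" = "$fam" ]; then
                $IP_CMD -"$fam" route replace "$VPNGATEWAY/$plen" via "$ORIG_GW" dev "$ORIG_DEV"
            fi
            $IP_CMD -"$fam" route add unreachable default metric "$UNREACH_METRIC"
            ;;
        disconnect)
            $IP_CMD -"$fam" route del unreachable default metric "$UNREACH_METRIC"
            if [ "$gw_fam" = "$fam" ]; then
                $IP_CMD -"$fam" route del "$VPNGATEWAY/$plen" via "$ORIG_GW" dev "$ORIG_DEV"
            fi
            ;;
    esac
}

# When run as part of a real vpnc-script: handle both families (no-op unless a flag is set).
unreachable_routes 4
unreachable_routes 6
```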

This behavior is generally unfriendly and unwanted by the end user. The reason for supporting it, in the words of @dwmw2:

IT departments stop saying "you are not allowed to use OpenConnect because it doesn't set the routing up correctly"

Edited by Daniel Lenski