fix comment

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

OSX - Fix split DNS when doing split routing

Currently one can choose between two scenarios:

- overriding the default gateway, which breaks split routing, and honoring the
  DNS server as proposed by the server
- not overriding the default gateway, which enables split routing, but without
  honoring the DNS server as proposed by the server

446  # next line overrides the default gateway and breaks split routing
447  # d.add Router $INTERNAL_IP4_ADDRESS

Split DNS, when doing split routing, is enabled by adding INTERNAL_IP4_DNS to
the list of DNS servers.

Signed-off-by: Björn Ketelaars <bjorn.ketelaars@hydroxide.nl>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Enable resolvconf on FreeBSD too

According to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195359
this should work fine. I've no idea why it wasn't enable for FreeBSD
in the first place; perhaps just lack of testing and conservatism.

Signed-off-by: John Baldwin <jhb@FreeBSD.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add support for "unbound" DNS resolver

Original patch from Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>
posted at Red Hat Bugzilla - Bug #865092
https://bugzilla.redhat.com/show_bug.cgi?id=865092

Removed bashism, removed trailing spaces, use tab for indentation.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>

Fix quoting on network comparisons

Spotted by Marcus Müller <marcus@hostalia.de>

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix default route handling in vpnc-script-win.js

Implement full tunnel route setup, and get the $VPNGATEWAY route correct.

Signed-off-by: Jonathan Lauvernier <Jonathan.Lauvernier@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Set MTU on Windows

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Support IPv6 on Windows

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import vpnc-script-win.js from vpnc (r540).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

vpnc-script: document "reason=reconnect"

After recent modification, a new value can be passed through
environment variable "reason".
Add it in comment header.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix various issues on FreeBSD

- duplicate creation of tun devices
- cleanup of created tun device
- deadlock of vpnc holding an open file descriptor on /dev/tunN
- properly restoring /etc/resolv.conf

Signed-off-by: Emanuel Haupt <ehaupt@FreeBSD.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

handle creating/destroying the tun device on OpenBSD

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

redirect stderr from which (not grep) to /dev/null

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix bashisms for shell compatibility

Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle IPv6 configuration in sshd variant

Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Replace netunshare with ip netns

Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use /32 for netmask to iproute, not /255.255.255.255

Older versions of iproute (e.g. 2.6.18-7 on RHEL5.2) can't cope with seeing
/255.255.255.255.

Thanks to Andrew Daviel for pointing it out.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add COPYING file and clarify licences

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add script hooks

This is based loosely in concept on the Debian patch, and is also needed for
OpenWrt unless we want to add a bunch of OpenWrt-specific stuff in here too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add support for OpenWrt DNS management

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

BusyBox ifconfig doesn't like the "inet" argument.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix compatibility with Solaris 10 /bin/sh

It doesn't support $( ) or $(( )) or [ -e ] or if !

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

document INTERNAL_IP4_MTU

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Support for /sbin/netconfig under OpenSuse 11.1

I added support for OpenSuse 11.1's netconfig system for managing
resolv.conf as modify_resolvconf no longer exists.

Signed-off-by: Mike Kienenberger <mkienenb@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix typo inside comment

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add IPv6 new variables to comment header

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Reuse function and value for default GW

Remove duplicated code to get default GW and
use existing get_default_gw().

Reuse default GW value just obtained, don't
call get_default_gw() twice.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

No need to add link-local address on Solaris.

Revert commit 9e277b5e64315aa3e1a2f2472e9c2d55f9b0f788. Now that we plumb
the interface from openconnect instead of with ifconfig from vpnc-script,
the issues with link-local addresses no longer seem to bother us.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

vpnc-script: fix for Suse pre 11.1

To handle /etc/resolv.conf file, Suse Linux pre 11.1
uses /sbin/modify_resolvconf script.
The same parameter "-s <service>" have to be passed
to modify_resolvconf on both "modify" and "restore".

Original vpnc-script.in from vpnc project runs:
  /sbin/modify_resolvconf modify -s $SCRIPTNAME ...
  /sbin/modify_resolvconf restore -s vpnc  ...
with $SCRIPTNAME=="vpnc".

In this repository, vpnc-script.in has been converted
to vpnc-script. Doing this, the value $SCRIPTNAME has
changed from "vpnc" to "vpnc-script".
This breaks the "restore" and left /etc/resolv.conf
modified for the (already closed) VPN tunnel.

Replace "-s $SCRIPTNAME" with fixed value "-s vpnc".

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Do not plumb interface for IPv6 on Solaris. The VPN client should do that.

... and does, as of openconnect commit c77af62db. (vpnc doesn't do IPv6 yet)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Manually assign link-local IPv6 addresses on Solaris

Solaris 11 *really* wants the interface to have a link-local address, and
doesn't add one automatically.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix stderr redirection for 'which ip' output

We really want to redirect stderr from 'which'; not from 'grep'.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tidy up IPv6 address/netmask handling a little, fix netmask handling on *BSD.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove dest_address from IPv6 ifconfig for all but Solaris

This makes OpenBSD unhappy, and it looks like OpenVPN *only* does it on
Solaris.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add restorecon calls for /var/run/vpnc and /dev/net/tun (Red Hat bug #731382)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix calculation of MTU. Bash doesn't like numbers in quotes.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix MTU calculation (Red Hat bug #693235)

Newer iproute doesn't give the mtu in 'ip route get' output, so get the
device and then get the device's MTU (which theoretically could be
different to the route MTU but this is good enough for now).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Merge branch 'vpnc-script' of git://github.com/falconindy/vpnc-scripts

Be more robust with unknown 'ip route get' output.

Make it opt-in, not opt-out for unknown options.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

vpnc-script: use iproute to create ptp link if possible

This should make net-tools completely optional on Linux.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>

vpnc-script: prevent negative MTU

We can't be sure that the route shown by 'ip route get' will return
anything. Restructure the logic to only perform the subtraction if it
does. Otherwise, fall back to the default 1412.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>

Cope with new kernel/iproute including ipid in route list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Set route to VPN gateway before configuring tunnel

In some circumstances (with $VPNGATEWAY being inside of
$INTERNAL_IP4_ADDRESS/$INTERNAL_IP4_NETMASK, for example when the netmask
was set incorrectly) the hostroute to $VPNGATEWAY pointed to the
tunnel device, creating a routing recursion.

Set the host route before configuring the tun interface to fix this.

Signed-off-by: Bernhard Schmidt <berni@birkenwald.de>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Only remove IPv6 default route if we had IPv6

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix up FreeBSD support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add IPv6 support for Solaris (and maybe BSD)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

no grep -q on solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle IPv6 nameservers (in $INTERNAL_IP4_DNS variable)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle IPv6 routes

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Set IPv6 address on interface; no routes yet

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix MTU when no default route

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525389

Patch from Jonathan Miner

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make basic vpnc-script work with Solaris

Add -interface flag when adding routes, specify gateway for default
route when deleting it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add pTRTd script for NAT-PT address to VPN

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add netunshare

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

set up dnsmasq in netns

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add ssh-inside-vpn-namespace script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove the substitution in vpnc-script, to remove the need for vpnc-script.in

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import vpnc-script from vpnc

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>