From 1fdc3e6494650d309418bec7ceb0c310cf500541 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Wed, 7 Oct 2020 17:51:29 -0700
Subject: [PATCH] don't try to set an explicit route to VPN gateway if localhost, and ignore bogus non-forwardable exclude routes

This should fix confusing errors (see https://gitlab.com/openconnect/openconnect/-/issues/172 and https://gitlab.com/openconnect/openconnect/-/issues/173) and close #8.

Per IANA (https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#note1), there are other IPv4 blocks which are effectively unrouteable (not "Forwardable"), but the ones included here (0.*, 127.*, 169.254.*) are the ones we've actually seen in real VPNs in the wild.

Signed-off-by: Daniel Lenski
---
 vpnc-script | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/vpnc-script b/vpnc-script
index 24788fe..4e2d6ea 100755
--- a/vpnc-script
+++ b/vpnc-script
@@ -879,7 +879,10 @@ do_connect() {
 echo
 fi
- set_vpngateway_route
+ case "$VPNGATEWAY" in
+ 127.*|::1) ;; # localhost (probably proxy)
+ *) set_vpngateway_route ;;
+ esac
 do_ifconfig
 if [ -n "$CISCO_SPLIT_EXC" ]; then
 i=0
@@ -887,7 +890,10 @@ do_connect() {
 eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}"
 eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}"
 eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}"
- set_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
+ case "$NETWORK" in
+ 0.*|127.*|169.254.*) echo "ignoring non-forwardable exclude route $NETWORK/$NETMASKLEN" >&2 ;;
+ *) set_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;;
+ esac
 i=`expr $i + 1`
 done
 fi
-- 
2.50.1
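Review bot: The loopback match on the new `case "$VPNGATEWAY"` line only recognises the IPv6 loopback in its compressed spelling, so an uncompressed `0:0:0:0:0:0:0:1` or an IPv4-mapped `::ffff:127.0.0.1` would still get an explicit host route; if those spellings can reach the script, the pattern could be `127.*|::1|0:0:0:0:0:0:0:1|::ffff:127.*) ;; # localhost (probably proxy)`. The `# localhost (probably proxy)` comment would also be worth a sentence on the consequence of skipping the route: with no gateway route the script cannot keep the proxy's upstream connection to the real VPN server out of the tunnel, so that endpoint presumably has to be excluded by other means or the tunnel's default route may capture it. do_connect starts and ends outside this hunk.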
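Review bot: The new `case "$NETWORK"` filter tests only the address prefix and ignores `$NETMASKLEN`, so a broad exclude such as 0.0.0.0/0 or 0.0.0.0/1, whose first address happens to fall in 0.0.0.0/8 but which is not a non-forwardable block, would now be dropped with the same "ignoring non-forwardable" message; whether a gateway ever sends such a route is not visible here, but the IANA blocks the commit message cites are a /8, a /8 and a /16, so the prefix length belongs in the test. A small helper defined near the other functions keeps the loop body readable and treats an empty or non-numeric `$NETMASKLEN` as forwardable, i.e. the route is kept rather than silently lost. IPv6 equivalents (::1/128, fe80::/10) are not covered by this hunk; if IPv6 exclude routes take a similar path elsewhere in the file, the same check applies there. do_connect starts and ends outside this hunk.
```shell
# is_nonforwardable_v4 ADDR MASKLEN
# Exit 0 when ADDR/MASKLEN lies inside a block IANA marks as not
# forwardable: 0.0.0.0/8, 127.0.0.0/8 or 169.254.0.0/16.  An empty or
# non-numeric MASKLEN is treated as forwardable so the route is kept.
is_nonforwardable_v4() {
	case "$1" in
	0.*|127.*)   [ "${2:-0}" -ge 8 ] 2>/dev/null ;;
	169.254.*)   [ "${2:-0}" -ge 16 ] 2>/dev/null ;;
	*)           return 1 ;;
	esac
}

# … unchanged: eval NETWORK / NETMASK / NETMASKLEN …
			if is_nonforwardable_v4 "$NETWORK" "$NETMASKLEN"; then
				echo "ignoring non-forwardable exclude route $NETWORK/$NETMASKLEN" >&2
			else
				set_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
			fi
# … unchanged: i=`expr $i + 1`, done, fi …
```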