Ajout d'une route speciale VPN

Support Debian
#1

Salut,

je me connecte avec openconnect au VPN du travail car il utilise Juniper et je n’ai jamais pu faire fonctionner le truck java Juniper. En tout cas avec ./openconnect --juniper monsupervpn.com ca fonctionne super bien.

ca ajoute une cart Tun0 :

[code]ifconfig
eth0 Link encap:Ethernet HWaddr 84:c9:b2:3c:27:56
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::86c9:b2ff:fe3c:2756/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28224055 errors:0 dropped:21322 overruns:0 frame:0
TX packets:30713308 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23364692212 (21.7 GiB) TX bytes:32081574773 (29.8 GiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1057 errors:0 dropped:0 overruns:0 frame:0
TX packets:1057 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:701817 (685.3 KiB) TX bytes:701817 (685.3 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.26.52.181 P-t-P:172.26.52.181 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:128521 errors:0 dropped:0 overruns:0 frame:0
[/code]

comment je peux procéder au niveau des routes histoire d’utiliser la tun0 que pour des connections vers 10.100.0 et tout le reste le garder par eth0. C’est la seule plage ip qui m’intéresse pour le boulot mon surf internet et le reste je n’ai pas besoin qu’il passe dans le VPN.

je sais que ca utilise le script de connexion de vpnc

[code]# =========== script (variable) setup ====================================

PATH=/sbin:/usr/sbin:$PATH

OS="uname -s"

HOOKS_DIR=/etc/vpnc
DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute
RESOLV_CONF_BACKUP=/var/run/vpnc/resolv.conf-backup
SCRIPTNAME=basename $0

some systems, eg. Darwin & FreeBSD, prune /var/run on boot

if [ ! -d “/var/run/vpnc” ]; then
mkdir -p /var/run/vpnc
[ -x /sbin/restorecon ] && /sbin/restorecon /var/run/vpnc
fi

stupid SunOS: no blubber in /usr/local/bin … (on stdout)

IPROUTE="which ip 2> /dev/null | grep '^/'"

if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then
ifconfig_syntax_inet=""
else
ifconfig_syntax_inet="inet"
fi

if [ “$OS” = “Linux” ]; then
ifconfig_syntax_ptp="pointopoint"
route_syntax_gw=“gw"
route_syntax_del=“del"
route_syntax_netmask=“netmask"
else
ifconfig_syntax_ptp=”“
route_syntax_gw=”“
route_syntax_del=“delete"
route_syntax_netmask=”-netmask"
fi
if [ “$OS” = “SunOS” ]; then
route_syntax_interface=”-interface"
ifconfig_syntax_ptpv6=”$INTERNAL_IP6_ADDRESS"
else
route_syntax_interface=”“
ifconfig_syntax_ptpv6=”"
fi

if [ -r /etc/openwrt_release ] && [ -n “$OPENWRT_INTERFACE” ]; then
. /etc/functions.sh
include /lib/network
MODIFYRESOLVCONF=modify_resolvconf_openwrt
RESTORERESOLVCONF=restore_resolvconf_openwrt
elif [ -x /sbin/resolvconf ]; then # Optional tool on Debian, Ubuntu, Gentoo and FreeBSD
MODIFYRESOLVCONF=modify_resolvconf_manager
RESTORERESOLVCONF=restore_resolvconf_manager
elif [ -x /sbin/netconfig ]; then # tool on Suse after 11.1
MODIFYRESOLVCONF=modify_resolvconf_suse_netconfig
RESTORERESOLVCONF=restore_resolvconf_suse_netconfig
elif [ -x /sbin/modify_resolvconf ]; then # Mandatory tool on Suse earlier than 11.1
MODIFYRESOLVCONF=modify_resolvconf_suse
RESTORERESOLVCONF=restore_resolvconf_suse
elif [ -x /usr/sbin/unbound-control ] && /usr/sbin/unbound-control status > /dev/null 2>&1; then
MODIFYRESOLVCONF=modify_resolvconf_unbound
RESTORERESOLVCONF=restore_resolvconf_unbound
else # Generic for any OS
MODIFYRESOLVCONF=modify_resolvconf_generic
RESTORERESOLVCONF=restore_resolvconf_generic
fi

=========== script hooks =================================================

run_hooks() {
HOOK="$1"

if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then
    for script in ${HOOKS_DIR}/${HOOK}.d/* ; do
	[ -f $script ] && . $script
    done
fi

}

=========== tunnel interface handling ====================================

do_ifconfig() {
if [ -n “$INTERNAL_IP4_MTU” ]; then
MTU=$INTERNAL_IP4_MTU
elif [ -n “$IPROUTE” ]; then
MTUDEV=$IPROUTE route get "$VPNGATEWAY" | sed -ne 's/^.*dev \([a-z0-9]*\).*$/\1/p'
MTU=$IPROUTE link show "$MTUDEV" | sed -ne 's/^.*mtu \([[:digit:]]\+\).*$/\1/p'
if [ -n “$MTU” ]; then
MTU=expr $MTU - 88
fi
fi

if [ -z "$MTU" ]; then
	MTU=1412
fi

# Point to point interface require a netmask of 255.255.255.255 on some systems
if [ -n "$IPROUTE" ]; then
	$IPROUTE link set dev "$TUNDEV" up mtu "$MTU"
	$IPROUTE addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
else
	ifconfig "$TUNDEV" ${ifconfig_syntax_inet} "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up
fi

if [ -n "$INTERNAL_IP4_NETMASK" ]; then
	set_network_route $INTERNAL_IP4_NETADDR $INTERNAL_IP4_NETMASK $INTERNAL_IP4_NETMASKLEN
fi

# If the netmask is provided, it contains the address _and_ netmask
if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
    INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
fi
if [ -n "$INTERNAL_IP6_NETMASK" ]; then
    if [ -n "$IPROUTE" ]; then
	$IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV
    else
	# Unlike for Legacy IP, we don't specify the dest_address
	# here on *BSD. OpenBSD for one will refuse to accept
	# incoming packets to that address if we do.
	# OpenVPN does the same (gives dest_address for Legacy IP
	# but not for IPv6).
	# Only Solaris needs it; hence $ifconfig_syntax_ptpv6
        ifconfig "$TUNDEV" inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up
    fi
fi

}

destroy_tun_device() {
case “$OS” in
NetBSD|OpenBSD) # and probably others…
ifconfig “$TUNDEV” destroy
;;
FreeBSD)
ifconfig “$TUNDEV” destroy > /dev/null 2>&1 &
;;
esac
}

=========== route handling ====================================

if [ -n “$IPROUTE” ]; then
fix_ip_get_output () {
sed -e ‘s/ /\n/g’ |
sed -ne ‘1p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p}’
}

set_vpngateway_route() {
	$IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output`
	$IPROUTE route flush cache
}

del_vpngateway_route() {
	$IPROUTE route $route_syntax_del "$VPNGATEWAY"
	$IPROUTE route flush cache
}

set_default_route() {
	$IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE"
	$IPROUTE route replace default dev "$TUNDEV"
	$IPROUTE route flush cache
}

set_network_route() {
	NETWORK="$1"
	NETMASK="$2"
	NETMASKLEN="$3"
	$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
	$IPROUTE route flush cache
}

reset_default_route() {
	if [ -s "$DEFAULT_ROUTE_FILE" ]; then
		$IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"`
		$IPROUTE route flush cache
		rm -f -- "$DEFAULT_ROUTE_FILE"
	fi
}

del_network_route() {
	NETWORK="$1"
	NETMASK="$2"
	NETMASKLEN="$3"
	$IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
	$IPROUTE route flush cache
}

set_ipv6_default_route() {
	# We don't save/restore IPv6 default route; just add a higher-priority one.
	$IPROUTE -6 route add default dev "$TUNDEV" metric 1
	$IPROUTE -6 route flush cache
}

set_ipv6_network_route() {
	NETWORK="$1"
	NETMASKLEN="$2"
	$IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
	$IPROUTE route flush cache
}

reset_ipv6_default_route() {
	$IPROUTE -6 route del default dev "$TUNDEV"
	$IPROUTE route flush cache
}

del_ipv6_network_route() {
	NETWORK="$1"
	NETMASKLEN="$2"
	$IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
	$IPROUTE -6 route flush cache
}

else # use route command
get_default_gw() {
# isn’t -n supposed to give --numeric output?
# apperently not…
# Get rid of lines containing IPv6 addresses (’:’)
netstat -r -n | awk ‘/:confused: { next; } /^(default|0.0.0.0)/ { print $2; }’
}

set_vpngateway_route() {
	route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
}

del_vpngateway_route() {
	route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
}

set_default_route() {
	DEFAULTGW="`get_default_gw`"
	echo "$DEFAULTGW" > "$DEFAULT_ROUTE_FILE"
	route $route_syntax_del default $route_syntax_gw "$DEFAULTGW"
	route add default $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface
}

set_network_route() {
	NETWORK="$1"
	NETMASK="$2"
	NETMASKLEN="$3"
	del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
	route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface
}

reset_default_route() {
	if [ -s "$DEFAULT_ROUTE_FILE" ]; then
		route $route_syntax_del default $route_syntax_gw "`get_default_gw`" $route_syntax_interface
		route add default $route_syntax_gw `cat "$DEFAULT_ROUTE_FILE"`
		rm -f -- "$DEFAULT_ROUTE_FILE"
	fi
}

del_network_route() {
	case "$OS" in
	Linux|NetBSD|OpenBSD|Darwin|SunOS) # and probably others...
		# routes are deleted automatically on device shutdown
		return
		;;
	esac
	NETWORK="$1"
	NETMASK="$2"
	NETMASKLEN="$3"
	route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS"
}

set_ipv6_default_route() {
	route add -inet6 default "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
}

set_ipv6_network_route() {
	NETWORK="$1"
	NETMASK="$2"
	route add -inet6 -net "$NETWORK/$NETMASK" "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
	:
}

reset_ipv6_default_route() {
	route $route_syntax_del -inet6 default "$INTERNAL_IP6_ADDRESS"
	:
}

del_ipv6_network_route() {
	NETWORK="$1"
	NETMASK="$2"
	route $route_syntax_del -inet6 "$NETWORK/$NETMASK" "$INTERNAL_IP6_ADDRESS"
	:
}

fi

=========== resolv.conf handling ====================================

=========== resolv.conf handling for any OS =========================

modify_resolvconf_generic() {
grep ‘^#@VPNC_GENERATED@’ /etc/resolv.conf > /dev/null 2>&1 || cp – /etc/resolv.conf “$RESOLV_CONF_BACKUP"
NEW_RESOLVCONF=”#@VPNC_GENERATED@ – this file is generated by vpnc

and will be overwritten by vpnc

as long as the above mark is intact"

# Remember the original value of CISCO_DEF_DOMAIN we need it later
CISCO_DEF_DOMAIN_ORIG="$CISCO_DEF_DOMAIN"
# Don't step on INTERNAL_IP4_DNS value, use a temporary variable
INTERNAL_IP4_DNS_TEMP="$INTERNAL_IP4_DNS"
exec 6< "$RESOLV_CONF_BACKUP"
while read LINE <&6 ; do
	case "$LINE" in
		nameserver*)
			if [ -n "$INTERNAL_IP4_DNS_TEMP" ]; then
				read ONE_NAMESERVER INTERNAL_IP4_DNS_TEMP <<-EOF
$INTERNAL_IP4_DNS_TEMP

EOF
LINE=“nameserver $ONE_NAMESERVER"
else
LINE=”“
fi
;;
search*)
if [ -n “$CISCO_DEF_DOMAIN” ]; then
LINE=”$LINE $CISCO_DEF_DOMAIN"
CISCO_DEF_DOMAIN=""
fi
;;
domain*)
if [ -n “$CISCO_DEF_DOMAIN” ]; then
LINE=“domain $CISCO_DEF_DOMAIN"
CISCO_DEF_DOMAIN=”“
fi
;;
esac
NEW_RESOLVCONF=”$NEW_RESOLVCONF
$LINE"
done
exec 6<&-

for i in $INTERNAL_IP4_DNS_TEMP ; do
	NEW_RESOLVCONF="$NEW_RESOLVCONF

nameserver $i"
done
if [ -n “$CISCO_DEF_DOMAIN” ]; then
NEW_RESOLVCONF="$NEW_RESOLVCONF
search $CISCO_DEF_DOMAIN"
fi
echo “$NEW_RESOLVCONF” > /etc/resolv.conf

if [ "$OS" = "Darwin" ]; then
	case "`uname -r`" in
		# Skip for pre-10.4 systems
		4.*|5.*|6.*|7.*)
			;;
		# 10.4 and later require use of scutil for DNS to work properly
		*)
			OVERRIDE_PRIMARY=""
			if [ -n "$CISCO_SPLIT_INC" ]; then
				if [ $CISCO_SPLIT_INC -lt 1 ]; then
					# Must override for correct default route
					# Cannot use multiple DNS matching in this case
					OVERRIDE_PRIMARY='d.add OverridePrimary # 1'
				fi
				# Overriding the default gateway breaks split routing
				OVERRIDE_GATEWAY=""
				# Not overriding the default gateway breaks usage of
				# INTERNAL_IP4_DNS. Prepend INTERNAL_IP4_DNS to list
				# of used DNS servers
				SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'`
				SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs`
				if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then
					scutil >/dev/null 2>&1 <<-EOF
						open
						get State:/Network/Service/$SERVICE/DNS
						d.add ServerAddresses * $INTERNAL_IP4_DNS $SERVICE_DNS
						set State:/Network/Service/$SERVICE/DNS
						close
					EOF
				fi
			else
				# No split routing. Override default gateway
				OVERRIDE_GATEWAY="d.add Router $INTERNAL_IP4_ADDRESS"
			fi
			# Uncomment the following if/fi pair to use multiple
			# DNS matching when available.  When multiple DNS matching
			# is present, anything reading the /etc/resolv.conf file
			# directly will probably not work as intended.
			#if [ -z "$CISCO_DEF_DOMAIN_ORIG" ]; then
				# Cannot use multiple DNS matching without a domain
				OVERRIDE_PRIMARY='d.add OverridePrimary # 1'
			#fi
			scutil >/dev/null 2>&1 <<-EOF
				open
				d.init
				d.add ServerAddresses * $INTERNAL_IP4_DNS
				set State:/Network/Service/$TUNDEV/DNS
				d.init
				$OVERRIDE_GATEWAY
				d.add Addresses * $INTERNAL_IP4_ADDRESS
				d.add SubnetMasks * 255.255.255.255
				d.add InterfaceName $TUNDEV
				$OVERRIDE_PRIMARY
				set State:/Network/Service/$TUNDEV/IPv4
				close
			EOF
			if [ -n "$CISCO_DEF_DOMAIN_ORIG" ]; then
				scutil >/dev/null 2>&1 <<-EOF
					open
					get State:/Network/Service/$TUNDEV/DNS
					d.add DomainName $CISCO_DEF_DOMAIN_ORIG
					d.add SearchDomains * $CISCO_DEF_DOMAIN_ORIG
					d.add SupplementalMatchDomains * $CISCO_DEF_DOMAIN_ORIG
					set State:/Network/Service/$TUNDEV/DNS
					close
				EOF
			fi
			;;
	esac
fi

}

restore_resolvconf_generic() {
if [ ! -f “$RESOLV_CONF_BACKUP” ]; then
return
fi
grep ‘^#@VPNC_GENERATED@’ /etc/resolv.conf > /dev/null 2>&1 && cat “$RESOLV_CONF_BACKUP” > /etc/resolv.conf
rm -f – “$RESOLV_CONF_BACKUP”

if [ "$OS" = "Darwin" ]; then
	case "`uname -r`" in
		# Skip for pre-10.4 systems
		4.*|5.*|6.*|7.*)
			;;
		# 10.4 and later require use of scutil for DNS to work properly
		*)
			scutil >/dev/null 2>&1 <<-EOF
				open
				remove State:/Network/Service/$TUNDEV/IPv4
				remove State:/Network/Service/$TUNDEV/DNS
				close
			EOF
			# Split routing required prepending of INTERNAL_IP4_DNS
			# to list of used DNS servers
			if [ -n "$CISCO_SPLIT_INC" ]; then
				SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'`
				SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs`
				if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then
					scutil >/dev/null 2>&1 <<-EOF
						open
						get State:/Network/Service/$SERVICE/DNS
						d.add ServerAddresses * ${SERVICE_DNS##$INTERNAL_IP4_DNS}
						set State:/Network/Service/$SERVICE/DNS
						close
					EOF
				fi
			fi
			;;
	esac
fi

}

=== resolv.conf handling via /sbin/netconfig (Suse 11.1) =====================

Suse provides a script that modifies resolv.conf. Use it because it will

restart/reload all other services that care about it (e.g. lwresd). [unclear if this is still true, but probably --mlk]

modify_resolvconf_suse_netconfig()
{
/sbin/netconfig modify -s vpnc -i “$TUNDEV” <<-EOF
INTERFACE=’$TUNDEV’
DNSSERVERS=’$INTERNAL_IP4_DNS’
DNSDOMAIN=’$CISCO_DEF_DOMAIN’
EOF
}

Restore resolv.conf to old contents on Suse

restore_resolvconf_suse_netconfig()
{
/sbin/netconfig remove -s vpnc -i “$TUNDEV”
}

=== resolv.conf handling via /sbin/modify_resolvconf (Suse) =====================

Suse provides a script that modifies resolv.conf. Use it because it will

restart/reload all other services that care about it (e.g. lwresd).

modify_resolvconf_suse()
{
FULL_SCRIPTNAME=readlink -f $0
RESOLV_OPTS=’'
test -n “$INTERNAL_IP4_DNS” && RESOLV_OPTS="-n “$INTERNAL_IP4_DNS”“
test -n “$CISCO_DEF_DOMAIN” && RESOLV_OPTS=”$RESOLV_OPTS -d $CISCO_DEF_DOMAIN"
test -n “$RESOLV_OPTS” && eval /sbin/modify_resolvconf modify -s vpnc -p $SCRIPTNAME -f $FULL_SCRIPTNAME -e $TUNDEV $RESOLV_OPTS -t “This file was created by $SCRIPTNAME”
}

Restore resolv.conf to old contents on Suse

restore_resolvconf_suse()
{
FULL_SCRIPTNAME=readlink -f $0
/sbin/modify_resolvconf restore -s vpnc -p $SCRIPTNAME -f $FULL_SCRIPTNAME -e $TUNDEV
}

=== resolv.conf handling via UCI (OpenWRT) =========

modify_resolvconf_openwrt() {
add_dns $OPENWRT_INTERFACE $INTERNAL_IP4_DNS
}

restore_resolvconf_openwrt() {
remove_dns $OPENWRT_INTERFACE
}

=== resolv.conf handling via /sbin/resolvconf (Debian, Ubuntu, Gentoo)) =========

modify_resolvconf_manager() {
NEW_RESOLVCONF="“
for i in $INTERNAL_IP4_DNS; do
NEW_RESOLVCONF=”$NEW_RESOLVCONF
nameserver $i"
done
if [ -n “$CISCO_DEF_DOMAIN” ]; then
NEW_RESOLVCONF="$NEW_RESOLVCONF
domain $CISCO_DEF_DOMAIN"
fi
echo “$NEW_RESOLVCONF” | /sbin/resolvconf -a $TUNDEV
}

restore_resolvconf_manager() {
/sbin/resolvconf -d $TUNDEV
}

=== resolv.conf handling via unbound =========

modify_resolvconf_unbound() {
if [ -n “$CISCO_DEF_DOMAIN” ]; then
/usr/sbin/unbound-control forward_add +i ${CISCO_DEF_DOMAIN} ${INTERNAL_IP4_DNS}
/usr/sbin/unbound-control flush_requestlist
/usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN}
fi
}

restore_resolvconf_unbound() {
if [ -n “$CISCO_DEF_DOMAIN” ]; then
/usr/sbin/unbound-control forward_remove +i ${CISCO_DEF_DOMAIN}
/usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN}
/usr/sbin/unbound-control flush_requestlist
fi
}

========= Toplevel state handling =======================================

kernel_is_2_6_or_above() {
case uname -r in
1.|2.[012345])
return 1
;;
*)
return 0
;;
esac
}

do_pre_init() {
if [ “$OS” = “Linux” ]; then
if (exec 6<> /dev/net/tun) > /dev/null 2>&1 ; then
:
else # can’t open /dev/net/tun
test -e /proc/sys/kernel/modprobe && cat /proc/sys/kernel/modprobe tun 2>/dev/null
# fix for broken devfs in kernel 2.6.x
if [ “readlink /dev/net/tun” = misc/net/tun
-a ! -e /dev/net/misc/net/tun -a -e /dev/misc/net/tun ] ; then
ln -sf /dev/misc/net/tun /dev/net/tun
fi
# make sure tun device exists
if [ ! -e /dev/net/tun ]; then
mkdir -p /dev/net
mknod -m 0640 /dev/net/tun c 10 200
[ -x /sbin/restorecon ] && /sbin/restorecon /dev/net/tun
fi
# workaround for a possible latency caused by udev, sleep max. 10s
if kernel_is_2_6_or_above ; then
for x in seq 100 ; do
(exec 6<> /dev/net/tun) > /dev/null 2>&1 && break;
sleep 0.1
done
fi
fi
elif [ “$OS” = “FreeBSD” ]; then
if ! kldstat -q -m if_tun > /dev/null; then
kldload if_tun
fi

	if ! ifconfig $TUNDEV > /dev/null; then
		ifconfig $TUNDEV create
	fi
elif [ "$OS" = "GNU/kFreeBSD" ]; then
	if [ ! -e /dev/tun ]; then
		kldload if_tun
	fi
elif [ "$OS" = "NetBSD" ]; then
	:
elif [ "$OS" = "OpenBSD" ]; then
	if ! ifconfig $TUNDEV > /dev/null; then
		ifconfig $TUNDEV create
	fi
	:
elif [ "$OS" = "SunOS" ]; then
	:
elif [ "$OS" = "Darwin" ]; then
	:
fi

}

do_connect() {
if [ -n “$CISCO_BANNER” ]; then
echo "Connect Banner:"
echo “$CISCO_BANNER” | while read LINE ; do echo “|” “$LINE” ; done
echo
fi

set_vpngateway_route
do_ifconfig
if [ -n "$CISCO_SPLIT_INC" ]; then
	i=0
	while [ $i -lt $CISCO_SPLIT_INC ] ; do
		eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
		eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
		eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
		if [ "$NETWORK" != "0.0.0.0" ]; then
			set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
		else
			set_default_route
		fi
		i=`expr $i + 1`
	done
	for i in $INTERNAL_IP4_DNS ; do
		echo "$i" | grep : >/dev/null || \
			set_network_route "$i" "255.255.255.255" "32"
	done
elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
	set_default_route
fi
if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
	i=0
	while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
		eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
		eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
		if [ $NETMASKLEN -lt 128 ]; then
			set_ipv6_network_route "$NETWORK" "$NETMASKLEN"
		else
			set_ipv6_default_route
		fi
		i=`expr $i + 1`
	done
	for i in $INTERNAL_IP4_DNS ; do
		if echo "$i" | grep : >/dev/null; then
			set_ipv6_network_route "$i" "128"
		fi
	done
elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
	set_ipv6_default_route
fi

if [ -n "$INTERNAL_IP4_DNS" ]; then
	$MODIFYRESOLVCONF
fi

}

do_disconnect() {
if [ -n “$CISCO_SPLIT_INC” ]; then
i=0
while [ $i -lt $CISCO_SPLIT_INC ] ; do
eval NETWORK="${CISCO_SPLIT_INC_${i}ADDR}“
eval NETMASK=”${CISCO_SPLIT_INC${i}MASK}“
eval NETMASKLEN=”${CISCO_SPLIT_INC${i}MASKLEN}"
if [ “$NETWORK” != “0.0.0.0” ]; then
# FIXME: This doesn’t restore previously overwritten
# routes.
del_network_route “$NETWORK” “$NETMASK” "$NETMASKLEN"
else
reset_default_route
fi
i=expr $i + 1
done
for i in $INTERNAL_IP4_DNS ; do
del_network_route “$i” “255.255.255.255” “32"
done
else
reset_default_route
fi
if [ -n “$CISCO_IPV6_SPLIT_INC” ]; then
i=0
while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
eval NETWORK=”${CISCO_IPV6_SPLIT_INC${i}ADDR}“
eval NETMASKLEN=”${CISCO_IPV6_SPLIT_INC${i}_MASKLEN}"
if [ $NETMASKLEN -eq 0 ]; then
reset_ipv6_default_route
else
del_ipv6_network_route “$NETWORK” "$NETMASKLEN"
fi
i=expr $i + 1
done
for i in $INTERNAL_IP6_DNS ; do
del_ipv6_network_route “$i” "128"
done
elif [ -n “$INTERNAL_IP6_NETMASK” -o -n “$INTERNAL_IP6_ADDRESS” ]; then
reset_ipv6_default_route
fi

del_vpngateway_route

if [ -n "$INTERNAL_IP4_DNS" ]; then
	$RESTORERESOLVCONF
fi


if [ -n "$IPROUTE" ]; then
	if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
		$IPROUTE addr del "$INTERNAL_IP4_ADDRESS/255.255.255.255" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
	fi
	# If the netmask is provided, it contains the address _and_ netmask
	if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
		INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
	fi
	if [ -n "$INTERNAL_IP6_NETMASK" ]; then
		$IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV
	fi
else
	if [ -n "$INTERNAL_IP4_ADDRESS" ]; then
		ifconfig "$TUNDEV" 0.0.0.0
	fi
	if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
		INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
	fi
	if [ -n "$INTERNAL_IP6_NETMASK" ]; then
		ifconfig "$TUNDEV" inet6 del $INTERNAL_IP6_NETMASK
	fi
fi

destroy_tun_device

}

Main

if [ -z “$reason” ]; then
echo “this script must be called from vpnc” 1>&2
exit 1
fi

case “$reason” in
pre-init)
run_hooks pre-init
do_pre_init
;;
connect)
run_hooks connect
do_connect
run_hooks post-connect
;;
disconnect)
run_hooks disconnect
do_disconnect
run_hooks post-disconnect
;;
reconnect)
run_hooks reconnect
;;
*)
echo “unknown reason ‘$reason’. Maybe vpnc-script is out of date” 1>&2
exit 1
;;
esac

exit 0
[/code]

que je n’ai pas touché, par défaut…

vous pensez que c’est possible de quel façon ?

Merci

#2

Ce script est une usine à gaz…
En résumé, il ne faut pas que le VPN modifie la route par défaut mais crée à la place une route vers la plage qui t’intéresse sur l’interface tun du VPN.

Par contre en général les entreprises n’aiment pas trop qu’un poste se connecte en VPN à leur réseau tout en ayant accès à tout internet (et vice versa), ça peut créer une “connexion de pont”.

#3

en dehors du script alors ?