@jmark
Last active March 29, 2017 12:11
Configuring vpnc on an Arch Linux box

Vpnc and Split Tunnel

Synopsis

How to set up a VPN tunnel to a Cisco-type VPN gateway with the vpnc tool and configure IP routing so that only packets destined for the VPN network are sent through the tunnel. All other traffic, e.g. normal internet traffic, is handled as usual. I will show this with a specific example: connecting to the UKlan network of the University of Cologne.

The following HowTo is based on a tutorial written by Antonio Borneo and posted on the 'vpnc-devel' mailing list.

As disclaimed there, I want to raise a possible security issue, too: by establishing a route from your local network over a VPN, every user on your machine gains access to the other corporate network as well. Be aware of this!

My system is an Arch Linux box.

Install vpnc

pacman -S vpnc

Save the following config to '/etc/vpnc/uklan.conf' (vpnc expects the keyword and its value to be separated by single spaces, e.g. 'IPSec gateway'):

Script /etc/vpnc/vpnc-script-uklan-split
IPSec gateway vpngate.uni-koeln.de
IPSec ID uklan-full
IPSec secret uklan
Xauth username <your username>

The config file as well as further instructions are publicly available from UKlan.

Write the connection script mentioned in the above config file:

#!/bin/sh

# Initialize an empty split tunnel list: vpnc-script then adds no
# default route through the tunnel and only routes the (zero) listed networks
export CISCO_SPLIT_INC=0

# Drop the DNS servers provided by the VPN server so the usual internet DNS stays in use.
# Comment out the following line to use the DNS servers behind the VPN tunnel.
unset INTERNAL_IP4_DNS

# Hand over to the stock vpnc-script ('.' instead of 'source', which plain /bin/sh lacks)
. /etc/vpnc/vpnc-script

Don't forget to make '/etc/vpnc/vpnc-script-uklan-split' executable. The script more or less stops 'vpnc' from modifying the local routing table. We will configure the routing manually later on.

Start the VPN daemon

sudo vpnc uklan.conf

vpnc will interactively ask you for a password and, if everything is working all right, greet you with the banner of the VPN network.

Add a DNS nameserver of the UKlan network

echo nameserver noc2.rrz.uni-koeln.de | sudo tee -a /etc/resolv.conf

On most systems one has to wait a while until the new nameserver is picked up by the resolver. Note that a 'nameserver' entry in resolv.conf is expected to be an IP address rather than a hostname. Warning: I'm not quite sure if this is the right way. I had some hiccups.

Configure the new route

sudo ip route add 134.95.0.0/16 dev tun0

The address space 134.95.0.0/16 belongs to the University of Cologne, which is the network we wanted to reach via the VPN in the first place.
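As an added check that is not part of the original gist, the following script verifies that split tunneling is actually in effect after the steps above: it reads the output of 'ip route show' and confirms that 134.95.0.0/16 is routed over tun0 while the default route is not. The function names and the sample routing tables are constructed for this example.

```shell
#!/bin/sh
# Added example: verify the split-tunnel routing set up above is in effect.
# Reads the routing table text (output of `ip route show`) and checks that
# the VPN prefix is routed over the tunnel device while the default route
# is NOT, i.e. only 134.95.0.0/16 leaves via tun0. Function names and the
# sample routing tables below are constructed for this example.

VPN_NET="134.95.0.0/16"
VPN_DEV="tun0"

# route_via DEV PREFIX ROUTES: succeeds when ROUTES contains a route whose
# destination is PREFIX and whose output device is DEV.
route_via() {
    printf '%s\n' "$3" | awk -v pfx="$2" -v dev="$1" '
        $1 == pfx { for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == dev) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_split_tunnel ROUTES: 0 = split tunnel correct, 2 = default route
# goes through the tunnel (full tunnel, all traffic leaves via the VPN),
# 1 = the VPN prefix has no route over the tunnel (VPN hosts unreachable).
check_split_tunnel() {
    route_via "$VPN_DEV" default "$1" && return 2
    route_via "$VPN_DEV" "$VPN_NET" "$1" || return 1
    return 0
}

# Constructed sample tables (not captured from a real host).
GOOD_ROUTES="default via 192.168.1.1 dev eth0 proto dhcp metric 100
134.95.0.0/16 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.42"

FULL_TUNNEL_ROUTES="default dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.42"

# Run against the live routing table: ./split-check.sh --live (needs iproute2)
main() {
    rc=0
    check_split_tunnel "$(ip route show)" || rc=$?
    case $rc in
        0) echo "OK: only ${VPN_NET} is routed via ${VPN_DEV}" ;;
        1) echo "missing route: sudo ip route add ${VPN_NET} dev ${VPN_DEV}" ;;
        2) echo "WARNING: default route goes through ${VPN_DEV} (full tunnel)" ;;
    esac
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then main; fi
```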

Conclusion

Finally, one should be able to reach the private hosts of UKlan and browse the internet as usual.