Re: Presence of ip-up script destroys VPN connectivity?
- Subject: Re: Presence of ip-up script destroys VPN connectivity?
- From: email@hidden
- Date: 20 Dec 2006 07:12:06 -0000
- Encoding: 8bit
> I held my nose while I typed my suggestion until I realized that I
> first noticed the problem more than a year ago.
>
> Realizing that, and hoping for ANY solution, I hope you'll share some
> of your implementation (I haven't used the launchd). This list gets
> very few VPN or security related posts, so I'm not hopeful for a fix
> any time soon.
Sure.
I added some code to my installer application which dynamically populates the ProgramArguments of the following Launch Agent, drops it into ~/Library/LaunchAgents and loads it up:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.khiltd.panopticon</string>
<key>ServiceDescription</key>
<string>Updates private DNS records when L2TP connection is established</string>
<key>ProgramArguments</key>
<array>
<string>***placeholder***</string>
</array>
<key>RunAtLoad</key>
<false/>
<key>StandardErrorPath</key>
<string>/dev/console</string>
<key>StandardOutPath</key>
<string>/dev/console</string>
<key>WatchPaths</key>
<array>
<string>/private/var/log/ppp.log</string>
</array>
</dict>
</plist>
In my case, the arguments consist of:
1. The path to the shell script responsible for updating the DNS records.
2. The VPN username (necessary because the DNS records I'm updating include this info and it is impossible to get it out of the user's keychain when launchd is running your script as root, oblivious to the existence of said keychain).
Basically every time /var/log/ppp.log's modification date changes, launchd calls my script. This means it's going to get a lot of false positives, and it's not going to be handed all the relevant information it would be in an ip-up script, so there's a lot more work to do to make sure we're really connected to what we think we are.
This is probably the fourth shell script I've written in my life, so I'm sure someone can find fault with what I've done, but it works well enough for my needs at the moment:
-------8<------- BEGIN SNIPPET-------
#! /bin/sh
#Assume our private server is here, running
#BIND, pppd and vpnd all on the same box
nameserver="123.123.123.123"
#Walk through all available PPP interfaces. If none exist
#then we know we're not connected to anything
ifconfig -a | awk -F':' '/^ppp[0-9]*/ { print $1 }' |
while read interface; do
#Get the IP of the PPP server (the peer address after "-->")
hostip=`ifconfig "$interface" | awk '/inet / { print $4 }'`
#Does it look like it's ours?
if [ "$hostip" = "$nameserver" ]; then
#Try to look up a private address on the server
#no one outside the network should know about. If
#it succeeds, then we can assume this is the right
#PPP connection
serverIP=`dig @"$nameserver" private.domain.com A +short`
#Quote the variable: an unquoted empty value makes [ -n ] true
if [ -n "$serverIP" ]; then
#Get the IP address the server assigned us
ip=`ifconfig "$interface" | awk '/inet / { print $2 }'`
#Username is passed in the first arg
panousername="$1"
if [ -n "$panousername" ]; then
#Build DNS record here and send it along with nsupdate
: #no-op placeholder; sh rejects an empty if body
fi
fi
fi
done
------->8-------END SNIPPET
It should be fairly easy to repurpose the last part there to do something else if updating DNS records isn't your goal. You could also parse ppp.log directly, but then you have to worry about timestamps and how many lines to read and whether or not it's lying to you and all kinds of things, so I opted to get my info from ifconfig instead.
Now I just have to figure out how to delete the stale A records after they disconnect the way Bonjour does :)
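The "is this really our tunnel?" check from the script above, as an added example that is not the poster's code: it parses a single ifconfig -a dump instead of re-running ifconfig per interface, and only accepts a pppN link whose peer address is the expected server. The function names find_ppp_by_peer and vpn_local_address and the SAMPLE_IFCONFIG text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not the original poster's script). Given BSD/macOS style
# `ifconfig -a` output on stdin, print "iface local peer" for every pppN
# interface whose point-to-point peer equals $1. Non-ppp interfaces and
# inet6 lines are ignored.
find_ppp_by_peer() {
    awk -v want="$1" '
        /^[a-z]+[0-9]*:/ { iface = $1; sub(/:$/, "", iface); next }
        iface ~ /^ppp[0-9]+$/ && $1 == "inet" && $3 == "-->" {
            if ($4 == want) print iface, $2, $4
        }'
}

# Constructed sample of an ifconfig -a dump with two PPP links up:
# ppp0 to some unrelated peer, ppp1 to the expected VPN server.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet 10.9.9.2 --> 10.9.9.1 netmask 0xffffffff
ppp1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet 10.0.0.42 --> 123.123.123.123 netmask 0xffffffff'

# Print "iface local" for the first tunnel whose peer is the expected
# server ($1); print nothing and return 1 when no such PPP link exists,
# which is the "launchd fired on an unrelated ppp.log change" case.
vpn_local_address() {
    result=$(printf '%s\n' "$SAMPLE_IFCONFIG" | find_ppp_by_peer "$1" | head -n 1)
    [ -n "$result" ] || return 1
    printf '%s\n' "$result" | awk '{ print $1, $2 }'
}

# Replace SAMPLE_IFCONFIG with `ifconfig -a` to use this on a live system.
vpn_local_address 123.123.123.123
```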
Macnetworkprog mailing list (email@hidden)