OCPROXY(1)                  General Commands Manual                 OCPROXY(1)

NAME

       ocproxy - lwIP-based proxy for openconnect

SYNOPSIS

       ocproxy [options]

DESCRIPTION

       This manual page briefly documents the ocproxy command.

       ocproxy is a program that provides a SOCKS and port-forwarding proxy
       when used in conjunction with openconnect(1).  When using ocproxy,
       OpenConnect only handles network activity that the user specifically
       asks to proxy, so the VPN tunnel no longer "hijacks" all network
       traffic on the host.

       ocproxy accomplishes this by running a lwIP network stack in userland,
       so the OS kernel is no longer directly handling packets sent to and
       from the VPN connection.

BASIC USAGE

       ocproxy should be invoked directly from OpenConnect or another VPN
       program; a file descriptor number is passed through the VPNFD
       environment variable to tell ocproxy how to send and receive VPN
       traffic.  For example:

              openconnect --script-tun --script "ocproxy -D 11080
              -L2222:unix-host:22" vpn.example.com

       Commonly used options include:

       -D, --dynfw [bind_address:]port
              Start up a SOCKS5 server on TCP port port to dynamically forward
              application-level traffic over the VPN proxy.  This is intended
              to resemble the -D option to ssh(1).  If bind_address is
              unspecified, ocproxy will bind to the loopback interface by
              default unless --allow-remote is used.

       -L, --localfw port:host:hostport
              Bind to local TCP port port, and forward incoming connections
              to host:hostport on the VPN.  host can be a DNS name or a
              dotted-quad IP address.  Do not use localhost.  If the VPN
              supplied a default DNS domain name or --domain was specified on
              the command line, unqualified hostnames may be used.  This is
              intended to resemble the -L option to ssh(1).

       -g, --allow-remote
              Local listening sockets opened by the --dynfw and --localfw
              options, by default, will be bound to the loopback interface
              only (127.0.0.1) so they are only available on the local
              machine.  If --allow-remote is specified, the sockets will be
              bound to INADDR_ANY (0.0.0.0) instead, and other hosts may
              connect to them.  This is intended to resemble the -g option to
              ssh(1).

       -k, --keepalive interval
              Send a TCP keepalive packet every interval seconds on each open
              connection, on the VPN side.  This can help avoid idle timeouts,
              both on the VPN gateway and on any stateful firewalls in between
              the two ends.
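       The following wrapper script is an added example and is not part of
       ocproxy or its manual; it is meant to be passed to openconnect's
       --script option (invoked with a "run" argument, and reading SOCKS_SPEC,
       FWD_SPEC and ALLOW_REMOTE from the environment, all assumptions of this
       example).  It applies the rules given by the options above before
       exec'ing ocproxy: a --localfw target of localhost is rejected, and a
       --dynfw bind address outside loopback is refused unless --allow-remote
       was deliberately requested, so a SOCKS listener is never exposed to
       other hosts by accident.

```shell
#!/bin/sh
# Hypothetical wrapper for openconnect's --script option (not part of ocproxy):
#   openconnect --script-tun --script "./ocproxy-wrap.sh run" vpn.example.com
# It applies the rules stated by the -D, -L and -g options before exec'ing ocproxy.

# Validate a -L spec "port:host:hostport".  Fails on a malformed spec or when
# host is "localhost", which the -L option explicitly says not to use.
check_localfw() {
    spec=$1
    port=${spec%%:*}; rest=${spec#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    [ -n "$port" ] && [ -n "$host" ] && [ -n "$hostport" ] && [ "$rest" != "$host" ] || return 1
    case $port$hostport in *[!0-9]*) return 1;; esac
    [ "$host" != localhost ]
}

# Validate a -D spec "[bind_address:]port".  $2 is "yes" when -g/--allow-remote
# was requested.  A non-loopback bind address without -g would silently expose
# the SOCKS server to other hosts, so it is refused.
check_dynfw() {
    spec=$1; allow_remote=$2
    case $spec in
        *:*) bind=${spec%:*}; port=${spec##*:} ;;
        *)   bind=127.0.0.1; port=$spec ;;        # no address given: loopback
    esac
    case $port in ''|*[!0-9]*) return 1;; esac
    case $bind in 127.*|localhost) return 0;; esac
    [ "$allow_remote" = yes ]
}

# Assemble the ocproxy argument list; prints it on success, fails otherwise.
# Arguments: socks_spec localfw_spec allow_remote(yes|no)
build_args() {
    check_dynfw "$1" "$3" || return 1
    check_localfw "$2" || return 1
    out="-D $1 -L $2 -k 60"                       # -k: TCP keepalive every 60 s
    [ "$3" = yes ] && out="$out -g"
    printf '%s\n' "$out"
}

# Entry point used by openconnect: VPNFD carries the tunnel file descriptor.
if [ "${1:-}" = run ]; then
    [ -n "$VPNFD" ] || { echo "VPNFD not set; run from openconnect" >&2; exit 1; }
    args=$(build_args "${SOCKS_SPEC:-11080}" "${FWD_SPEC:-2222:unix-host:22}" \
                      "${ALLOW_REMOTE:-no}") || exit 1
    exec ocproxy $args
fi
```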

ADVANCED USAGE

       These options may be useful for debugging ocproxy or diagnosing
       problems:

       -v, --verbose
              Enable verbose debugging output.

       -T, --tcpdump
              Write a log of all TCP or UDP packets traversing the VPN to
              /tmp/tcpdump.  The format largely mirrors the output of the
              tcpdump(8) utility.

       ocproxy will normally retrieve IP configuration parameters through
       environment variables provided by OpenConnect.  These options may be
       used to override the autodetected parameters:

       -I, --ip local_ip
              Use local_ip for the VPN side IP address.  Example:
              192.168.5.20.  This is normally set through the
              INTERNAL_IP4_ADDRESS environment variable.

       -M, --mtu mtu_bytes
              Use mtu_bytes as the maximum transmission unit (MTU) on the VPN
              interface; it generally depends on DTLS and UDP packet overhead.
              Example: 1300.  This is normally set through the
              INTERNAL_IP4_MTU environment variable.

       -d, --dns dns_ip
              Send all VPN side DNS queries to server dns_ip.  Example:
              192.168.5.2.  This is normally set through the INTERNAL_IP4_DNS
              environment variable.

       -o, --domain domain
              Use domain as the default DNS domain, for unqualified hostnames.
              This is normally set through the CISCO_DEF_DOMAIN environment
              variable.

SEE ALSO

       vpnns(1), openconnect(8), ssh(1)

       http://savannah.nongnu.org/projects/lwip/

                               November 20, 2012                    OCPROXY(1)