OCPROXY(1)                  General Commands Manual                 OCPROXY(1)

NAME
       ocproxy - lwIP-based proxy for openconnect

SYNOPSIS
       ocproxy [options]

DESCRIPTION
       This manual page briefly documents the ocproxy command.

       ocproxy is a program that provides a SOCKS and port-forwarding proxy
       when used in conjunction with openconnect(1). When using ocproxy,
       OpenConnect only handles network activity that the user specifically
       asks to proxy, so the VPN tunnel no longer "hijacks" all network
       traffic on the host.

       ocproxy accomplishes this by running a lwIP network stack in userland,
       so the OS kernel is no longer directly handling packets sent to and
       from the VPN connection.

OPTIONS
       ocproxy should be invoked directly from OpenConnect or another VPN
       program; a file descriptor number is passed through the VPNFD
       environment variable to tell ocproxy how to send and receive VPN
       traffic. For example:

              openconnect --script-tun --script "ocproxy -D 11080
              -L2222:unix-host:22" vpn.example.com

       Commonly used options include:

       -D, --dynfw [bind_address:]port
              Start up a SOCKS5 server on TCP port port to dynamically forward
              application-level traffic over the VPN proxy. This is intended
              to resemble the -D option to ssh(1). If bind_address is
              unspecified, ocproxy will bind to the loopback interface by
              default unless --allow-remote is used.

       -L, --localfw port:host:hostport
              Bind to local TCP port port, and forward incoming connections
              to host:hostport on the VPN. host can be a DNS name or a
              dotted-quad IP address. Do not use localhost. If the VPN
              supplied a default DNS domain name or --domain was specified on
              the command line, unqualified hostnames may be used. This is
              intended to resemble the -L option to ssh(1).

       -g, --allow-remote
              Local listening sockets opened by the --dynfw and --localfw
              options, by default, will be bound to the loopback interface
              only (127.0.0.1) so they are only available on the local
              machine. If --allow-remote is specified, the sockets will be
              bound to INADDR_ANY (0.0.0.0) instead, and other hosts may
              connect to them. This is intended to resemble the -g option to
              ssh(1).

       -k, --keepalive interval
              Send a TCP keepalive packet every interval seconds on each open
              connection, on the VPN side. This can help avoid idle timeouts,
              both on the VPN gateway and on any stateful firewalls in between
              the two ends.

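       As an added example (not part of this man page or of the ocproxy
       project), the shell fragment below composes the --script argument
       shown in the invocation example above, with the SOCKS listener pinned
       to loopback, and then audits `ss -ltnp` output so that an ocproxy
       socket that ended up on INADDR_ANY via -g/--allow-remote is reported.
       The ss lines are constructed samples and the field order assumed is
       the standard `ss -ltnp` column layout.

```sh
#!/bin/sh
# Added example, not from the ocproxy project. Builds the openconnect
# --script argument for ocproxy and audits its listening sockets afterwards.

# Compose "ocproxy -D 127.0.0.1:PORT -Lspec ...": SOCKS bound explicitly to
# loopback, plus one -L spec per extra argument (e.g. 2222:unix-host:22).
ocproxy_script() {
    _s="ocproxy -D 127.0.0.1:$1"
    shift
    for _fw in "$@"; do
        _s="$_s -L$_fw"
    done
    printf '%s\n' "$_s"
}

# Constructed sample of `ss -ltnp` output (State Recv-Q Send-Q Local Peer
# Process): the SOCKS port is on loopback, but the -L forward was started
# with -g/--allow-remote and therefore listens on 0.0.0.0.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:11080 0.0.0.0:* users:(("ocproxy",pid=4242,fd=5))
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("ocproxy",pid=4242,fd=6))'

# Read ss lines on stdin, report ocproxy listeners bound to all interfaces
# on stderr, and print how many were found. Zero means every ocproxy socket
# is loopback-only, which is the default the man page describes.
count_exposed() {
    _n=0
    while read -r _state _rq _sq _local _peer _proc; do
        case "$_proc" in *ocproxy*) ;; *) continue ;; esac
        case "$_local" in
            0.0.0.0:*|\*:*|\[::\]:*)
                printf 'ocproxy listener exposed on all interfaces: %s\n' "$_local" >&2
                _n=$((_n + 1)) ;;
        esac
    done
    printf '%s\n' "$_n"
}

# Typical use once the VPN is up (the openconnect line itself is not run here):
#   openconnect --script-tun --script "$(ocproxy_script 11080 2222:unix-host:22)" vpn.example.com
#   ss -ltnp | count_exposed
```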
       These options may be useful for debugging ocproxy or diagnosing
       problems:

       -v, --verbose
              Enable verbose debugging output.

       -T, --tcpdump
              Write a log of all TCP or UDP packets traversing the VPN to
              /tmp/tcpdump. The format largely mirrors the output of the
              tcpdump(8) utility.

       ocproxy will normally retrieve IP configuration parameters through
       environment variables provided by OpenConnect. These options may be
       used to override the autodetected parameters:

       -I, --ip local_ip
              Use local_ip for the VPN side IP address. Example:
              192.168.5.20. This is normally set through the
              INTERNAL_IP4_ADDRESS environment variable.

       -M, --mtu mtu_bytes
              Use mtu_bytes as the maximum transmission unit (MTU) on the VPN
              interface; it generally depends on DTLS and UDP packet overhead.
              Example: 1300. This is normally set through the
              INTERNAL_IP4_MTU environment variable.

       -d, --dns dns_ip
              Send all VPN side DNS queries to server dns_ip. Example:
              192.168.5.2. This is normally set through the INTERNAL_IP4_DNS
              environment variable.

       -o, --domain domain
              Use domain as the default DNS domain, for unqualified hostnames.
              This is normally set through the CISCO_DEF_DOMAIN environment
              variable.

SEE ALSO
       vpnns(1), openconnect(8), ssh(1)

       http://savannah.nongnu.org/projects/lwip/

                               November 20, 2012                    OCPROXY(1)