Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
vpnc launchd and start/stop control scripts
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>org.macports.vpnc</string>
<key>ProgramArguments</key>
<array>
<string>/opt/local/sbin/vpnc</string>
<string>--debug</string>
<string>2</string>
<string>--no-detach</string>
<string>/opt/local/etc/vpnc/default.conf</string>
</array>
<key>StandardErrorPath</key>
<string>/opt/local/var/log/vpnc/vpnc.log</string>
<key>StandardOutPath</key>
<string>/opt/local/var/log/vpnc/vpnc.log</string>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<!-- NetworkState key is no longer implemented in OS X 10.10 Yosemite.
<dict>
<key>NetworkState</key>
<true/>
</dict> -->
<true/>
</dict>
</plist>
#!/bin/sh
if [ "$(id -u)" -ne 0 ]; then
SELF=`echo $0 | sed -ne 's|^.*/||p'`
echo "$SELF must be run as root." 1>&2
echo "try: sudo $SELF" 1>&2
exit 1
fi
PLIST=/Library/LaunchDaemons/org.macports.vpnc.plist
CONF=`grep \.conf $PLIST | sed 's/<[^>]*>//g' | tr -d " \t"`
GATEWAY=`grep gateway $CONF`
ERROR=$( { /bin/launchctl load -w $PLIST; } 2>&1 )
if [ -z "$ERROR" ]; then
echo "starting vpnc daemon connection to $GATEWAY."
else
echo $ERROR
fi
#!/bin/sh
if [ "$(id -u)" -ne 0 ]; then
SELF=`echo $0 | sed -ne 's|^.*/||p'`
echo "$SELF must be run as root." 1>&2
echo "try: sudo $SELF" 1>&2
exit 1
fi
PLIST=/Library/LaunchDaemons/org.macports.vpnc.plist
CONF=`grep \.conf $PLIST | sed 's/<[^>]*>//g' | tr -d " \t"`
GATEWAY=`grep gateway $CONF`
ERROR=$( { /bin/launchctl unload -w $PLIST; } 2>&1 )
if [ -z "$ERROR" ]; then
echo "stopping vpnc daemon connection to $GATEWAY."
else
echo $ERROR
fi
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/opt/local/var/vpnc/*.log 644 3 1000 * J
@breiter

This comment has been minimized.

Copy link
Owner Author

breiter commented Sep 5, 2014

Installing vpnc from MacPorts

sudo port install vpnc tuntaposx
sudo launchctl -w load /Library/LaunchDaemons/org.macports.tuntaposx
  • Configure VPN connection in /opt/local/etc/vpnc/defualt.conf
  • use cisco-derypt(1) to convert enc_GroupPwd from corporate .pcf file to "IPSec secret" field in default.conf

Example config

IPSec gateway **vpn-server-hostname-or-ip**
IPSec ID **GroupName-from-.pcf**
IPSec secret **output-of-cisco-decrypt-here**
IKE Authmode psk
Xauth username **my-corporate-username**
Xauth password **super-secure-password**
NAT Traversal Mode cisco-udp
DPD idle timeout (our side) 0

File locations

  • plist goes in /Library/LaunchDaemons
    • when plist is loaded it will restart vpnc and reconnect as long as network is available
  • start/stop shell scripts go in /usr/local/bin (or somewhere in path) with +x bit set.
  • vpnc.conf goes in /etc/newsyslog.d
  • create /var/log/vpnc and symlink /opt/local/var/log/vpnc/vpnc.log to /var/log/vpnc/vpnc.log for integration with Console.app

Usage

$ sudo vpnc-start
Password:
starting vpnc daemon connection to IPSec gateway vpn.corporate.com.
$ sudo vpnc-stop
stopping vpnc daemon connection to IPSec gateway vpn.corporate.com.
$ 
@breiter

This comment has been minimized.

Copy link
Owner Author

breiter commented Oct 23, 2014

Yosemite disables loading of unsigned kernel extensions by default which makes tuntaposx build by MacPorts fail to load and vpnc fail to work. Enabling kext developer mode solves the problem at the expense of a less secure posture than the default.

sudo nvram boot-args="kext-dev-mode=1" 

Reversible:

sudo nvram -d boot-args
@breiter

This comment has been minimized.

Copy link
Owner Author

breiter commented Oct 24, 2014

Alternative. Replace tun.kext and tap.kext built by MacPorts with signed versions.

curl -O http://download.wolfereiter.com/tuntaposx.extensions.tgz
tar xzvf tuntaposx.extensions.tgz -C /opt/local

(These came from Tunnelblick v3.4.1.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.