@jpluscplusm
Forked from alext/vpnc-script-aws
Last active July 12, 2018 12:53
vpnc-script wrapper for openconnect that routes all published AWS IPv4 ranges (from ip-ranges.json) over the VPN.
#!/bin/bash
# vpnc-script wrapper for use with openconnect that routes all published AWS IPv4 ranges
# (the `prefixes` list of ip-ranges.json; IPv6 prefixes are not routed) over the VPN.
# Pass any additional IPv4 CIDR ranges to be routed as args to the script.
#
# Requirements: bash, curl and jq.
#
# Example usage:
# openconnect https://vpn.example.com/profile --script '/path/to/vpnc-script-aws'
#
# Example with additional IP added
# openconnect https://vpn.example.com/profile --script '/path/to/vpnc-script-aws 192.0.2.110/32'
# Strict mode for the wrapper's own logic; it is switched off again further
# down, right before the distribution's vpnc-script is sourced.
set -o errexit -o nounset -o pipefail
# Published AWS address ranges, fetched at connect time.
IPRANGES_URL='https://ip-ranges.amazonaws.com/ip-ranges.json'
# Number of CISCO_SPLIT_INC_<n>_* route entries defined so far; add_range
# bumps it once per range and vpnc-script reads it from the environment.
CISCO_SPLIT_INC=0
export CISCO_SPLIT_INC
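#######################################
# Convert an IPv4 prefix length to a dotted-quad netmask.
# Arguments: $1 - prefix length, 0..32
# Outputs:   the netmask (e.g. 24 -> 255.255.255.0) on stdout
# Returns:   0 on success, 1 (with a message on stderr) for anything that is
#            not a plain 0..32 integer
#######################################
masklen_to_mask ()
{
  local bits=$1
  # The prefix length comes from the downloaded JSON (or argv). Bash
  # arithmetic on an unvalidated string can evaluate array subscripts and
  # command substitutions embedded in it, so insist on digits only before
  # the value reaches $(( )).
  if [[ ! "$bits" =~ ^[0-9]{1,2}$ ]] || (( 10#$bits > 32 )); then
    echo "$0: invalid prefix length '${bits}'" >&2
    return 1
  fi
  # Set the top $bits bits of a 32-bit word; 10# keeps a leading zero from
  # being read as octal.
  local mask=$(( 0xffffffff ^ ((1 << (32 - 10#$bits)) - 1) ))
  echo "$(( (mask >> 24) & 0xff )).$(( (mask >> 16) & 0xff )).$(( (mask >> 8) & 0xff )).$(( mask & 0xff ))"
}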
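#######################################
# Register one IPv4 CIDR range as a split-include route for vpnc-script.
# Globals:   CISCO_SPLIT_INC (read and incremented); exports
#            CISCO_SPLIT_INC_<n>_ADDR, _MASKLEN and _MASK for the new entry
# Arguments: $1 - range in a.b.c.d/len form
# Returns:   0 on success, 1 (with a message on stderr, nothing exported) when
#            the range is not a well-formed IPv4 CIDR
#######################################
add_range ()
{
  local range=$1
  local addr=${range%/*}
  local masklen=${range#*/}
  local octet mask
  # Ranges arrive from the downloaded AWS JSON or from argv and end up in the
  # CISCO_SPLIT_INC_* variables that the delegated vpnc-script turns into
  # routes, so refuse anything that is not a dotted quad with a 0..32 prefix
  # length instead of exporting it blindly. Under set -e a non-zero return
  # aborts the caller, i.e. the connect fails closed.
  if [[ "$range" != */* || ! "$addr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ || ! "$masklen" =~ ^[0-9]{1,2}$ ]] \
     || (( 10#$masklen > 32 )); then
    echo "$0: rejecting malformed IPv4 range '${range}'" >&2
    return 1
  fi
  for octet in ${addr//./ }; do
    if (( 10#$octet > 255 )); then
      echo "$0: rejecting malformed IPv4 range '${range}'" >&2
      return 1
    fi
  done
  # Split declaration from assignment so a failed conversion is not masked.
  mask=$(masklen_to_mask "$masklen") || return 1
  export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=${addr}"
  export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=${masklen}"
  export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=${mask}"
  export CISCO_SPLIT_INC=$(( CISCO_SPLIT_INC + 1 ))
}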
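# Only the connect phase needs the route list; the other phases just pass
# through to vpnc-script with an empty split-include set.
if [ "${reason}" = "connect" ]; then
  # Fetch the published AWS IPv4 prefixes into a variable first. Inside a
  # `for` word list a failing command substitution is ignored by set -e, so
  # the original form brought the VPN up with no routes at all when the
  # download or the jq parse failed. --proto/--proto-redir keep curl on HTTPS
  # even if the URL ever redirects; -f turns HTTP errors into a failure.
  aws_prefixes=$(curl -L -s -S -f --proto '=https' --proto-redir '=https' "${IPRANGES_URL}" \
    | jq -r '[.prefixes[].ip_prefix] | unique[]') || {
    echo "$0: failed to download or parse ${IPRANGES_URL}" >&2
    exit 1
  }
  # An empty list is just as wrong as a failed download: refuse to connect
  # with nothing routed rather than silently sending AWS traffic in the clear.
  if [ -z "${aws_prefixes}" ]; then
    echo "$0: ${IPRANGES_URL} yielded no IPv4 prefixes" >&2
    exit 1
  fi
  while IFS= read -r range; do
    add_range "$range"
  done <<< "${aws_prefixes}"
  # Extra ranges given on the command line (see the usage example above).
  for range in "$@"; do
    add_range "$range"
  done
fi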
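# Leave the local resolver configuration alone: these two variables are
# presumably what the delegated vpnc-script uses to rewrite DNS settings, and
# this wrapper only wants routes for the AWS ranges.
unset INTERNAL_IP4_DNS
unset CISCO_DEF_DOMAIN
# Hand over to the distribution's vpnc-script. It is sourced, not executed, so
# it inherits the CISCO_SPLIT_INC_* exports above. Strict mode is switched off
# first — the original does the same, presumably because the stock script is
# not errexit/nounset-clean.
set +eu
script_candidates=(
  /etc/vpnc/vpnc-script
  /usr/share/vpnc-scripts/vpnc-script
  /usr/local/etc/vpnc-script
  /opt/boxen/homebrew/etc/vpnc-script
)
for script in "${script_candidates[@]}"; do
  # Require readability too, so an unreadable candidate is reported below
  # instead of failing inside `.` and then exiting 0.
  if [[ -f "$script" && -r "$script" ]]; then
    . "$script"
    # NOTE: the sourced script's own status is not propagated (it runs with
    # -e off); this matches the original behaviour.
    exit 0
  fi
done
# Diagnostics belong on stderr, not stdout.
echo "$0: Cannot locate vpnc-script" >&2
exit 1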