Provided by: ocproxy_1.60-1build2_amd64

NAME

       ocproxy - lwip based proxy for openconnect

SYNOPSIS

       ocproxy [options]

DESCRIPTION

       This manual page briefly documents the ocproxy command.

       ocproxy is a program that provides a SOCKS and port-forwarding proxy when used in conjunction with
       openconnect(8).  When using ocproxy, OpenConnect only handles network activity that the user specifically
       asks to proxy, so the VPN tunnel no longer "hijacks" all network traffic on the host.

       ocproxy accomplishes this by running an lwIP network stack in userland, so the OS kernel is no longer
       directly handling packets sent to and from the VPN connection.

BASIC USAGE

       ocproxy should be invoked directly from OpenConnect or another VPN program; a file descriptor  number  is
       passed  through  the VPNFD environment variable to tell ocproxy how to send and receive VPN traffic.  For
       example:

              openconnect --script-tun --script "ocproxy -D 11080 -L2222:unix-host:22" vpn.example.com

       Commonly used options include:

       -D, --dynfw [bind_address:]port
              Start up a SOCKS5 server on TCP port port to dynamically forward  application-level  traffic  over
              the  VPN  proxy.   This  is  intended  to  resemble  the  -D option to ssh(1).  If bind_address is
              unspecified, ocproxy will bind to the loopback interface by default unless --allow-remote is used.

       -L, --localfw port:host:hostport
              Bind to local TCP port port, and forward incoming connections to host:hostport on the VPN.
              host can be a DNS name or a dotted-quad IP address.  If the VPN supplied a default DNS domain name
              or --domain was specified on the command  line,  unqualified  hostnames  may  be  used.   This  is
              intended to resemble the -L option to ssh(1).

       -g, --allow-remote
              Local  listening sockets opened by the --dynfw and --localfw options, by default, will be bound to
              the loopback interface only (127.0.0.1) so they are only  available  on  the  local  machine.   If
              --allow-remote  is specified, the sockets will be bound to INADDR_ANY (0.0.0.0) instead, and other
              hosts may connect to them.  This is intended to resemble the -g option to ssh(1).

       -k, --keepalive interval
              Send a TCP keepalive packet every interval seconds on each open connection, on the VPN side.  This
              can help avoid idle timeouts, both on the VPN gateway and on any stateful firewalls in between the
              two ends.
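
       Added example (not part of ocproxy or of this manual page): a shell check that reads socket listings
       in the format printed by ss -Hltnp and reports ocproxy listeners bound to anything other than loopback,
       which is what --allow-remote or a non-loopback bind_address produces.  The sample socket lines, PIDs
       and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ocproxy listening sockets that other hosts can reach.
# Input format: one socket per line, as printed by `ss -Hltnp` (Linux iproute2).

# Constructed sample: "-D 11080" left on loopback, "-L 2222:..." started with
# --allow-remote (bound to 0.0.0.0), plus an unrelated sshd listener.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:11080 0.0.0.0:* users:(("ocproxy",pid=4242,fd=6))
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("ocproxy",pid=4242,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

# Print "local_address:port pid" for every ocproxy listener not on loopback.
ocproxy_exposed() {
    awk '
    $1 == "LISTEN" && /\(\("ocproxy",/ {
        local_ep = $4                       # 4th column is Local Address:Port
        addr = local_ep
        sub(/:[0-9]+$/, "", addr)           # strip the trailing :port
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: local only
        pid = "?"
        if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
        print local_ep, pid
    }'
}

# Return 1 (and explain on stderr) if any exposed listener is present.
ocproxy_audit() {
    found=$(ocproxy_exposed)
    if [ -n "$found" ]; then
        printf 'ocproxy listener reachable from other hosts:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample; prints "0.0.0.0:2222 4242".
printf '%s\n' "$SAMPLE_SS" | ocproxy_exposed

# Live use (needs privileges to see other users' process names):
#   ss -Hltnp | ocproxy_audit
```

       Because the SOCKS5 and forwarded ports give any client that can reach them a path into the VPN, a
       non-empty result means hosts on the local network can use the tunnel.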

ADVANCED USAGE

       These options may be useful for debugging ocproxy or diagnosing problems:

       -v, --verbose
              Enable verbose debugging output.

       -T, --tcpdump
              Write a log of all TCP or UDP packets traversing the VPN  to  /tmp/tcpdump.   The  format  largely
              mirrors the output of the tcpdump(8) utility.

       ocproxy  will  normally  retrieve  IP  configuration parameters through environment variables provided by
       OpenConnect.  These options may be used to override the autodetected parameters:

       -I, --ip local_ip
              Use local_ip for the VPN side IP address.  Example: 192.168.5.20.  This is  normally  set  through
              the INTERNAL_IP4_ADDRESS environment variable.

       -M, --mtu mtu_bytes
              Use mtu_bytes as the maximum transmission unit on the VPN interface; it generally depends on DTLS
              and UDP packet overhead.  Example: 1300.  This is normally set through the INTERNAL_IP4_MTU
              environment variable.

       -d, --dns dns_ip
              Send  all  VPN  side  DNS  queries  to server dns_ip.  Example: 192.168.5.2.  This is normally set
              through the INTERNAL_IP4_DNS environment variable.

       -o, --domain domain
              Use domain as the default DNS domain, for unqualified hostnames.  This is normally set through the
              CISCO_DEF_DOMAIN environment variable.

SEE ALSO

       vpnns(1), openconnect(8), ssh(1)

       http://savannah.nongnu.org/projects/lwip/

                                                November 20, 2012                                     OCPROXY(1)