Provided by: ocproxy_1.60-1build3_amd64

NAME

       ocproxy - lwip based proxy for openconnect

SYNOPSIS

       ocproxy [options]

DESCRIPTION

       This manual page documents briefly the ocproxy command.

       ocproxy  is  a  program  that  provides  a  SOCKS  and  port-forwarding proxy when used in
       conjunction with openconnect(1).  When using ocproxy,  OpenConnect  only  handles  network
       activity  that  the user specifically asks to proxy, so the VPN tunnel no longer "hijacks"
       all network traffic on the host.

       ocproxy accomplishes this by running a lwIP network stack in userland, so the OS kernel is
       no longer directly handling packets sent to and from the VPN connection.

BASIC USAGE

       ocproxy  should  be  invoked  directly  from  OpenConnect  or  another VPN program; a file
       descriptor number is passed through the VPNFD environment variable to tell ocproxy how  to
       send and receive VPN traffic.  For example:

               openconnect --script-tun --script "ocproxy -D 11080 -L2222:unix-host:22" vpn.example.com

       Commonly used options include:

       -D, --dynfw [bind_address:]port
              Start up a SOCKS5 server on TCP port port to dynamically forward  application-level
              traffic  over the VPN proxy.  This is intended to resemble the -D option to ssh(1).
              If bind_address is unspecified, ocproxy will bind  to  the  loopback  interface  by
              default unless --allow-remote is used.

       -L, --localfw port:host:hostport
              Bind to local TCP port port, and forward incoming connections to host:hostport
              on the VPN.  host can be a DNS name or  a  dotted-quad  IP  address.   If  the  VPN
              supplied  a  default DNS domain name or --domain was specified on the command line,
              unqualified hostnames may be used.  This is intended to resemble the -L  option  to
              ssh(1).

       -g, --allow-remote
              Local  listening  sockets  opened by the --dynfw and --localfw options, by default,
              will be bound to the loopback interface only (127.0.0.1) so they are only available
              on the local machine.  If --allow-remote is specified, the sockets will be bound to
              INADDR_ANY (0.0.0.0) instead, and  other  hosts  may  connect  to  them.   This  is
              intended to resemble the -g option to ssh(1).

       -k, --keepalive interval
              Send  a TCP keepalive packet every interval seconds on each open connection, on the
              VPN side.  This can help avoid idle timeouts, both on the VPN gateway  and  on  any
              stateful firewalls in between the two ends.
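       The loopback-only default of --dynfw and --localfw, and the --allow-remote override, are
       the security-relevant setting in the options above.  As an added example that is not part
       of ocproxy or its manual, the POSIX shell helper below audits an `ss -ltn` listing to
       confirm that the proxy ports are bound to loopback only; the function names and the
       sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not part of ocproxy): confirm that the listeners
# ocproxy opens for -D/--dynfw and -L/--localfw are bound to the loopback
# interface, i.e. that -g/--allow-remote was not used unintentionally.
# Assumes the listing is `ss -ltn` output (State Recv-Q Send-Q Local:Port ...).

# check_port_bound_to LISTING PORT
#   Prints any non-loopback local address listening on PORT.  Returns
#   0 = loopback only, 1 = listening on a non-loopback address, 2 = no listener.
check_port_bound_to() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            addr = $4                       # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next      # not the port we are auditing
            found = 1
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "[::1]") { bad = 1; print host }
        }
        END { if (!found) exit 2; if (bad) exit 1; exit 0 }'
}

# audit_ocproxy_listeners LISTING PORT...
#   Reports each port; returns 0 only if every port listens on loopback alone.
audit_ocproxy_listeners() {
    listing="$1"; shift
    status=0
    for p in "$@"; do
        if addr=$(check_port_bound_to "$listing" "$p"); then
            echo "port $p: loopback only (ok)"
        elif [ -z "$addr" ]; then
            echo "port $p: no listener found"; status=1
        else
            echo "port $p: EXPOSED on $addr (was -g/--allow-remote intended?)"; status=1
        fi
    done
    return "$status"
}

# Constructed sample: the SOCKS port from the usage example (-D 11080) bound
# to loopback by default, the -L 2222 forward bound to 0.0.0.0 as
# --allow-remote would do, plus an unrelated sshd listener on the IPv6 wildcard.
SAMPLE='LISTEN 0 128 127.0.0.1:11080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Live use on a running host: audit_ocproxy_listeners "$(ss -ltn)" 11080 2222
audit_ocproxy_listeners "$SAMPLE" 11080 2222 || echo "audit failed: a proxy listener is reachable from other hosts"
```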

ADVANCED USAGE

       These options may be useful for debugging ocproxy or diagnosing problems:

       -v, --verbose
              Enable verbose debugging output.

       -T, --tcpdump
              Write  a  log  of  all  TCP or UDP packets traversing the VPN to /tmp/tcpdump.  The
              format largely mirrors the output of the tcpdump(8) utility.

       ocproxy will normally retrieve IP configuration parameters through  environment  variables
       provided  by  OpenConnect.   These  options  may  be  used  to  override  the autodetected
       parameters:

       -I, --ip local_ip
              Use local_ip for the VPN side IP address.  Example: 192.168.5.20.  This is normally
              set through the INTERNAL_IP4_ADDRESS environment variable.

       -M, --mtu mtu_bytes
              Use  mtu_bytes  as  the  maximum  transmit  unit on the VPN interface; it generally
              depends on DTLS and UDP packet overhead.  Example:  1300.   This  is  normally  set
              through the INTERNAL_IP4_MTU environment variable.

       -d, --dns dns_ip
              Send  all  VPN  side  DNS queries to server dns_ip.  Example: 192.168.5.2.  This is
              normally set through the INTERNAL_IP4_DNS environment variable.

       -o, --domain domain
              Use domain as the default DNS domain, for unqualified hostnames.  This is  normally
              set through the CISCO_DEF_DOMAIN environment variable.

SEE ALSO

       vpnns(1), openconnect(8), ssh(1)

       http://savannah.nongnu.org/projects/lwip/

                                        November 20, 2012                              OCPROXY(1)