xenial (1) ocproxy.1.gz

Provided by: ocproxy_1.50-1_amd64

NAME

       ocproxy - lwip based proxy for openconnect

SYNOPSIS

       ocproxy [options]

DESCRIPTION

       This manual page documents briefly the ocproxy command.

       ocproxy  is  a  program  that  provides  a  SOCKS and port-forwarding proxy when used in conjunction with
       openconnect(1).  When using ocproxy, OpenConnect only handles network activity that the user specifically
       asks to proxy, so the VPN tunnel no longer "hijacks" all network traffic on the host.

       ocproxy  accomplishes  this  by  running  a lwIP network stack in userland, so the OS kernel is no longer
       directly handling packets sent to and from the VPN connection.

BASIC USAGE

       ocproxy should be invoked directly from OpenConnect or another VPN program; a file descriptor  number  is
       passed  through  the VPNFD environment variable to tell ocproxy how to send and receive VPN traffic.  For
       example:

              openconnect --script-tun --script "ocproxy -D 11080 -L2222:unix-host:22" vpn.example.com

       Commonly used options include:

       -D, --dynfw port
              Start up a SOCKS5 server on TCP port port to dynamically forward  application-level  traffic  over
              the VPN proxy.  This is intended to resemble the -D option to ssh(1).

       -L, --localfw port:host:hostport
              Bind to local TCP port port, and forward incoming connections to host:hostport on the VPN.
              host can be a DNS name or a dotted-quad IP address.  If the VPN supplied a default DNS domain name
              or --domain was specified on the command line, unqualified hostnames may be used.  This is
              intended to resemble the -L option to ssh(1).

       -g, --allow-remote
              Local listening sockets opened by the --dynfw and --localfw options, by default, will be bound  to
              the  loopback  interface  only  (127.0.0.1)  so  they are only available on the local machine.  If
              --allow-remote is specified, the sockets will be bound to INADDR_ANY (0.0.0.0) instead, and  other
              hosts may connect to them.  This is intended to resemble the -g option to ssh(1).

       -k, --keepalive interval
              Send a TCP keepalive packet every interval seconds on each open connection, on the VPN side.  This
              can help avoid idle timeouts, both on the VPN gateway and on any stateful firewalls in between the
              two ends.
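       The following script is an added example and is not part of ocproxy or OpenConnect.  It parses the
       -D/--dynfw and -L/--localfw arguments of an ocproxy command line such as the one above, then checks
       ss -ltn output to confirm that each listener ocproxy opened is bound to loopback, as the page says it
       is unless -g/--allow-remote was given.  The ss output below is constructed for illustration.

```python
"""Audit an ocproxy command line against the host's listening sockets (hypothetical helper)."""
import re
import shlex

# Constructed `ss -ltn` sample; real output comes from
# subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout.
# Port 2222 is deliberately shown on 0.0.0.0 so the check has something to flag.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:11080      0.0.0.0:*
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")
LOOPBACK = ("127.0.0.1", "[::1]")


def parse_ocproxy(cmdline):
    """Return (ports, allow_remote); ports maps local port -> 'socks5' or 'host:hostport'."""
    argv = shlex.split(cmdline)[1:]          # drop argv[0] ("ocproxy")
    ports, allow_remote = {}, False
    while argv:
        arg = argv.pop(0)
        if arg in ("-g", "--allow-remote"):
            allow_remote = True
            continue
        for short, long_ in (("-D", "--dynfw"), ("-L", "--localfw")):
            if arg in (short, long_):        # "-D 11080" / "--localfw 2222:host:22"
                value = argv.pop(0)
            elif arg.startswith(short) and arg != short:   # "-L2222:unix-host:22"
                value = arg[len(short):]
            elif arg.startswith(long_ + "="):               # "--dynfw=11080"
                value = arg.split("=", 1)[1]
            else:
                continue
            if short == "-D":
                ports[int(value)] = "socks5"
            else:
                port, target = value.split(":", 1)
                ports[int(port)] = target
            break
    return ports, allow_remote


def exposed_listeners(ss_output, ports):
    """Return [(port, bind_addr, target)] for ocproxy ports not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) in ports and m.group(1) not in LOOPBACK:
            found.append((int(m.group(2)), m.group(1), ports[int(m.group(2))]))
    return found
```

       Run the audit after OpenConnect has started ocproxy; any port reported without -g on the command
       line means the listener is reachable from other hosts when the page says it should not be.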

ADVANCED USAGE

       These options may be useful for debugging ocproxy or diagnosing problems:

       -v, --verbose
              Enable verbose debugging output.

       -T, --tcpdump
              Write  a  log  of  all  TCP or UDP packets traversing the VPN to /tmp/tcpdump.  The format largely
              mirrors the output of the tcpdump(8) utility.

       ocproxy will normally retrieve IP configuration parameters  through  environment  variables  provided  by
       OpenConnect.  These options may be used to override the autodetected parameters:

       -I, --ip local_ip
              Use  local_ip  for  the VPN side IP address.  Example: 192.168.5.20.  This is normally set through
              the INTERNAL_IP4_ADDRESS environment variable.

       -M, --mtu mtu_bytes
              Use mtu_bytes as the maximum transmit unit on the VPN interface; it generally depends on DTLS  and
              UDP  packet  overhead.   Example:  1300.   This  is  normally  set  through  the  INTERNAL_IP4_MTU
              environment variable.

       -d, --dns dns_ip
              Send all VPN side DNS queries to server dns_ip.   Example:  192.168.5.2.   This  is  normally  set
              through the INTERNAL_IP4_DNS environment variable.

       -o, --domain domain
              Use domain as the default DNS domain, for unqualified hostnames.  This is normally set through the
              CISCO_DEF_DOMAIN environment variable.

SEE ALSO

       openconnect(1), ssh(1)

       http://savannah.nongnu.org/projects/lwip/

                                                November 20, 2012                                     OCPROXY(1)