For a customer deployment we needed to be able to make various computers auto-connect to a Cisco VPN concentrator. Googling around, I found a lot of people asking how to connect vpnc on-demand, but no answers. I built a solution using OpenWRT, so we can put any type of client machine on the LAN side and build a VPN tunnel as needed. The solution was built on Kamikaze (we haven't qualified Backfire yet).
To build VPN tunnels on demand, you first need to install and configure vpnc. Then you set up dnsmasq to forward DNS queries for the VPN domain to the nameservers that sit behind the VPN, in the config dnsmasq section of /etc/config/dhcp, for example:
# EXAMPLE.ORG private servers
list server '/example.org/aaa.bbb.ccc.ddd'
list server '/example.org/aaa.bbb.ccc.eee'
Next, you need to catch packets headed for the VPN network while the tunnel is down, using iptables and ulogd: the ULOG target hands a copy of each matching packet to ulogd, which logs it where a userspace script can watch for it. Install and start ulogd. The iptables rules look something like this (adjust the interface and network to your configuration):
iptables -N vpn_trigger
# log packets leaving the WAN interface (eth0.1 here) for the VPN network; ULOG is
# non-terminating, so the packet itself carries on along its normal path
iptables -A vpn_trigger -o eth0.1 -d 10.0.0.0/8 -j ULOG
# position 4 depends on the rules the OpenWRT firewall has already installed;
# check with "iptables -L OUTPUT --line-numbers" before picking the slot
iptables -I OUTPUT 4 -j vpn_trigger
iptables -I FORWARD 4 -j vpn_trigger
Because the rule matches only on the WAN interface, it stops firing once vpnc is up and traffic for 10.0.0.0/8 is routed through the tunnel interface instead, so the trigger only sees packets while the tunnel is down. ULOG does not stop the packet: until vpnc has installed its routes, those first packets still leave via the WAN interface in the clear, so add a -j REJECT after the ULOG rule if that matters in your deployment.

I wrote a fairly long shell script that monitors ulogd, starts vpnc, and cleans up after vpnc shuts down. A /sbin/resolvconf script helps with the vpnc cleanup. Finally, I wrote an init.d script to start up the whole thing. The scripts are fairly long, so I've posted them on my blog here and here.
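As an added example (written for this page, not the author's posted script), here is a minimal version of that monitor in BusyBox-compatible shell. It assumes that ulogd is configured with the SYSLOGEMU output plugin writing to /var/log/ulogd.syslogemu, that the ULOG rule above is given --ulog-prefix "VPN_TRIGGER" so the monitor only reacts to its own records, that the vpnc profile lives in /etc/vpnc/default.conf with the default pidfile /var/run/vpnc/pid, and that vpnc is run with --no-detach so the script can notice when it exits. All of those paths and names are assumptions, and the log lines in selftest are constructed, not captured.

```shell
#!/bin/sh
# vpn-trigger.sh: start vpnc on demand from ulogd output. Added example, not the
# original author's script. Assumptions: ulogd writes SYSLOGEMU-style records to
# $ULOG_FILE, the ULOG rule carries --ulog-prefix "$TRIGGER_PREFIX", and vpnc reads
# $VPNC_CONF and writes its pidfile to /var/run/vpnc/pid. Usage: vpn-trigger.sh run
ULOG_FILE="${ULOG_FILE:-/var/log/ulogd.syslogemu}"
TRIGGER_PREFIX="${TRIGGER_PREFIX:-VPN_TRIGGER}"
VPNC_CONF="${VPNC_CONF:-/etc/vpnc/default.conf}"
VPN_NET_RE='DST=10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}( |$)'  # 10.0.0.0/8, as in the iptables rule
VPNC_JOB=""   # pid of the subshell supervising vpnc; empty while no tunnel exists

# is_trigger_line LINE: exit 0 when LINE is one of our ULOG records for a 10/8 destination
is_trigger_line() {
    case "$1" in
        *"$TRIGGER_PREFIX"*) printf '%s\n' "$1" | grep -Eq "$VPN_NET_RE" ;;
        *) return 1 ;;
    esac
}

# vpnc_running: exit 0 while the supervising subshell (and therefore vpnc) is alive
vpnc_running() {
    [ -n "$VPNC_JOB" ] && kill -0 "$VPNC_JOB" 2>/dev/null
}

# cleanup: runs once vpnc has exited. vpnc-script already restores routes and
# resolv.conf, so only log the event and drop the (assumed default) stale pidfile.
cleanup() {
    logger -t vpn-trigger "vpnc exited, tunnel is down"
    rm -f /var/run/vpnc/pid
}

# start_vpnc DST: run vpnc in the foreground inside a background subshell so the
# script notices when it exits and can clean up after it
start_vpnc() {
    logger -t vpn-trigger "VPN traffic seen ($1), starting vpnc"
    ( vpnc --no-detach "$VPNC_CONF"; cleanup ) &
    VPNC_JOB=$!
}

# monitor: follow ulogd output and bring the tunnel up on the first matching packet
monitor() {
    tail -f "$ULOG_FILE" | while read -r line; do
        if is_trigger_line "$line" && ! vpnc_running; then
            start_vpnc "$(expr "$line" : '.*\(DST=[0-9.]*\)')"
        fi
    done
}

# selftest: constructed ulogd lines (not real captures). Exit 0 when the classifier
# accepts the VPN-bound record and rejects a public destination and a foreign prefix.
selftest() {
    vpn='Oct  4 10:15:01 router VPN_TRIGGER IN= OUT=eth0.1 SRC=192.168.1.20 DST=10.4.5.6 LEN=60 PROTO=TCP DPT=22'
    public='Oct  4 10:15:02 router VPN_TRIGGER IN= OUT=eth0.1 SRC=192.168.1.20 DST=100.64.1.1 LEN=60 PROTO=TCP DPT=443'
    foreign='Oct  4 10:15:03 router OTHER_RULE IN= OUT=eth0.1 SRC=192.168.1.20 DST=10.4.5.6 LEN=60 PROTO=UDP'
    is_trigger_line "$vpn" && ! is_trigger_line "$public" && ! is_trigger_line "$foreign"
}

case "$1" in
    run) monitor ;;
    selftest) selftest && echo ok ;;
esac
```

Start it from the init.d script as vpn-trigger.sh run; vpn-trigger.sh selftest exercises the line classifier on the constructed records. Running vpnc in the foreground inside a background subshell is what makes the cleanup step reliable: the subshell only reaches cleanup after vpnc has exited, whether it was killed, timed out or lost the concentrator, and the still-running subshell pid is also what stops a second trigger from starting a second vpnc while the first is still negotiating.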
This is a fairly involved hack; it helps a lot if you have some experience with VPN clients and iptables. I've deployed a couple of these setups (we're using ASUS WL520gUs), and it works pretty well.