Check if on VPN before download of Software Update
Downloading software updates while on VPN can be very bandwidth demanding on most corporate infrastructure. We currently have in place a VPN check that we added to Super v2, for consideration as an optional feature in the main code:
checkVPN() {
    # Count ifconfig lines that mention a PPP interface (ppp0)
    local onPPP=$(ifconfig | grep -iv inet6 | grep ppp0 | wc -l | sed 's/ //g')
    # Count utun interface lines carrying the NOARP flag (IPsec tunnels)
    local onIPSEC=$(ifconfig | grep -iv inet6 | grep utun | grep -i noarp | wc -l | sed 's/ //g')
    if [[ ${onPPP} -gt 0 || ${onIPSEC} -gt 0 ]]; then
        echo " >>> Active VPN connection detected! Should not Install or run SUPER while connected to VPN!... Bail, Bail, Bail..."
        exit 1
    fi
}
This is confirmed to work with FortiClient and Cisco AnyConnect in our environment with Super v2.
Good feature request! However, this likely won't be implemented until after v3.0 ships.
I got this working in V3b6, if you're interested:
Hit me up in #super in Slack (Brent David)
Mon Feb 13 15:05:17: Status: Active VPN connection detected!
Depends... is this specific to one VPN vendor or can it be used generically?
Unfortunately this does not work with Palo Alto Global Protect 6.x.
@tranziq - Which VPN software do you use?
The checkVPN() function does not work on Ivanti Secure Access Client. Both variables output "0", but a VPN connection is detected at "greater than" zero for either variable.
There is nothing vendor-related in the code, so it makes me think there is a typo in the code, or the code is not accurate in detecting VPN status.
Here is what I use to check for Global Protect VPN being connected. Maybe it will work for others.
ifconfigResults=$( ifconfig )
# Take the address from the line with a 0xffffffff netmask and no broadcast address
getVPNIP=$( echo "$ifconfigResults" 2> /dev/null | grep -v "broadcast" | grep "0xffffffff" | awk '{print $2}' )
echo "$getVPNIP"
if [ "$getVPNIP" != "" ]; then # Computer has a VPN IP
    # A reply means the computer is connected to VPN; a utunX interface can hold on to an old VPN IP
    pingResults=$( ping -t 3 "$getVPNIP" 2> /dev/null | grep "bytes from $getVPNIP: icmp_seq=" | grep "time=" )
    if [ "$pingResults" != "" ]; then # Ping replied: on VPN
        echo "Computer 'IS' connected to VPN"
        echo "Current VPN IP: $getVPNIP"
        onVPN="Yes"
    else # No ping reply: VPN not connected
        echo "Computer 'IS NOT' connected to VPN"
        echo "Last VPN IP: $getVPNIP"
        onVPN="No"
    fi
else # No IP address found for a utun interface
    echo "No VPN IP Address found"
    onVPN="No"
fi
@smilieK, unfortunately, your code is partially, but not completely, accurate with Ivanti Secure Client. When connected to VPN, your code reports that I am not connected to VPN, though it picks up an IP address.
My output:
10.xx.xx.xx
Computer 'IS NOT' connected to VPN
Last VPN IP: 10.xx.xx.xx
I thought counting "tun" would work, but that is not accurate as not all VPN solutions use "tun" (some use the ipsec interface, for example).
I cheated and asked Apple enterprise support and, according to that engineer, the only way that they found to do this consistently is to detect the IP --> IP string.
ifconfig | grep -c -e '-->'
If VPN exists, then you should receive an output greater than 0.
So, try this code and see if it works in your VPN; it reliably detected the Ivanti Secure Client VPN.
I ran ifconfig | grep -c -e '-->' with Cisco AnyConnect and it returned a value of 1, so it looks like it works for Cisco's VPN.
@sean-alex
I get 1 as a result whether on or off VPN, until reboot; then I get 0 as the result until I connect to VPN. :(
Even after the VPN is disconnected, this is found: utun3: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1400 inet 10.xxx.xxx.xxx --> 10.xxx.xxx.xxx netmask 0xffffffff
That's why I had the ping in my code, to see if the ping replies or not. If it replies, the VPN is connected; if there is no reply or an error, then it is not connected to VPN.
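The two checks discussed in this thread (the vendor-independent "IP --> IP" match and the ping against a possibly stale utun address) can be combined in one parser. This is an added example, not code from any poster or from the super project. The names parse_p2p, probe, vpn_active and PROBE are hypothetical, the sample ifconfig text is constructed, and treating an interface without the UP flag as stale is an assumption drawn from the single utun3 line quoted above.

```shell
#!/bin/bash
# Added example: names (parse_p2p, probe, vpn_active, PROBE) are hypothetical.
# Constructed sample of macOS `ifconfig` output; all addresses are made up.
SAMPLE_IFCONFIG='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::aaaa:bbbb:cccc:dddd%utun0 prefixlen 64 scopeid 0xf
utun3: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 10.0.0.5 --> 10.0.0.5 netmask 0xffffffff
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
    inet 172.16.4.9 --> 172.16.4.1 netmask 0xffffff00'

# Read ifconfig text on stdin; print "iface local peer up|down" for every
# IPv4 point-to-point address (the "IP --> IP" lines), any interface name.
parse_p2p() {
  awk '
    /^[^ \t]/ {                       # header line: "utun3: flags=...<...>"
      iface = $1; sub(/:$/, "", iface)
      state = ($0 ~ /[<,]UP[,>]/) ? "up" : "down"
      next
    }
    $1 == "inet" && $3 == "-->" { print iface, $2, $4, state }
  '
}

# Liveness probe as used in the thread: ping the tunnel's own address.
# macOS ping: -c 1 sends one request, -t 3 is a 3-second timeout.
probe() { ping -c 1 -t 3 "$1" >/dev/null 2>&1; }

# Exit 0 and print "iface addr" for the first UP tunnel that answers the probe.
# Assumption: an interface without the UP flag is a stale leftover.
vpn_active() {
  local rows iface addr peer state
  rows=$(parse_p2p)
  while read -r iface addr peer state; do
    [ "$state" = "up" ] || continue
    "${PROBE:-probe}" "$addr" </dev/null && { echo "$iface $addr"; return 0; }
  done <<EOF
$rows
EOF
  return 1
}

# Offline demo on the constructed sample; on a Mac use: ifconfig | vpn_active
printf '%s\n' "$SAMPLE_IFCONFIG" | parse_p2p
```

For a client whose tunnel address does not answer ping, as reported above for Ivanti, running with PROBE=true makes the decision rest on the UP flag and the "-->" match alone.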