Check if on VPN before download of Software Update #40

tranziq opened this issue Oct 31, 2022 · 9 comments
@tranziq

tranziq commented Oct 31, 2022

Downloading software updates while on VPN can be very bandwidth demanding on most corporate infrastructure. We currently have in place a VPN check that we added to Super v2, for consideration to be placed as optional in the main code:

```bash
checkVPN() {
    # Count ppp0 and utun (NOARP) interface lines reported by ifconfig, ignoring inet6 lines
    local onPPP=$(ifconfig | grep -iv inet6 | grep ppp0 | wc -l | sed 's/ //g')
    local onIPSEC=$(ifconfig | grep -iv inet6 | grep utun | grep -i noarp | wc -l | sed 's/ //g')
    if [[ ${onPPP} -gt 0 || ${onIPSEC} -gt 0 ]]; then
        echo " >>> Active VPN connection detected! Should not Install or run SUPER while connected to VPN!... Bail, Bail, Bail..."
        exit 1
    fi
}
```

This is confirmed to work with FortiClient and Cisco AnyConnect in our environment with Super v2.

@Macjutsu Macjutsu added the enhancement New feature or request label Oct 31, 2022
@Macjutsu
Owner

Good feature request! However, this likely won't be implemented until after v3.0 ships.

@Macjutsu Macjutsu added this to the v4.0 milestone Oct 31, 2022
@tranziq
Author

tranziq commented Feb 14, 2023

I got this working in V3b6 if you're interested:
Hit me up in #super in slack (Brent David)

Mon Feb 13 15:05:17: Status: Active VPN connection detected!

@Macjutsu
Owner

Depends... is this specific to one VPN vendor or can it be used generically?

@scoobydooxp

Unfortunately this does not work with Palo Alto Global Protect 6.x.

@tranziq - Which VPN software do you use?

@sean-alex

The `checkVPN()` function does not work on Ivanti Secure Access Client. Both variables output "0", but a VPN connection is detected at "greater than" zero for either variable.

There is nothing vendor-related in the code, so it makes me think there is a typo in the code, or the code is not accurate in detecting VPN status.

@smilieK

smilieK commented Jul 14, 2023

Here is what I use to check for Global Protect VPN being connected. Maybe it will work for others.

```bash
ifconfigResults=$( ifconfig )
# Local address of any interface line with a 0xffffffff netmask and no broadcast address
getVPNIP=$( echo "$ifconfigResults" 2> /dev/null | grep -v "broadcast" | grep "0xffffffff" | awk '{print $2}' )
echo "$getVPNIP"
if [ "$getVPNIP" != "" ]; then # If computer has an IP
	# If there are results, the computer is connected to VPN; the computer can hold onto an old VPN IP in a utunX interface
	pingResults=$( ping -t 3 "$getVPNIP" 2> /dev/null | grep "bytes from $getVPNIP: icmp_seq=" | grep "time=" )
	if [ "$pingResults" != "" ]; then # Results not blank: on VPN; blank: not on VPN
		echo "Computer 'IS' connected to VPN"
		echo "Current VPN IP: $getVPNIP"
		onVPN="Yes"
	else # VPN NOT connected
		echo "Computer 'IS NOT' connected to VPN"
		echo "Last VPN IP: $getVPNIP"
		onVPN="No"
	fi
else # No IP address found for a utun interface
	echo "No VPN IP Address found"
	onVPN="No"
fi
```

@sean-alex

@smilieK, unfortunately, your code is partially, but not completely, accurate with Ivanti Secure Client.
When connected to VPN, your code reports that I am not connected to VPN, though it picks up an IP address.

My output:

```
10.xx.xx.xx
Computer 'IS NOT' connected to VPN
Last VPN IP: 10.xx.xx.xx
```

I thought counting "tun" would work, but that is not accurate as not all VPN solutions use "tun" (some use the ipsec interface, for example).

I cheated and asked Apple enterprise support and, according to that engineer, the only way that they found to do this consistently is to detect the IP --> IP string.

```bash
ifconfig | grep -c -e '-->'
```

If VPN exists, then you should receive an output greater than 0.

So, try this code and see if it works in your VPN; it reliably detected the Ivanti Secure Client VPN.

@iDrewbs

iDrewbs commented Jul 18, 2023

I ran `ifconfig | grep -c -e '-->'` with Cisco AnyConnect and it returned a value of 1, so it looks like it works for Cisco's VPN.

@smilieK

smilieK commented Jul 24, 2023

@sean-alex

I get 1 as a result whether on or off VPN, until reboot; then I get 0 as the result until I connect to VPN. :(

Even after the VPN is disconnected, this is found:

```
utun3: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1400
	inet 10.xxx.xxx.xxx --> 10.xxx.xxx.xxx netmask 0xffffffff
```

That's why I had the ping in my code, to see if the ping replies or not. If it replies, the VPN is connected; if there is no reply or an error, then it is not connected to VPN.

@Macjutsu Macjutsu modified the milestones: v4.0.0, v4.1.0 Oct 23, 2023
@Macjutsu Macjutsu modified the milestones: v5.0.0, v5.x.x Jul 26, 2024
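
The two checks discussed in this thread can be combined: find every `inet A --> B` point-to-point address, then confirm the tunnel is live with a ping so a leftover `utun` entry is not counted. The script below is an added example, not code from any commenter or from the super project; the function names, the pluggable probe argument and the sample `ifconfig` text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Print "iface local_ip peer_ip" for each IPv4 point-to-point address
# (the 'inet A --> B' form) found in ifconfig text read from stdin.
p2p_addrs() {
    awk '
        /^[a-zA-Z]/ { iface = $1; sub(/:$/, "", iface) }  # interface header
        $1 == "inet" && $3 == "-->" { print iface, $2, $4 }
    '
}

# Default liveness probe: one echo request, 3 s timeout (macOS ping flags).
probe_ping() { ping -c 1 -t 3 "$1" >/dev/null 2>&1; }

# Read ifconfig text on stdin. Print the first tunnel whose local address
# passes the probe and return 0; return 1 if only stale tunnels (or none)
# exist. $1 optionally names a replacement probe function (offline testing).
vpn_active() {
    probe="${1:-probe_ping}"
    p2p_addrs | (
        while read -r iface ip peer; do
            if "$probe" "$ip" </dev/null; then
                echo "$iface $ip"
                exit 0   # leaves only this subshell
            fi
        done
        exit 1
    )
}

# Constructed macOS-style ifconfig output: utun2 is a leftover tunnel,
# utun3 is the live one, utun0 carries only a link-local IPv6 address.
sample_ifconfig() {
    cat <<'EOF'
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::1%utun0 prefixlen 64 scopeid 0xf
utun2: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 10.9.0.7 --> 10.9.0.7 netmask 0xffffffff
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 10.8.0.5 --> 10.8.0.5 netmask 0xffffffff
EOF
}

# Constructed probe for the sample: only the live tunnel address answers.
probe_sample() { [ "$1" = "10.8.0.5" ]; }

sample_ifconfig | vpn_active probe_sample   # prints: utun3 10.8.0.5
```

On a Mac, `ifconfig | vpn_active` runs the same check against the real interfaces with the default ping probe.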