Score:0

Unable to route all traffic through openconnect vpn


Feel free to give me a course correction. I'm out of my depth here.

I'm using openconnect to connect to a vpn. This creates a device tun0, which I can see when I run ip address. I've successfully added entries to my routing table with ip route add $IP_ADDR dev tun0 and been able to access servers on my vpn.

I want to try using this vpn connection as my default route, and I've seen other posts, such as the following two, which instruct me to perform a command like this: ip route add default via 192.168.30.1 dev mydevice

Well, I've tried something similar, but I omit the via $IP_ADDR because I can't find an ip address for this device:

dhclient tun0 # => outputs nothing
ip route del default
ip route add default dev tun0

...and when I do so, it appears that I can't connect to any servers at all. If I add a route that uses tun0 to my routing table without making it the default route, though, I can reach servers on the vpn for as many routing rules as I've created.

Edit: here's the output of ip route show (before trying to change the default): https://pastebin.com/0X9rqgne

What are the details for the VPN server? Is it set up by someone else? Have you set it up? How does the VPN server provision IP addresses?
JellicleCat avatar
@TeroKilkanen the VPN server is set up by IT at my employer, and they're an impenetrable group. I connect to it with `openconnect --protocol=anyconnect --user=$ME $VPN_DOMAIN`.
Score:1

You need to do three steps:

Add a route to the VPN server via your physical gateway so that VPN tunnel packets can reach the VPN server

ip route add <VPN server IP address> via 192.168.68.1

Delete existing default route

ip route delete default via 192.168.68.1

Add default route via the tunnel

ip route add default dev tun0

However, if the VPN server doesn't forward packets to the internet, then adding this configuration doesn't help. In that case, you need to convince the VPN server operators to forward traffic to the internet.

There are legitimate reasons why the VPN server wouldn't forward traffic to the internet.
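The three steps above, written out as an added example that is not part of this answer: a POSIX sh script that reads the current default gateway out of `ip route show` output, prints the three `ip route` commands in the right order, and refuses to produce a plan when no gateway-backed default route exists (deleting the default in that state would also cut the tunnel's own path to the VPN server). The routing table and the VPN server address 203.0.113.10 are constructed for the example; the gateway 192.168.68.1 and interface wlp0s20f3 are the ones that appear in this thread.

```shell
#!/bin/sh
# Added example (not from the original answers): turn the three-step recipe
# into a plan that is printed, reviewed, and only then executed.
# The routing table below and the VPN server address 203.0.113.10 are
# constructed; the gateway and interface names match the thread.

# Constructed `ip route show` output standing in for the real table.
SAMPLE_ROUTES='default via 192.168.68.1 dev wlp0s20f3 proto dhcp metric 600
192.168.68.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.68.57 metric 600
10.8.0.0/16 dev tun0 scope link'

# default_gateway ROUTES: print "<gateway> <interface>" of the first default
# route in ROUTES that has both a gateway and a device, or nothing.
default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            gw = ""; dev = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (gw != "" && dev != "") { print gw, dev; exit }
        }'
}

# full_tunnel_plan VPN_SERVER_IP ROUTES TUN_DEV: print the `ip route` commands
# in the order the answer gives. Returns 1 and prints no plan when there is
# no default route with a gateway: step 1 would have nothing to pin the VPN
# server to, and steps 2 and 3 would then strand the tunnel itself.
full_tunnel_plan() {
    vpn_ip=$1; tun=$3
    gw_dev=$(default_gateway "$2")
    [ -n "$gw_dev" ] || { echo "no default route with a gateway found" >&2; return 1; }
    gw=${gw_dev%% *}
    dev=${gw_dev##* }
    # 1. Keep the encrypted tunnel traffic itself on the physical path.
    printf 'ip route add %s/32 via %s dev %s\n' "$vpn_ip" "$gw" "$dev"
    # 2. Remove the old default route (exact match, nothing else is touched).
    printf 'ip route del default via %s dev %s\n' "$gw" "$dev"
    # 3. Send everything else into the tunnel.
    printf 'ip route add default dev %s\n' "$tun"
}

# Print the plan for the constructed table. On a real host, after reading
# the printed commands: full_tunnel_plan "$VPN_IP" "$(ip route show)" tun0 | sudo sh
full_tunnel_plan 203.0.113.10 "$SAMPLE_ROUTES" tun0
```

Printing the plan first makes the order visible before anything is changed: the host route for the VPN server has to exist before the default route is removed, otherwise the tunnel loses its transport and the new default route leads nowhere.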

Score:0

My university's VPN (Cisco) forces split tunneling. I was able to force all my traffic to be tunneled through the VPN. This answer is written for Mac, but might apply to all unix systems.

  1. First I had to install the vpnc-script, as described here. You can get a current version of the script from here. Save it somewhere on your drive, I saved it to /opt/local/etc/vpnc/vpnc-script.

  2. As it turns out, the newest versions of the script have an issue that prevents them from working on new versions of macOS (Monterey), as described here. The solution was replacing the newest version with an older one, specifically with this.

  3. As described in this superuser post, insert the following line in the downloaded vpnc-script to unset the CISCO_SPLIT_INC variable.

# ...
# =========== script (variable) setup ====================================

# Insert this line:
CISCO_SPLIT_INC=

  4. Connect to the VPN via openconnect and specify that the script should be run:
    sudo openconnect --script="/opt/local/etc/vpnc/vpnc-script" --protocol=anyconnect -u <username> https://<university-domain>
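To show why emptying CISCO_SPLIT_INC forces a full tunnel, here is an added example (not part of this answer and not vpnc-script itself) that models the decision the script makes: when the server hands the client CISCO_SPLIT_INC=<count> together with CISCO_SPLIT_INC_<n>_ADDR and CISCO_SPLIT_INC_<n>_MASKLEN for each included subnet, only those subnets are routed into the tunnel; with the variable empty, the default route goes into the tunnel instead. That these are the variable names vpnc-script reads is an assumption made here; the two subnets used as input are constructed.

```shell
#!/bin/sh
# Added example (not part of the answer or of vpnc-script): a reduced model
# of the split-include decision driven by the CISCO_SPLIT_INC variables.
# Assumption: the server supplies CISCO_SPLIT_INC=<count> plus
# CISCO_SPLIT_INC_<n>_ADDR / _MASKLEN per included subnet. The subnets
# below are constructed sample values.

# split_routes TUN_DEV: print the `ip route` commands the model would run.
# With CISCO_SPLIT_INC set to a positive count, only the listed subnets go
# into the tunnel; with it empty (what the answer forces), everything does.
split_routes() {
    tun=$1
    if [ -n "${CISCO_SPLIT_INC:-}" ] && [ "$CISCO_SPLIT_INC" -gt 0 ] 2>/dev/null; then
        i=0
        while [ "$i" -lt "$CISCO_SPLIT_INC" ]; do
            # Look up the n-th subnet from the numbered variables.
            eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR}"
            eval "len=\${CISCO_SPLIT_INC_${i}_MASKLEN}"
            printf 'ip route add %s/%s dev %s\n' "$addr" "$len" "$tun"
            i=$((i + 1))
        done
    else
        printf 'ip route add default dev %s\n' "$tun"
    fi
}

# Constructed server-provided split-tunnel list: two subnets.
CISCO_SPLIT_INC=2
CISCO_SPLIT_INC_0_ADDR=10.8.0.0;   CISCO_SPLIT_INC_0_MASKLEN=16
CISCO_SPLIT_INC_1_ADDR=172.16.5.0; CISCO_SPLIT_INC_1_MASKLEN=24

# plan_split: what the server's settings produce (split tunnel).
plan_split() { split_routes tun0; }
# plan_full: the same environment with CISCO_SPLIT_INC emptied, as the
# inserted line in the answer does (full tunnel). Run in a subshell so the
# server-provided value is not changed for the rest of the script.
plan_full() { (CISCO_SPLIT_INC=; split_routes tun0); }

echo "split tunnel:"; plan_split
echo "full tunnel:";  plan_full
```

The point of the side-by-side output is that the inserted `CISCO_SPLIT_INC=` line does not add a route itself; it only makes the script fall through to the branch that installs the default route, so the VPN server's split-include list is ignored on the client.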
Score:0
route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0

Should do the trick.

JellicleCat avatar
Thanks. But I'm getting no internet after running that command. Is there more to it?
another victim of the mouse avatar
can you add the output of `ip route` to the original post?
JellicleCat avatar
Added (link to pastebin)
another victim of the mouse avatar
did you manually add all those routes?
JellicleCat avatar
Yes, I manually added all of those `tun0` routes (but not the other routes).
another victim of the mouse avatar
`ip route del default via 192.168.68.1 dev wlp0s20f3 proto dhcp metric 600` then `route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0`
djdomi avatar
please don't paste such information on nopaste nor as a comment. You can and have to edit the question to add them
JellicleCat avatar
This is still a no-go. After failing with that command, I even flushed my entire routing table (`ip r flush table 0`) and added only the rule you specified, but I still can't reach any servers.