Score:0

Disable VPN for certain local devices, such as an embedded Linux board I need to ssh into (Allow local (LAN) access when using VPN)


I have the Cisco AnyConnect VPN on my Ubuntu 18.04 machine. I also have an embedded Linux board plugged in that I need to connect to over ssh.

Whenever I connect to my VPN, however, I can no longer talk to my local board (ping 10.1.2.3 fails with the VPN connected, as does ssh root@10.1.2.3). How can I disable the VPN for this board only, so that the interface talking to this local board does not go through the VPN?

Example info:

  1. My main Ubuntu machine:
    1. Interface name for the interface connecting to this local Linux board (as shown by ifconfig): enxf8e43b9df776
    2. Static IP to the local Linux board: 10.1.2.1
    3. Netmask: 255.255.255.0
  2. Local embedded Linux board which I need to ssh into:
    1. Static IP address: 10.1.2.3
    2. Netmask: 255.255.255.0

This doesn't work for me: Is it possible to stop using VPN on some application?

I need to be able to use the VPN to connect to some remote networks while simultaneously using my local embedded Linux board.

Possibly useful:

  1. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html
    1. grep -rn 'LocalLanAccess' /opt/cisco
    2. grep -rn '<AnyConnectProfile' /opt/cisco
  2. I need to try this out; this is quite the hack (building a custom function, C++ name-mangling and all, and preloading it at library load time to override the internal function by that name): Super User: How to allow local LAN access while connected to Cisco VPN?
  3. OpenConnect - an alternative to try, which is apparently compatible with Cisco AnyConnect
    1. https://gitlab.com/openconnect/openconnect
    2. http://www.infradead.org/openconnect/

Here are some things I did which did not prove to solve the problem or be useful (at least not yet, anyway):

grep -rn 'LocalLanAccess' /opt/cisco

$ grep -rn 'LocalLanAccess' /opt/cisco
/opt/cisco/anyconnect/.anyconnect_global:15:<LocalLanAccess>false</LocalLanAccess></ControllablePreferences>
Binary file /opt/cisco/anyconnect/lib/libvpnapi.so matches
Binary file /opt/cisco/anyconnect/lib/libvpnagentutilities.so matches
/opt/cisco/anyconnect/profile/vpn_profile.xml:15:       <LocalLanAccess UserControllable="true">false</LocalLanAccess>
/opt/cisco/anyconnect/profile/AnyConnectProfile.xsd:325:            <xs:element name="LocalLanAccess" default="false" minOccurs="0">

cp -i /opt/cisco/anyconnect/.anyconnect_global /opt/cisco/anyconnect/.anyconnect_global.bak
cp -i /opt/cisco/anyconnect/profile/vpn_profile.xml /opt/cisco/anyconnect/profile/vpn_profile.xml.bak
cp -i /opt/cisco/anyconnect/profile/AnyConnectProfile.xsd /opt/cisco/anyconnect/profile/AnyConnectProfile.xsd.bak

# manually update all 3 files to true

$ grep -rn 'LocalLanAccess' /opt/cisco
/opt/cisco/anyconnect/.anyconnect_global:15:<LocalLanAccess>true</LocalLanAccess></ControllablePreferences>
Binary file /opt/cisco/anyconnect/lib/libvpnapi.so matches
Binary file /opt/cisco/anyconnect/lib/libvpnagentutilities.so matches
/opt/cisco/anyconnect/profile/vpn_profile.xml:15:       <LocalLanAccess UserControllable="true">true</LocalLanAccess>
/opt/cisco/anyconnect/profile/AnyConnectProfile.xsd:325:            <xs:element name="LocalLanAccess" default="true" minOccurs="0">

David
This is something you need to ask the Cisco VPN people about. I use ExpressVPN and their product is an all or nothing. I have to stop the VPN to use ssh even internal. It "protects" the machine completely.
muru
What's the output of `ip route -n` before and after connecting to the VPN?
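To read the `ip route` output that muru asks for systematically, here is an added example (not from the question, the comments, or the answer) that parses two routing tables and performs the same longest-prefix match the kernel uses, so you can see which interface a given destination would leave through before and after the VPN comes up. The two tables are constructed for illustration: only the LAN prefix 10.1.2.0/24, the address 10.1.2.1 and the interface name enxf8e43b9df776 come from the question; the Wi-Fi interface, the gateway addresses, the tun0 interface and the 0.0.0.0/1 and 128.0.0.0/1 routes that a full-tunnel client typically installs are assumptions. The useful diagnostic is the 10.1.2.3 case: if the /24 route still wins after connecting, the routing table is not what breaks the ssh session, and the block is being enforced by the VPN client itself, which is the behaviour the LocalLanAccess setting and the answer's remark about AnyConnect blocking LAN access refer to.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample `ip route` listings (not captured from the asker's machine).
# Before the VPN connects there are only the LAN routes; afterwards the client has
# added a tun0 interface and two half-default routes that together beat "default".
ROUTES_BEFORE_VPN = """\
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
10.1.2.0/24 dev enxf8e43b9df776 proto kernel scope link src 10.1.2.1
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.50 metric 600
"""

ROUTES_AFTER_VPN = """\
0.0.0.0/1 via 10.99.0.1 dev tun0
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
10.1.2.0/24 dev enxf8e43b9df776 proto kernel scope link src 10.1.2.1
10.99.0.0/24 dev tun0 proto kernel scope link src 10.99.0.7
128.0.0.0/1 via 10.99.0.1 dev tun0
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.50 metric 600
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]   # None for unreachable/blackhole/prohibit routes
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse the one-route-per-line IPv4 format printed by `ip route`."""
    routes: List[Route] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # Reject-type routes carry a leading keyword and no "dev"; keep them so
        # they can still win the longest-prefix match with dev=None.
        if tokens[0] in ("unreachable", "blackhole", "prohibit"):
            tokens = tokens[1:]
        first = tokens[0]
        prefix = ipaddress.ip_network(
            "0.0.0.0/0" if first == "default" else first, strict=False
        )
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        metric = int(tokens[tokens.index("metric") + 1]) if "metric" in tokens else 0
        routes.append(Route(prefix, dev, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; the lowest metric breaks ties. None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_interface(route_text: str, dst: str) -> Optional[str]:
    """Name of the interface dst would leave through under the given table."""
    route = lookup(parse_ip_route(route_text), dst)
    return route.dev if route else None


def route_diff(before: str, after: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Egress interface for dst before and after the VPN changed the table."""
    return egress_interface(before, dst), egress_interface(after, dst)


if __name__ == "__main__":
    for dst in ("10.1.2.3", "8.8.8.8"):
        before, after = route_diff(ROUTES_BEFORE_VPN, ROUTES_AFTER_VPN, dst)
        print(f"{dst}: before VPN -> {before}, after VPN -> {after}")
```

Run it on your own machine by replacing the two constants with the real output of `ip route` (or `ip route -n`) taken before and after connecting. A remote address flipping from the Wi-Fi interface to tun0 is the expected split of the traffic; the board address staying on enxf8e43b9df776 while ping still fails is the signature of client-side filtering rather than a routing problem.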
Score:0

Solved!

Use openconnect via the openconnect-sso wrapper instead! Cisco AnyConnect intentionally blocks LAN access.

Basic usage of openconnect-sso:

VPN_SERVER_ADDRESS="myvpn.whatever.com"   # example server address to connect to
VPN_SAML_GROUP="whatever-saml-whatever"   # example SAML group name
VPN_USER="my.username@something.com"      # example username
# or perhaps just this for the username:
# VPN_USER="my.username"

# connect via `openconnect-sso`
# The first time ever, you must specify everything
openconnect-sso --server "${VPN_SERVER_ADDRESS}/${VPN_SAML_GROUP}" --user "${VPN_USER}"
# Subsequent connection attempts can be done with just this, since apparently
# the server address, SAML group, and username are cached after the first usage
openconnect-sso

For full details, screenshots, and installation instructions, see my answer here: How to use "openconnect" (via the openconnect-sso wrapper) with SAML and Duo two-factor authentication via Okta Single-Sign-on (SSO)
