Skip to content

Instantly share code, notes, and snippets.

  • Star 80 You must be signed in to star a gist
  • Fork 12 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Split tunneling with openconnect - A guide on how to use openconnect to establish a vpn connection to an enterprise cisco anyconnect vpn endpoint with client side routing.


The purpose of this short howto is to show you how to:

  • use openconnect [1] to connect to an enterprise cisco anyconnect endpoint
  • whilst minimizing the amount of traffic that your route through the vpn connection

Usually VPN administrators will puth the default route to the users, so that all user traffic is routed through the vpn connection. This is to address the various security concerns around compromised user computers bridging external internet traffic into the secure VPN network.

While the VPN administrator can push routes to the clients, the client can ignore these default routes and establish client side routing so that only the required A.B.C.D/E network is routed through the VPN. All other traffic will still use the clients default route and default outbound internet connection.

This is called split-tunneling VPN routing and it is the type of setup you'll have at the end of this small howto.

Setup on a linux operating system


  • install openconnect on your operating system

openconnect binary kernel capabilities

  • the openconnect binary won't be allowed to create the tun0 tunnel without being granted some the root capability to administer networks - see man 7 capabilities for details
sudo setcap cap_net_admin+ep /usr/bin/openconnect
  • to check if this capability was added, run getcap
getcap -rv /usr/bin/openconnect
/usr/bin/openconnect = cap_net_admin+ep

install vpn-slice

By default openconnect comes with vpnc-script [3] which is a bash script that can be run, on the client side, to setup routing. While this can work perfectly fine it needs manual user interaction to modify this script whenever changes are needed.

A more automated way of adding/removing routing and other settings can be achieved using vpn-slice

  • [2] vpn-slice will aid with automatically adding and removing routes and adding and removing /etc/hosts entries.
  • I've used pip and virtualenv to create a separate python virtual environment for vpn-slice.
mkvirtualenv vpn-slice
pip3 install

Establish vpn connection

Establish a vpn connection to the corporate network only routing the required subnet through the vpn tunnel. Replace all bits between < > with your vpn settings.

sudo openconnect <corporate-vpn-endpoint> \
     -m 1290 \
     -u <your-vpn-user> \
     --servercert sha256:<0446a7EXAMPLE8901278394> \
     -s 'vpn-slice <>'
  • the first time when you connect, openconnect will print on your terminal the servercert shasum, on subsequent connections use this printend shasum as the value for --servercert
  • replace <> with the subnet you want to route over the corporate vpn.

These are the routes before starting the vpn:

default via dev wlp4s0 proto static metric 600 dev wlp4s0 proto kernel scope link src metric 600 dev docker0 proto kernel scope link src

These are the routes after connecting to the vpn. vpn-slice will only create routes for the vpn subnet and the vpn dns servers and the rest of your traffic goes out though your default route which hasn't changed after connecting to the vnp.

default via dev wlp4s0 proto static metric 600 dev wlp4s0 proto kernel scope link src metric 600 dev tun0 scope link dev tun0 scope link metric 6 dev docker0 proto kernel scope link src dev tun0 scope link dev tun0 scope link metric 6


Copy link

Thanks for this, although I didn't have to use it. First I checked if all traffic was routed through the VPN connection and it wasn't the case. For anyone out there reading this, you can check by using the answers here:

Copy link

Great that this gist was of help for you!

Copy link

bilak commented May 13, 2021

what about DNS resolution, or even worse if I'm able to access specific endpoints (e.g only through VPN? This currently doesn't work for me.

Copy link


Copy link

JekRock commented Mar 14, 2023

@bilak I know it's been a while, but maybe the answer will be useful for someone else too.
In the vpn-slice documentation, they show how to add split tunneling based on host names or IPs.

sudo openconnect -u user1234 -s 'vpn-slice'

In the example above, only requests to,, and will be routed through the VPN connection.
You can combine that with subnet routing as well:

sudo openconnect -u user1234 -s 'vpn-slice'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment