The purpose of this short howto is to show you how to:
- use `openconnect` to connect to an enterprise Cisco AnyConnect endpoint
- whilst minimizing the amount of traffic that you route through the VPN connection
Usually VPN administrators will push the default route to the users, so that all user traffic is routed through the VPN connection. This addresses the security concern of a compromised user computer bridging external internet traffic into the secure VPN network.

While the VPN administrator can push routes to the clients, the client can ignore these default routes and set up client-side routing so that only the required A.B.C.D/E network is routed through the VPN. All other traffic will still use the client's default route and default outbound internet connection.

This is called split-tunneling VPN routing, and it is the type of setup you'll have at the end of this small howto.
`openconnect` on your operating system

The `openconnect` binary won't be allowed to create the `tun0` tunnel without being granted some of the `root` capability to administer networks - see `man 7 capabilities` for details:

```
sudo setcap cap_net_admin+ep /usr/bin/openconnect
```

- to check if this capability was added, run `getcap -rv /usr/bin/openconnect`:

```
/usr/bin/openconnect = cap_net_admin+ep
```
`openconnect` comes with `vpnc-script`, which is a bash script that can be run on the client side to set up routing. While this can work perfectly fine, it needs manual user interaction to modify this script whenever changes are needed.

A more automated way of adding/removing routing and other settings can be achieved using `vpn-slice`. `vpn-slice` will aid with automatically adding and removing routes and adding and removing

- I've used `virtualenv` to create a separate Python virtual environment for `vpn-slice`:

```
mkvirtualenv vpn-slice
pip3 install https://github.com/dlenski/vpn-slice/archive/master.zip
```
Establish a VPN connection to the corporate network, only routing the required subnet through the VPN tunnel. Replace all bits between `< >` with your VPN settings.

```
sudo openconnect <corporate-vpn-endpoint> \
  -m 1290 \
  -u <your-vpn-user> \
  --servercert sha256:<0446a7EXAMPLE8901278394> \
  -s 'vpn-slice <10.10.0.0/14>'
```

- the first time you connect, `openconnect` will print the server certificate's SHA-256 sum on your terminal; on subsequent connections use this printed sum as the value for `--servercert`
- replace `<10.10.0.0/14>` with the subnet you want to route over the corporate VPN
These are the routes before starting the VPN:

```
default via 10.1.1.1 dev wlp4s0 proto static metric 600
10.1.1.0/24 dev wlp4s0 proto kernel scope link src 10.1.1.50 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
```

These are the routes after connecting to the VPN. `vpn-slice` will only create routes for the VPN subnet and the VPN DNS servers; the rest of your traffic goes out through your default route, which hasn't changed after connecting to the VPN.

```
default via 10.1.1.1 dev wlp4s0 proto static metric 600
10.1.1.0/24 dev wlp4s0 proto kernel scope link src 10.1.1.50 metric 600
10.10.0.0/14 dev tun0 scope link
10.10.0.0/14 dev tun0 scope link metric 6
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
126.96.36.199 dev tun0 scope link
188.8.131.52 dev tun0 scope link metric 6
```
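As an added check (my own example, not part of the original howto or of `vpn-slice`), here is a small POSIX shell function that reads an `ip route` listing on stdin and confirms the result really is a split tunnel: the default route must not point at the tunnel device, and the corporate subnet must. The function name `check_split_tunnel` and the sample route tables are assumptions built from the before/after listings above.

```shell
#!/bin/sh
# Added example, not part of the original howto: read an `ip route` listing on stdin and
# confirm it is a split tunnel. check_split_tunnel and the sample tables below are assumptions.
#   usage: ip route | check_split_tunnel 10.10.0.0/14 tun0
check_split_tunnel() {
    subnet="$1"; vpn_dev="$2"
    awk -v net="$subnet" -v dev="$vpn_dev" '
        # each "ip route" line looks like: <destination> [via <gw>] dev <ifname> ...
        { dst = $1; ifname = ""; for (i = 2; i <= NF; i++) if ($i == "dev") ifname = $(i + 1) }
        # 1. the default route must still leave via the physical interface, not the tunnel
        dst == "default" && ifname == dev { print "FAIL: default route goes through " dev " (full tunnel)"; bad = 1 }
        # 2. the corporate subnet must be routed through the tunnel
        dst == net && ifname == dev { seen_net = 1 }
        # 3. any other network on the tunnel (single-host DNS routes excluded) is worth a look
        ifname == dev && dst != net && dst != "default" && dst ~ /\// { print "WARN: extra network on " dev ": " dst }
        END {
            if (!seen_net) { print "FAIL: no route for " net " via " dev; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample tables (assumed), taken from the before/after listings above
ROUTES_SPLIT='default via 10.1.1.1 dev wlp4s0 proto static metric 600
10.1.1.0/24 dev wlp4s0 proto kernel scope link src 10.1.1.50 metric 600
10.10.0.0/14 dev tun0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
126.96.36.199 dev tun0 scope link'
# What the table would look like if the client had accepted the pushed default route
ROUTES_FULL='default dev tun0 scope link
10.10.0.0/14 dev tun0 scope link
10.1.1.0/24 dev wlp4s0 proto kernel scope link src 10.1.1.50 metric 600'

printf '%s\n' "$ROUTES_SPLIT" | check_split_tunnel 10.10.0.0/14 tun0 && echo "split tunnel OK"
```

Run it right after `openconnect` reports the connection is up; a non-zero exit means the routing table is not the split tunnel you asked `vpn-slice` for.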