Persistent SSH connection while connecting to VPN

Is there a way to keep the SSH connection alive while connecting to the VPN?

No. That system's routing changes dramatically when you connect to the VPN, which breaks all established TCP sockets.

You should look into using a terminal multiplexer like screen or tmux in your ssh session - that way you can have a persistent shell that you can re-connect to.


General Answer

You should use the --script and --script-tun options of openconnect and provide a custom vpnc-script. A good starting point is the vpnc-script already distributed with your openconnect; for example, on OSX (Homebrew-installed openconnect) it is located at /usr/local/etc/vpnc-script.

Note that according to openconnect official documentation:

OpenConnect just handles the communication with the VPN server; it does not know how to configure the network routing and name service on all the various operating systems that it runs on.

To set the routing and name service up, it uses an external script which is usually called vpnc-script.


Better Solution

There is already a good project called ocproxy which acts as a proxy server for openconnect, hence the name ocproxy (OpenConnect Proxy).

ocproxy is a user-level SOCKS and port forwarding proxy for OpenConnect based on lwIP. When using ocproxy, OpenConnect only handles network activity that the user specifically requests through the proxy, so the VPN interface no longer "hijacks" all network traffic on the host.

Example OpenConnect Command:

echo "$1" | sudo openconnect -u "$2" -d --timestamp -v --passwd-on-stdin --script-tun --script "ocproxy -D $3 -v" "$4"

Replace:

  • $1 with: OpenConnect Password
  • $2 with: OpenConnect Username
  • $3 with: Desired Socks5 Proxy Port
  • $4 with: OpenConnect Server Address
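An added example, not code from this answer or from the ocproxy project: a small wrapper around the openconnect + ocproxy invocation above that keeps the password off the command line (an argument such as $1 is visible to every user in ps and in shell history), validates the SOCKS port before it is interpolated into the --script string, and shows how to open a new ssh session to a host behind the VPN through the SOCKS5 port while existing SSH sessions keep their normal routes. It assumes openconnect and ocproxy are on PATH and that nc is the OpenBSD variant (the one that accepts -X/-x, shipped on macOS and as netcat-openbsd on Debian).

```shell
#!/bin/sh
# Added example, not code from the answer or the ocproxy project.
# Runs openconnect in --script-tun mode with ocproxy so the VPN is reachable
# only through a local SOCKS5 port; existing SSH sessions keep their routes
# and new SSH sessions to VPN-side hosts are tunnelled through that port.
# Assumed: openconnect and ocproxy on PATH; `nc` is the OpenBSD variant
# (supports -X/-x), which macOS and Debian's netcat-openbsd ship.

# Accept only a numeric port in 1..65535: it ends up inside a shell string
# passed to --script, so refuse anything that is not plain digits.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The ProxyCommand that makes ssh dial %h:%p through the SOCKS5 listener.
ssh_proxy_command() {
    printf 'nc -X 5 -x 127.0.0.1:%s %%h %%p' "$1"
}

# Start the VPN. The password is read from the terminal with echo off and
# handed to openconnect on stdin, so it never appears in argv (as "echo $1"
# would) or in shell history.
connect_vpn() {
    user=$1 port=$2 server=$3
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    printf 'VPN password for %s: ' "$user"
    stty -echo; read -r pw; stty echo; echo
    printf '%s\n' "$pw" | sudo openconnect -u "$user" --passwd-on-stdin \
        --script-tun --script "ocproxy -D $port" "$server"
}

# ssh to a host that is only reachable inside the VPN, via the SOCKS port.
# Extra arguments are passed through to ssh.
ssh_via_vpn() {
    port=$1 host=$2; shift 2
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    ssh -o "ProxyCommand=$(ssh_proxy_command "$port")" "$host" "$@"
}

case "${1:-}" in
    connect) shift; connect_vpn "$@" ;;
    ssh)     shift; ssh_via_vpn "$@" ;;
    *) echo "usage: $0 connect USER PORT SERVER | ssh PORT HOST [ssh args]" ;;
esac
```

Usage: run `./vpn-socks.sh connect USER 1080 vpn.example.test` in one terminal (placeholder server name), then `./vpn-socks.sh ssh 1080 internal-host` in another. Because the VPN never touches the host's routing table in this mode, the SSH session you already had open before connecting is unaffected.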

You may want to look into what is in the iptables, which handles packet filtering within the kernel. I use openconnect from the other direction, and the default setting is to remove access to the standard interfaces in favor of the newly created VPN interface. The first thing to do is figure out what routes are being created by the VPN connection. Then you can write a script to handle the gateway and routes, and then finally flush the iptables and clear the VPN "chain" (term used in iptables). I have a script that looks something like:

#!/bin/sh
IPADDR=NN.NN.NN.N                  # this host's pre-VPN address
DESIREDNET1=MM.MM.MM.MM            # network that should stay on the VPN
# find the pre-VPN gateway from the routing-table line for IPADDR
GATEWAY_LINE=$(netstat -rn | grep "${IPADDR}")
GATEWAY=$(echo "$GATEWAY_LINE" | awk '{print $2}')
GATEWAY_DEV=gw
if [ "$GATEWAY" = "*" ]; then
    # directly connected: use the interface name instead of a gateway
    GATEWAY=$(echo "$GATEWAY_LINE" | awk '{print $8}')
    GATEWAY_DEV=''
fi
# add custom routes
route add -net "$DESIREDNET1" netmask 255.255.0.0 dev cscotun0
...
# reset the default route
route del default
route add default $GATEWAY_DEV "$GATEWAY"

# flush iptables to clear the ciscovpn chain
iptables --flush
iptables --delete-chain
# Add our own nameservers back
if [ -f /etc/resolv.conf.vpnbackup ]
then
   cat /etc/resolf.conf /etc/resolv.conf.vpnbackup > /etc/resolv.conf
   echo "nameserver $GATEWAY" >> /etc/resolv.conf
fi

You'll need to copy the /etc/resolv.conf to /etc/resolf.conf while off the VPN to be able to add back the 'normal' settings.

Good luck.
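An added example, not the script from the answer above, that does the same route repair with the iproute2 tools (ip) instead of the deprecated netstat/route pair and adds two safeguards a defender would want: the pre-VPN default route is parsed from `ip route show` rather than grepped out of netstat by IP address, and the firewall is saved with iptables-save before anything is flushed, because `iptables --flush` and `--delete-chain` remove every rule on the host, not only the chain the VPN client added. VPN_DEV (cscotun0, taken from the answer) and VPN_NET (10.0.0.0/8) are placeholders to replace with your own values; the file paths under /var/tmp are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's script. Same idea with iproute2 tools and
# two safeguards: the default route is parsed from `ip route`, and the
# firewall is saved before it is flushed (--flush/--delete-chain remove
# every rule, not only the VPN chain).
# Placeholders: VPN_DEV (the VPN interface) and VPN_NET (subnet to keep on
# it); the /var/tmp paths are assumed defaults.

VPN_DEV=${VPN_DEV:-cscotun0}          # interface the VPN client creates
VPN_NET=${VPN_NET:-10.0.0.0/8}        # placeholder: subnet to keep on the VPN
DRY_RUN=${DRY_RUN:-0}                 # 1 = print commands instead of running

# Run or echo a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read `ip route show` output on stdin; print "GATEWAY DEV" of the default
# route (first one wins). Handles both "default via G dev D" and the
# point-to-point form "default dev D" (prints "-" for the missing gateway).
parse_default_route() {
    awk '$1 == "default" {
            gw = "-"; dev = "-"
            for (i = 2; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            print gw, dev; exit
         }'
}

# Save the pre-VPN default route so it can be restored after the VPN client
# has replaced it. Call this BEFORE connecting.
save_default_route() {
    ip route show | parse_default_route > "${1:-/var/tmp/default-route.pre-vpn}"
}

# Restore the saved default route, then pin only VPN_NET to the VPN interface.
restore_routes() {
    saved=${1:-/var/tmp/default-route.pre-vpn}
    read -r gw dev < "$saved" || return 1
    if [ "$gw" = "-" ]; then
        run ip route replace default dev "$dev"
    else
        run ip route replace default via "$gw" dev "$dev"
    fi
    run ip route replace "$VPN_NET" dev "$VPN_DEV"
}

# Remove the rules the VPN client installed, but keep a copy first so the
# host's own firewall can be put back with `iptables-restore < FILE`.
flush_vpn_firewall() {
    backup=${1:-/var/tmp/iptables.pre-flush}
    run sh -c "iptables-save > '$backup'"
    run iptables --flush
    run iptables --delete-chain
}
```

Usage: run `save_default_route` before starting the VPN client, then after it connects run `restore_routes` and, if the client's firewall rules get in the way, `flush_vpn_firewall`; set `DRY_RUN=1` first to see the exact ip and iptables commands that would be executed. Restoring the saved firewall afterwards is `iptables-restore < /var/tmp/iptables.pre-flush`.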