How do I route all traffic through my openconnect VPN?

By default, my company's AnyConnect VPN (which I'm connecting to on Ubuntu with openconnect) only tunnels traffic to certain corporate sites.

Unfortunately, I'm currently in China and the Great Firewall is blocking me from accessing many of our cloud services (e.g. Google Apps), so I wish to route all my computer's traffic through the VPN to get around the block. How do I do this?


Solution 1:

If your VPN gateway only advertises routes to specific networks, openconnect communicates this information to your vpnc-script by setting the CISCO_SPLIT_INC environment variables:

#* CISCO_SPLIT_INC              -- number of networks in split-network-list
#* CISCO_SPLIT_INC_%d_ADDR      -- network address
#* CISCO_SPLIT_INC_%d_MASK      -- subnet mask (for example: 255.255.255.0)
#* CISCO_SPLIT_INC_%d_MASKLEN   -- subnet masklen (for example: 24)

On Ubuntu, you can edit /etc/vpnc/vpnc-script and try overriding CISCO_SPLIT_INC to an empty string so that vpnc-script sets up tun0 as the system's default route:

# =========== script (variable) setup ====================================

# >>>INSERT THIS LINE:
CISCO_SPLIT_INC=

PATH=/sbin:/usr/sbin:$PATH

OS="`uname -s`"

The gateway has separate settings for its split tunnel includes and for routing. It is possible that the gateway's routing rules were only set up to allow traffic destined for the networks listed in the split tunnel setting, even if you add other routes (or a default route) on the client side. You'll have to try it and see.

On OpenConnect for Android, there is a per-VPN profile option to override the split tunnel setting. Set Split Tunnel Mode to "On - DNS uses VPN" and set Split Tunnel Networks to "0.0.0.0/0". This is equivalent to the vpnc-script change on Ubuntu.

If none of this works using your company's existing AnyConnect gateway, you might consider setting up a cheap VPS and running your own private ocserv installation.
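The wrapper below is an added example, not part of the answer above: instead of editing /etc/vpnc/vpnc-script in place (which a package upgrade can silently revert), it strips the CISCO_SPLIT_INC* variables that openconnect exports and then hands off to the real vpnc-script, so the tunnel gets the default route. It assumes openconnect's real --script option, the stock script path /etc/vpnc/vpnc-script, and placeholder names for the wrapper path and the gateway.

```shell
#!/bin/sh
# full-tunnel-vpnc-script (hypothetical name): run in front of the distro's vpnc-script.
# Invoke with:  sudo openconnect --script /usr/local/sbin/full-tunnel-vpnc-script vpn.example.com
# (vpn.example.com and the wrapper path are placeholders.)

# Real script to chain to; REAL_VPNC_SCRIPT is an assumed override knob, not an openconnect variable.
REAL_SCRIPT="${REAL_VPNC_SCRIPT:-/etc/vpnc/vpnc-script}"
SPLIT_DROPPED=0

# Unset CISCO_SPLIT_INC and every CISCO_SPLIT_INC_<n>_{ADDR,MASK,MASKLEN} variable.
# With CISCO_SPLIT_INC empty, vpnc-script installs a default route via the tun device
# instead of only the per-network routes advertised by the gateway.
drop_split_include() {
    SPLIT_DROPPED=0
    # env lists exported variables, which is how openconnect passes them to the script.
    for var in $(env | sed -n 's/^\(CISCO_SPLIT_INC[A-Z0-9_]*\)=.*/\1/p'); do
        unset "$var"
        SPLIT_DROPPED=$((SPLIT_DROPPED + 1))
    done
    unset CISCO_SPLIT_INC   # in case it was set but not exported
    return 0
}

# openconnect always sets $reason (connect, disconnect, reconnect, ...); only then do we
# rewrite the environment and exec the real script. Running this file standalone does nothing.
if [ -n "${reason:-}" ]; then
    drop_split_include
    echo "full-tunnel-vpnc-script: dropped $SPLIT_DROPPED split-include variable(s), reason=$reason" >&2
    exec "$REAL_SCRIPT" "$@"
fi
```

As the answer notes, the gateway may still drop packets for destinations outside its configured split list, so after connecting confirm with something like `ip route get <public-ip>` that the route goes via the tun device and that the traffic actually arrives.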