Feel free to give me a course correction. I'm out of my depth here.

I'm using openconnect to connect to a vpn. This creates a device tun0, which I can see when I run ip address. I've successfully added entries to my routing table with ip route add $IP_ADDR dev tun0 and been able to access servers on my vpn.

I want to try using this vpn connection as my default route, and I've seen other posts, such as the following two, which instruct me to perform a command like this: ip route add default via 192.168.30.1 dev mydevice

Well, I've tried something similar, but I omit the via $IP_ADDR because I can't find an ip address for this device:

dhclient tun0 # => outputs nothing
ip route del default
ip route add default dev tun0

...and when I do so, it appears that I can't connect to any servers at all. If I add a route that uses tun0 to my routing table without making it the default route, though, I can reach servers on the vpn for as many routing rules as I've created.

Edit: here's the output of ip route show (before trying to change the default): https://pastebin.com/0X9rqgne

JellicleCat
  • What are the details for the VPN server? Is it set up by someone else? Have you set it up? How does the VPN server provision IP addresses? – Tero Kilkanen Jan 22 '22 at 06:21
  • @TeroKilkanen the VPN server is set up by IT at my employer, and they're an impenetrable group. I connect to it with `openconnect --protocol=anyconnect --user=$ME $VPN_DOMAIN`. – JellicleCat Jan 24 '22 at 15:37

3 Answers

You need to do three steps:

  1. Add a route to the VPN server via your physical gateway so that VPN tunnel packets can reach the VPN server:

    ip route add <VPN server IP address> via 192.168.68.1

  2. Delete the existing default route:

    ip route delete default via 192.168.68.1

  3. Add the default route via the tunnel:

    ip route add default dev tun0

However, if the VPN server doesn't forward packets to the internet, then adding this configuration doesn't help. In that case, you need to convince the VPN server operators to forward traffic to the internet.

There are legitimate reasons why the VPN server wouldn't forward traffic to the internet.

Tero Kilkanen

route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0

Should do the trick.

My university's VPN (Cisco) forces split tunneling. I was able to force all my traffic to be tunneled through the VPN. This answer is written for Mac, but might apply to all unix systems.

  1. First I had to install the vpnc-script, as described here. You can get a current version of the script from here. Save it somewhere on your drive, I saved it to /opt/local/etc/vpnc/vpnc-script.

  2. As it turns out, the newest versions of the script have an issue that prevents them from working on new versions of MacOS (Monterey), as described here. The solution was replacing the newest version with an older one, specifically with this.

  3. As described in this superuser post, insert the following line in the downloaded vpnc-script to unset the CISCO_SPLIT_INC variable.

# ...
# =========== script (variable) setup ====================================

# Insert this line:
CISCO_SPLIT_INC=
  4. Connect to the VPN via openconnect and specify that the script should be run:
    sudo openconnect --script="/opt/local/etc/vpnc/vpnc-script" --protocol=anyconnect -u <username> https://<university-domain>
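To see why blanking CISCO_SPLIT_INC forces full tunneling, here is an added, simplified model of the decision vpnc-script makes (this is not the real script's code, and it omits the split-exclude list, the host route to the gateway and DNS handling). openconnect hands the server's pushed configuration to the script as environment variables: CISCO_SPLIT_INC holds the number of split-include networks and CISCO_SPLIT_INC_<n>_ADDR / _MASKLEN hold each network. If the count is empty, the script falls back to installing a default route through the tunnel. The networks below are constructed values, and route commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: simplified model of vpnc-script's split-include logic.
# Real vpnc-script executes the routes; this model only prints them.

TUNDEV="${TUNDEV:-tun0}"

# Print the route commands that would be installed for the current
# CISCO_SPLIT_INC* environment.
plan_routes() {
    if [ -n "$CISCO_SPLIT_INC" ]; then
        # Split tunneling: one route per pushed network, no default route
        i=0
        while [ "$i" -lt "$CISCO_SPLIT_INC" ]; do
            eval addr="\${CISCO_SPLIT_INC_${i}_ADDR}"
            eval masklen="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
            printf 'ip route add %s/%s dev %s\n' "$addr" "$masklen" "$TUNDEV"
            i=$((i + 1))
        done
    else
        # No split-include list: everything goes through the tunnel
        printf 'ip route add default dev %s\n' "$TUNDEV"
    fi
}

# Constructed example of what a Cisco gateway pushes: two include networks
CISCO_SPLIT_INC=2
CISCO_SPLIT_INC_0_ADDR=10.10.0.0; CISCO_SPLIT_INC_0_MASKLEN=16
CISCO_SPLIT_INC_1_ADDR=10.20.5.0; CISCO_SPLIT_INC_1_MASKLEN=24

split_plan=$(plan_routes)    # two network routes, nothing for the internet

# The line the answer inserts into vpnc-script: blank the count so the
# script behaves as if the server pushed no split-include list
CISCO_SPLIT_INC=
full_plan=$(plan_routes)     # a single default route via the tunnel

printf '%s\n--- after CISCO_SPLIT_INC= ---\n%s\n' "$split_plan" "$full_plan"
```

Note the flip side: with the default route in the tunnel, the script still needs a host route to the VPN gateway via the physical interface (the real vpnc-script adds one), otherwise the tunnel's own packets would be routed into the tunnel.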