Split tunneling with openconnect - A guide on how to use openconnect to establish a vpn connection to an enterprise cisco anyconnect vpn endpoint with client side routing.

vpn-openconnect-connect-to-cisco-anyconnect.md

Introduction

The purpose of this short howto is to show you how to:

• use openconnect [1] to connect to an enterprise cisco anyconnect endpoint
• whilst minimizing the amount of traffic that your route through the vpn connection

Usually VPN administrators will puth the default route to the users, so that all user traffic is routed through the vpn connection. This is to address the various security concerns around compromised user computers bridging external internet traffic into the secure VPN network.

While the VPN administrator can push routes to the clients, the client can ignore these default routes and establish client side routing so that only the required A.B.C.D/E network is routed through the VPN. All other traffic will still use the clients default route and default outbound internet connection.

This is called split-tunneling VPN routing and it is the type of setup you'll have at the end of this small howto.

Setup on a linux operating system

installation

• install openconnect on your operating system

openconnect binary kernel capabilities

• the openconnect binary won't be allowed to create the tun0 tunnel without being granted some the root capability to administer networks - see man 7 capabilities for details

sudo setcap cap_net_admin+ep /usr/bin/openconnect

• to check if this capability was added, run getcap

getcap -rv /usr/bin/openconnect
...
/usr/bin/openconnect = cap_net_admin+ep

install vpn-slice

By default openconnect comes with vpnc-script [3] which is a bash script that can be run, on the client side, to setup routing. While this can work perfectly fine it needs manual user interaction to modify this script whenever changes are needed.

A more automated way of adding/removing routing and other settings can be achieved using vpn-slice

• [2] vpn-slice will aid with automatically adding and removing routes and adding and removing /etc/hosts entries.
• I've used pip and virtualenv to create a separate python virtual environment for vpn-slice.

mkvirtualenv vpn-slice
pip3 install https://github.com/dlenski/vpn-slice/archive/master.zip

Establish vpn connection

Establish a vpn connection to the corporate network only routing the required subnet through the vpn tunnel. Replace all bits between < > with your vpn settings.

sudo openconnect <corporate-vpn-endpoint> \
     -m 1290 \
     -u <your-vpn-user> \
     --servercert sha256:<0446a7EXAMPLE8901278394> \
     -s 'vpn-slice <10.10.0.0/14>'

• the first time when you connect, openconnect will print on your terminal the servercert shasum, on subsequent connections use this printend shasum as the value for --servercert
• replace <10.10.0.0/14> with the subnet you want to route over the corporate vpn.

These are the routes before starting the vpn:

default via 10.1.1.1 dev wlp4s0 proto static metric 600
10.1.1.0/24 dev wlp4s0 proto kernel scope link src 10.1.1.50 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

These are the routes after connecting to the vpn. vpn-slice will only create routes for the vpn subnet and the vpn dns servers and the rest of your traffic goes out though your default route which hasn't changed after connecting to the vnp.

default via 10.1.1.1 dev wlp4s0 proto static metric 600
10.1.1.0/24 dev wlp4s0 proto kernel scope link src 10.1.1.50 metric 600
10.10.0.0/14 dev tun0 scope link
10.10.0.0/14 dev tun0 scope link metric 6
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
180.10.34.165 dev tun0 scope link
180.10.34.165 dev tun0 scope link metric 6

Resources

• [1] http://www.infradead.org/openconnect/index.html
• [2] https://github.com/dlenski/vpn-slice
• [3] http://www.infradead.org/openconnect/vpnc-script.html
• [4] https://gist.github.com/jagtesh/5531300