
Split tunnel support?

Open redneckdiver opened this issue 5 years ago • 9 comments

Wondering if there is a command switch or an option somewhere to do a split tunnel. I'm being lazy and don't want to manually delete the additional default gateway every time I connect.

redneckdiver avatar Jul 16 '20 15:07 redneckdiver

Hi @redneckdiver, what do you mean by split tunnel and manually deleting the additional default gateway? Can you provide some screenshots or something to illustrate it? Thanks.

yuezk avatar Jul 17 '20 02:07 yuezk

That just means our VPN supports us not having to route all traffic through its interface. I happened to notice that after firing up gpclient and connecting with it, I had an additional default gateway defined to route traffic through the VPN interface in addition to all the specific routes for our corporate network. So I'd like to keep that route from being added to begin with.

redneckdiver avatar Jul 17 '20 19:07 redneckdiver

Disregard - I see now that openconnect is doing this and doesn't seem to have anything to do with your code.

redneckdiver avatar Jul 18 '20 12:07 redneckdiver

I may have said disregard too soon. I can get around my issue now that I understand it better, but a better solution would be to have some way of specifying custom command line arguments to the openconnect process when it is started by gpservice.cpp. For anyone who also faces this, the current way to get around this is to comment out all the *default_route functions within /usr/share/vpnc-scripts/vpnc-script and references to them.

redneckdiver avatar Jul 18 '20 12:07 redneckdiver

@redneckdiver You can open /etc/systemd/system/gpservice.service and append any arguments supported by the OpenConnect CLI to /usr/bin/gpservice.

https://github.com/yuezk/GlobalProtect-openconnect/blob/76a4977e9260a8123c39fc439944355ff6bff9aa/GPService/systemd/gpservice.service#L7

It will pass the arguments specified for /usr/bin/gpservice on to the OpenConnect CLI, as shown below:

https://github.com/yuezk/GlobalProtect-openconnect/blob/d91fad089f453f55e3d61f12e32ef477cb9a5ce2/GPService/gpservice.cpp#L66

Related to #7

yuezk avatar Jul 19 '20 13:07 yuezk

@yuezk I guess that the OP was in the same situation I'm in: once the VPN tunnel is established, a new default route is added (with 0 as metric, thus taking precedence over the previous default gw route) sending all traffic through the VPN interface (tun0), plus another set of routes is added to send specific whitelisted IPs through the LAN interface (most likely Windows Update server IPs and such).

Example...

E0557546 ~ # route -vn
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 lan0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 lan0
E0557546 ~ # route -vn | grep lan0 | wc -l
2
E0557546 ~ # route -vn | grep tun0 | wc -l
0
E0557546 ~ # # established VPN connection...
E0557546 ~ # route -vn | grep tun0 | wc -l
4
E0557546 ~ # route -vn | grep lan0 | wc -l
58

hrk avatar Aug 05 '21 13:08 hrk
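As an added example (not code from this issue or from the GlobalProtect-openconnect project), here is a small POSIX shell check that parses a `route -n`-style table like the one pasted above and reports whether the VPN interface has taken over the default route, i.e. the full-tunnel state the thread describes. The routing table is a constructed sample and the interface names tun0/lan0 are assumptions.

```shell
#!/bin/sh
# Added example: detect whether a VPN interface owns the default route by
# parsing `route -n` output (the format shown in the issue above).

# Constructed sample table in `route -n` format, as it might look after a
# VPN connection: the tun0 default route at metric 0 outranks lan0's at 100.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 lan0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 lan0
203.0.113.10    192.168.1.254   255.255.255.255 UGH   100    0        0 lan0'

# Print the interface that wins the default route: destination 0.0.0.0 with
# genmask 0.0.0.0, lowest metric first (first listed wins a tie).
# Usage: default_iface "$ROUTE_TABLE"
default_iface() {
    printf '%s\n' "$1" \
        | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $5, $8 }' \
        | sort -n | head -n 1 | awk '{ print $2 }'
}

# Count routes bound to one interface, like the `grep tun0 | wc -l` checks
# in the thread, but matching only the Iface column so "tun0" in a gateway
# or comment cannot inflate the count.
# Usage: route_count "$ROUTE_TABLE" tun0
route_count() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$8 == ifc' | wc -l | tr -d ' '
}

# Exit 0 (true) when the given VPN interface owns the default route,
# which means all non-specific traffic is being sent through the tunnel.
# Usage: is_full_tunnel "$ROUTE_TABLE" tun0
is_full_tunnel() {
    [ "$(default_iface "$1")" = "$2" ]
}

# Human-readable summary for one VPN interface and one LAN interface.
report() {
    printf 'default route via: %s\n' "$(default_iface "$1")"
    printf 'routes on %s: %s, routes on %s: %s\n' \
        "$2" "$(route_count "$1" "$2")" "$3" "$(route_count "$1" "$3")"
    if is_full_tunnel "$1" "$2"; then
        echo "FULL TUNNEL: $2 has taken over the default route"
    else
        echo "split tunnel: default route still leaves via $3"
    fi
}

# Stand-alone run: `./check.sh --live tun0 lan0` reads the real table,
# otherwise the constructed sample above is used.
if [ "${1:-}" = "--live" ]; then
    report "$(route -n)" "${2:-tun0}" "${3:-lan0}"
else
    report "$SAMPLE_ROUTES" tun0 lan0
fi
```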