openconnect changes default route
Right now openconnect automatically changes the default route, which may break internet connectivity in many setups.
It would be nice if there could be an option to ignore the routes announced by the remote server, so that routes or NAT can be set up manually.
@klada Hm, I don't think this is a good idea. When the OpenConnect server (or ASA or whatever) pushes you a default gateway through the tunnel, there's probably a security reason why they did it.
You have to check that the server only pushes the routes you want (which works perfectly fine)
@mimugmail The thing is that you might not always have control over the default route which is pushed to you.
For example, I am getting a default route from my workplace's VPN. This way I am usually forced to route all of my private traffic through the company network, which I don't want. That's why I only want the traffic that goes to my company's network to pass through the openconnect interface.
I also found the "config file" for this, which is /usr/local/sbin/vpnc-script
(set_default_route/reset_default_route). Maybe calling that code can be controlled through a GUI config option.
Is there any update on this issue? It would be very nice if I could define my own routes. In this state this plugin is useless for me.
@staeglis pardon the question, if it's useless to you why do you think telling others will motivate them to help? ;)
What do you want to achieve, or where is the problem? You receive a default gateway and want only single routes?
Yes, I want only to access internal networks and not to redirect my whole internet traffic over the VPN.
@fichtner I only wanted to say that this can be an essential feature and so isn't only nice to have. I'm very happy that this plugin exists. So there is the possibility that I can use this plugin in the future.
@mimugmail I would be very happy if you could also solve this issue. Also important are the DNS settings. Maybe this option should be evaluated: "Allow DNS server list to be overridden by DHCP/PPP on WAN"
By the way, what's the official way to disable OpenConnect? I changed the specific option again (I hadn't stopped the OpenConnect service manually before), and after this the VPN connection was disabled again, but the routes and the DNS settings weren't reverted.
By the way, the "normal" IPsec implementation of OPNsense doesn't allow it to act as a client, does it?
@staeglis from a technical view, IPsec has no client - it is a feature of IPv6 and required in a compliant implementation.
@fabianfrz Yes I know it theoretically ;)
Better said: can I configure a host-to-site VPN, so that it acts like vpnc?
In a road warrior setup like this you will very likely get problems with the routing.
The main problem is that I can't setup the xauth credentials.
@staeglis Did you find any solution in which a tunnel client only sends traffic for specific, predetermined destinations through the tunnel? In theory we can delete the default gateway after connecting to the tunnel and then create static routes manually on the client side, but isn't this supported automatically?
I would also appreciate the option to not replace the default route. I would like to send non-work-related traffic over my ISP instead of my work VPN.
I tried this solution and it worked: https://gist.github.com/stefancocora/686bbce938f27ef72649a181e7bd0158
Pip is not an option, but I found a link with a vpnc script which might work
I've been using this vpnc script for my routes. It works well.
#!/usr/bin/env sh
# Set up split tunneling
CISCO_SPLIT_INC=1
CISCO_SPLIT_INC_0_ADDR=10.0.0.0
CISCO_SPLIT_INC_0_MASK=255.0.0.0
CISCO_SPLIT_INC_0_MASKLEN=8
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0
# Call regular vpnc-script
. /usr/local/sbin/vpnc-script
Would like to follow up on this-- It's one thing for the default route for my linux workstation, or my Windows pc, to be changed to route through my office network. But I don't think they want me to route my entire home network through their system, which is what happens when opnsense connects to their VPN.
Can we get an "override default route" button, and create our own routes for VPN networks? I've got the interface, it's easy enough to add the two routes I need, but I'd rather not have to script a workaround to delete the default network from the VPN.
Workaround:
Create /usr/local/etc/vpnc/connect.d
create a file in there with any name, containing (from above comment):
---- cut here ---
# Set up split tunneling
CISCO_SPLIT_INC=1
CISCO_SPLIT_INC_0_ADDR=10.0.0.0      # Route you want to route through VPN
CISCO_SPLIT_INC_0_MASK=255.0.0.0     # netmask for said route
CISCO_SPLIT_INC_0_MASKLEN=8          # prefix length for said route
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0
---- cut here ---
Still need to get routing working outside the opnSense box, but this is a start.
--John
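The two workarounds above (the wrapper script and the connect.d snippet) hand-write the CISCO_SPLIT_INC_* variables, including both the dotted netmask and the prefix length, for a single network. The following is an added example, not code from this issue, from the opnsense/plugins project or from the openconnect/vpnc-script projects. It generates that variable block for any list of CIDR prefixes, so the same file can carry several internal networks without the mask and prefix length drifting apart. It assumes what the workarounds above rely on: that vpnc-script sources the files in its connect.d directory before it applies the pushed routes, that a non-empty CISCO_SPLIT_INC makes it install only the listed networks instead of the pushed default route, and that both _MASK and _MASKLEN must be present because different platforms read different ones. The function names (cidr_to_mask, emit_split_includes) and the sample prefixes are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue, the plugin or vpnc-script):
# build vpnc-script split-include variables from CIDR prefixes.
# Assumed vpnc-script contract: CISCO_SPLIT_INC=<count>, then for each
# index n: CISCO_SPLIT_INC_n_ADDR, _MASK (dotted quad), _MASKLEN
# (prefix length), _PROTOCOL, _SPORT, _DPORT. Both _MASK and _MASKLEN
# are emitted because the script uses one or the other depending on OS.

# Convert a prefix length (0-32) to a dotted-quad netmask.
# Returns 1 (prints nothing) for anything that is not a valid length.
cidr_to_mask() {
    len=$1
    case $len in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ] || return 1
    mask=""
    bits=$len
    for _ in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255
            bits=$((bits - 8))
        elif [ "$bits" -gt 0 ]; then
            # partial octet: high "bits" bits set, e.g. 6 -> 252
            octet=$((256 - (1 << (8 - bits))))
            bits=0
        else
            octet=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# Print the variable assignments for every CIDR given as an argument,
# e.g. emit_split_includes 10.0.0.0/8 192.168.50.0/24
# A bare address without "/len" is treated as a host route (/32).
# Fails (returns 1) on a malformed prefix so a typo cannot silently
# turn into "route nothing" or "route everything".
emit_split_includes() {
    printf 'CISCO_SPLIT_INC=%d\n' "$#"
    n=0
    for cidr in "$@"; do
        addr=${cidr%/*}
        len=${cidr#*/}
        [ "$addr" != "$cidr" ] || len=32
        mask=$(cidr_to_mask "$len") || {
            printf 'bad prefix: %s\n' "$cidr" >&2
            return 1
        }
        printf 'CISCO_SPLIT_INC_%d_ADDR=%s\n' "$n" "$addr"
        printf 'CISCO_SPLIT_INC_%d_MASK=%s\n' "$n" "$mask"
        printf 'CISCO_SPLIT_INC_%d_MASKLEN=%s\n' "$n" "$len"
        printf 'CISCO_SPLIT_INC_%d_PROTOCOL=0\n' "$n"
        printf 'CISCO_SPLIT_INC_%d_SPORT=0\n' "$n"
        printf 'CISCO_SPLIT_INC_%d_DPORT=0\n' "$n"
        n=$((n + 1))
    done
}

# Usage (paths as in the workaround above; adjust for your install):
#   emit_split_includes 10.0.0.0/8 192.168.50.0/24 \
#       > /usr/local/etc/vpnc/connect.d/split-include
# The generated file is plain variable assignments, so vpnc-script can
# source it the same way as the hand-written snippet in this thread.
```

Because the output is sourced before vpnc-script decides how to route, any split-include list the server pushed is replaced by this one; whether that is what you want depends on whether you trust the server's list more than your own. Generating the file once and reviewing it is safer than computing it on every connect.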
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.