On Thu, 2015-06-25 at 22:18 -0700, Openconnect User wrote:
> Hi.
>
> Why does openconnect add a default route through the vpn? Since the
> existing default is still there now I have two. (This is openconnect on
> osx from homebrew.) Traceroutes to various systems inside and outside
> the remote end seem to go the right way though.

By default, openconnect (well, vpnc-script) will set up the routes that
the server tells it to. Some VPN servers use a 'split tunnel'
configuration, where only certain IP ranges are routed to the VPN.
Others are 'full tunnel', and we're supposed to route *everything* to
the VPN. (Except the packets which run over the real Internet to the VPN
server, of course. Otherwise it gets silly.)

> It doesn't add default routes on my linux box with openconnect that I
> built myself, but maybe I removed something from the vpnc-script. It has
> been a while since I set it up so I can't remember.

Possibly. Another option is to just use a trivial wrapper around
vpnc-script, which sets the CISCO_SPLIT_INC* variables for the IP ranges
you *do* want to route to the VPN, then invokes the real vpnc-script. If
any include routes are set, then it won't set a default route.

> I'd also like to know what people do about dns. On windows with the
> cisco client, dns magically works, resolving through the vpn to internal
> dns servers when necessary. For linux/osx openconnect clients I run a
> caching dns server with forwarders for domains inside the vpn. The
> problem is I don't know every possible domain I should forward, as the
> company is big and uses a lot of them.

If adding '-v' to the openconnect command line doesn't show the list in
some header somewhere, I'm not quite sure how the Windows client can get
this right. Does it really do *all* the domains that you need?

See the response I just sent to Patrick O'Brien on precisely this topic.
NetworkManager will do it for the single domain that we *do* get from
the Cisco server --
and I think NetworkManager can also be told a list of additional
domains. We could make vpnc-script do it too. (Note that we'd also want
our dnsmasq setup to do reverse IP searches in the in-addr.arpa and
ip6.arpa domains corresponding to the addresses which are routed to the
VPN).

-- 
dwmw2
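A wrapper of the kind described above (split-include variables set before handing off to the real vpnc-script), as an added example that is not dwmw2's or the OpenConnect project's own code. The /etc/vpnc/vpnc-script location, the REAL_VPNC_SCRIPT override and the two sample ranges are assumptions; the variable names follow what vpnc-script reads.

```shell
#!/bin/sh
# Wrapper for vpnc-script: pass it to openconnect with --script so that only
# the listed ranges are routed over the tunnel. With include routes present,
# vpnc-script does not install a default route through the VPN.

# Convert a prefix length (0-32) to a dotted-quad netmask, e.g. 20 -> 255.255.240.0
prefix_to_mask() {
    bits=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        elif [ "$bits" -le 0 ]; then
            octet=0
        else
            octet=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s' "$mask"
}

# Export CISCO_SPLIT_INC and the per-route _ADDR/_MASK/_MASKLEN variables
# for every CIDR given as an argument (a bare address is treated as /32).
set_split_includes() {
    n=0
    for cidr in "$@"; do
        case $cidr in
            */*) addr=${cidr%/*}; len=${cidr#*/} ;;
            *)   addr=$cidr; len=32 ;;
        esac
        export "CISCO_SPLIT_INC_${n}_ADDR=$addr"
        export "CISCO_SPLIT_INC_${n}_MASKLEN=$len"
        export "CISCO_SPLIT_INC_${n}_MASK=$(prefix_to_mask "$len")"
        n=$((n + 1))
    done
    export CISCO_SPLIT_INC=$n
}

# Assumed path of the real script; override with REAL_VPNC_SCRIPT if needed.
REAL_SCRIPT=${REAL_VPNC_SCRIPT:-/etc/vpnc/vpnc-script}

# openconnect sets $reason (connect, disconnect, ...) when it runs the script;
# only then do we override the server-pushed routes and hand over.
if [ -n "${reason:-}" ]; then
    set_split_includes 10.0.0.0/8 192.168.100.0/24   # sample ranges (assumed)
    exec "$REAL_SCRIPT" "$@"
fi
```

Any includes the server itself pushed are replaced by the list in the wrapper, so keep that list in step with what the remote network actually serves.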