On Mon, Nov 28, 2016 at 7:42 PM, Stuart Luppescu <slu at ccsr.uchicago.edu> wrote:
> On Mon, 2016-11-28 at 16:34 -0800, Daniel Lenski wrote:
>> Why are you sending all your internet-bound traffic through the VPN
>> if it's not necessary to do so? Sounds like you want to do split
>> tunneling.
>
> I was not aware of this before but it sounds like a good thing to do.
> Do I just export those environment variables that start with
> CISCO_SPLIT_INC and start the script as usual?

Here's a tutorial on how to wrap the default vpnc-script to do split
tunneling: https://gist.github.com/jagtesh/5531300

If you only need to access a few hosts behind the VPN, then have a look
at vpn-slice, which I wrote to make this simpler:
http://github.com/dlenski/vpn-slice. It's a Linux-only drop-in
replacement for the vpnc-script. It ignores the routing configuration
sent by the VPN gateway, only routes traffic to specific hosts or
subnets through the VPN, and leaves everything else alone. For example:

    openconnect gateway.company.com \
        --script 'vpn-slice myhost myotherhost 192.168.0.0/16'

That will only route traffic to the two named hosts and one subnet
through the VPN. It will not change your DNS configuration either, but
it will do a DNS lookup for the two hosts using the VPN's DNS servers,
and add them to /etc/hosts, so that you can refer to them by name.

Dan
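The "wrap the default vpnc-script" approach that the thread points at, as an added example that is not from the linked gist, from openconnect or from vpn-slice: a wrapper that replaces whatever split-include list the gateway pushed with subnets you choose, then hands off to the stock vpnc-script. The stock script builds its routes from CISCO_SPLIT_INC (a count) plus CISCO_SPLIT_INC_N_ADDR / _MASK / _MASKLEN for each entry, and when that count is set it adds only those routes instead of taking over the default route. The environment variable SPLIT_SUBNETS, the REAL_VPNC_SCRIPT path, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical split-tunnel wrapper for openconnect (example code, not part of
# openconnect, vpnc-script or vpn-slice). Usage, assuming --script is run
# through /bin/sh:
#   openconnect gateway.company.com \
#     --script 'SPLIT_SUBNETS="10.0.0.0/8 192.168.0.0/16" /usr/local/sbin/split-wrapper'
# Assumed location of the distribution's real vpnc-script; override as needed.
REAL_VPNC_SCRIPT="${REAL_VPNC_SCRIPT:-/etc/vpnc/vpnc-script}"

# Prefix length -> dotted-quad netmask, e.g. 16 -> 255.255.0.0. Fails on
# anything outside 0..32 so a typo cannot turn into a bogus route.
prefix_to_mask() {
    _len="$1"
    [ "$_len" -ge 0 ] 2>/dev/null && [ "$_len" -le 32 ] || return 1
    _out=""
    _i=0
    while [ "$_i" -lt 4 ]; do
        if [ "$_len" -ge 8 ]; then
            _octet=255
        elif [ "$_len" -le 0 ]; then
            _octet=0
        else
            _octet=$(( 256 - (1 << (8 - _len)) ))
        fi
        _len=$(( _len - 8 ))
        _out="${_out}${_out:+.}${_octet}"
        _i=$(( _i + 1 ))
    done
    printf '%s\n' "$_out"
}

# Emit VAR=value lines for a space-separated CIDR list in the layout the stock
# vpnc-script expects: numbered _ADDR/_MASK/_MASKLEN entries, then the count.
# A bare address without a prefix is treated as a /32 host route.
split_inc_env() {
    _n=0
    for _cidr in $1; do
        _addr="${_cidr%/*}"
        _len="${_cidr#*/}"
        [ "$_len" != "$_cidr" ] || _len=32
        _mask=$(prefix_to_mask "$_len") || return 1
        printf 'CISCO_SPLIT_INC_%d_ADDR=%s\n' "$_n" "$_addr"
        printf 'CISCO_SPLIT_INC_%d_MASK=%s\n' "$_n" "$_mask"
        printf 'CISCO_SPLIT_INC_%d_MASKLEN=%s\n' "$_n" "$_len"
        _n=$(( _n + 1 ))
    done
    printf 'CISCO_SPLIT_INC=%d\n' "$_n"
}

# openconnect sets $reason (connect, disconnect, reconnect, ...) whenever it
# runs the script. Only then override the gateway's list and exec the real
# script; doing it for every reason keeps the disconnect-time route cleanup
# consistent with what was installed at connect time.
if [ -n "$reason" ]; then
    if [ -n "$SPLIT_SUBNETS" ]; then
        _env=$(split_inc_env "$SPLIT_SUBNETS") || {
            echo "split-wrapper: bad SPLIT_SUBNETS: $SPLIT_SUBNETS" >&2
            exit 1
        }
        for _kv in $_env; do export "$_kv"; done
    fi
    exec "$REAL_VPNC_SCRIPT" "$@"
fi
```

Two things to keep in mind with this approach, as opposed to vpn-slice: the stock vpnc-script will still rewrite /etc/resolv.conf from the INTERNAL_IP4_DNS values the gateway sent, so your DNS queries go to the VPN resolvers even though most of your traffic does not; and a gateway that pushes a full tunnel usually does so deliberately, so overriding it locally means your internet-bound traffic no longer passes through whatever filtering sits behind that gateway.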