On Wed, Feb 21, 2018 at 8:46 AM, Gernot Hillier <gernot.hillier at siemens.com> wrote:
> The vpnc-script used by OpenConnect only supports "split include" rules (default
> route unchanged, specific VPN routes added). We add support for Pulse's "split
> exclude" rules (default route to VPN, exclude rules for targets to be connected
> via normal uplink).
>
> For targets specified as split-exclude by the gateway, we add additional routes
> which keep traffic as-is (i.e. separate from tunnel). On platforms only
> providing /sbin/route, we guess that those are reached via default gateway.

This might not work if the VPN gateway is pushing split-exclude routes such as
"192.168.0.0/16" to let clients access e.g. printers on the LAN.

It might work better for cases where the client is behind a firewall (such as
GFW) and doesn't want to tunnel "internal WAN" traffic through the VPN.

It may run into trouble on multi-homed systems, or systems that have to deal
with network changes.

I have had some luck using a dedicated routing table with RTN_THROW routes to
implement split include + exclude, although plumbing that into vpnc-script
could be a challenge.

> Please note that the IPv6 variant is completely untested as I have no
> access to corresponding testbeds.

Should be able to set up a $5/mo Linode VM to run ocserv and request a /56
prefix. It won't exercise the Pulse code paths, but for routing that probably
doesn't matter.
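The dedicated-routing-table approach mentioned in the reply, as an added illustration that is not part of vpnc-script or of the patch under discussion: excluded prefixes get `throw` routes (RTN_THROW) in a separate table, so a lookup for them falls through to the main table and the normal uplink, while everything else matches the tunnel default route in that table. Table id 100, device `tun0`, the rule priority and the two excluded prefixes are constructed values; `DRY_RUN=1` prints the ip(8) commands instead of executing them, which is how the stand-alone demo at the bottom runs.

```shell
#!/bin/sh
# Added example (not vpnc-script code): split-exclude via a dedicated
# routing table with throw routes. Assumptions: iproute2 is available,
# the tunnel device is a point-to-point tun interface, table id and
# rule priority are free on this host.

# Execute the given command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pick the ip(8) address family flag from the prefix syntax.
family_of() {
    case $1 in
        *:*) echo -6 ;;
        *)   echo -4 ;;
    esac
}

# split_exclude_routes TABLE TUNDEV PREFIX...
# In TABLE: one throw route per excluded prefix (lookup continues in the
# main table, i.e. the normal uplink) and a default route via TUNDEV.
# Then a rule makes every lookup consult TABLE before the main table.
split_exclude_routes() {
    table=$1; dev=$2; shift 2
    for prefix in "$@"; do
        run ip "$(family_of "$prefix")" route replace throw "$prefix" table "$table"
    done
    run ip -4 route replace default dev "$dev" table "$table"
    run ip -6 route replace default dev "$dev" table "$table"
    run ip -4 rule add priority 100 lookup "$table"
    run ip -6 rule add priority 100 lookup "$table"
}

# split_exclude_teardown TABLE
# Remove the rule and flush the table on disconnect.
split_exclude_teardown() {
    table=$1
    run ip -4 rule del priority 100 lookup "$table"
    run ip -6 rule del priority 100 lookup "$table"
    run ip -4 route flush table "$table"
    run ip -6 route flush table "$table"
}

# Stand-alone demo with constructed values; prints, does not modify routing.
DRY_RUN=1 split_exclude_routes 100 tun0 192.168.0.0/16 2001:db8::/32
```

Because a throw route only says "stop looking in this table", an excluded LAN prefix such as 192.168.0.0/16 still resolves through whatever the main table has for it (an on-link route or the uplink default), which is exactly the case the reply notes the /sbin/route default-gateway guess gets wrong.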