some traffic not being routed over VPN

Patrick O'Brien pdobrien at gmail.com
Tue Jun 30 14:27:37 PDT 2015


Hi all,

Having a very strange issue with openconnect on Mac OS X Yosemite.  In
short, some DNS requests are going out over the wrong interface.

I've got a vpnc script set up for split mode.  I've added a bunch of
netblocks that should be routed through the tunnel like so:

---
#!/bin/sh

# debug
#set -x

# add_ip ADDR MASK MASKLEN: append one split-include entry.  vpnc-script
# passes both the dotted mask and the prefix length on to its route
# commands (which one it uses depends on the platform), so give the
# matching pair (255.0.0.0 with 8, 255.255.240.0 with 20, ...) rather
# than a fixed 32.
add_ip()
{
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=$2
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=$3
        export CISCO_SPLIT_INC=$((CISCO_SPLIT_INC + 1))
}

# Initialize empty split tunnel list
export CISCO_SPLIT_INC=0

# Uncomment the following line to discard the DNS servers pushed by the
# VPN server and keep resolving through the local (non-VPN) resolver
#unset INTERNAL_IP4_DNS

# List of IP ranges routed through the VPN tunnel
add_ip 10.0.0.0 255.0.0.0 8       # /8 corporate internal network
add_ip x.x.x.x 255.255.240.0 20   # /20 corporate network
add_ip x.x.x.x 255.255.248.0 21   # /21 corporate network
....

# Execute default script
. /usr/local/etc/vpnc-script
---

From an OS perspective everything looks great.  If I test out the
routing ('route get') it looks like things should be routed correctly
(through en0 or utun0).

The VPN provides two corporate DNS servers (a.a.a.a and b.b.b.b) which
openconnect dutifully puts at the top of the list in /etc/resolv.conf.
If I run nslookup/dig/host while watching traffic on both the default
and VPN interfaces, I see it properly resolving using the first
corporate DNS server via the VPN interface (utun0).

However, in browsers like Chrome and Firefox, I see a very strange
behaviour.  Most URLs resolve correctly, including some non-public
corporate hostnames.  However, for some hostnames (both corporate and
public) I see the DNS request go out to the corporate DNS server
a.a.a.a *but on the non-VPN interface* (en0).  I can't for the life of
me figure out why this should be happening.  I have disabled proxy at
the OS level.

For example, even though my default DNS server is a.a.a.a and I have a
specific routing table entry that should send traffic to a.a.a.a out
over the VPN interface like so:
#  netstat -rn | grep a.a.a.a
a.a.a.a/32    10.154.144.146    UGSc   1   0   utun0

I still see requests go out over en0 sometimes, like so:
# tcpdump -i en0 port 53
...
16:39:27.690084 IP 192.168.1.12.56892 > a.a.a.a.domain: 29289+ A? corporateserver.corporation.com. (54)
16:39:28.776604 IP 192.168.1.12.56892 > a.a.a.a.domain: 29289+ A? corporateserver.corporation.com. (54)
16:39:29.776873 IP 192.168.1.12.56892 > wireless_broadband_router.home.domain: 29289+ A? corporateserver.corporation.com. (54)
16:39:29.889740 IP wireless_broadband_router.home.domain > 192.168.1.12.56892: 29289 NXDomain 0/1/0 (127)
...
16:37:34.567376 IP 192.168.1.12.51937 > a.a.a.a.domain: 32596+ A? init-p01st.push.apple.com. (43)
16:37:48.913744 IP 192.168.1.12.51937 > a.a.a.a.domain: 32596+ A? init-p01st.push.apple.com. (43)
16:38:03.254285 IP 192.168.1.12.51937 > b.b.b.b.domain: 32596+ A? init-p01st.push.apple.com. (43)
16:38:17.505229 IP 192.168.1.12.51937 > b.b.b.b.domain: 32596+ A? init-p01st.push.apple.com. (43)
16:38:31.839505 IP 192.168.1.12.51937 > wireless_broadband_router.home.domain: 32596+ A? init-p01st.push.apple.com. (43)
16:38:32.307175 IP wireless_broadband_router.home.domain > 192.168.1.12.51937: 32596 4/0/0 CNAME init-p01st.push.apple.com.edgesuite.net., CNAME a1441.g4.akamai.net., A 63.130.78.130, A 63.130.78.136 (158)

I'm out of ideas... any thoughts?  Note that I haven't tested other
kinds of traffic to see if it's going the wrong place as well, just
DNS.

Thanks,
Pat
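The split-include list above is built from hand-typed mask/length pairs that can silently disagree. The following is an added example (editor's code, not from the original post, openconnect or vpnc-script) of a wrapper that derives CISCO_SPLIT_INC_*_MASK and _MASKLEN from one CIDR string, and that answers "should traffic to this address go through the tunnel?" from that same list, so the configured intent can be compared against what tcpdump shows. Everything it uses is POSIX sh; the sample ranges and addresses at the bottom are constructed (10.0.0.0/8 and the 10.154.x / 192.168.1.x addresses are from the post; 172.16.0.0/20 is a private range standing in for the redacted corporate /20).

```shell
#!/bin/sh
# Split-include helper for a vpnc-script wrapper (added example). Mask and
# prefix length come from a single CIDR string, so they cannot disagree,
# and the same list is used to say where a given address should be routed.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0..32) -> dotted netmask, e.g. 20 -> 255.255.240.0.
# 4294967295 is 2^32-1; the trailing AND keeps the result within 32 bits.
prefix_to_mask() {
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Exit 0 when address $1 lies inside CIDR $2 (e.g. 10.0.0.0/8).
in_net() {
    net=${2%/*}
    plen=${2#*/}
    mask=$(ip_to_int "$(prefix_to_mask "$plen")")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Append one entry in the CISCO_SPLIT_INC_<n>_{ADDR,MASK,MASKLEN} form
# that vpnc-script reads; MASK and MASKLEN are both derived from $1.
export CISCO_SPLIT_INC=0
add_net() {
    net=${1%/*}
    plen=${1#*/}
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$net"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=$(prefix_to_mask "$plen")"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=$plen"
    export CISCO_SPLIT_INC=$(( CISCO_SPLIT_INC + 1 ))
}

# Report which split-include entry covers $1; exit 1 if none does.
tunneled() {
    i=0
    while [ "$i" -lt "$CISCO_SPLIT_INC" ]; do
        eval "a=\$CISCO_SPLIT_INC_${i}_ADDR; l=\$CISCO_SPLIT_INC_${i}_MASKLEN"
        if in_net "$1" "$a/$l"; then
            echo "$1 -> tunnel ($a/$l)"
            return 0
        fi
        i=$(( i + 1 ))
    done
    echo "$1 -> default route (not in split list)"
    return 1
}

# Constructed sample list: 10.0.0.0/8 as in the post, plus a private /20
# standing in for the redacted corporate range.
add_net 10.0.0.0/8
add_net 172.16.0.0/20

tunneled 10.154.144.146       # tunnel-side address seen in the post
tunneled 172.16.5.9           # inside the stand-in corporate /20
tunneled 192.168.1.12 || :    # home LAN address from the post: default route
```

Two caveats worth keeping in mind when reading a capture like the one above. First, when split routes are in use vpnc-script also adds a host (/32) route for each server in INTERNAL_IP4_DNS, which is what produces an entry like `a.a.a.a/32 ... utun0`; that route does not by itself decide which interface a socket is bound to. Second, on OS X the resolver that browsers and other applications go through is configured by the system resolver service and is shown by `scutil --dns` (with per-interface scoped resolvers), whereas dig, nslookup and host read /etc/resolv.conf directly, so the two can legitimately behave differently on the same machine.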



More information about the openconnect-devel mailing list