Network routing issue

Daniel Lenski dlenski at gmail.com
Sun Jul 10 07:45:51 PDT 2022


On Fri, Jul 1, 2022 at 6:55 PM Sam <sam.shabake at samic.org> wrote:
> I use the vpnc-script from
> https://gitlab.com/openconnect/vpnc-scripts/raw/master/vpnc-script like
> this:
> sudo openconnect vpn.thecompany.com
> --script=/usr/share/vpnc-scripts/vpnc-script

Cisco AnyConnect protocol, right?

> The only way that I can make it work is to do this manually:
>
> sudo ip route del default via 192.168.0.1
> sudo ip route add default via 10.100.220.210

Hmmm… you're DELETING the default route through your Ethernet
interface enp4s0, and creating a new default route through the tunnel
interface. That's not really necessary: you should be able to simply
do `sudo ip route add default dev tun0` *without* deleting the default
route through the Ethernet interface.

> But then the problem is if the VPN disconnects, I have to restart the
> computer to get the network back!

Why can't you simply recreate the default route through the Ethernet
interface, or otherwise fix up the routing table?

> But network routing doesn't work!

It appears the fundamental issue here is that *you* want a default
route via the VPN (that is, you want ALL of your IPv4 traffic to go
through the VPN), but the VPN server gives you only a specific set of
routes to include (known as "split-include" routes).

OpenConnect + vpnc-script are, as far as I can tell, doing exactly
what the VPN server is asking them to do.

What happens if you connect to this VPN using an official Cisco
client? Does it get assigned a default route, or does it only get
assigned these specific split-include routes?

Dan
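An added example (not from this thread, not part of openconnect or vpnc-scripts) of the approach Dan describes: a hypothetical wrapper for `--script=` that lets vpnc-script do its normal work, then adds a second default route through the tunnel with a low metric instead of deleting the Ethernet one, and removes it again on disconnect. It assumes the `reason` and `TUNDEV` environment variables that openconnect passes to vpnc-script, and the metric values are assumptions to adjust for your system.

```shell
#!/bin/sh
# Hypothetical wrapper: sudo openconnect vpn.example --script=/path/to/this.sh
VPNC_SCRIPT=${VPNC_SCRIPT:-/usr/share/vpnc-scripts/vpnc-script}
TUN_METRIC=${TUN_METRIC:-50}    # assumed; must be lower than the LAN default's
LAN_METRIC=${LAN_METRIC:-100}   # assumed; applied only if the LAN route has none

# run_ip: run ip(8), or only print the command when DRY_RUN=1 (for testing).
run_ip() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ip $*"; else ip "$@"; fi
}

# plan_lan_default: takes one line of `ip -4 route show default`. A default
# route printed without "metric" has metric 0, which no tunnel route can beat,
# so it is re-added with LAN_METRIC (metric is part of the route key, hence
# del + add rather than replace). Routes that already carry a metric are kept.
plan_lan_default() {
    line=$1
    case " $line " in
        *" metric "*) return 0 ;;
    esac
    gw=$(echo "$line" | sed -n 's/.*via \([^ ]*\).*/\1/p')
    dev=$(echo "$line" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
    [ -n "$gw" ] && [ -n "$dev" ] || return 0   # not a gateway route: skip
    run_ip route del default via "$gw" dev "$dev"
    run_ip route add default via "$gw" dev "$dev" metric "$LAN_METRIC"
}

# tunnel_default: "replace" (idempotent add, safe on reconnect) or "del" the
# tunnel default route. The LAN default route is never touched here, so the
# network keeps working after the VPN goes away.
tunnel_default() {
    run_ip route "$1" default dev "$2" metric "$TUN_METRIC"
}

# Entry point when invoked by openconnect; does nothing if $reason is unset.
if [ -n "${reason:-}" ]; then
    "$VPNC_SCRIPT"   # addresses, split-include routes, DNS, as usual
    case "$reason" in
        connect|reconnect)
            ip -4 route show default | while read -r line; do
                plan_lan_default "$line"
            done
            tunnel_default replace "$TUNDEV" ;;
        disconnect)
            tunnel_default del "$TUNDEV" 2>/dev/null || true ;;
    esac
fi
```

With DRY_RUN=1 the functions only print the `ip` commands they would run, which is a convenient way to check the plan against your own `ip route show default` output before using the script for real.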