some traffic not being routed over VPN

Patrick O'Brien pdobrien at
Tue Jun 30 14:27:37 PDT 2015

Hi all,

Having a very strange issue with openconnect on Mac OS X Yosemite.  In
short, some DNS requests are going out over the wrong interface.

I've got a vpnc script set up for split mode.  I've added a bunch of
netblocks that should be routed through the tunnel like so:


# debug
#set -x

        export CISCO_SPLIT_INC=$((CISCO_SPLIT_INC + 1))

# Initialize empty split tunnel list

# Delete DNS info provided by VPN server to use internet DNS
# Comment following line to use DNS beyond VPN tunnel

# List of IP ranges beyond VPN tunnel
add_ip # /8 corporate internal network
add_ip x.x.x.x # /20 corporate network
add_ip x.x.x.x # /21 corporate network

# Execute default script
. /usr/local/etc/vpnc-script

From an OS perspective everything looks great.  If I test out the
routing ('route get') it looks like things should be routed correctly
(through en0 or utun0).

The VPN provides two corporate DNS servers (a.a.a.a and b.b.b.b) which
openconnect dutifully puts at the top of the list in /etc/resolv.conf.
If I run nslookup/dig/host while watching traffic on both the default
and VPN interfaces, I see it properly resolving using the first
corporate DNS server via the VPN interface (utun0).

However, in browsers like Chrome and Firefox, I see a very strange
behavior.  Most URLs resolve correctly, including some non-public
corporate hostnames.  However, for some hostnames (both corporate and
public) I see the DNS request go out to the corporate DNS server
a.a.a.a *but on the non-VPN interface* (en0).  I can't for the life of
me figure out why this should be happening.  I have disabled proxy at
the OS level.

For example, even though my default DNS server is a.a.a.a and I have a
specific routing table entry that should send traffic to a.a.a.a out
over the VPN interface like so:
#  netstat -rn | grep a.a.a.a
a.a.a.a/32    UGSc   1   0   utun0

I still see requests go out over en0 sometimes, like so:
# tcpdump -i en0 port 53
16:39:27.690084 IP > a.a.a.a.domain: 29289+ A? (54)
16:39:28.776604 IP > a.a.a.a.domain: 29289+ A? (54)
16:39:29.776873 IP > wireless_broadband_router.home.domain: 29289+ A? (54)
16:39:29.889740 IP wireless_broadband_router.home.domain > 29289 NXDomain 0/1/0 (127)
16:37:34.567376 IP > a.a.a.a.domain: 32596+ A? (43)
16:37:48.913744 IP > a.a.a.a.domain: 32596+ A? (43)
16:38:03.254285 IP > b.b.b.b.domain: 32596+ A? (43)
16:38:17.505229 IP > b.b.b.b.domain: 32596+ A? (43)
16:38:31.839505 IP > wireless_broadband_router.home.domain: 32596+ A? (43)
16:38:32.307175 IP wireless_broadband_router.home.domain > 32596 4/0/0 CNAME, CNAME, A, A (158)

I'm out of ideas... any thoughts?  Note that I haven't tested other
kinds of traffic to see if it's going the wrong place as well, just
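Two things a reader can take from the post, written up as an added shell example that is neither the original poster's script nor part of openconnect or vpnc-script: first, a wrapper that builds the split-include list the way the post's vpnc-script wrapper does, but from CIDR notation, with an add_cidr helper standing in for the add_ip the post calls (add_ip's definition is not shown on the page; the CISCO_SPLIT_INC_* variable names are the ones vpnc-script reads, the helper is this example's); second, a filter over tcpdump output in the shape of the capture above that prints every DNS query sent to one of the VPN's resolvers on the non-VPN interface, which is exactly the symptom described. Netblocks, resolver addresses, hostnames and the sample capture are constructed.

```shell
#!/bin/sh
# Added example (not the original poster's script, and not part of
# openconnect or vpnc-script).  Part 1 builds the split-include list that
# vpnc-script reads; part 2 filters tcpdump output for DNS queries to the
# VPN's resolvers that left on the non-VPN interface.  All addresses,
# hostnames and the sample capture are constructed.

# ---- 1. Split-include list ------------------------------------------------
# vpnc-script takes the count in CISCO_SPLIT_INC and, for each index i,
# CISCO_SPLIT_INC_i_ADDR, _MASK and _MASKLEN.  The add_ip helper the post's
# wrapper calls is not shown there; add_cidr below is this example's version
# and derives the mask from the prefix length so the two cannot disagree.

masklen_to_mask() {              # 20 -> 255.255.240.0
    len=$1 mask=""
    for i in 1 2 3 4; do
        if [ "$len" -ge 8 ]; then
            octet=255; len=$((len - 8))
        else
            octet=$((256 - (1 << (8 - len)))); len=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

export CISCO_SPLIT_INC=0         # start with an empty list
add_cidr() {                     # add_cidr 10.0.0.0/8
    addr=${1%/*} len=${1#*/}
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$addr"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=$(masklen_to_mask "$len")"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=$len"
    export CISCO_SPLIT_INC=$((CISCO_SPLIT_INC + 1))
}

add_cidr 10.0.0.0/8              # constructed: corporate internal network
add_cidr 172.16.0.0/20           # constructed: corporate network
add_cidr 172.16.16.0/21          # constructed: corporate network

# openconnect sets $reason (pre-init, connect, disconnect, ...) on every
# invocation; only then hand off to the real script.  Run by hand, $reason
# is unset and the wrapper just builds the list.
if [ -n "${reason:-}" ]; then
    . /usr/local/etc/vpnc-script
fi

# ---- 2. Queries to the VPN resolvers seen on the non-VPN interface ---------
# Feed it "tcpdump -l -i en0 port 53" output (with or without -n; IPv4 only)
# and the resolver addresses the VPN handed out (INTERNAL_IP4_DNS).  It
# prints every query line whose destination is one of those resolvers: each
# such line is a DNS query that reached a corporate resolver without the
# tunnel, which is what the post's capture shows.
leaked_dns_queries() {           # leaked_dns_queries RESOLVER...
    while IFS= read -r line; do
        dst=${line#* > }         # "10.1.1.1.domain: 29289+ A? ..."
        if [ "$dst" = "$line" ]; then continue; fi   # no " > ": not a packet
        dst=${dst%%:*}           # "10.1.1.1.domain" or "10.1.1.1.53"
        case $dst in
            *.domain) dst=${dst%.domain} ;;
            *.53)     dst=${dst%.53} ;;
            *)        continue ;;                     # replies, other ports
        esac
        for r in "$@"; do
            if [ "$dst" = "$r" ]; then printf '%s\n' "$line"; break; fi
        done
    done
}

# Constructed capture in the shape of the post's tcpdump output.
sample_capture() {
    cat <<'EOF'
16:39:27.690084 IP 192.168.1.10.52344 > 10.1.1.1.domain: 29289+ A? intranet.example. (54)
16:39:28.776604 IP 192.168.1.10.52344 > 10.1.1.1.domain: 29289+ A? intranet.example. (54)
16:39:29.776873 IP 192.168.1.10.52344 > 192.168.1.1.domain: 29289+ A? intranet.example. (54)
16:39:29.889740 IP 192.168.1.1.domain > 192.168.1.10.52344: 29289 NXDomain 0/1/0 (127)
16:38:03.254285 IP 192.168.1.10.60127 > 10.1.1.2.domain: 32596+ A? www.example. (43)
EOF
}

# Live use:  tcpdump -l -n -i en0 port 53 | leaked_dns_queries 10.1.1.1 10.1.1.2
sample_capture | leaked_dns_queries 10.1.1.1 10.1.1.2
```

On the sample capture the filter prints the three queries addressed to 10.1.1.1 and 10.1.1.2 and skips the query to the home router and the reply line. Run against a live `tcpdump` on en0 with the VPN's resolvers as arguments, an empty output is what a correctly split tunnel should give; any line printed is a query that bypassed the /32 route for that resolver, so the capture can be compared directly with the `netstat -rn` entry rather than guessed at.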


More information about the openconnect-devel mailing list