Losing connection with Unknown DTLS packet

Stuart Luppescu slu at ccsr.uchicago.edu
Tue Nov 29 10:27:23 PST 2016


On Tue, 2016-11-29 at 09:29 -0800, Daniel Lenski wrote:
> On Mon, Nov 28, 2016 at 7:42 PM, Stuart Luppescu <slu at ccsr.uchicago.edu> wrote:
> > 
> > On Mon, 2016-11-28 at 16:34 -0800, Daniel Lenski wrote:
> > > 
> > > Why are you sending all your internet-bound traffic through the VPN
> > > if it's not necessary to do so? Sounds like you want to do split
> > > tunneling.
> > 
> > I was not aware of this before but it sounds like a good thing to do.
> > Do I just export those environment variables that start with
> > CISCO_SPLIT_INC and start the script as usual?
> 
> Here's a tutorial on how to wrap the default vpnc-script to do split
> tunneling: https://gist.github.com/jagtesh/5531300
> 
> If you only need to access a few hosts behind the VPN, then have a
> look at vpn-slice, which I wrote to make this
> simpler: http://github.com/dlenski/vpn-slice.
> 
> It's a Linux-only drop-in replacement for the vpnc-script. It ignores
> the routing configuration sent by the VPN gateway, and only routes
> traffic to specific hosts or subnets through the VPN, and leaves
> everything else alone. For example:
> 
>     openconnect gateway.company.com \
>       --script 'vpn-slice myhost myotherhost 192.168.0.0/16'
> 
> That will only route traffic to the two named hosts and one subnet
> through the VPN. It will not change your DNS configuration either, but
> it will do a DNS lookup for the two hosts using the VPN's DNS servers,
> and add them to /etc/hosts, so that you can refer to them by name.

Wow. That's awesome, Dan. Thanks very much. I'll definitely try it.
Apparently, there is some opposition to split tunneling at the
University. Here's what I heard from our departmental IT guy:

I know that the default settings on the Cisco VPN client for Windows, 
Mac or Linux, will enforce a policy which blocks this, but I don't know
whether it works with openconnect. The University does not want people 
relaying through a split connection, so they set that default policy.

We'll see.

Last night, I had to redo my very long analyses (I did it in a screen
this time). I started the VPN with --no-dtls, and the analyses have
been running now for about 20 hours with no disruption. Can't see
anything in the -vvvv log that is a cause for concern. Fingers crossed.
-- 
Stuart Luppescu
Chief Psychometrician (ret.)
UChicago Consortium on School Research
http://consortium.uchicago.edu
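As an added illustration of the environment-variable approach Stuart asks about (this is not code from the thread, from the linked gist, or from vpn-slice): a small POSIX sh wrapper that openconnect can be pointed at with --script. It takes its own list of CIDRs, converts them into the CISCO_SPLIT_INC_* variables the stock vpnc-script reads, and then execs the real script so only those routes go through the tunnel. The variable names SPLIT_ROUTES and VPNC_SCRIPT_REAL, the default script path and the sample routes are assumptions made for the example.

```shell
#!/bin/sh
# openconnect runs its --script with $reason set (pre-init, connect,
# disconnect, ...) and the gateway's settings in the environment. Before
# handing off to the stock vpnc-script, replace the gateway's split-include
# list with our own, so only SPLIT_ROUTES are routed via the tunnel and the
# default route stays untouched.
# Assumed names (not from the thread): SPLIT_ROUTES is a space-separated list
# of CIDRs; VPNC_SCRIPT_REAL is the path of the real vpnc-script.
SPLIT_ROUTES="${SPLIT_ROUTES:-192.168.0.0/16 10.20.30.40/32}"   # constructed sample
VPNC_SCRIPT_REAL="${VPNC_SCRIPT_REAL:-/usr/share/vpnc-scripts/vpnc-script}"

# Prefix length (0-32) -> dotted-quad netmask, e.g. 16 -> 255.255.0.0
masklen_to_mask() {
    len=$1; mask=""
    for octet in 1 2 3 4; do
        if [ "$len" -ge 8 ]; then bits=8; else bits=$len; fi
        len=$((len - bits))
        mask="$mask$((256 - (1 << (8 - bits))))"
        [ "$octet" -lt 4 ] && mask="$mask."
    done
    printf '%s' "$mask"
}

# Emit the CISCO_SPLIT_INC_* assignments vpnc-script expects, one route per
# index (address, netmask, prefix length), then the total count.
split_inc_env() {
    i=0
    for cidr in $1; do
        addr=${cidr%/*}; len=${cidr#*/}
        [ "$len" = "$cidr" ] && len=32          # bare host address -> /32
        printf 'CISCO_SPLIT_INC_%d_ADDR=%s\n' "$i" "$addr"
        printf 'CISCO_SPLIT_INC_%d_MASK=%s\n' "$i" "$(masklen_to_mask "$len")"
        printf 'CISCO_SPLIT_INC_%d_MASKLEN=%s\n' "$i" "$len"
        i=$((i + 1))
    done
    printf 'CISCO_SPLIT_INC=%d\n' "$i"
}

# Act as a vpnc-script only when openconnect invokes us ($reason is set);
# when the file is merely sourced, the functions are defined and nothing runs.
if [ -n "$reason" ]; then
    # Our count overrides the gateway's, so any pushed entries beyond it are ignored.
    for assignment in $(split_inc_env "$SPLIT_ROUTES"); do
        export "$assignment"
    done
    exec "$VPNC_SCRIPT_REAL"
fi
```

Usage: `openconnect gateway.company.com --script /path/to/this-wrapper.sh`, with SPLIT_ROUTES exported beforehand; the same environment variables are passed on the disconnect call, so the routes are removed cleanly.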