[PATCH v3 1/3] Support split-exclude rules from Pulse gateway

Kevin Cernekee cernekee at gmail.com
Wed Feb 21 09:19:06 PST 2018


On Wed, Feb 21, 2018 at 8:46 AM, Gernot Hillier
<gernot.hillier at siemens.com> wrote:
> The vpnc-script used by OpenConnect only supports "split include" rules (default
> route unchanged, specific VPN routes added). We add support for Pulse's "split
> exclude" rules (default route to VPN, exclude rules for targets to be connected
> via normal uplink).
>
> For targets specified as split-exclude by the gateway, we add additional routes
> which keep traffic as-is (i.e. separate from tunnel). On platforms only
> providing /sbin/route, we guess that those are reached via default gateway.

This might not work if the VPN gateway is pushing split-exclude routes
such as "192.168.0.0/16" to let clients access e.g. printers on the
LAN.

It might work better for cases where the client is behind a firewall
(such as GFW) and doesn't want to tunnel "internal WAN" traffic
through the VPN.

It may run into trouble on multi-homed systems, or systems that have
to deal with network changes.

I have had some luck using a dedicated routing table with RTN_THROW
routes to implement split include + exclude, although plumbing that
into vpnc-script could be a challenge.

> Please note that IPv6 variant is completely untested as I have no
> access to according testbeds.

Should be able to set up a $5/mo Linode VM to run ocserv and request a
/56 prefix.  It won't exercise the Pulse code paths, but for routing
that probably doesn't matter.
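As an added illustration of the dedicated-table-plus-throw approach mentioned above (this is example code written for this page, not vpnc-script code and not part of the patch): everything defaults into the tunnel inside a private routing table, and each excluded prefix gets an RTN_THROW route there so the lookup falls through to the main table, which already knows whether the prefix is on-link or behind the normal default gateway. The device name tun0, table number 100, rule priority 1000 and the server address 203.0.113.5 are assumptions chosen for the example; the plan function only prints the iproute2 commands so they can be reviewed before running.

```sh
#!/bin/sh
# Added example, not vpnc-script code: "default via VPN, split-exclude prefixes
# via the normal path" using a dedicated routing table and throw routes.
# Assumed for the example: tunnel device tun0, free table 100, free rule
# priority 1000, and a known VPN server address that must stay out of the tunnel.

# plan_split_exclude FAMILY TUNDEV TABLE VPNSERVER [EXCLUDE_PREFIX...]
# Prints the iproute2 commands, one per line, without executing anything.
# FAMILY is -4 or -6.
plan_split_exclude() {
    fam=$1 dev=$2 table=$3 server=$4
    shift 4
    case $fam in
        -4) hostlen=32 ;;
        -6) hostlen=128 ;;
        *)  echo "family must be -4 or -6" >&2; return 1 ;;
    esac
    # 1. Inside our table only, everything defaults into the tunnel.
    printf 'ip %s route add default dev %s table %s\n' "$fam" "$dev" "$table"
    # 2. The VPN server itself must never be routed into its own tunnel. A throw
    #    route ends the lookup in this table and falls through to the main
    #    table, which still holds the uplink routes.
    printf 'ip %s route add throw %s/%s table %s\n' "$fam" "$server" "$hostlen" "$table"
    # 3. Each split-exclude prefix pushed by the gateway gets the same treatment.
    #    Whether it is on-link (e.g. 192.168.0.0/16 for LAN printers) or behind
    #    the default gateway is decided by the main table, not guessed here.
    for prefix in "$@"; do
        printf 'ip %s route add throw %s table %s\n' "$fam" "$prefix" "$table"
    done
    # 4. Consult our table before main (priority 32766). Main and default stay
    #    untouched, so a multi-homed host or a later network change keeps its
    #    own routes.
    printf 'ip %s rule add priority 1000 lookup %s\n' "$fam" "$table"
}

# apply_split_exclude: same arguments, but runs the plan (needs root).
apply_split_exclude() {
    plan=$(plan_split_exclude "$@") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

# undo_split_exclude FAMILY TABLE: drop the rule and flush the private table.
undo_split_exclude() {
    ip "$1" rule del priority 1000 lookup "$2"
    ip "$1" route flush table "$2"
}
```

This needs Linux policy routing (`ip rule`); a platform that only has /sbin/route has no equivalent of throw routes, which is why the patch has to guess the default gateway there. Run `plan_split_exclude -4 tun0 100 203.0.113.5 192.168.0.0/16` to see the plan before applying it.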
