Published on 12 Mar 2019 · Filed in Tutorial · 620 words (estimated 3 minutes to read)
vpnc is a fairly well-known VPN connectivity package available for most Linux distributions. Although the vpnc web site describes it as a client for the Cisco VPN Concentrator, it works with a wide variety of IPSec VPN solutions. I’m using it to connect to a Palo Alto Networks-based solution, for example. In this post, I’d like to share how to set up split tunneling for vpnc.

Split tunneling, as explained in this Wikipedia article, allows remote users to access corporate resources over the VPN while still accessing non-corporate resources directly (as opposed to having all traffic routed across the VPN connection). Among other things, split tunneling allows users to access things on their home LAN—like printers—while still having access to corporate resources. For users who work 100% remotely, this can make daily operations much easier.
vpnc does support split tunneling, but setting it up doesn’t seem to be very well documented. I’m publishing this post in an effort to help spread information on how it can be done.

First, go ahead and create a configuration file for vpnc. For example, here’s a fictional configuration file:

All this information, naturally, has to reflect the correct configuration for your particular VPN setup. This is all reasonably well-documented in various vpnc tutorials. If you stop here, you’ll have a “regular” vpnc connection that will route all traffic across the VPN.

To do split tunneling, add this line at the end of your configuration file:
You can use whatever filename you want there (and put it wherever you want in the file system, although I prefer keeping it in /etc/vpnc). In the file you specified, add these contents:

The CISCO_SPLIT_INC value specifies how many networks are going to be configured to route across the VPN. In this example, there is only a single network being routed across the VPN. That network is provided by the CISCO_SPLIT_INC_0_ADDR, CISCO_SPLIT_INC_0_MASK, and CISCO_SPLIT_INC_0_MASKLEN entries, and in this case equates to 10.0.0.0/8.

If you have multiple/non-contiguous networks, then specify how many networks on the CISCO_SPLIT_INC line, and then repeat the lines above for each network, incrementing the number for each section. For two non-contiguous networks, you’d have a series of CISCO_SPLIT_INC_0_* lines (for the first network) followed by a set of CISCO_SPLIT_INC_1_* lines (for the second network).

The last line is important—this ties back to the script that comes packaged with vpnc to set up all the routing and such, as modified/directed by the values specified in your custom script. This allows you to customize the behavior of split tunneling on a per-connection basis.

Once you have your custom script in place, you can connect using sudo vpnc /etc/vpnc/config.conf (as normal). Once the connection is up, you can use ip route list to see that only the specified networks are being routed across the VPN. All other traffic still uses your local gateway.

Note that this solution does not address custom DNS resolver configurations. If you need to be able to resolve corporate hostnames and a DNS domain on your home LAN, additional steps are needed. I’ll try to document those soon (once I’ve had a chance to do some additional testing).
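As an added example (not part of the original post), the following POSIX shell function generates the custom script described above from a list of CIDR networks, so the CISCO_SPLIT_INC_<n>_* sections stay numbered from 0 and each MASK agrees with its MASKLEN. It assumes the packaged script lives at /etc/vpnc/vpnc-script, which is a placeholder path to adjust for your distribution.

```shell
#!/bin/sh
# Added example, not the original post's code: build a vpnc custom script that
# sets the CISCO_SPLIT_INC_* values and then hands off to the packaged
# vpnc-script. Assumption: the packaged script is at /etc/vpnc/vpnc-script.

# Convert a prefix length (0-32) to a dotted-decimal mask, e.g. 8 -> 255.0.0.0.
prefix_to_mask() {
    len=$1
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' \
        $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# Emit the complete custom script for the given CIDRs (one argument each).
# CISCO_SPLIT_INC is the count; sections are numbered 0, 1, ... as the post
# describes for multiple non-contiguous networks.
split_script() {
    n=0
    printf '#!/bin/sh\n'
    printf 'CISCO_SPLIT_INC=%d\n' "$#"
    for cidr in "$@"; do
        addr=${cidr%/*}
        len=${cidr#*/}
        printf 'CISCO_SPLIT_INC_%d_ADDR=%s\n' "$n" "$addr"
        printf 'CISCO_SPLIT_INC_%d_MASK=%s\n' "$n" "$(prefix_to_mask "$len")"
        printf 'CISCO_SPLIT_INC_%d_MASKLEN=%d\n' "$n" "$len"
        n=$((n + 1))
    done
    # Last line: source the packaged script so it programs only these routes
    # (placeholder path, see assumption above).
    printf '. /etc/vpnc/vpnc-script\n'
}

# Example invocation with two constructed, non-contiguous corporate networks.
split_script 10.0.0.0/8 172.16.20.0/24
```

Redirect the output to the file your configuration file points at, then connect and check ip route list as described above.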
Find me on Twitter if you have questions, comments, suggestions, or corrections. Thanks!
Update 4 Feb 2021: For systems running resolvectl or the equivalent, I’ve found that adding CISCO_SPLIT_DNS=domain1.com,domain2.com,domain3.com to the custom script will configure the DNS search domains for that connection, which may help address situations where you need to resolve both local hostnames on your LAN as well as corporate hostnames.
OpenConnect is known to work, with both IPv6 and Legacy IP, on Linux (including Android), OpenBSD, FreeBSD (including Debian GNU/kFreeBSD), NetBSD, DragonFly BSD, OpenIndiana/OpenSolaris, Solaris 10/11, Windows and Mac OS X platforms, and should be trivially portable to any other platform supporting TUN/TAP devices and on which GnuTLS or OpenSSL runs.

For Solaris support, and for IPv6 on any platform, the vpnc-script shipped with vpnc itself (as of v0.5.3) is not sufficient. It is necessary to use the script from the vpnc-scripts repository instead. That repository also contains an updated version of vpnc-script-win.js which is required for correct IPv6 configuration under Windows.

OpenConnect is known to work on at least i386, x86_64, PowerPC and MIPS processors, and should not have issues with portability to other CPUs.

Note that 'Cisco Secure Desktop' support may require the ability to run Linux/i386 binaries; see the CSD page. CSD is not yet supported under Windows.
Platform support for new UNIX systems is relatively simple to add—most of the difference is in the TUN/TAP device handling, and the major variants of that are already supported.
OpenConnect builds for Windows using MinGW in 32-bit and 64-bit mode, and works with the TAP-Windows driver shipped with OpenVPN (driver version 9.9 or later).