OpenWRT on an RPI using the OpenConnect client to connect to an AnyConnect server

Hi,

I have been looking at this for a while, and it seems like it should be simple, but I am clearly failing to get it to work. What I want to do is replace my local Cisco AnyConnect client (on a Windows 10 machine) with a "service" that does not cut off local network access. I use Synergy to share my keyboard and mouse, etc., but even with the AnyConnect client option "Allow local LAN access when using VPN" selected, it still cuts off Synergy, so local LAN access clearly hasn't been enabled on the ASA side, and is unlikely to be.

I have an RPI that I have put the current version of OpenWRT on, and I have installed the OpenConnect client. I have successfully configured this client to connect to the Cisco VPN service instead of using AnyConnect. I can see it connect in ifconfig, it has a valid IP, and I can access resources on the VPN (including DNS lookups) from the RPI.

I can also connect to the RPI on the wireless NIC/AP that I set up, and can access my local network. What I cannot do is get any traffic to use the VPN by default: if I try to browse the Internet, it goes via my local connection instead.

Initially, I followed this guide - https://medium.com/@behroozam/raspberry-pi-openwrt-openconnect-lan-connection-91ce9a17568d - and it got me some of the way, as described above, but not the whole way.

Also this documentation - https://openwrt.org/docs/guide-user/services/vpn/openconnect/client

My general config is below -

{
	"kernel": "4.14.195",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Raspberry Pi 2 Model B Rev 1.1",
	"board_name": "raspberrypi,2-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "brcm2708/bcm2709",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
package network

# Loopback interface (standard OpenWrt default).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfe:0caf:ca2e::/48'

# LAN bridge on eth0. The static 'gateway' and 'dns' entries here are what
# produce the "default via 192.168.1.2 dev br-lan" route and the
# "nameserver 8.8.8.8" line in /tmp/resolv.conf.auto shown further down:
# the router's default route is the home LAN, not the VPN tunnel.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.2'
	list dns '8.8.8.8'
	option ifname 'eth0'

# Wireless interface as a DHCP client; it is the member of the 'wan'
# firewall zone below.
config interface 'wlan0'
	option proto 'dhcp'

# OpenConnect client interface (brings up vpn-AnyConnect). The username
# and password are stored here in cleartext, so keep this config file
# readable by root only and redact it before sharing, as done here.
# 'serverhash' is expected to be the server certificate fingerprint that
# the client checks the VPN server against.
config interface 'AnyConnect'
	option proto 'openconnect'
	option username 'REMOVED'
	option serverhash 'REMOVED'
	option authgroup 'REMOVED'
	option password 'REMOVED'
	option server 'REMOVED'

package dhcp

# dnsmasq takes its upstream servers from /tmp/resolv.conf.auto (see the
# dump further down). That file currently lists both the VPN-pushed
# nameservers and 8.8.8.8 from the 'lan' interface, so unless the server
# order is restricted, lookups for internal names may be sent to 8.8.8.8
# as well as over the tunnel.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

# DHCP on the LAN bridge is switched off ('ignore' = 1); hosts on br-lan
# must get their addresses elsewhere.
config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option ignore '1'

# Refers to a network interface named 'wan', which the network config
# above does not define (the uplink interface is 'wlan0').
config dhcp 'wan'
	option interface 'wan'
	option ignore '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	# Traffic between zones is denied unless a zone or a 'forwarding'
	# section below explicitly allows it.
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# Uplink zone (wlan0). NOTE(review): input 'ACCEPT' makes every service
# running on the router reachable from the upstream side; the Allow-* rules
# below only have an effect once this is REJECT. forward 'ACCEPT' also lets
# traffic arriving on wlan0 be forwarded to other zones without a
# 'forwarding' section.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wlan0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# The rules below appear to be OpenWrt's stock inbound allowances for the
# 'wan' zone (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom iptables rules; the file shown below contains only the stock
# comment header, so nothing extra is applied.
config include
	option path '/etc/firewall.user'

# VPN zone. masq '1' is needed because the tunnel gets a single /32
# (10.254.93.175 in the ip addr output below), so forwarded LAN traffic has
# to be source-NATed to that address. NOTE(review): input 'ACCEPT' accepts
# connections to the router itself from the VPN side; the reply below
# suggests REJECT here.
config zone
	option name 'AnyConnect'
	option output 'ACCEPT'
	list network 'AnyConnect'
	option masq '1'
	option input 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

# lan -> VPN: the direction LAN clients need in order to use the tunnel.
config forwarding
	option dest 'AnyConnect'
	option src 'lan'

# VPN -> lan: allows connections *initiated* from the VPN side to reach
# LAN hosts. Return traffic for lan-initiated connections shouldn't need
# this, and the reply below questions why it is present.
config forwarding
	option src 'AnyConnect'
	option dest 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package vpn-policy-routing

# Policy-based routing is switched off ('enabled' = 0 at the end of this
# section), so the policies below currently have no effect. The main
# routing table shown further down has "default via 192.168.1.2 dev br-lan"
# and only split routes via vpn-AnyConnect, so without an active policy (or
# a default route over the tunnel) nothing sends general traffic to the VPN.
config vpn-policy-routing 'config'
	option verbosity '2'
	# NOTE(review): presumably makes traffic matching a policy get dropped
	# rather than fall back to the normal route when the target interface
	# is down (a leak guard) -- confirm against the package documentation.
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list supported_interface ''
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '0'

# Both bundled include files are disabled.
config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

# Catch-all policy intended to send everything via the VPN. NOTE: src_addr
# and dest_addr are written as bare addresses; as the reply below says, a
# catch-all needs the prefix form 0.0.0.0/0 (and src_addr can be omitted).
config policy
	option name 'Default'
	option src_addr '0.0.0.0'
	option dest_addr '0.0.0.0'
	option interface 'AnyConnect'

# Policy naming only an interface, with no match criteria.
config policy
	option interface 'wlan0'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
73: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
75: vpn-AnyConnect: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1390 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.254.93.175/32 brd 255.255.255.255 scope REMOVED vpn-AnyConnect
       valid_lft forever preferred_lft forever
default via 192.168.1.2 dev br-lan proto static 
10.0.0.0/8 dev vpn-AnyConnect proto static scope link 
10.254.80.0/20 dev vpn-AnyConnect proto static scope link 
100.64.0.0/10 dev vpn-AnyConnect proto static scope link 
168.238.65.0/24 dev vpn-AnyConnect proto static scope link 
168.238.66.0/24 dev vpn-AnyConnect proto static scope link 
168.238.200.0/24 dev vpn-AnyConnect proto static scope link 
172.16.0.0/12 dev vpn-AnyConnect proto static scope link 
185.41.45.100 via 192.168.1.2 dev br-lan proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
local 10.254.93.175 dev vpn-AnyConnect table local proto kernel scope host src 10.254.93.175 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Sep  6 16:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Nov 12 19:03 /tmp/resolv.conf
-rw-r--r--    1 root     root           126 Nov 12 19:20 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface AnyConnect
nameserver REMOVED
nameserver REMOVED
search REMOVED
# Interface lan
nameserver 8.8.8.8

I did play with PBR (vpn-policy-routing), but disabled it. Since I just want all traffic to go via the VPN, I didn't think it was necessary? I have removed any identifying company references.

I don't want any bypass rules; I'm happy for ALL traffic, including Internet traffic, to go via the VPN. As I said, I just want to keep Synergy working, and I happen to have a spare RPI.

What have I done wrong or missed?

Thanks!

First of all, src_addr and dest_addr are not correct; they should be 0.0.0.0/0 (a prefix, not a bare address).
src_addr can be omitted.
In the AnyConnect firewall zone you may want to change input to REJECT, so that the router's own services are not reachable from the VPN side.
Also, I don't see the reason for the AnyConnect->lan forwarding; it allows connections initiated from the VPN side to reach your LAN.

Thanks, I've updated the PBR rule. Should I then re-enable it?

The firewall forwarding was there because I was reading another document/guide where it was done both ways, so I decided to try it, since I wasn't making much progress.

Yes, sure.