Getting past the VPN or how I watch TV at work — Part 1 (The Problem)

Sacheendra Talluri
Nov 12, 2017


I am currently working on my thesis and a lot of the work right now involves reading papers and analysing data. After reading a few or starting an analysis on the university’s compute cluster, I kick back and watch a video on YouTube or Netflix to refresh myself. Often I work from home, and accessing papers from ACM or IEEE conferences through the university’s subscription requires connecting to the university network using the Cisco AnyConnect VPN software. The same goes for accessing the university’s compute cluster. The university VPN is provisioned with limited bandwidth and I do not want to hog all the resources watching HD videos while others might want to use the same thing for work. And my university doesn’t support split tunneling, where only sites on the university network would be accessed via the VPN and everything else normally.

This situation is faced by many at school or at work and I chose to spend a weekend finding a solution to this problem. In the end, I found a couple of solutions which I will present here.

  1. Run the VPN in a virtual machine and tunnel through it.
  2. Modify the VPN application binary so that it allows split tunneling.

The problem

The VPN software used by my university is Cisco AnyConnect. It seems to be popular software that universities and companies use. The first step was to figure out how the software actually made the VPN connection possible. I suspected that it had something to do with virtual network adapters and used the ifconfig command to find out if that was the case. As expected, whenever I ran the software it created a virtual network adapter by the name utun1. But that alone is not enough to route all my internet traffic through the VPN. I remembered that VPN software in general modifies the routing table to get its work done. So, I checked the routing table using netstat -nr. As expected, my default route had been changed to the IP address of the new virtual network interface created by the VPN software. This bit actually required a bit of searching around, as I discovered shortly that the command to list routes on Linux, route -n, could not be used on macOS and I had to use netstat.
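The routing-table check described above, as an added example that is not from the original post: a small POSIX shell script that parses two constructed `netstat -nr -f inet` snapshots (one taken before the VPN client connects and one after; the addresses, interface names and flags are made up for the example and are not from the author's machine), reports which routes the client added, and tells whether the default route now leaves through a utun interface. On a real machine the two snapshots would come from running `netstat -nr -f inet` before and after connecting.

```shell
#!/bin/sh
# Constructed sample of `netstat -nr -f inet` on macOS BEFORE the VPN client connects.
ROUTES_BEFORE='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGScg        en0
127                127.0.0.1          UCS          lo0
192.168.1          link#5             UCS          en0      !
192.168.1.1        aa:bb:cc:dd:ee:ff  UHLWIir      en0   1198'

# Constructed sample AFTER the client connects: it created utun1 and put a
# higher-priority default route on it (hypothetical VPN gateway 10.10.0.1).
ROUTES_AFTER='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.10.0.1          UGScg        utun1
default            192.168.1.1        UGScIg       en0
10.10.0.1          10.10.0.1          UH           utun1
127                127.0.0.1          UCS          lo0
192.168.1          link#5             UCS          en0      !
192.168.1.1        aa:bb:cc:dd:ee:ff  UHLWIir      en0   1198'

# Reduce a netstat snapshot to "<destination> <gateway> <netif>" lines,
# skipping the headers (route lines start with a digit or "default").
route_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^([0-9]|default)/ { print $1, $2, $4 }'
}

# Print "<gateway> <netif>" of the first (highest-priority) default route.
default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2, $4; exit }'
}

# Exit 0 if the default route leaves through a utun (tunnel) interface.
default_is_tunnel() {
    case "$(default_route "$1" | awk '{ print $2 }')" in
        utun*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the route entries present in the second snapshot but not the first.
added_routes() {
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    route_entries "$1" > "$before"
    route_entries "$2" > "$after"
    # grep exits 1 when nothing was added; that is not an error here.
    grep -vxF -f "$before" "$after" || true
    rm -f "$before" "$after"
}

# Usage: compare the two constructed snapshots.
echo "default route before: $(default_route "$ROUTES_BEFORE")"
echo "default route after:  $(default_route "$ROUTES_AFTER")"
echo "routes added by the VPN client:"
added_routes "$ROUTES_BEFORE" "$ROUTES_AFTER"
if default_is_tunnel "$ROUTES_AFTER"; then
    echo "all traffic now defaults to the tunnel interface"
fi
```

The same three functions work on live output: capture `netstat -nr -f inet` into a variable before and after connecting and pass the two strings to `added_routes`. The diff is the quickest way to see exactly what a client rewrites, which matters when it later refuses to let those entries be changed.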

So, I figured out that the VPN software was changing my default route. I figured it would be simple to just revert to my own default route and add custom routes for the sites I want to visit through the VPN (and I would be done before lunch. Oh, the folly!). I used the command sudo route delete default to delete the default route. To my utter confusion, I was unable to delete the route. A bit of searching revealed that the AnyConnect software apparently monitors the routing table and rolls back any manual change that does not conform to its policy.

During all my searching, I was made aware of an open source alternative to AnyConnect called OpenConnect. I quickly installed it using Homebrew with the command brew install openconnect. I tried connecting to the university VPN server using the OpenConnect client (the command for which I won’t reveal). Then, I tried changing the routes again using sudo route delete default and sudo route add default [original gateway IP address]. While OpenConnect doesn’t prevent me from changing the routing table, the result was a non-functional internet connection. This was resolved by adding the default route back to the interface created by AnyConnect using sudo route add default [IP address of utun1]. I have spent hours trying to diagnose why changing the route doesn’t work and I haven’t found a satisfactory solution. This method might actually work on Linux, but I haven’t tried that as of yet.

So, the problem to solve is this: send almost all internet traffic over my home internet, and send traffic to some specific sites and servers over the VPN. Neither the official Cisco software nor the open source alternative allows me to do this (at least on macOS). In further posts, I’ll describe the different ways I solved the problem.
