
Use Case: OpenConnect Full Tunneling VPN and LAN Access

James Swineson edited this page Nov 2, 2017 · 5 revisions

I have a company IT VPN (Cisco AnyConnect/OpenConnect) which tunnels everything once connected, so I lose access to my LAN while it is up. Using netns' per-process routing capability I can easily bypass this limitation: the VPN lives in its own network namespace, and only processes started inside that namespace use it.

Firstly we need to configure NAT for the netns: put the following content in /etc/default/netns-nat-vpn

GATEWAY_IP=10.192.1.1
CLIENT_IP=10.192.1.2
CIDR=30

(Note: make sure this range does not collide with your own LAN IP range or the VPN endpoint's IP range.)

Enable IP forwarding: edit /etc/sysctl.d/99-sysctl.conf, find the following two lines and uncomment them:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Apply changes using sysctl -p /etc/sysctl.d/99-sysctl.conf.

Set up a separate resolv.conf for the netns, since the VPN may overwrite the host's:

mkdir -p /etc/netns/vpn
echo "nameserver 8.8.8.8" | tee /etc/netns/vpn/resolv.conf

/etc/netns/vpn/resolv.conf will be bind-mounted over /etc/resolv.conf inside the netns vpn. (Systemd v233 and later only)

Then we set up netns:

systemctl start netns-nat@vpn

Enter the netns and bring up the VPN:

pi@raspberrypi:~$ sudo chnetns vpn openconnect vpn.contoso.com
POST https://vpn.contoso.com/
Connected to [VPN server IP address]:443
SSL negotiation with vpn.contoso.com
Connected to HTTPS on vpn.contoso.com
XML POST enabled
Please enter your username.
Username:contoso
POST https://vpn.contoso.com/auth
Please enter your password.
Password:
POST https://vpn.contoso.com/auth
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400
Connected as [IPv4] + [IPv6], using SSL + lz4

Now the VPN is up, but the routes it installed exist only inside that netns; the host's routing table is untouched.

Verify that we can switch between the company VPN and the local network easily:

pi@raspberrypi:~$ curl ip.sb
[IP address of my local ISP]
pi@raspberrypi:~$ sudo chnetns vpn curl ip.sb
[IP address of my company VPN]
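To make the plumbing behind netns-nat@vpn visible, here is an added example (my own sketch, not the project's unit file) that builds the same kind of NAT'd namespace from the GATEWAY_IP/CLIENT_IP/CIDR values above with plain iproute2 and iptables. The uplink interface name (eth0) and the interface name inside the namespace (also eth0) are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own netns-nat@ unit: the veth + NAT plumbing a
# NAT'd namespace needs, driven by the same GATEWAY_IP/CLIENT_IP/CIDR values the page
# puts in /etc/default/netns-nat-vpn. The uplink interface name eth0 is an assumption.
# Set DRY_RUN=1 to print the commands instead of executing them (real runs need root).
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# netns_nat_up NAME GATEWAY_IP CLIENT_IP CIDR UPLINK
# The host keeps GATEWAY_IP on veth-NAME; the namespace gets CLIENT_IP on eth0 and
# routes everything via the host, which masquerades it out of UPLINK. When openconnect
# later creates its tun device inside NAME, the routes it installs stay in NAME.
netns_nat_up() {
    ns=$1 gw=$2 client=$3 cidr=$4 uplink=$5
    host_if="veth-$ns"
    run ip netns add "$ns"
    run ip link add "$host_if" type veth peer name eth0 netns "$ns"
    run ip addr add "$gw/$cidr" dev "$host_if"
    run ip link set "$host_if" up
    run ip -n "$ns" addr add "$client/$cidr" dev eth0
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set eth0 up
    run ip -n "$ns" route add default via "$gw"
    run sysctl -q -w net.ipv4.ip_forward=1
    # Only the namespace's /CIDR block is masqueraded, and forwarding is limited to
    # the veth <-> uplink pair, so the namespace cannot reach other host interfaces.
    run iptables -t nat -A POSTROUTING -s "$client/$cidr" -o "$uplink" -j MASQUERADE
    run iptables -A FORWARD -i "$host_if" -o "$uplink" -j ACCEPT
    run iptables -A FORWARD -i "$uplink" -o "$host_if" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# netns_nat_down NAME CLIENT_IP CIDR UPLINK: deleting the namespace also removes the
# veth pair, so only the iptables rules need explicit cleanup.
netns_nat_down() {
    ns=$1 client=$2 cidr=$3 uplink=$4
    host_if="veth-$ns"
    run iptables -D FORWARD -i "$uplink" -o "$host_if" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -D FORWARD -i "$host_if" -o "$uplink" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$client/$cidr" -o "$uplink" -j MASQUERADE
    run ip netns del "$ns"
}

# Dry run with the page's values, so the script is safe to execute as-is.
(DRY_RUN=1; netns_nat_up vpn 10.192.1.1 10.192.1.2 30 eth0)
```

After a real run, `sudo chnetns vpn openconnect vpn.contoso.com` behaves exactly as in the session above, and `netns_nat_down vpn 10.192.1.2 30 eth0` undoes everything.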