
Use Case: OpenConnect Full Tunneling VPN and LAN Access

James Swineson edited this page Dec 2, 2021 · 5 revisions

Note: This setup implicitly enables forwarding (routing) for both IPv4 and IPv6 on the host, which may be a security risk in your environment. You can check the current state with sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding, and you might need to adjust your firewall's FORWARD rules so that only traffic to and from the netns is forwarded.

I have a company IT VPN (Cisco AnyConnect/OpenConnect) that tunnels everything, so once connected I can no longer reach my LAN. Using the per-process routing that a network namespace (netns) provides, this limitation is easy to work around: the VPN client and its routes live in a separate netns, while the host keeps its normal routing table.

First, configure NAT for the netns by putting the following content in /etc/default/netns-nat-vpn:

IPADDR_OUTSIDE=10.192.1.1/30
IPADDR=10.192.1.2/30
GATEWAY=10.192.1.1/30

(Note: choose a range that does not collide with your LAN range or with the address pool the VPN endpoint hands out.)

Set up a separate resolv.conf for the netns, since the VPN client may overwrite the host's:

mkdir -p /etc/netns/vpn
echo "nameserver 8.8.8.8" | tee /etc/netns/vpn/resolv.conf

/etc/netns/vpn/resolv.conf is bind-mounted over /etc/resolv.conf inside the netns named vpn, so the VPN client only ever touches that copy.

Then start the netns and its NAT setup:

systemctl start netns-nat@vpn

Enter netns and set up VPN:

pi@raspberrypi:~$ sudo chnetns vpn openconnect vpn.contoso.com
POST https://vpn.contoso.com/
Connected to [VPN server IP address]:443
SSL negotiation with vpn.contoso.com
Connected to HTTPS on vpn.contoso.com
XML POST enabled
Please enter your username.
Username:contoso
POST https://vpn.contoso.com/auth
Please enter your password.
Password:
POST https://vpn.contoso.com/auth
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400
Connected as [IPv4] + [IPv6], using SSL + lz4

The VPN is now up, but its tunnel interface and routes exist only inside that netns; the host's routing table is untouched.

Verify we can switch between company VPN and local network easily:

pi@raspberrypi:~$ curl ip.sb
[IP address of my local ISP]
pi@raspberrypi:~$ sudo chnetns vpn curl ip.sb
[IP address of my company VPN]

Note: If you cannot reach the Internet from outside the netns while the VPN is connected, check /etc/resolv.conf on the host again and remove any entries the VPN client added; older systemd versions may not keep the host copy separate.
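The whole procedure above, as an added example script (not part of the netns project or this page): it refuses a /30 that collides with the LAN or VPN ranges you pass in (the caveat under the config step), writes the same three keys into /etc/default/netns-nat-vpn, prepares the netns resolv.conf, starts netns-nat@vpn, and afterwards repeats the ip.sb comparison to confirm that only the netns goes through the VPN. The function names, the apply/check sub-commands and the use of ip.sb from inside the script are assumptions; chnetns, netns-nat@ and the file paths are the ones the page uses.

```shell
#!/bin/sh
# Added example, not project code. Run as root:  sh netns-vpn.sh apply LAN_CIDR VPN_POOL_CIDR
# then start openconnect inside the netns as on the page, then:  sh netns-vpn.sh check
set -u

# ip_to_int DOTTED_QUAD -> prints the address as a 32-bit integer (POSIX sh, no 'local')
ip_to_int() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask PREFIXLEN -> prints the integer mask (30 -> 4294967292)
netmask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_overlap A/LEN B/LEN -> exit 0 if the two blocks share at least one address.
# Two blocks overlap iff they agree on every bit covered by the shorter prefix.
cidr_overlap() {
  _alen=${1#*/}; _blen=${2#*/}
  _len=$_alen
  if [ "$_blen" -lt "$_len" ]; then _len=$_blen; fi
  _m=$(netmask "$_len")
  [ $(( $(ip_to_int "${1%/*}") & _m )) -eq $(( $(ip_to_int "${2%/*}") & _m )) ]
}

# write_nat_config FILE OUTSIDE INSIDE RANGE... -> writes the netns-nat env file with the
# three keys from this page, unless OUTSIDE collides with any RANGE (LAN, VPN pool, ...).
write_nat_config() {
  _file=$1; _outside=$2; _inside=$3; shift 3
  for _r in "$@"; do
    if cidr_overlap "$_outside" "$_r"; then
      echo "refusing: $_outside collides with $_r" >&2
      return 1
    fi
  done
  # GATEWAY is the outside (host-side) address, exactly as in the page's config.
  printf 'IPADDR_OUTSIDE=%s\nIPADDR=%s\nGATEWAY=%s\n' "$_outside" "$_inside" "$_outside" > "$_file"
}

# split_ok NAME -> exit 0 when the public IP seen from inside netns NAME differs from the
# one seen on the host, i.e. only the netns is routed through the VPN. Needs root, chnetns
# and network access; ip.sb is the lookup service used on this page.
split_ok() {
  _host=$(curl -s ip.sb) || return 2
  _ns=$(chnetns "$1" curl -s ip.sb) || return 2
  [ -n "$_host" ] && [ -n "$_ns" ] && [ "$_host" != "$_ns" ]
}

if [ "${1:-}" = apply ]; then
  # Same /30 as the page; collision check against the LAN and VPN pool given on the command line.
  write_nat_config /etc/default/netns-nat-vpn 10.192.1.1/30 10.192.1.2/30 "$2" "$3" || exit 1
  mkdir -p /etc/netns/vpn && echo "nameserver 8.8.8.8" > /etc/netns/vpn/resolv.conf
  systemctl start netns-nat@vpn || exit 1
  # Forwarding is now on for the host (see the note at the top of the page); show it so the
  # operator remembers to constrain the FORWARD chain.
  echo "forwarding: ipv4=$(cat /proc/sys/net/ipv4/ip_forward) ipv6=$(cat /proc/sys/net/ipv6/conf/all/forwarding)"
  echo "next: chnetns vpn openconnect vpn.contoso.com ; then: sh $0 check"
elif [ "${1:-}" = check ]; then
  if split_ok vpn; then echo "split routing OK"; else echo "host and netns see the same public IP" >&2; exit 1; fi
fi
```

The overlap test works on the shorter of the two prefixes, so it also catches the common mistake of picking a /30 inside a larger LAN such as 10.192.0.0/16, not just an identical block.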
