# vpn/ssl, openconnect or openvpn? [solved]

## nordic bro

does it matter which?  I think I have simple requirements (vpn is for my job from a home computer), got an openconnect 3.02 ebuild and can currently get logged onto the vpn.  my concern is that I only want work-related web browser page accesses to go to the vpn with all others and unrelated internet activity to continue using my non-vpn internet access.  I think I can do this with openconnect using dnsmasq and the gentoo vpnc how-to but I'm wondering if starting off by using openvpn would be a better choice? 

thanks.

Last edited by nordic bro on Mon Apr 01, 2013 10:00 pm; edited 1 time in total

----------

## depontius

Using dnsmasq to separate work-related dns requests is part of your solution.  The other part is to run "netstat -nr" and see how your packets are being routed.

I just happen to be logged in to my employer's VPN with openconnect at this very moment, though I'm not interested in separating traffic, as you are.  When I run "netstat -nr" I see that the default route is still through my internet connection, and I only go through the vpn for employer-specific subnets.  This may well depend on your employer's policies - they could set a route to get to their VPN server through your normal connect, and make the default route through the VPN - if they wanted.

I've also used OpenVPN to get to my own LAN, though not lately.  Last time I tried it, I got the connection OK and could get to the system where OpenVPN was running OK, but could not get routed to any of my other systems.  Others suggested bridged mode instead of routed, but I'd rather not do that.

----------

## nordic bro

ok thanks, think I'll stick with openconnect then since it's already set up and seems to do all I need.

would you or anyone else know if I'm understanding the routing?

no vpn:

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

logged in to vpn:

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.33.56.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.100.79.0     0.0.0.0         255.255.255.240 U     0      0        0 tun0
10.200.202.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.196.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.197.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.197.3   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.197.4   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.198.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
209.company_IP  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
```

after reading (mostly in vain) about how to interpret a routing table, I think my company's vpn already has it set up such that only addrs it's interested in actually go to it?  if so that's perfect.

iow if all my traffic was going through the vpn their 209.* addr would be somewhere in the gateway column?  or no?  this is so confusing

anyway presuming vpn is only looking for work-related traffic, if I did 'route del 209.company_IP eth0' after being logged into vpn, route -n confirmed all the above were still there w/the exception of 209.*, and my browser still works elsewhere, does that mean the company's vpn path truly is separate from non-work traffic?

----------

## depontius

That first line under "Destination" with "0.0.0.0" is your default gateway, and it is indeed not your VPN.  Default traffic goes out through eth0, as well as the traffic to the VPN server at 192.168.1.0.  Besides the loopback entry, the rest routes through tun0 - your VPN.

----------

## nordic bro

great, thanks so much for the help, think I'm all set.

----------

