How to Customize Split-Tunnel Routing in Cisco AnyConnect VPN for Selective Subnet Access

When working with Cisco AnyConnect VPN (particularly versions 4.10+), administrators often enforce strict split-tunnel routing policies that route all traffic through the corporate network except specific private subnets. This becomes problematic when you only need to access a few specific services (like web ports 80/443 or SSH on port 22) in a particular Class C subnet.

The default configuration typically looks like this in the routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.1.1       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.0.0.0        192.168.1.1     255.0.0.0       UG    0      0        0 eth0
172.0.0.0       192.168.1.1     255.0.0.0       UG    0      0        0 eth0

Here are three effective approaches to customize the routing behavior:

1. Post-Connection Route Modification (Linux/Mac)

Create a script that runs after VPN connection to modify routes:

#!/bin/bash
# Wait for the VPN interface to come up
while ! ip a show tun0 up > /dev/null 2>&1; do
    sleep 1
done

# Remove the tunnel's catch-all route. In the table above it appears as
# destination 0.0.0.0 with genmask 128.0.0.0 (i.e. 0.0.0.0/1), not as a
# plain "default" entry, so it has to be deleted by that prefix.
sudo ip route del 0.0.0.0/1 via 10.10.1.1 dev tun0

# Add specific routes for corporate resources
sudo ip route add 192.168.100.0/24 via 10.10.1.1 dev tun0

2. Proxy Server Approach

Set up a minimal Squid proxy in a VM:

docker run -d --name vpn-proxy \
  -p 3128:3128 \
  -e SQUID_ALLOW_CORPORATE_NET=192.168.100.0/24 \
  sameersbn/squid:3.5.27-2

Configure browser or applications to use this proxy only for corporate resources.

3. SSHuttle for Selective Tunneling

This Python-based tool creates a VPN-like experience over SSH:

sshuttle -r user@corporate-gateway 192.168.100.0/24 --dns

For Windows systems, you can use PowerShell to modify routes post-connection:

Start-Process -Verb RunAs -FilePath "netsh" -ArgumentList "interface ip delete route 0.0.0.0/0 interface=tun0"
Start-Process -Verb RunAs -FilePath "netsh" -ArgumentList "interface ip add route 192.168.100.0/24 interface=tun0 nexthop=10.10.1.1"

Before implementing any workaround:

  • Review corporate security policies
  • Ensure you're not bypassing important security controls
  • Maintain endpoint protection when using split-tunnel configurations
  • Consider using the corporate-approved client with proper exception requests

These techniques work with AnyConnect versions 4.10.x through 5.x. The exact implementation may vary slightly depending on your OS and network configuration.
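An added check, not part of either post: it parses the `route -n` table shown above (embedded here as a constructed string, with the 128.0.0.0/1 companion route that AnyConnect normally installs beside 0.0.0.0/1 added as an assumption) and reports which interface would carry a given destination, which interface ends up owning each half of the address space, and which prefixes bypass the tunnel. Running the same functions over live `route -n` output shows what a routing change actually did rather than what was intended.

```python
import ipaddress

# Constructed sample: the `route -n` table from the post above, plus the
# second AnyConnect half-route (128.0.0.0/1) assumed to accompany 0.0.0.0/1.
ROUTE_N_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.1.1       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.10.1.1       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.0.0.0        192.168.1.1     255.0.0.0       UG    0      0        0 eth0
172.0.0.0       192.168.1.1     255.0.0.0       UG    0      0        0 eth0
"""

def parse_route_table(text):
    """Turn `route -n` output into dicts with an IPv4Network per row."""
    routes = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append({"net": ipaddress.IPv4Network((dest, mask), strict=False),
                       "gateway": gw, "flags": flags,
                       "metric": int(metric), "iface": iface})
    return routes

def best_route(routes, ip):
    """Longest-prefix match with metric as tie-breaker, as the kernel does."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in routes if addr in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

def effective_default(routes):
    """Interface that catches otherwise-unmatched traffic, per /1 half.
    Two /1 routes beat a /0 default without deleting it, which is why
    `ip route del default` leaves the tunnel's catch-all in place."""
    result = {}
    for half in ("0.0.0.0/1", "128.0.0.0/1"):
        net = ipaddress.IPv4Network(half)
        covering = [r for r in routes if r["net"].prefixlen <= 1 and net.subnet_of(r["net"])]
        best = min(covering, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)
        result[half] = best["iface"] if best else None
    return result

def excluded_from(routes, tunnel_iface="tun0"):
    """Prefixes more specific than /1 that are routed around the tunnel."""
    return sorted(str(r["net"]) for r in routes
                  if r["iface"] != tunnel_iface and r["net"].prefixlen > 1)
```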


When working remotely with Cisco AnyConnect VPN, many developers encounter the frustrating default routing behavior where all traffic except 10.0.0.0/8 and 172.0.0.0/8 gets routed through the VPN tunnel. This creates unnecessary latency for non-work traffic while preventing fine-grained control over which specific resources should use the tunnel.

Here are three practical approaches I've tested across different OS environments:

1. Network Namespace Isolation (Linux)

Create a dedicated network namespace for VPN traffic:

sudo ip netns add vpnspace
# A fresh namespace has no uplink: it needs a veth pair (or a moved interface)
# with a route to the Internet before openconnect can reach the gateway
sudo ip netns exec vpnspace openconnect vpn.company.com
# Then add specific routes
sudo ip netns exec vpnspace ip route add 192.168.100.0/24 dev tun0

2. Proxy Server Configuration

Set up a Squid proxy on a Linux VM with selective routing:

# In /etc/squid/squid.conf
acl vpn_subnet src 192.168.100.0/24
http_access allow vpn_subnet
tcp_outgoing_address 192.168.100.1 vpn_subnet

3. Policy-Based Routing (Windows)

Using PowerShell to override AnyConnect routes:

# Remove the tunnel's catch-all route only; without -InterfaceAlias this
# would also delete the physical adapter's default route
Remove-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceAlias "Cisco AnyConnect" -Confirm:$false

# Add specific routes
New-NetRoute -DestinationPrefix "192.168.100.0/24" -InterfaceAlias "Cisco AnyConnect"

For developers needing just SSH access, consider this SOCKS proxy approach:

ssh -D 1080 -p 22 user@vpn-gateway.company.com -o "ProxyCommand=nc -X connect -x localhost:8080 %h %p"

Remember that bypassing corporate VPN policies may violate acceptable use agreements. These methods should only be used:

  • When explicitly permitted by IT policies
  • For performance optimization of approved services
  • Without compromising network security controls