github.com/igoogolx/clash@v1.19.8/docs/advanced-usages/openconnect.md

---
sidebarTitle: Rule-based OpenConnect
sidebarOrder: 2
---

# Rule-based OpenConnect

OpenConnect supports Cisco AnyConnect SSL VPN, Juniper Network Connect, Palo Alto Networks (PAN) GlobalProtect SSL VPN, Pulse Connect Secure SSL VPN, F5 BIG-IP SSL VPN, FortiGate SSL VPN and Array Networks SSL VPN.

For example, there would be a use case where your company uses Cisco AnyConnect for internal network access. Here I'll show you how you can use OpenConnect with policy routing powered by Clash.

First, [install vpn-slice](https://github.com/dlenski/vpn-slice#requirements). This tool overrides the default routing table behaviour of OpenConnect. Put simply, it stops the VPN from replacing your default routes, so only the traffic Clash sends to the TUN device goes through the VPN.

Next you would have a script (let's say `tun0.sh`) similar to this:

```sh
#!/bin/bash
ANYCONNECT_HOST="vpn.example.com"
ANYCONNECT_USER="john"
ANYCONNECT_PASSWORD="foobar"
ROUTING_TABLE_ID="6667"
TUN_INTERFACE="tun0"

# Add --no-dtls if the server is in mainland China. UDP in China is choppy.
# The --script hook runs vpn-slice and then adds (on connect) or removes
# (on disconnect) a policy-routing rule and a default route in a dedicated
# routing table, leaving the main routing table untouched.
echo "$ANYCONNECT_PASSWORD" | \
openconnect \
    --non-inter \
    --passwd-on-stdin \
    --protocol=anyconnect \
    --interface "$TUN_INTERFACE" \
    --script "vpn-slice
if [ \"\$reason\" = 'connect' ]; then
    ip rule add from \$INTERNAL_IP4_ADDRESS table $ROUTING_TABLE_ID
    ip route add default dev \$TUNDEV scope link table $ROUTING_TABLE_ID
elif [ \"\$reason\" = 'disconnect' ]; then
    ip rule del from \$INTERNAL_IP4_ADDRESS table $ROUTING_TABLE_ID
    ip route del default dev \$TUNDEV scope link table $ROUTING_TABLE_ID
fi" \
    --user "$ANYCONNECT_USER" \
    "https://$ANYCONNECT_HOST"
```

After that, we configure it as a systemd service. Create `/etc/systemd/system/tun0.service`:

```ini
[Unit]
Description=Cisco AnyConnect VPN
After=network-online.target
Conflicts=shutdown.target sleep.target

[Service]
Type=simple
ExecStart=/path/to/tun0.sh
KillSignal=SIGINT
Restart=always
RestartSec=3
StartLimitIntervalSec=0

[Install]
WantedBy=multi-user.target
```

Then we enable & start the service.

```shell
chmod +x /path/to/tun0.sh
systemctl daemon-reload
systemctl enable tun0
systemctl start tun0
```

From here you can look at the logs to see if it's running properly. A simple way is to check whether the `tun0` interface has been created.

Similar to the WireGuard guide, routing an outbound through a TUN device is as simple as adding a proxy group:

```yaml
proxy-groups:
  - name: Cisco AnyConnect VPN
    type: select
    interface-name: tun0
    proxies:
      - DIRECT
```

... and it's ready to use! Add the desired rules:

```yaml
rules:
  - DOMAIN-SUFFIX,internal.company.com,Cisco AnyConnect VPN
```

You should look at the debug level logs when something does not seem right.
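Besides the logs, the policy routing itself can be verified. The following health check is an added example, not part of the Clash docs or of `tun0.sh`: it confirms that the `ip rule` for table `6667` and the default route via `tun0` exist, and that the VPN did not take over the default route in the main table (the behaviour vpn-slice is there to prevent). The function names, the live wrapper and the sample iproute2 output are constructed here.

```shell
#!/bin/sh
# Added health check for the policy routing that tun0.sh sets up (not part of
# the Clash docs). The sample outputs below are constructed, not captured.
TABLE_ID="6667"        # same routing table as ROUTING_TABLE_ID in tun0.sh
TUN_INTERFACE="tun0"   # same TUN device as in tun0.sh

# check_vpn_routing RULES VPN_TABLE MAIN_TABLE
#   RULES      = output of `ip rule show`
#   VPN_TABLE  = output of `ip route show table $TABLE_ID`
#   MAIN_TABLE = output of `ip route show`
# Returns 0 when routing looks right, 1/2/3 for the three failure modes below.
check_vpn_routing() {
    # 1. A "from <internal VPN IP> lookup 6667" rule must exist.
    if ! printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from [0-9./]+ lookup $TABLE_ID[[:space:]]*\$"; then
        echo "FAIL: no 'ip rule ... lookup $TABLE_ID' entry (did the --script hook run?)" >&2
        return 1
    fi
    # 2. Table 6667 must send everything out of the TUN device.
    if ! printf '%s\n' "$2" | grep -Eq "^default dev $TUN_INTERFACE([[:space:]]|\$)"; then
        echo "FAIL: table $TABLE_ID has no default route via $TUN_INTERFACE" >&2
        return 2
    fi
    # 3. The main table must NOT route default traffic into the VPN; selection is Clash's job.
    if printf '%s\n' "$3" | grep -Eq "^default .*dev $TUN_INTERFACE([[:space:]]|\$)"; then
        echo "FAIL: main table default route goes through $TUN_INTERFACE" >&2
        return 3
    fi
    return 0
}

# Run against the live system (needs iproute2 and the VPN up).
live_check() {
    check_vpn_routing "$(ip rule show)" \
                      "$(ip route show table "$TABLE_ID")" \
                      "$(ip route show)"
}

# Constructed sample output, shaped like iproute2 prints it, for offline use.
SAMPLE_RULES='0:      from all lookup local
32765:  from 10.8.0.5 lookup 6667
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_VPN_TABLE='default dev tun0 scope link'
SAMPLE_MAIN_OK='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'
SAMPLE_MAIN_HIJACKED='default dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'
check_vpn_routing "$SAMPLE_RULES" "$SAMPLE_VPN_TABLE" "$SAMPLE_MAIN_OK" && echo "sample: routing OK"
```

On a real host, call `live_check` after `systemctl start tun0`; a non-zero exit tells you which of the three conditions failed.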