Hi,
I am using Ubuntu 22.04 and set up an Ubuntu 22.04 Server virtual machine using virt-manager
(QEMU/KVM). The NIC is set up in Bridge and I am able to access the internet from the Guest machine. When the Host is connected to a VPN (e.g. using OpenVPN), the Guest machine uses the same network connection (net.ipv4.ip_forward=1) and therefore has access to resources within the VPN.
My employers recently moved to Cisco AnyConnect VPN which is configured to use SAML. While it works well on the Host machine using the AnyConnect client, the Guest machine does not have access to resources on the VPN.
Was anyone successful with such a setup? I tried using openconnect and openconnect-sso but was unsuccessful - I believe because of SAML configuration. I was also looking at installing AnyConnect on the Guest machine as a last resort, but AnyConnect does not support SAML through the CLI. TIA.
Managed to find a workaround by implementing the following rules in IPTables on the host machine:
iptables --insert ciscovpn 102 --protocol all --src 10.0.0.0/8 --dst 192.168.122.0/24 --jump RETURN
iptables --insert ciscovpn 103 --protocol all --src 192.168.122.0/24 --dst 10.0.0.0/8 --jump RETURN
Note that these rules might need adjustment as their positions (102 and 103) are hardcoded (and they need to be hardcoded so as to be in place before the DROP rules).
The issue comes about since the Cisco VPN installs several IPTables rules (in a chain called ‘ciscovpn’) to ensure that only the VPN IP is allowed to communicate across the tunnel. The problem is that Linux/IPTables performs source NAT (from the Guest VM IP to the VPN interface IP) after routing and firewalling has been done (i.e. in the POSTROUTING table). As a result, the packet still has the guest VM IP when the ciscovpn FW rules are processed and is hence dropped.
I was also looking at installing AnyConnect on the Guest machine as a last resort, but AnyConnect does not support SAML through the CLI.
I’m using that in my job as well. It has a gui client (vpnui) which supports SSO and also 2FA.
This was super helpful thank you! I made a quick little script:
#!/bin/sh
# Find the line number of the first DROP rule in the ciscovpn chain
LINE=$(iptables --list ciscovpn -v -n --line-numbers | grep 'DROP' | head -n 1 | awk '{print $1}')
[ -n "$LINE" ] || { echo "no DROP rule found in ciscovpn chain" >&2; exit 1; }
# Insert just above it (iptables positions start at 1, so never go below 1)
COUNT=$((LINE - 1))
[ "$COUNT" -ge 1 ] || COUNT=1
iptables --insert ciscovpn "${COUNT}" --protocol all --src 192.168.122.0/24 --dst 0.0.0.0/0 --jump RETURN
iptables --insert ciscovpn "${COUNT}" --protocol all --src 10.0.0.0/8 --dst 192.168.122.0/24 --jump RETURN
I also changed the destination of the rule that has the virt subnet as its source to 0.0.0.0/0 so the VM could ping out to everything.
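As an added example (not code posted by anyone in this thread), the same idea written so it can be re-run safely: it parses a listing of the ciscovpn chain for the first DROP, picks the insert position directly above it, and emits "check, else insert" commands so a reconnect does not leave duplicate rules. The listing, subnets and the 10.20.30.40 address are constructed placeholders, not taken from a real chain.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds the first DROP in the ciscovpn
# chain from a listing and prints idempotent insert commands for the two RETURN
# rules; run with DO_RUN=1 as root to apply them to the live chain instead.
VM_NET="192.168.122.0/24"   # libvirt virbr0 subnet used in the thread
VPN_NET="10.0.0.0/8"        # VPN address space used in the thread

# Constructed listing, standing in for: iptables --list ciscovpn -v -n --line-numbers
SAMPLE_LISTING='Chain ciscovpn (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       12  1024 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       40  5120 RETURN     all  --  *      *       10.20.30.40          0.0.0.0/0
3        3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Line number of the first DROP rule in a listing read from stdin (column 4 = target).
first_drop_line() {
    awk '$4 == "DROP" { print $1; exit }'
}

# Position to insert at: the DROP rule's own number, so new rules land directly
# above it and are evaluated first. With no DROP present, insert at the top.
insert_position() {
    pos=$(first_drop_line)
    if [ -n "$pos" ] && [ "$pos" -ge 1 ]; then echo "$pos"; else echo 1; fi
}

# Print one "check (-C), else insert (-I)" command so re-running never duplicates a rule.
rule_cmd() {
    pos=$1; shift
    echo "iptables -C ciscovpn $* 2>/dev/null || iptables -I ciscovpn $pos $*"
}

# Guest -> anywhere and VPN -> guest leave the ciscovpn chain (RETURN) before the DROP,
# which is what lets the still-un-NATed guest source address through (see the thread).
plan_rules() {
    pos=$1
    rule_cmd "$pos" --protocol all --src "$VM_NET" --dst 0.0.0.0/0 --jump RETURN
    rule_cmd "$pos" --protocol all --src "$VPN_NET" --dst "$VM_NET" --jump RETURN
}

if [ "${DO_RUN:-0}" = 1 ]; then
    pos=$(iptables --list ciscovpn -v -n --line-numbers | insert_position)
    plan_rules "$pos" | sh
else
    pos=$(printf '%s\n' "$SAMPLE_LISTING" | insert_position)
    plan_rules "$pos"
fi
```

Without DO_RUN=1 the script only prints the commands it would run against the constructed listing, which is a convenient way to review them before touching the live chain.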
I understand this would require the Ubuntu GUI, right?