Routing all traffic via a VPN using openconnect

I recently had to connect to my university’s VPN to get access to statistics by statista. I connected using openconnect, an Open Source Cisco-Anyconnect-Compliant VPN software. However, it turned out that my university’s VPN config only routes university intranet traffic via the VPN, leaving all other traffic to be send via the default interface. Statista, obviously not belonging to my university’s intranet, thus refused to serve me premium statistics.

A simple ip route show revealed that openconnect configured a whole bunch of link local routes, that it makes available through the tun0 interface. Here, scope link means that hosts in the respective (sub-)net are directly addressable, without need for routing. ARP (Adress Resolution Protocol — IPv4) or NDP (Neighbor Discovery Protocol — IPv6) should therefore yield MAC-Address—IP-Address pairs for these hosts.

The following is an (anonymized) excerpt of the entries revealed by ip route show:

default via 192.168.178.1 dev wlan0
xyz.xyz.xyz.xy dev tun0 scope link
xyz.xyz.xyz.xy dev tun0 scope link
xyz.xyz.xyz.xy dev tun0 scope link
xyz.xyz.xyz.xy dev tun0 scope link

Notably, the default route remained at default via 192.168.178.1 dev wlan0.

So how do we route all traffic through tun0. Simple:

ip route del default via 192.168.178.1 dev wlan0
ip route add default via xyz.xyz.xyz.xyz dev tun0

And that’s it. Simply changing the default route forces all traffic to go through the VPN-tunnel, thus unlocking Statista statistics. xyz.xyz.xyz.xyz here refers to the IP-address that we hold on the tun0 interface.