Rule-based OpenConnect

This page explains how to route selected traffic through an OpenConnect-style tunnel while the rest stays under Clash rule control, and how to check for route conflicts.

Overview

Rule-based OpenConnect routes selected traffic through an OpenConnect-style path while leaving other traffic under normal Clash rule control.

Use cases

This is useful when a specific work, campus or private network requires OpenConnect but the rest of your traffic should remain governed by normal proxy groups.

Configuration notes

Keep authentication, server address and certificate behavior documented outside the main profile. Use specific rules so private-network traffic enters the OpenConnect path only when intended.

Support checks

Separate authentication checks from routing checks. If login succeeds but traffic does not flow as expected, inspect the Clash rules and DNS. If login itself fails, inspect the server certificate, the credentials and network reachability of the server.

Reference examples

These examples mirror the corresponding Chinese documentation page so the English page carries the same configuration material.

tun0.sh:

#!/bin/bash
ANYCONNECT_HOST="vpn.example.com"
ANYCONNECT_USER="john"
ANYCONNECT_PASSWORD="foobar"
ROUTING_TABLE_ID="6667"
TUN_INTERFACE="tun0"

# Feed the password on stdin and run OpenConnect in the foreground. The inline --script
# first calls vpn-slice to configure the tunnel; on connect it then adds a policy-routing
# rule for the tunnel address and a default route in a dedicated table (so only sockets
# bound to tun0, i.e. the Clash group below, take the tunnel), and removes both on disconnect.
echo "$ANYCONNECT_PASSWORD" | \
  openconnect \
    --non-inter \
    --passwd-on-stdin \
    --protocol=anyconnect \
    --interface "$TUN_INTERFACE" \
    --script "vpn-slice
if [ \"\$reason\" = 'connect' ]; then
  ip rule add from \$INTERNAL_IP4_ADDRESS table $ROUTING_TABLE_ID
  ip route add default dev \$TUNDEV scope link table $ROUTING_TABLE_ID
elif [ \"\$reason\" = 'disconnect' ]; then
  ip rule del from \$INTERNAL_IP4_ADDRESS table $ROUTING_TABLE_ID
  ip route del default dev \$TUNDEV scope link table $ROUTING_TABLE_ID
fi" \
    --user "$ANYCONNECT_USER" \
    "https://$ANYCONNECT_HOST"

tun0.service (systemd unit):

[Unit]
Description=Cisco AnyConnect VPN
Wants=network-online.target
After=network-online.target
Conflicts=shutdown.target sleep.target
StartLimitIntervalSec=0

[Service]
Type=simple
ExecStart=/path/to/tun0.sh
KillSignal=SIGINT
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target

Install and start the service:

chmod +x /path/to/tun0.sh
systemctl daemon-reload
systemctl enable tun0
systemctl start tun0

Clash configuration:

proxy-groups:
  - name: Cisco AnyConnect VPN
    type: select
    interface-name: tun0
    proxies:
      - DIRECT
rules:
  - DOMAIN-SUFFIX,internal.company.com,Cisco AnyConnect VPN
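The routing half of the support checks described above, as an added example that is not part of the Clash or OpenConnect documentation: it checks `ip rule` and `ip route` output for the policy routing that tun0.sh installs, and scans the Clash rules for non-specific matchers that would push unintended traffic into the VPN group. The sample command outputs are constructed; the table id, interface and group name mirror the reference configuration.

```shell
#!/bin/bash
# Added example (not from the Clash or OpenConnect projects). Checks the routing side of the
# setup on this page in two independent pieces: the policy routing that tun0.sh installs,
# and the Clash rules that select traffic for the VPN group. Values mirror the reference config.
ROUTING_TABLE_ID="6667"
TUN_INTERFACE="tun0"
VPN_GROUP="Cisco AnyConnect VPN"

# True if `ip rule` output ($1) contains the rule tun0.sh adds: from <tunnel address $2> lookup <table>.
rule_present() {
  printf '%s\n' "$1" | grep -qE "^[0-9]+:[[:space:]]+from $2 lookup $ROUTING_TABLE_ID\$"
}

# True if `ip route show table <table>` output ($1) contains the default route over the tunnel device.
default_route_present() {
  printf '%s\n' "$1" | grep -qE "^default dev $TUN_INTERFACE( |\$)"
}

# Print every Clash rule ($1, one "- TYPE,PAYLOAD,TARGET" line each) whose target is the VPN group
# but whose matcher is not a specific domain or CIDR (e.g. MATCH or GEOIP). Exit 0 if any were found.
broad_vpn_rules() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*-[[:space:]]*//p' \
    | awk -F, -v group="$VPN_GROUP" '
        NF >= 2 && $NF == group &&
        $1 !~ /^(DOMAIN|DOMAIN-SUFFIX|DOMAIN-KEYWORD|IP-CIDR|IP-CIDR6)$/ { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample outputs in the format the real commands print, so the checks run offline.
SAMPLE_IP_RULE=$(printf '0:\tfrom all lookup local\n32765:\tfrom 10.20.30.40 lookup 6667\n32766:\tfrom all lookup main\n')
SAMPLE_TABLE="default dev tun0 scope link"
SAMPLE_RULES_OK="  - DOMAIN-SUFFIX,internal.company.com,Cisco AnyConnect VPN
  - MATCH,DIRECT"
SAMPLE_RULES_BAD="  - DOMAIN-SUFFIX,internal.company.com,Cisco AnyConnect VPN
  - MATCH,Cisco AnyConnect VPN"

# Live use: rule_present "$(ip rule)" <tunnel address>
#           default_route_present "$(ip route show table "$ROUTING_TABLE_ID")"
#           broad_vpn_rules "$(sed -n '/^rules:/,$p' config.yaml)"
```

The tunnel address for the live check is the value vpn-slice exposes as INTERNAL_IP4_ADDRESS, visible with `ip -4 addr show tun0`.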