fix: v0.2.3 — unconditional pre-connect route flush

The pre-connect cleanup previously only deleted the cached host route to
the VPN gateway when it looked obviously stale (nexthop differed from the
current default gateway). That skipped the failure mode a colleague hit:
after the gateway's IP rotated during a VPN upgrade, the cached route
pointed at the new IP via the current default gateway (so it "looked
correct"), yet traffic still failed with "HTTPS connection failed" 260ms
after openconnect spawn.

Since this cleanup runs before start() — when no active tunnel exists —
deleting is always safe: a healthy route is rebuilt by the kernel on the
next packet via the default gateway. Always flushing closes the gap.

Each connect now logs the flush outcome so "stuck" connections are
diagnosable from ~/Library/Logs/VPNMenuBar/vpnmenubar.log without
command-line tools.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: demo

VPNMenuBar-0.2.3.zip

@@ -23,13 +23,13 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>0.2.2</string>
+	<string>0.2.3</string>
 	<key>CFBundleSupportedPlatforms</key>
 	<array>
 		<string>MacOSX</string>
 	</array>
 	<key>CFBundleVersion</key>
-	<string>4</string>
+	<string>5</string>
 	<key>DTCompiler</key>
 	<string>com.apple.compilers.llvm.clang.1_0</string>
 	<key>DTPlatformBuild</key>

VPNMenuBar.app/Contents/Info.plist

@@ -210,54 +210,41 @@ final class OpenConnectProcess: OpenConnectProcessRunning {
         }
     }
 
-    // MARK: - stale host-route cleanup
-
-    /// Inspect the kernel routing table for a host route to the VPN gateway
-    /// whose nexthop is no longer reachable (typical after switching WiFi
-    /// while openconnect was killed without running vpnc-script's disconnect
-    /// phase) and delete it. Best-effort and silent: any failure here just
-    /// lets openconnect proceed and surface its native error.
+    // MARK: - pre-connect host-route cleanup
+
+    /// Unconditionally delete any cached host route to the VPN gateway before
+    /// spawning openconnect. Called at the top of `start()` — at that point no
+    /// active tunnel exists, so deleting is always safe: if the route was
+    /// correct the kernel rebuilds it on the next packet via the default
+    /// gateway; if it was stale (left over from a different network after a
+    /// SIGKILL/WiFi-switch without disconnect-phase), this is what unblocks
+    /// the connect. Best-effort — any failure is logged and openconnect
+    /// proceeds to surface its native error.
     private func cleanupStaleHostRoute(forGateway gateway: String) {
         let host = Self.extractHost(from: gateway)
         guard !host.isEmpty else { return }
 
-        // Current default route's nexthop — what a freshly-added host route
-        // *should* point at on this network.
-        let defaultRoute = (try? processRunner.run(
-            executable: "/sbin/route",
-            arguments: ["-n", "get", "default"],
-            timeoutSeconds: 2
-        )) ?? ProcessResult(exitCode: -1, stdout: "", stderr: "")
-        guard defaultRoute.succeeded,
-              let defaultGateway = Self.parseRouteField("gateway", from: defaultRoute.stdout) else {
-            return
-        }
-
-        // Existing route to the VPN host (does its own DNS resolution).
+        // Route lookup (does its own DNS resolution).
         let hostRoute = (try? processRunner.run(
             executable: "/sbin/route",
             arguments: ["-n", "get", host],
             timeoutSeconds: 2
         )) ?? ProcessResult(exitCode: -1, stdout: "", stderr: "")
         guard hostRoute.succeeded,
-              let routeGateway = Self.parseRouteField("gateway", from: hostRoute.stdout),
               let destinationIP = Self.parseRouteField("destination", from: hostRoute.stdout) else {
             return
         }
+        let currentGateway = Self.parseRouteField("gateway", from: hostRoute.stdout) ?? "?"
 
-        // If the route falls through to the current default gateway, it's
-        // already correct — touching it would break a healthy connection.
-        guard routeGateway != defaultGateway else { return }
-
-        AppLogger.shared.warn("stale host route to \(destinationIP) via \(routeGateway) detected (default gw \(defaultGateway)) — deleting")
+        AppLogger.shared.info("pre-connect: flushing cached route to \(destinationIP) (was via \(currentGateway))")
 
         let result = (try? processRunner.run(
             executable: "/usr/bin/sudo",
             arguments: ["-n", "/sbin/route", "-n", "delete", destinationIP],
             timeoutSeconds: 3
         )) ?? ProcessResult(exitCode: -1, stdout: "", stderr: "")
         if !result.succeeded {
-            AppLogger.shared.error("route delete failed (sudoers may be missing /sbin/route — re-run install-deps.sh): \(result.stderr)")
+            AppLogger.shared.error("pre-connect route flush failed (sudoers may be missing /sbin/route — re-run install-deps.sh): \(result.stderr)")
         }
     }
 

VPNMenuBar.app/Contents/MacOS/VPNMenuBar

@@ -17,9 +17,9 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>0.2.2</string>
+	<string>0.2.3</string>
 	<key>CFBundleVersion</key>
-	<string>4</string>
+	<string>5</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>13.0</string>
 	<key>LSUIElement</key>

VPNMenuBar/Core/OpenConnectProcess.swift

@@ -5,6 +5,26 @@
     <link>https://github.com/CoderZCC/VPNMenuBar</link>
     <description>VPN MenuBar update feed</description>
     <language>en</language>
+    <item>
+      <title>Version 0.2.3</title>
+      <sparkle:version>5</sparkle:version>
+      <sparkle:shortVersionString>0.2.3</sparkle:shortVersionString>
+      <sparkle:minimumSystemVersion>13.0</sparkle:minimumSystemVersion>
+      <description><![CDATA[
+        <ul>
+          <li>Pre-connect route flush is now unconditional — fixes the case where a cached host route to the VPN gateway looks "correct" (matches the default gateway) but traffic still fails to route after a WiFi/network change</li>
+          <li>Previously the cleanup only deleted routes that looked obviously stale; now it always flushes before spawning openconnect, because at that moment no active tunnel exists and the kernel rebuilds the route on the next packet</li>
+          <li>Each connect attempt now logs the pre-connect flush result (route IP, previous gateway, delete success/failure) so "stuck" connections are diagnosable from the log</li>
+        </ul>
+      ]]></description>
+      <pubDate>Fri, 24 Apr 2026 17:05:00 +0800</pubDate>
+      <enclosure
+        url="https://github.com/CoderZCC/VPNMenuBar/releases/download/v0.2.3/VPNMenuBar-0.2.3.zip"
+        type="application/octet-stream"
+        sparkle:edSignature="oxb55TSmBF/M0nCgr76OpA0n2/s1Qn2lH/iAwGFfzgnlieaYm4jDNNVKBWO80dB9iZFDRtyY6et1Rhyy2BBuDw=="
+        length="1773592"
+      />
+    </item>
     <item>
       <title>Version 0.2.2</title>
       <sparkle:version>4</sparkle:version>

VPNMenuBar/Info.plist

@@ -36,8 +36,8 @@ targets:
       properties:
         CFBundleName: VPNMenuBar
         CFBundleDisplayName: VPN MenuBar
-        CFBundleShortVersionString: "0.2.2"
-        CFBundleVersion: "4"
+        CFBundleShortVersionString: "0.2.3"
+        CFBundleVersion: "5"
         LSMinimumSystemVersion: "13.0"
         LSUIElement: true
         NSUserNotificationAlertStyle: alert