fix: v0.2.5 — stop residual openconnect on handshake failure + route-delete safety gate

Hotfix for v0.2.3 / v0.2.4: a failed openconnect handshake could leave a
zombie child behind with vpnc-script's DNS and route mutations applied
but never reverted, stranding the entire machine's networking until the
user quit the app. The connect() failure branch now always SIGTERMs any
residual child so vpnc-script's disconnect phase restores DNS/routes.

Also: the pre-connect host-route flush now only deletes when `route get`
returns a concrete IPv4 destination. Previously, if no dedicated host
route existed, the fall-through destination "default" was passed to
`route delete`, wiping the system default route.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: demo

VPNMenuBar-0.2.5.zip

@@ -23,13 +23,13 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>0.2.4</string>
+	<string>0.2.5</string>
 	<key>CFBundleSupportedPlatforms</key>
 	<array>
 		<string>MacOSX</string>
 	</array>
 	<key>CFBundleVersion</key>
-	<string>6</string>
+	<string>7</string>
 	<key>DTCompiler</key>
 	<string>com.apple.compilers.llvm.clang.1_0</string>
 	<key>DTPlatformBuild</key>

VPNMenuBar.app/Contents/Info.plist

@@ -212,14 +212,18 @@ final class OpenConnectProcess: OpenConnectProcessRunning {
 
     // MARK: - pre-connect host-route cleanup
 
-    /// Unconditionally delete any cached host route to the VPN gateway before
-    /// spawning openconnect. Called at the top of `start()` — at that point no
-    /// active tunnel exists, so deleting is always safe: if the route was
-    /// correct the kernel rebuilds it on the next packet via the default
-    /// gateway; if it was stale (left over from a different network after a
-    /// SIGKILL/WiFi-switch without disconnect-phase), this is what unblocks
-    /// the connect. Best-effort — any failure is logged and openconnect
-    /// proceeds to surface its native error.
+    /// Delete the cached host route to the VPN gateway before spawning
+    /// openconnect — ONLY when a dedicated host route actually exists. If no
+    /// such route is present `/sbin/route get` falls through to the default
+    /// route and reports `destination: default`; in that case we MUST NOT
+    /// run a delete (that would wipe the system default route and kill all
+    /// networking). A dedicated host route always has a concrete IPv4 as its
+    /// destination, so we gate the delete on that.
+    ///
+    /// Called at the top of `start()` — no active tunnel exists at that
+    /// point, so deleting a concrete host route is safe: a correct one is
+    /// rebuilt by the kernel on the next packet; a stale one is what we want
+    /// gone. Best-effort — failures are logged and openconnect proceeds.
     private func cleanupStaleHostRoute(forGateway gateway: String) {
         let host = Self.extractHost(from: gateway)
         guard !host.isEmpty else { return }
@@ -234,8 +238,17 @@ final class OpenConnectProcess: OpenConnectProcessRunning {
               let destinationIP = Self.parseRouteField("destination", from: hostRoute.stdout) else {
             return
         }
-        let currentGateway = Self.parseRouteField("gateway", from: hostRoute.stdout) ?? "?"
 
+        // Critical safety guard: only delete when destination is a concrete
+        // IPv4 address. If it's "default" (or any other non-IP literal) we
+        // hit fall-through to the default route and deleting would kill the
+        // box's entire network.
+        guard Self.isConcreteIPv4(destinationIP) else {
+            AppLogger.shared.info("pre-connect: no dedicated host route for \(host) (got destination=\(destinationIP)) — skipping flush")
+            return
+        }
+
+        let currentGateway = Self.parseRouteField("gateway", from: hostRoute.stdout) ?? "?"
         AppLogger.shared.info("pre-connect: flushing cached route to \(destinationIP) (was via \(currentGateway))")
 
         let result = (try? processRunner.run(
@@ -248,6 +261,18 @@ final class OpenConnectProcess: OpenConnectProcessRunning {
         }
     }
 
+    /// Strict dotted-quad IPv4 check (0-255 per octet). Used as a safety gate
+    /// so `route get` fall-through sentinels like "default" never reach the
+    /// delete path.
+    private static func isConcreteIPv4(_ s: String) -> Bool {
+        let parts = s.split(separator: ".")
+        guard parts.count == 4 else { return false }
+        return parts.allSatisfy { part in
+            guard let n = Int(part), n >= 0, n <= 255 else { return false }
+            return true
+        }
+    }
+
     /// Strip optional `https://` scheme and any `:port` / `/path` suffix
     /// from a gateway string, leaving just the host.
     private static func extractHost(from gateway: String) -> String {

VPNMenuBar.app/Contents/MacOS/VPNMenuBar

@@ -142,6 +142,18 @@ final class VPNController: ObservableObject {
             startMonitoring()
         case .failed(let reason):
             AppLogger.shared.error("handshake failed: \(reason)")
+            // CRITICAL: on handshake failure openconnect may have left a
+            // zombie child that already ran vpnc-script's connect phase
+            // (DNS and route table mutated) without ever reaching the
+            // disconnect phase. Without a SIGTERM here those mutations
+            // strand the whole machine's networking until the user quits
+            // the app. Send the kill now so vpnc-script's disconnect phase
+            // restores DNS and routes.
+            let proc = openConnectProcess
+            _ = await Task.detached(priority: .userInitiated) {
+                try? proc.stop()
+            }.value
+            AppLogger.shared.info("post-failure cleanup: sent SIGTERM to any residual openconnect")
             state = .failed(reason: reason)
             // Don't auto-reconnect on failed initial connects (wrong creds, missing deps).
         }

VPNMenuBar/Core/OpenConnectProcess.swift

@@ -17,9 +17,9 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>0.2.4</string>
+	<string>0.2.5</string>
 	<key>CFBundleVersion</key>
-	<string>6</string>
+	<string>7</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>13.0</string>
 	<key>LSUIElement</key>

VPNMenuBar/Core/VPNController.swift

@@ -5,6 +5,26 @@
     <link>https://github.com/CoderZCC/VPNMenuBar</link>
     <description>VPN MenuBar update feed</description>
     <language>en</language>
+    <item>
+      <title>Version 0.2.5</title>
+      <sparkle:version>7</sparkle:version>
+      <sparkle:shortVersionString>0.2.5</sparkle:shortVersionString>
+      <sparkle:minimumSystemVersion>13.0</sparkle:minimumSystemVersion>
+      <description><![CDATA[
+        <p><strong>Hotfix — strongly recommended for v0.2.3 / v0.2.4 users.</strong></p>
+        <ul>
+          <li>Fixed a case where a failed openconnect handshake could leave a zombie child behind, with vpnc-script's DNS and route mutations applied but never reverted — symptom: "WiFi connected but nothing has network access" until the user quit the app. connect() now always SIGTERMs any residual child on failure so vpnc-script's disconnect phase runs and restores DNS/routes.</li>
+          <li>Pre-connect route flush now only deletes when the kernel returns a concrete IPv4 destination. Previously, when no dedicated host route existed, `route get` fell through to the default route (destination="default") and the subsequent delete wiped the system default route.</li>
+        </ul>
+      ]]></description>
+      <pubDate>Fri, 24 Apr 2026 17:25:00 +0800</pubDate>
+      <enclosure
+        url="https://github.com/CoderZCC/VPNMenuBar/releases/download/v0.2.5/VPNMenuBar-0.2.5.zip"
+        type="application/octet-stream"
+        sparkle:edSignature="TT2i8OAe43EVJVf4bO6bf/gftOEKEXW/DG9HmPRoU95TZaYxU1A+7Q8XW+woboWJaRCCAQwLSK+dYHnFXSRADQ=="
+        length="1784270"
+      />
+    </item>
     <item>
       <title>Version 0.2.4</title>
       <sparkle:version>6</sparkle:version>

VPNMenuBar/Info.plist

@@ -36,8 +36,8 @@ targets:
       properties:
         CFBundleName: VPNMenuBar
         CFBundleDisplayName: VPN MenuBar
-        CFBundleShortVersionString: "0.2.4"
-        CFBundleVersion: "6"
+        CFBundleShortVersionString: "0.2.5"
+        CFBundleVersion: "7"
         LSMinimumSystemVersion: "13.0"
         LSUIElement: true
         NSUserNotificationAlertStyle: alert