How to connect to a corporate VPN on Linux using openconnect and vpn-slice

Do you want to use Linux at work, but the corporate VPN won't let you? Then this article might help, although that isn't certain. I want to warn you up front that I don't understand network administration very well, so it's quite possible I did everything wrong. On the other hand, it's possible I wrote the guide in a way that ordinary people can understand, so I suggest you give it a try.

The article contains a lot of details that aren't strictly necessary, but without that knowledge I couldn't have solved the problems that unexpectedly came up for me while setting up the VPN. I expect anyone who tries to use this guide will run into problems I didn't have, and I hope this extra information helps them solve those problems on their own.

Most of the commands used in this guide need to be run through sudo, which has been omitted for brevity. Keep that in mind.

Most IP addresses are heavily masked, so if you see an address like 435.435.435.435, there should be a normal IP there, specific to your case.

I have Ubuntu 18.04, but I think that with minor changes the guide can be applied to other distributions. In this text, however, Linux == Ubuntu.

Cisco Connect

Those on Windows or macOS can connect to the corporate VPN through Cisco Connect, which needs the gateway address specified and, every time you connect, a password entered that consists of a fixed part plus a code generated by Google Authenticator.

On Linux I couldn't get Cisco Connect running, but I did manage to google the advice to use openconnect, which was written specifically as a replacement for Cisco Connect.

openconnect

In theory, Ubuntu has a dedicated graphical interface for openconnect, but it didn't work for me. Maybe that's for the best.

On Ubuntu, openconnect is installed from the package manager.

apt install openconnect

Right after installation you can try connecting to the VPN

openconnect --user poxvuibr vpn.evilcorp.com

vpn.evilcorp.com is the fictional VPN address
poxvuibr is the fictional user name

openconnect will ask you to enter the password, which, let me remind you, consists of a fixed part and a code from Google Authenticator, and will then try to connect to the VPN. If it works, congratulations: you can safely skip the middle part, which is quite painful, and move on to the part about running openconnect in the background. If it didn't work, read on. Although if it worked when connecting, for example, from the guest Wi-Fi at work, it may be too early to celebrate; you should try repeating the procedure from home.

Certificate

There is a high probability that nothing will start, and the openconnect output will look something like this:

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.evilcorp.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

On the one hand this is bad, because there is no connection to the VPN, but on the other hand, how to fix this problem is, in principle, clear.

Here the server sent us a certificate, by which we can determine that the connection is being made to the server of our own dear company and not to some fraudster, and this certificate is unknown to the system. So the system can't check whether the server is genuine or not. And therefore, just in case, it stops working.

For openconnect to connect to the server, you need to tell it explicitly which certificate should come from the VPN server, using the --servercert option.

And you can find out which certificate the server sent us directly from what openconnect printed. Here is that fragment:

To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

With this command you can try connecting again

openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com

Maybe it works now, in which case you can skip to the end. But in my case Ubuntu wasn't having it, and showed me this

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.evilcorp.com
XML POST enabled
Please enter your username and password.
POST https://vpn.evilcorp.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 300, Keepalive 30
Set up DTLS failed; using SSL instead
Connected as 192.168.333.222, using SSL
NOSSSSSHHHHHHHDDDDD
3
NOSSSSSHHHHHHHDDDDD
3
RTNETLINK answers: File exists
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

/etc/resolv.conf

# Generated by NetworkManager
search gst.evilcorpguest.com
nameserver 127.0.0.53

/run/resolvconf/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 192.168.430.534
nameserver 127.0.0.53
search evilcorp.com gst.publicevilcorp.com

habr.com resolves, but you can't reach it. Addresses like jira.evilcorp.com don't resolve at all.

What's happening here isn't clear to me. But experiment shows that if you add the line to /etc/resolv.conf

nameserver 192.168.430.534

then the addresses inside the VPN magically start resolving and you can reach them; that is, what the resolver looks at to resolve an address is specifically /etc/resolv.conf, not somewhere else.

You can verify that there is a connection to the VPN and that it works without making any changes to /etc/resolv.conf; to do that, just enter in the browser not the symbolic name of a resource from the VPN but its IP address.

As a result, there are two problems

  • When connecting to the VPN, its DNS is not picked up
  • all traffic goes through the VPN, which doesn't allow access to the Internet

I'll tell you what to do about that now, but first a small digression.

Automatic entry of the fixed part of the password

By now you've probably already entered your password at least five times and this procedure has already tired you out. Firstly because the password is long, and secondly because when entering it you have to fit within a fixed time interval

The final solution to the problem isn't included in the article, but you can at least make sure the fixed part of the password doesn't have to be entered many times.

Let's say the fixed part of the password is fixedPassword, and the Google Authenticator part is 567 987. The whole password can be passed to openconnect through standard input using the --passwd-on-stdin argument.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com --passwd-on-stdin

Now you can always go back to the last entered command and change only the Google Authenticator part in it.

The corporate VPN doesn't let you onto the Internet

In general, it's not very pleasant when you have to use a separate computer to get to Habr. Not being able to copy-paste from stackoverflow can paralyze work entirely, so something has to be done.

We need to somehow arrange things so that when you need to reach a resource on the internal network, Linux goes to the VPN, and when you need to get to Habr, it goes to the Internet.

openconnect, after launching and establishing a connection with the VPN, executes a special script, located in /usr/share/vpnc-scripts/vpnc-script. Some variables are passed to the script as input, and it configures the VPN. Unfortunately, I couldn't figure out how to split traffic between the corporate VPN and the rest of the Internet using the native script.

Apparently, the vpn-slice utility was made specifically for people like me: it lets you send traffic through two channels without dancing with a tambourine. Well, that is, you still have to dance, but you don't have to be a shaman.

Splitting traffic using vpn-slice

First you have to install vpn-slice, which you'll have to figure out on your own. If there are questions in the comments, I'll write a separate post about it. But it's a regular Python program, so there shouldn't be any problems. I installed it using virtualenv.

Then the utility has to be put to use by telling openconnect, via the --script option, that instead of the standard script it should run vpn-slice.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 192.168.430.0/24" vpn.evilcorp.com

--script is passed a string with the command that should be called instead of the script. ./bin/vpn-slice is the path to the vpn-slice executable. 192.168.430.0/24 is the address mask for going into the VPN. Here it means that if an address starts with 192.168.430, then the resource with that address must be looked for in the VPN.

The situation should now be almost normal. Almost. Now you can get to Habr and you can get to intra-corporate resources by IP, but you can't get to corporate resources by symbolic name. If you put a mapping between the symbolic name and the address in hosts, everything should work. And it will keep working until the IP changes. Linux can now go to the Internet or the intranet, depending on the IP. But the non-corporate DNS is still used to determine the address.

The problem may also show itself in this form: at work everything is fine, but at home you can only reach internal corporate resources by IP. This is because when you're connected to the corporate Wi-Fi, the corporate DNS is used, and symbolic addresses from the VPN are resolved by it, even though it's still impossible to reach such an address without using the VPN.

Automatic editing of the hosts file

If you ask vpn-slice politely, then after bringing up the VPN it can go to the VPN's DNS, find the IP addresses of the required resources by their symbolic names and put them into hosts. After the VPN is turned off, these addresses are removed from hosts again. To do this, you need to pass the symbolic names to vpn-slice as arguments. Like this.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

Now everything should work both in the office and on the beach.

Looking up the addresses of all subdomains in the DNS issued by the VPN

If there are few addresses in the network, then the approach of automatically editing the hosts file works fine. But if there are many resources on the network, you'll constantly need to add lines like zoidberg.test.evilcorp.com to the script, where zoidberg is the name of one of the test benches.

But now that we understand a little of what's going on, this need can be eliminated.

If, after bringing up the VPN, you look at /etc/hosts, you can see this line

192.168.430.534 dns0.tun0 # vpn-slice-tun0 AUTOCREATED

And a new line was added to resolv.conf. In short, vpn-slice somehow determined where the VPN's DNS server is.

Now we need to make sure that to find the IP address of a domain name ending in evilcorp.com, Linux goes to the corporate DNS, and for anything else, to the default one.

I googled for a while and found out that such functionality is available in Ubuntu out of the box. It comes down to using the local DNS server dnsmasq to resolve names.

That is, you can make Linux always go to the local DNS server for IP addresses, and that server, depending on the domain name, looks up the IP on the appropriate external DNS server.

To manage everything related to networks and network connections, Ubuntu uses NetworkManager, and the graphical interface for choosing, say, a Wi-Fi connection is a front end for it.

We'll need to dig into its configuration.

  1. Create a file /etc/NetworkManager/dnsmasq.d/evilcorp containing

address=/.evilcorp.com/192.168.430.534

Note the dot before evilcorp.com. It tells dnsmasq that the whole evilcorp.com subdomain should be looked up in the corporate DNS.

  2. Tell NetworkManager to use dnsmasq for name resolution

The NetworkManager settings are in /etc/NetworkManager/NetworkManager.conf. You need to add there:

[main]
dns=dnsmasq

  3. Restart NetworkManager

service network-manager restart

Now, after connecting to the VPN using openconnect and vpn-slice, the IP will be resolved normally, even if you don't add symbolic addresses to the vpn-slice arguments.
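The three steps above as one script, added here as an example and not part of the article: it writes the dnsmasq rule file and switches NetworkManager's dns= setting to dnsmasq without duplicating the line when run a second time. Paths default to the ones named above; the NetworkManager.conf contents used in the test are constructed. The restart is left to the caller, since it needs root and would disturb a live connection.

```shell
#!/bin/sh
# Added example (not the article's own code): idempotent setup of the
# per-domain dnsmasq rule and of NetworkManager's dns=dnsmasq setting.

# dnsmasq_rule DOMAIN SERVER: the address= line that sends DOMAIN and all of
# its subdomains to SERVER (the leading dot is what the article relies on).
dnsmasq_rule() {
    printf 'address=/.%s/%s\n' "$1" "$2"
}

# write_dnsmasq_rule FILE DOMAIN SERVER: (re)write FILE with a single rule.
write_dnsmasq_rule() {
    dnsmasq_rule "$2" "$3" > "$1"
}

# nm_main_dns CONF: print the value of dns= inside the [main] section, if any.
nm_main_dns() {
    awk -F= '
        /^\[/ { section = $1 }
        section == "[main]" && $1 ~ /^[[:space:]]*dns[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print $2; exit
        }' "$1"
}

# enable_nm_dnsmasq CONF: make sure [main] in CONF has dns=dnsmasq exactly once.
enable_nm_dnsmasq() {
    conf=$1
    [ "$(nm_main_dns "$conf")" = dnsmasq ] && return 0
    if grep -q '^\[main\]' "$conf"; then
        # Insert right below the first [main] header, keeping everything else.
        awk 'BEGIN { done = 0 }
             { print }
             /^\[main\]/ && !done { print "dns=dnsmasq"; done = 1 }' "$conf" > "$conf.tmp" \
          && mv "$conf.tmp" "$conf"
    else
        printf '[main]\ndns=dnsmasq\n' >> "$conf"
    fi
}

# Usage (as root), then: service network-manager restart
#   write_dnsmasq_rule /etc/NetworkManager/dnsmasq.d/evilcorp evilcorp.com 192.168.430.534
#   enable_nm_dnsmasq /etc/NetworkManager/NetworkManager.conf
```

A dns= line that already exists under [main] with a different value (for example dns=systemd-resolved) is deliberately left alone rather than overwritten, so the function prints nothing and you can decide what to do with it; nm_main_dns shows what is currently set.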

How to reach individual services through the VPN

After I managed to connect to the VPN, I was very happy for two days, and then it turned out that if I connect to the VPN from outside the office network, mail doesn't work. The symptom is familiar, isn't it?

Our mail is at mail.publicevilcorp.com, which means it doesn't fall under the dnsmasq rule and the mail server's address is looked up through public DNS.

Well, the office still uses a DNS that contains this address. That's what I thought. In fact, after adding the line to dnsmasq

address=/mail.publicevilcorp.com/192.168.430.534

the situation didn't change at all. The IP stayed the same. I had to go in to work.

And later, when I dug deeper into the matter and understood the problem a little, a smart person told me how to solve it. The mail server had to be reached not just directly, but through the VPN

I use vpn-slice to go through the VPN to addresses starting with 192.168.430. And the mail server not only has a symbolic address that isn't a subdomain of evilcorp, it also doesn't have an IP address starting with 192.168.430. And of course it doesn't let anyone from the public network reach it.

For Linux to go through the VPN to the mail server too, you need to add it to vpn-slice as well. Let's say the mail server's address is 555.555.555.555

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 555.555.555.555 192.168.430.0/24" vpn.evilcorp.com

A script for bringing up the VPN with one argument

All this, of course, isn't very convenient. Yes, you can save the text to a file and copy-paste it into the console instead of typing it by hand, but it's still not very pleasant. To simplify the process, you can wrap the command in a script that lives in PATH. Then you only need to enter the code from Google Authenticator

#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

If you put the script in connect_evil_corp, you can just type in the console

connect_evil_corp 567987

But now you still have to keep the console in which openconnect is running open, for some reason

Running openconnect in the background

Fortunately, the authors of openconnect took care of us and added a special option to the program, --background, which makes the program go into the background after launching. If you run it like this, you can close the console after launching

#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

Now it's unclear where the logs go. In general we don't really need the logs, but you never know. openconnect can send them to syslog, where they'll be kept safely. You need to add the --syslog switch to the command

#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

And so it turns out that openconnect is running somewhere in the background and isn't bothering anyone, but there's no obvious way to stop it. That is, you can of course filter the output of ps through grep and find the process whose name contains openconnect, but that's tedious. Thanks to the authors, who thought about this too. openconnect has a --pid-file option, with which you can tell openconnect to write its process identifier to a file.

#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --pid-file ~/vpn-pid \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

Now you can always kill the process with the command

kill $(cat ~/vpn-pid)

If there is no such process, kill will complain, but it won't throw an error. If the file doesn't exist, nothing bad happens either, so you can kill the process in the first line of the script.

#!/bin/sh
kill $(cat ~/vpn-pid)
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --pid-file ~/vpn-pid \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

Now you can turn on your computer, open a console and run the command, passing it the code from Google Authenticator. The console can then be closed.

Without vpn-slice. In place of an afterword

It turned out to be very hard to understand how to live without vpn-slice. I had to read and google a lot. Fortunately, after spending so much time on a problem, technical manuals and even the openconnect man page read like gripping novels.

As a result, I found out that vpn-slice, like the native script, modifies the routing table to split the networks.

Routing table

Roughly speaking, this is a table whose first column says what an address Linux wants to reach should start with, and whose second column says which network adapter that address is reached through. In reality there are more columns, but that doesn't change the essence.

To look at the routing table, run the ip route command

default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600 
192.168.430.0/24 dev tun0 scope link 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.534 metric 600 
192.168.430.534 dev tun0 scope link 

Here, each line is responsible for where to go to send a packet to some address. The first thing on the line is a description of what the address should start with. To understand how to tell that 192.168.0.0/16 means the address should start with 192.168, you need to google what an IP address mask is. After dev comes the name of the adapter the packet should be sent through.

For the VPN, Linux created a virtual adapter: tun0. This line ensures that traffic for all addresses starting with 192.168 goes through it

192.168.0.0/16 dev tun0 scope link 

You can also look at the current state of the routing table using the route -n command (IP addresses are cleverly masked). This command prints the result in a somewhat different form and is generally deprecated, but its output is often found in manuals on the Internet, and you need to be able to read it.

What an IP address must start with for a route to apply can be read from the combination of the Destination and Genmask columns. The parts of the IP address that correspond to 255 in Genmask are taken into account, and those corresponding to 0 are not. That is, Destination 192.168.0.0 with Genmask 255.255.255.0 means that if an address starts with 192.168.0, a request to it goes through this route. And if Destination is 192.168.0.0 but Genmask is 255.255.0.0, then requests to addresses starting with 192.168 go through this route.

To find out what vpn-slice does, I decided to look at the state of the table before and after.

Before enabling the VPN it looked like this

route -n 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0

After calling openconnect without vpn-slice it became like this

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

And after calling openconnect together with vpn-slice, like this

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

It can be seen that if you don't use vpn-slice, openconnect writes down explicitly that all addresses, except those specifically listed, must be reached through the VPN.

Here:

0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0

Right next to it, another default route is listed, which must be used if the address Linux is trying to reach doesn't match any mask in the table.

0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0

It says here that in this case the ordinary Wi-Fi adapter must be used.

I believe the VPN route is used because it comes first in the routing table.
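The Destination/Genmask rule from the routing-table section and the two-default-routes situation just described, worked out in shell as an added example (not part of the article). The kernel chooses the route with the longest matching mask; when two routes match with the same mask length, as the two 0.0.0.0 defaults above do, the one with the lower Metric wins, and in the route -n output above the tun0 default has Metric 0 against 600 for wlp3s0, which is why the VPN route is taken. The table below is constructed with valid sample addresses (the article's own are masked), in the same column order as route -n minus the columns that don't affect selection.

```shell
#!/bin/sh
# Added example, not from the original article: longest-prefix route selection
# over a constructed Destination/Genmask/Metric/Iface table.

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_prefix_len GENMASK: number of 1 bits (255.255.0.0 -> 16).
mask_prefix_len() {
    m=$(ip_to_int "$1")
    n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$n"
}

# route_matches DEST GENMASK IP: 0 if IP, masked by GENMASK, equals DEST.
route_matches() {
    [ $(( $(ip_to_int "$3") & $(ip_to_int "$2") )) -eq "$(ip_to_int "$1")" ]
}

# Constructed table: "Destination Genmask Metric Iface", the split-tunnel shape
# vpn-slice leaves behind (a /24 and a host route on tun0, Wi-Fi default).
ROUTES='0.0.0.0 0.0.0.0 600 wlp3s0
192.168.1.0 255.255.255.0 600 wlp3s0
192.168.43.0 255.255.255.0 0 tun0
192.168.43.5 255.255.255.255 0 tun0
203.0.113.25 255.255.255.255 0 tun0'

# lookup_iface IP [TABLE]: interface of the most specific matching route;
# ties on mask length go to the lower metric. Prints nothing if no route matches.
lookup_iface() {
    table=${2:-$ROUTES}
    best_len=-1
    best_metric=999999
    best_if=""
    while read -r dest mask metric iface; do
        [ -n "$dest" ] || continue
        route_matches "$dest" "$mask" "$1" || continue
        len=$(mask_prefix_len "$mask")
        if [ "$len" -gt "$best_len" ] || { [ "$len" -eq "$best_len" ] && [ "$metric" -lt "$best_metric" ]; }; then
            best_len=$len
            best_metric=$metric
            best_if=$iface
        fi
    done <<EOF
$table
EOF
    echo "$best_if"
}

# Usage: which way does a packet to 8.8.8.8 go with and without a tun0 default?
lookup_iface 8.8.8.8
lookup_iface 8.8.8.8 "0.0.0.0 0.0.0.0 0 tun0
$ROUTES"
```

Running lookup_iface against the "openconnect without vpn-slice" table (a second 0.0.0.0 row on tun0 with Metric 0) sends everything except the explicitly listed networks through tun0, which is exactly the behaviour the route -n output above shows; dropping that row (what route del default does) sends it back to wlp3s0.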

And in theory, if you remove this default route from the routing table, then together with dnsmasq, openconnect should give normal operation.

I tried

route del default

And everything worked.

Routing requests to the mail server without vpn-slice

But I also have a mail server with address 555.555.555.555, which also needs to be reached through the VPN. The route to it also has to be added manually.

ip route add 555.555.555.555 dev tun0

And now everything is fine. So you can do without vpn-slice, but you need to know well what you're doing. Now I'm thinking of adding the removal of the default route and the addition of the route to the mail server to the last line of the native openconnect script, to run after connecting to the VPN, just to have fewer moving parts in my bicycle.

Probably this afterword alone would be enough for someone to understand how to set up the VPN. But while I was trying to understand what to do and how, I read quite a few guides of the kind that work for the author but for some reason don't work for me, and I decided to collect here all the pieces I found. I'd have been very happy to find something like this myself.

source: www.habr.com
