ä»äºã§ Linux ã䜿çšãããã®ã§ããã瀟å VPN ã§ã¯äœ¿çšã§ããŸããã? ãã®å Žåã確å®ã§ã¯ãããŸãããããã®èšäºã圹ã«ç«ã€ãããããŸããã äºåã«èŠåããŠãããŸãããç§ã¯ãããã¯ãŒã¯ç®¡çã®åé¡ãããç解ããŠããªãããããã¹ãŠãééã£ãŠããå¯èœæ§ããããŸãã éã«ãäžè¬ã®äººã«ãããããããããã«ã¬ã€ããæžãããšã¯ã§ãããããããªãã®ã§ããã²è©ŠããŠã¿ãããšããå§ãããŸãã
ãã®èšäºã«ã¯äžèŠãªæ å ±ãå€ãå«ãŸããŠããŸããããã®ç¥èããªããã°ãVPN ã®èšå®ã§äºæããçºçããåé¡ã解決ã§ããªãã£ãã§ãããã ãã®ã¬ã€ãã䜿çšããããšãã人ã¯ãç§ã«ã¯ãªãã£ãåé¡ã«çŽé¢ãããšæããŸãããã®è¿œå æ å ±ããããã®åé¡ãèªåã§è§£æ±ºããã®ã«åœ¹ç«ã€ããšãé¡ã£ãŠããŸãã
ãã®ã¬ã€ãã§äœ¿çšãããã³ãã³ãã®ã»ãšãã©ã¯ sudo ãä»ããŠå®è¡ããå¿ èŠããããŸãããç°¡æœã«ããããã«åé€ãããŠããŸãã èŠããŠãããŠãã ããã
ã»ãšãã©ã® IP ã¢ãã¬ã¹ã¯é«åºŠã«é£èªåãããŠããããã435.435.435.435 ã®ãããªã¢ãã¬ã¹ã衚瀺ãããå Žåã¯ããã®ã±ãŒã¹ã«ç¹æã®éåžžã® IP ãããã«ããã¯ãã§ãã
ç§ã¯ Ubuntu 18.04 ãæã£ãŠããŸãããå°ãå€æŽãå ããã°ããã®ã¬ã€ãã¯ä»ã®ãã£ã¹ããªãã¥ãŒã·ã§ã³ã«ãé©çšã§ãããšæããŸãã ãã ããæ¬æã§ã¯ Linux == Ubuntu ãšããŸãã
Cisco Connect
Users on Windows or macOS can connect to our corporate VPN via Cisco Connect. For that you need to specify the gateway address and, on every connection, enter a password that consists of a fixed part plus a code generated by Google Authenticator.
On Linux I could not get Cisco Connect to run, but I did find the recommendation to use openconnect, which was written specifically as a replacement for Cisco Connect.
ãªãŒãã³ã³ãã¯ã
çè«çã«ã¯ãUbuntu ã«ã¯ openconnect çšã®ç¹å¥ãªã°ã©ãã£ã«ã« ã€ã³ã¿ãŒãã§ã€ã¹ããããŸãããç§ã«ãšã£ãŠã¯æ©èœããŸããã§ããã ããããããããã¯è¯ãæ¹åã«åãããããããªãã
Ubuntu ã§ã¯ãopenconnect ã¯ããã±ãŒãž ãããŒãžã£ãŒããã€ã³ã¹ããŒã«ãããŸãã
apt install openconnect
ã€ã³ã¹ããŒã«åŸããã« VPN ãžã®æ¥ç¶ãè©Šãããšãã§ããŸãã
openconnect --user poxvuibr vpn.evilcorp.com
vpn.evilcorp.com ã¯æ¶ç©ºã® VPN ã®ã¢ãã¬ã¹ã§ã
poxvuibr - æ¶ç©ºã®ãŠãŒã¶ãŒå
openconnect ã¯ãã¹ã¯ãŒãã®å ¥åãæ±ããŸãããã¹ã¯ãŒãã¯åºå®éšåãš Google Authenticator ããã®ã³ãŒãã§æ§æãããŠãããVPN ãžã®æ¥ç¶ãè©Šã¿ãŸãã ãããæ©èœããå Žåã¯ãããã§ãšãããããŸããããªãé¢åãªäžééšåãå®å šã«ã¹ãããããŠãããã¯ã°ã©ãŠã³ãã§å®è¡ãããŠãã openconnect ã«é¢ãããã€ã³ãã«é²ãããšãã§ããŸãã ããŸããããªãå Žåã¯ãç¶è¡ã§ããŸãã ããšãã°ãè·å Žã®ã²ã¹ã Wi-Fi ããæ¥ç¶ãããšãã«æ©èœãããšããŠããåã¶ã®ã¯ææå°æ©ãããããŸãããèªå® ããæé ãç¹°ãè¿ããŠã¿ãŠãã ããã
蚌ææž
äœãéå§ãããªãå¯èœæ§ãé«ããopenconnect ã®åºåã¯æ¬¡ã®ããã«ãªããŸãã
POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found
Certificate from VPN server "vpn.evilcorp.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
--servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress
VPN ã«æ¥ç¶ã§ããªãã£ããããããã¯äžå¿«ãªäžæ¹ã§ããã®åé¡ã解決ããæ¹æ³ã¯ååãšããŠæããã§ãã
ããã§ããµãŒããŒã¯èšŒææžãéä¿¡ããŸãããããã«ãããæ¥ç¶ãéªæªãªè©æ¬ºåž«ã§ã¯ãªãããã€ãã£ãäŒæ¥ã®ãµãŒããŒã«è¡ãããŠããããã®èšŒææžãã·ã¹ãã ã«èªèãããŠããªãããšãããããŸãã ãããã£ãŠããµãŒããŒãæ¬ç©ãã©ããã確èªããããšã¯ã§ããŸããã ãããŠã念ã®ãããåäœãåæ¢ããŸãã
openconnect ããµãŒããŒã«æ¥ç¶ããã«ã¯ã-servercert ããŒã䜿çšããŠãã©ã®èšŒææžã VPN ãµãŒããŒããååŸãããã¹ãããæ瀺çã«æ瀺ããå¿ èŠããããŸãã
ãŸããopenconnect ãåºåããå 容ããããµãŒããŒãã©ã®èšŒææžãçŽæ¥éä¿¡ããããç¥ãããšãã§ããŸãã ãã®äœåããã¯æ¬¡ã®ãšããã§ãã
To trust this server in future, perhaps add this to your command line:
--servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress
ãã®ã³ãã³ãã䜿çšãããšãå床æ¥ç¶ãè©Šã¿ãããšãã§ããŸã
openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com
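To check a fingerprint against a certificate you obtained out of band (for example a copy of the gateway certificate from the VPN administrators), the shell functions below compute the two forms openconnect accepts: sha256: is the hex-encoded SHA-256 of the certificate's SubjectPublicKeyInfo and pin-sha256: is the same digest in base64, the way openconnect 7.05 and later compute their fingerprint (older builds hashed the whole certificate, so compare with the value your own openconnect prints). This is an added example written for this page, not code from the article or from the openconnect project; the file names, the gateway host name and the use of port 443 are assumptions, and only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example: compute openconnect-style fingerprints of a server certificate
# from a PEM file obtained out of band and compare them with a pin.

# Print the DER-encoded SubjectPublicKeyInfo of the first certificate in a PEM file.
spki_der() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER
}

# sha256:<hex> form, the one openconnect prints after
# "perhaps add this to your command line".
pin_sha256_hex() {
    printf 'sha256:%s\n' "$(spki_der "$1" | openssl dgst -sha256 | sed 's/^.*= *//')"
}

# pin-sha256:<base64> form (RFC 7469 style), also accepted by --servercert.
pin_sha256_b64() {
    printf 'pin-sha256:%s\n' "$(spki_der "$1" | openssl dgst -sha256 -binary | openssl base64 -A)"
}

# Return 0 when the certificate in $1 matches the pin in $2 (either form).
pin_matches() {
    case "$2" in
        sha256:*)     [ "$(pin_sha256_hex "$1")" = "$2" ] ;;
        pin-sha256:*) [ "$(pin_sha256_b64 "$1")" = "$2" ] ;;
        *) echo "unsupported pin format: $2" >&2; return 2 ;;
    esac
}

# Fetch the certificate the gateway presents right now (host name assumed).
# This is the untrusted side of the comparison: it comes over the network
# exactly like the fingerprint openconnect offered.
fetch_gateway_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Usage (not run automatically):
#   fetch_gateway_cert vpn.evilcorp.com > live.pem
#   pin_sha256_hex live.pem
#   pin_matches live.pem "sha256:<fingerprint received from the VPN administrators>" && echo pin OK
```

If the pin computed from the administrators' copy of the certificate equals the one the live gateway presents, the --servercert value is safe to keep in a script; if they differ, do not connect until you know why.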
ããããä»ã¯ããŸããã£ãŠããã®ã§ãæåŸãŸã§é²ãããšãã§ããŸãã ã§ãå人çã«ã¯ããŠãã³ã¿ããããªåœ¢ã®ã€ããžã¯ãèŠããŠãããŸãã
POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.evilcorp.com
XML POST enabled
Please enter your username and password.
POST https://vpn.evilcorp.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 300, Keepalive 30
Set up DTLS failed; using SSL instead
Connected as 192.168.333.222, using SSL
NOSSSSSHHHHHHHDDDDD
3
NOSSSSSHHHHHHHDDDDD
3
RTNETLINK answers: File exists
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf
Contents of /etc/resolv.conf at this point:
# Generated by NetworkManager
search gst.evilcorpguest.com
nameserver 127.0.0.53
Contents of /run/resolvconf/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 192.168.430.534
nameserver 127.0.0.53
search evilcorp.com gst.publicevilcorp.com
habr.com does not resolve, so it is unreachable. Addresses like jira.evilcorp.com do not resolve at all.
I did not understand what had happened here. But experiments showed that if you add this line to /etc/resolv.conf:
nameserver 192.168.430.534
then addresses inside the VPN magically start resolving. In other words, what the resolver consults to turn names into addresses is /etc/resolv.conf specifically, and not something elsewhere. The output above actually explains why: the resolvconf warning says that /etc/resolv.conf is not the symlink to /run/resolvconf/resolv.conf, so the VPN nameserver that the vpnc-script wrote into /run/resolvconf/resolv.conf never reaches the file glibc reads, and the only nameserver in that file, 127.0.0.53, is the systemd-resolved stub, which was not told about the VPN's DNS server.
You can check that the VPN connection exists and works even without touching /etc/resolv.conf: just type into the browser not the symbolic name of some resource in the VPN but its IP address.
As a result there are two problems:
- DNS is not picked up when connecting to the VPN
- all traffic goes through the VPN, so the Internet is unreachable
I will explain what to do about them, but first a little automation.
ãã¹ã¯ãŒãã®åºå®éšåã®èªåå ¥å
ããããããããŸã§ã«å°ãªããšã XNUMX åã¯ãã¹ã¯ãŒããå ¥åããŠããããã®æé ã«ã¯ãã§ã«ããããããŠããã§ãããã XNUMX ã€ç®ã¯ãã¹ã¯ãŒããé·ããããXNUMX ã€ç®ã¯å ¥åæã«äžå®æéå ã«åããå¿ èŠãããããã§ãã
ãã®åé¡ã®æçµçãªè§£æ±ºçã¯èšäºã«ã¯èšèŒãããŠããŸãããããã¹ã¯ãŒãã®åºå®éšåãäœåºŠãå ¥åããå¿ èŠããªãããšã確èªã§ããŸãã
ãã¹ã¯ãŒãã®åºå®éšåã fixPassword ã§ãGoogle Authenticator ããã®éšåã 567 ã§ãããšä»®å®ããŸãããã¹ã¯ãŒãå šäœã¯ã--passwd-on-stdin åŒæ°ã䜿çšããŠæšæºå ¥åçµç±ã§ openconnect ã«æž¡ãããšãã§ããŸãã
echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com --passwd-on-stdin
ããã§ãæåŸã«å ¥åããã³ãã³ãã«åžžã«æ»ã£ãŠããã㧠Google Authenticator ã®äžéšã®ã¿ãå€æŽã§ããããã«ãªããŸãã
äŒæ¥ VPN ã§ã¯ã€ã³ã¿ãŒããããé²èŠ§ã§ããŸããã
äžè¬ã«ãHabr ã«ã¢ã¯ã»ã¹ããããã«å¥ã®ã³ã³ãã¥ãŒã¿ãŒã䜿çšããå¿ èŠãããå Žåã¯ãããã»ã©äžäŸ¿ã§ã¯ãããŸããã stackoverfow ããã³ããŒïŒããŒã¹ãã§ããªããšãäžè¬ã«äœæ¥ã麻çºããå¯èœæ§ããããããäœããã®å¯ŸåŠãå¿ èŠã§ãã
å éšãããã¯ãŒã¯ãããªãœãŒã¹ã«ã¢ã¯ã»ã¹ããå¿ èŠãããå Žå㯠Linux ã VPN ã«ã¢ã¯ã»ã¹ããHabr ã«ã¢ã¯ã»ã¹ããå¿ èŠãããå Žåã¯ã€ã³ã¿ãŒãããã«ã¢ã¯ã»ã¹ããããã«ãäœããã®æ¹æ³ã§æŽçããå¿ èŠããããŸãã
openconnect ã¯ãèµ·åã㊠vpn ãšã®æ¥ç¶ã確ç«ããåŸã/usr/share/vpnc-scripts/vpnc-script ã«ããç¹å¥ãªã¹ã¯ãªãããå®è¡ããŸãã ããã€ãã®å€æ°ãå ¥åãšããŠã¹ã¯ãªããã«æž¡ãããVPN ãæ§æãããŸãã æ®å¿µãªããããã€ãã£ã ã¹ã¯ãªããã䜿çšããŠäŒæ¥ VPN ãšã€ã³ã¿ãŒãããã®æ®ãã®éšåã®éã§ãã©ãã£ã㯠ãããŒãåå²ããæ¹æ³ãç解ã§ããŸããã§ããã
ã©ããããvpn-slice ãŠãŒãã£ãªãã£ã¯ç§ã®ãããªäººã®ããã«ç¹å¥ã«éçºãããããã§ãããã䜿çšãããšãã¿ã³ããªã³ã§èžããã« XNUMX ã€ã®ãã£ãã«ãéããŠãã©ãã£ãã¯ãéä¿¡ã§ããŸãã ã€ãŸããèžããªããã°ãªããŸããããã·ã£ãŒãã³ã§ããå¿ èŠã¯ãããŸããã
vpn-slice ã䜿çšãããã©ãã£ãã¯åé¢
ãŸããvpn-slice ãã€ã³ã¹ããŒã«ããå¿ èŠããããŸããããã¯èªåã§è§£æ±ºããå¿ èŠããããŸãã ã³ã¡ã³ãã«è³ªåãããã°ãããã«ã€ããŠå¥ã®èšäºãæžããŸãã ãã ããããã¯éåžžã® Python ããã°ã©ã ãªã®ã§ãé£ããããšã¯ãããŸããã virtualenvã䜿çšããŠã€ã³ã¹ããŒã«ããŸããã
次ã«ã-script ã¹ã€ããã䜿çšããŠãŠãŒãã£ãªãã£ãé©çšããæšæºã¹ã¯ãªããã®ä»£ããã« vpn-slice ã䜿çšããå¿ èŠãããããšã openconnect ã«ç€ºãå¿ èŠããããŸãã
echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin
--script "./bin/vpn-slice 192.168.430.0/24 " vpn.evilcorp.com
--script ã«ã¯ãã¹ã¯ãªããã®ä»£ããã«åŒã³åºãå¿ èŠãããã³ãã³ããå«ãæååãæž¡ãããŸãã ./bin/vpn-slice - vpn-slice å®è¡å¯èœãã¡ã€ã«ãžã®ãã¹ 192.168.430.0/24 - vpn ã«ç§»åããã¢ãã¬ã¹ã®ãã¹ã¯ã ããã§ãã¢ãã¬ã¹ã 192.168.430 ã§å§ãŸãå Žåããã®ã¢ãã¬ã¹ãæã€ãªãœãŒã¹ã VPN å ã§æ€çŽ¢ããå¿ èŠãããããšãæå³ããŸãã
ç¶æ³ã¯ã»ãŒæ£åžžã«ãªã£ãŠããã¯ãã§ãã ã»ãšãã©ã ããã§ãHabr ã«ã¢ã¯ã»ã¹ããIP ã«ãã£ãŠäŒæ¥å ãªãœãŒã¹ã«ã¢ã¯ã»ã¹ã§ããããã«ãªããŸãããã·ã³ãã«åã«ãã£ãŠäŒæ¥å ãªãœãŒã¹ã«ã¢ã¯ã»ã¹ããããšã¯ã§ããŸããã ãã¹ãå ã®ã·ã³ããªãã¯åãšã¢ãã¬ã¹ã®äžèŽãæå®ãããšããã¹ãŠãæ©èœããã¯ãã§ãã ãããŠIPãå€ãããŸã§äœæ¥ããŸãã Linux ã¯ãIP ã«å¿ããŠã€ã³ã¿ãŒããããŸãã¯ã€ã³ãã©ãããã«ã¢ã¯ã»ã¹ã§ããããã«ãªããŸããã ãã ããã¢ãã¬ã¹ã決å®ããããã«äŒæ¥ä»¥å€ã® DNS ãäŸç¶ãšããŠäœ¿çšãããŠããŸãã
ãã®åé¡ã¯ããã®ãããªåœ¢ã§çŸããããšããããŸããè·å Žã§ã¯ãã¹ãŠåé¡ãããŸããããèªå® ã§ã¯ IP çµç±ã§ã®ã¿ç€Ÿå ãªãœãŒã¹ã«ã¢ã¯ã»ã¹ã§ããŸãã ããã¯ãVPN ã䜿çšããã«ãã®ãããªã¢ãã¬ã¹ã«ã¢ã¯ã»ã¹ããããšã¯äŸç¶ãšããŠäžå¯èœã§ããã«ãããããããäŒæ¥ Wi-Fi ã«æ¥ç¶ããŠããå Žåã¯äŒæ¥ DNS ã䜿çšãããVPN ããã®ã·ã³ããªã㯠ã¢ãã¬ã¹ãããã§è§£æ±ºãããããã§ãã
hostsãã¡ã€ã«ã®èªåå€æŽ
vpn-slice ãäžå¯§ã«èŠæ±ãããå ŽåãVPN ãç«ã¡äžããåŸãDNS ã«ç§»åããããã§å¿ èŠãªãªãœãŒã¹ã® IP ã¢ãã¬ã¹ãèšå·åã§èŠã€ããŠãã¹ãã«å ¥åã§ããŸãã VPN ããªãã«ãããšããããã®ã¢ãã¬ã¹ã¯ãã¹ãããåé€ãããŸãã ãããè¡ãã«ã¯ãã·ã³ããªãã¯åã vpn-slice ã«åŒæ°ãšããŠæž¡ãå¿ èŠããããŸãã ãã®ãããªã
echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin
--script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com
ããã§ããªãã£ã¹ã§ãããŒãã§ããã¹ãŠãæ©èœããã¯ãã§ãã
VPN ã«ãã£ãŠæå®ããã DNS å ã®ãã¹ãŠã®ãµããã¡ã€ã³ã®ã¢ãã¬ã¹ãæ€çŽ¢ããŸãã
ãããã¯ãŒã¯å ã«ã¢ãã¬ã¹ãã»ãšãã©ãªãå Žåã¯ãhosts ãã¡ã€ã«ãèªåçã«å€æŽããã¢ãããŒããéåžžã«ããŸãæ©èœããŸãã ãã ãããããã¯ãŒã¯äžã«å€§éã®ãªãœãŒã¹ãããå Žåã¯ãzoidberg.test.evilcorp.com ã®ãããªè¡ãã¹ã¯ãªããã«åžžã«è¿œå ããå¿ èŠããããŸããzoidberg ã¯ãã¹ããã³ãã® XNUMX ã€ã®ååã§ãã
ãããä»ã§ã¯ããªããã®å¿ èŠæ§ãæé€ã§ããã®ããå°ãç解ã§ããŸããã
VPN ãç«ã¡äžããåŸã/etc/hosts ãèŠããšã次ã®è¡ã衚瀺ãããŸãã
192.168.430.534 dns0.tun0 # vpn-slice-tun0 èªåäœæ
ãããŠãresolv.conf ã«æ°ããè¡ãè¿œå ãããŸããã ã€ãŸããvpn-slice ã¯ãvpn ã® DNS ãµãŒããŒãã©ãã«ããããäœããã®æ¹æ³ã§æ±ºå®ããŸããã
ããã§ãevilcorp.com ã§çµãããã¡ã€ã³åã® IP ã¢ãã¬ã¹ãèŠã€ããããã«ãLinux ãäŒæ¥ DNS ã«ã¢ã¯ã»ã¹ããäœãä»ã®ãã®ãå¿ èŠãªå Žåã¯ããã©ã«ãã® DNS ã«ã¢ã¯ã»ã¹ããããšã確èªããå¿ èŠããããŸãã
ããªãé·ãéã°ãŒã°ã«ã§èª¿ã¹ããšãããUbuntuã§ã¯ãã®ãããªæ©èœããã®ãŸãŸå©çšã§ããããšãããããŸããã ããã¯ãããŒã«ã« DNS ãµãŒã㌠dnsmasq ã䜿çšããŠååã解決ã§ããããšãæå³ããŸãã
ã€ãŸããLinux ãåžžã«ããŒã«ã« DNS ãµãŒããŒã«ã¢ã¯ã»ã¹ã㊠IP ã¢ãã¬ã¹ãååŸãããã¡ã€ã³åã«å¿ããŠã察å¿ããå€éš DNS ãµãŒããŒã§ IP ãæ€çŽ¢ããããã«ããããšãã§ããŸãã
ãããã¯ãŒã¯ãšãããã¯ãŒã¯æ¥ç¶ã«é¢é£ãããã¹ãŠã管çããããã«ãUbuntu 㯠NetworkManager ã䜿çšããŸããããšãã°ãWi-Fi æ¥ç¶ãéžæããããã®ã°ã©ãã£ã«ã« ã€ã³ã¿ãŒãã§ã€ã¹ã¯ãã®ããã³ããšã³ãã«ãããŸããã
ãã®æ§æãç»ãå¿ èŠããããŸãã
- Create the file /etc/NetworkManager/dnsmasq.d/evilcorp with the line
server=/evilcorp.com/192.168.430.534
The directive is server=, not address=. server=/evilcorp.com/... tells dnsmasq to forward queries for evilcorp.com and all of its subdomains to the corporate DNS at 192.168.430.534; address=/evilcorp.com/... would instead make dnsmasq answer every such query itself with that one IP, which is the DNS server's address, not the address of jira or git. No leading dot is needed: dnsmasq matches the domain and everything under it.
- Tell NetworkManager to use dnsmasq for name resolution
NetworkManager's settings live in /etc/NetworkManager/NetworkManager.conf; add dns=dnsmasq to its [main] section:
[main]
dns=dnsmasq
- ãããã¯ãŒã¯ãããŒãžã£ãŒãåèµ·åããŸã
service network-manager restart
ããã§ãopenconnect ãš vpn-slice ã䜿çšã㊠VPN ã«æ¥ç¶ããåŸãvpnslice ã®åŒæ°ã«ã·ã³ããªã㯠ã¢ãã¬ã¹ãè¿œå ããªããŠããIP ã¯æ£åžžã«æ±ºå®ãããŸãã
VPNçµç±ã§åãµãŒãã¹ã«ã¢ã¯ã»ã¹ããæ¹æ³
VPN ã«æ¥ç¶ã§ããåŸãXNUMX æ¥ééââåžžã«æºè¶³ããŠããŸãããããªãã£ã¹ ãããã¯ãŒã¯ã®å€éšãã VPN ã«æ¥ç¶ãããšã¡ãŒã«ãæ©èœããªãããšãããããŸããã ããªãã¿ã®çç¶ã§ããã
ç§ãã¡ã®ã¡ãŒã«ã¯ mail.publicevilcorp.com ã«ãããŸããã€ãŸããdnsmasq ã®ã«ãŒã«ã«è©²åœãããã¡ãŒã« ãµãŒã㌠ã¢ãã¬ã¹ã¯ãããªã㯠DNS ãéããŠæ€çŽ¢ãããŸãã
ããã§ããããªãã£ã¹ã§ã¯ãŸã ãã®ã¢ãã¬ã¹ãå«ã DNS ã䜿çšããŠããŸãã ããæããŸããã å®éãdnsmasq ã«è¡ãè¿œå ããåŸã
ã¢ãã¬ã¹=/mail.publicevilcorp.com/192.168.430.534
ç¶æ³ã¯ãŸã£ããå€ãã£ãŠããŸããã IPã¯ãã®ãŸãŸã§ããã ä»äºã«è¡ããªããã°ãªããŸããã§ããã
ãããŠãã®åŸãç§ãç¶æ³ãããã«æ·±ãæãäžããŠåé¡ãå°ãç解ãããšããäžäººã®è³¢ã人ãããã解決ããæ¹æ³ãæããŠãããŸããã ãã®ãŸãŸã§ã¯ãªãVPNçµç±ã§ã¡ãŒã«ãµãŒããŒã«æ¥ç¶ããå¿ èŠããããŸãã
vpn-slice ã䜿çšããŠãVPN ãçµç±ã㊠192.168.430 ã§å§ãŸãã¢ãã¬ã¹ã«ã¢ã¯ã»ã¹ããŸãã ãŸããã¡ãŒã« ãµãŒããŒã«ã¯ãevilcorp ã®ãµããã¡ã€ã³ã§ã¯ãªãã·ã³ããªã㯠ã¢ãã¬ã¹ãããã ãã§ãªãã192.168.430 ã§å§ãŸã IP ã¢ãã¬ã¹ããããŸããã ãããŠãã¡ããã圌ã¯äžè¬ã®ãããã¯ãŒã¯ããã®èª°ã圌ã®ãšããã«æ¥ãããšãèš±å¯ããŠããŸããã
Linux ã VPN ãçµç±ããŠã¡ãŒã« ãµãŒããŒã«ã¢ã¯ã»ã¹ã§ããããã«ããã«ã¯ãLinux ã vpn-slice ã«ãè¿œå ããå¿ èŠããããŸãã ã¡ãŒã©ãŒã®ã¢ãã¬ã¹ã 555.555.555.555 ã§ãããšããŸãã
echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 555.555.555.555 192.168.430.0/24" vpn.evilcorp.com
XNUMX ã€ã®åŒæ°ã§ VPN ãèµ·åããã¹ã¯ãªãã
ãã¡ãããããããã¹ãŠã¯ããŸã䟿å©ã§ã¯ãããŸããã ã¯ããããã¹ããæã§å ¥åãã代ããã«ããã¡ã€ã«ã«ä¿åããŠã³ã³ãœãŒã«ã«ã³ããŒïŒããŒã¹ãããããšãã§ããŸãããããã§ãããŸãå¿«é©ã§ã¯ãããŸããã ããã»ã¹ãç°¡åã«ããããã«ãPATH ã«é 眮ãããã¹ã¯ãªããã§ã³ãã³ããã©ããã§ããŸãã ããšã¯ãGoogle Authenticator ããåãåã£ãã³ãŒããå ¥åããã ãã§ãã
#!/bin/sh
# ./bin/vpn-slice is relative to the virtualenv; use an absolute path once the script lives in PATH
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com
ã¹ã¯ãªããã connect~evilcorp~ ã«çœ®ããšãã³ã³ãœãŒã«ã«ç°¡åã«æžãããšãã§ããŸãã
connect_evil_corp 567987
ãã ããäœããã®çç±ã§ãopenconnect ãå®è¡ãããŠããã³ã³ãœãŒã«ãéãããŸãŸã«ããå¿ èŠããããŸãã
ããã¯ã°ã©ãŠã³ãã§ã® openconnect ã®å®è¡
幞ããªããšã«ãopenconnect ã®äœæè ãç§ãã¡ã®äžè©±ãããŠãããŠãããã°ã©ã -background ã«ç¹å¥ãªããŒãè¿œå ããŸãããããã«ãããããã°ã©ã ã¯èµ·ååŸã«ããã¯ã°ã©ãŠã³ãã§åäœããããã«ãªããŸãã ãã®ããã«å®è¡ãããšãèµ·ååŸã«ã³ã³ãœãŒã«ãéããããšãã§ããŸã
#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com
çŸåšããã°ãã©ãã«è¡ãã®ãã¯æããã§ã¯ãããŸããã äžè¬ã«ããã°ã¯å®éã«ã¯å¿ èŠãããŸããããããã¯ããããŸããã openconnect ã¯ãããã syslog ã«ãªãã€ã¬ã¯ãããããã§å®å šã«ä¿ç®¡ãããŸãã ã³ãã³ãã« âsyslog ã¹ã€ãããè¿œå ããå¿ èŠããããŸã
#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com
ãã®ãããopenconnect ãããã¯ã°ã©ãŠã³ãã§åäœããŠããã誰ã«ãè¿·æããããŠããªãããšãããããŸãããããããåæ¢ããæ¹æ³ã¯äžæã§ãã ã€ãŸãããã¡ãããgrep ã䜿çšã㊠ps åºåããã£ã«ã¿ãªã³ã°ããååã« openconnect ãå«ãŸããããã»ã¹ãæ¢ãããšãã§ããŸãããããã¯ã©ããããããé¢åã§ãã ãããèããŠãããäœè ããã«æè¬ã§ãã Openconnect ã«ã¯ã㌠-pid-file ããããããã䜿çšã㊠openconnect ã«ããã»ã¹èå¥åããã¡ã€ã«ã«æžã蟌ãããã«æ瀺ã§ããŸãã
#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com \
    --pid-file ~/vpn-pid
ã³ãã³ãã§ãã€ã§ãããã»ã¹ã匷å¶çµäºã§ããããã«ãªããŸããã
kill $(cat ~/vpn-pid)
ããã»ã¹ããªãå Žåãkill ã¯åªããŸããããšã©ãŒã¯ã¹ããŒããŸããã ãã¡ã€ã«ãååšããªãå Žåã§ããæªãããšã¯äœãèµ·ãããªããããã¹ã¯ãªããã®æåã®è¡ã§ããã»ã¹ãå®å šã«åŒ·å¶çµäºã§ããŸãã
#!/bin/sh
kill $(cat ~/vpn-pid)
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com \
    --pid-file ~/vpn-pid
ããã§ãã³ã³ãã¥ãŒã¿ã®é»æºãå ¥ããã³ã³ãœãŒã«ãéããŠã³ãã³ããå®è¡ããGoogle Authenticator ããã®ã³ãŒããæž¡ããŸãã ãã®åŸãã³ã³ãœãŒã«ãéã§åºå®ããããšãã§ããŸãã
VPN ã¹ã©ã€ã¹ãªãã ããšããã®ä»£ããã«
VPN ã¹ã©ã€ã¹ãªãã§ã©ããã£ãŠçããŠããããç解ããã®ã¯éåžžã«é£ããããšãããããŸããã ããããæ¬ãèªãã ããã°ãŒã°ã«ãããããå¿ èŠããããŸããã 幞ããªããšã«ãåé¡ã«å€ãã®æéãè²»ãããåŸã§ã¯ãæè¡ããã¥ã¢ã«ã OpenConnect ãããåºæ¿çãªå°èª¬ã®ããã«èªããŸãã
ãã®çµæãvpn-slice ã¯ãã€ãã£ã ã¹ã¯ãªãããšåæ§ã«ãã«ãŒãã£ã³ã° ããŒãã«ãå¥ã®ãããã¯ãŒã¯ã«å€æŽããããšãããããŸããã
ã«ãŒãã£ã³ã°ããŒãã«
ç°¡åã«èšããšãããã¯æåã®åã« Linux ãçµç±ããã¢ãã¬ã¹ã®å é ã瀺ããXNUMX çªç®ã®åã«ãã®ã¢ãã¬ã¹ã§ã©ã®ãããã¯ãŒã¯ ã¢ããã¿ãŒãçµç±ãããã瀺ãè¡šã§ãã å®éã«ã¯ãã£ãšå€ãã®çºèšè ãããŸãããæ¬è³ªã¯å€ãããŸããã
ã«ãŒãã£ã³ã° ããŒãã«ã衚瀺ããã«ã¯ãip Route ã³ãã³ããå®è¡ããå¿ èŠããããŸãã
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
192.168.430.0/24 dev tun0 scope link
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.534 metric 600
192.168.430.534 dev tun0 scope link
ããã§ãåè¡ã¯ãããã¢ãã¬ã¹ã«ã¡ãã»ãŒãžãéä¿¡ããããã«ã©ãã«è¡ãå¿ èŠãããããæ åœããŸãã 192.168.0.0 ã€ç®ã¯ãã¢ãã¬ã¹ãã©ãããéå§ãããã®èª¬æã§ãã 16/192.168 ãã¢ãã¬ã¹ã XNUMX ã§å§ãŸãããšãæå³ããããšãå€æããæ¹æ³ãç解ããã«ã¯ãIP ã¢ãã¬ã¹ ãã¹ã¯ãšã¯äœããã°ãŒã°ã«ã§æ€çŽ¢ããå¿ èŠããããŸãã dev ã®åŸã«ã¯ãã¡ãã»ãŒãžã®éä¿¡å ãšãªãã¢ããã¿ãŒã®ååããããŸãã
VPN çšã«ãLinux ã¯ä»®æ³ã¢ããã¿ãŒ tun0 ãäœæããŸããã ãã®åç·ã«ããã192.168 ã§å§ãŸããã¹ãŠã®ã¢ãã¬ã¹ã®ãã©ãã£ãã¯ã確å®ã«ééããŸãã
192.168.0.0/16 dev tun0 scope link
次ã®ã³ãã³ãã䜿çšããŠãã«ãŒãã£ã³ã° ããŒãã«ã®çŸåšã®ç¶æ ã確èªããããšãã§ããŸãã ã«ãŒã-n (IP ã¢ãã¬ã¹ã¯å·§åŠã«å¿ååãããŸã) ãã®ã³ãã³ãã¯å¥ã®åœ¢åŒã§çµæãçæãããããäžè¬ã«éæšå¥šã§ããããã®åºåã¯ã€ã³ã¿ãŒãããäžã®ããã¥ã¢ã«ã«ããæ²èŒãããŠããããããèªããå¿ èŠããããŸãã
ã«ãŒãã® IP ã¢ãã¬ã¹ãã©ãããéå§ãããã¹ããã¯ãDestination åãš Genmask åã®çµã¿åããããç解ã§ããŸãã Genmask ã®æ°å€ 255 ã«å¯Ÿå¿ãã IP ã¢ãã¬ã¹ã®éšåã¯èæ ®ãããŸããã0 ãããéšåã¯èæ ®ãããŸããã ã€ãŸããå®å 192.168.0.0 ãšãžã§ã³ãã¹ã¯ 255.255.255.0 ã®çµã¿åããã¯ãã¢ãã¬ã¹ã 192.168.0 ã§å§ãŸãå Žåããã®ã¢ãã¬ã¹ãžã®ãªã¯ãšã¹ãã¯ãã®ã«ãŒãã«æ²¿ã£ãŠéä¿¡ãããããšãæå³ããŸãã å®å ã 192.168.0.0 ã§ãGenmask ã 255.255.0.0 ã®å Žåã192.168 ã§å§ãŸãã¢ãã¬ã¹ãžã®ãªã¯ãšã¹ãã¯ãã®ã«ãŒãã«æ²¿ã£ãŠéä¿¡ãããŸãã
vpn-slice ãå®éã«äœãããŠããã®ããç解ããããã«ãååŸã®ããŒãã«ã®ç¶æ ã確èªããããšã«ããŸããã
VPNããªã³ã«ããåã¯ãããªæãã§ãã
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 222.222.222.1 0.0.0.0 UG 600 0 0 wlp3s0
222.222.222.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp3s0
333.333.333.333 222.222.222.1 255.255.255.255 UGH 0 0 0 wlp3s0
vpn-slice ãªã㧠openconnect ãåŒã³åºããåŸã次ã®ããã«ãªããŸãã
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0
0.0.0.0 222.222.222.1 0.0.0.0 UG 600 0 0 wlp3s0
222.222.222.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp3s0
333.333.333.333 222.222.222.1 255.255.255.255 UGH 0 0 0 wlp3s0
192.168.430.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.430.534 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
ãããŠããã®ããã«vpn-sliceãšçµã¿åãããŠopenconnectãåŒã³åºããåŸ
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 222.222.222.1 0.0.0.0 UG 600 0 0 wlp3s0
222.222.222.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp3s0
333.333.333.333 222.222.222.1 255.255.255.255 UGH 0 0 0 wlp3s0
192.168.430.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.430.534 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
vpn-slice ã䜿çšããªãå Žåãopenconnect ã¯ãç¹ã«æå®ããããã®ãé€ããã¹ãŠã®ã¢ãã¬ã¹ã vpn çµç±ã§ã¢ã¯ã»ã¹ããå¿ èŠãããããšãæ瀺çã«æžã蟌ãããšãããããŸãã
ããã¯ããã§ãïŒ
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0
ãã®é£ã«å¥ã®ãã¹ãããã«ç€ºãããŸããLinux ãééããããšããŠããã¢ãã¬ã¹ãããŒãã«ã®ã©ã®ãã¹ã¯ã«ãäžèŽããªãå Žåã¯ããã®ãã¹ã䜿çšããå¿ èŠããããŸãã
0.0.0.0 222.222.222.1 0.0.0.0 UG 600 0 0 wlp3s0
ãã®å Žåãæšæºã® Wi-Fi ã¢ããã¿ãŒã䜿çšããå¿ èŠãããããšã¯ããã§ã«ããã«æžãããŠããŸãã
VPN ãã¹ã¯ã«ãŒãã£ã³ã° ããŒãã«ã®æåã®ãã¹ã§ããããã䜿çšãããŠãããšæããŸãã
ãããŠçè«çã«ã¯ããã®ããã©ã«ã ãã¹ãã«ãŒãã£ã³ã° ããŒãã«ããåé€ãããšãdnsmasq openconnect ãšäœµçšããããšã§éåžžã®åäœã確ä¿ãããã¯ãã§ãã
ç§ã¯è©Šãã
route del default
ãããŠãã¹ãŠãããŸããããŸããã
vpn-slice ã䜿çšããªãã¡ãŒã«ãµãŒããŒãžã®ãªã¯ãšã¹ãã®ã«ãŒãã£ã³ã°
ãã ããã¢ãã¬ã¹ 555.555.555.555 ã®ã¡ãŒã« ãµãŒããŒããããããã«ã VPN çµç±ã§ã¢ã¯ã»ã¹ããå¿ èŠããããŸãã ãããžã®ã«ãŒããæåã§è¿œå ããå¿ èŠããããŸãã
ip route add 555.555.555.555 via dev tun0
ãããŠä»ã¯ãã¹ãŠé 調ã§ãã ãããã£ãŠãvpn-slice ããªããŠãå®è¡ã§ããŸãããäœãããŠããã®ããããç解ããå¿ èŠããããŸãã çŸåšããã€ãã£ãã® openconnect ã¹ã¯ãªããã®æåŸã®è¡ã«ããã©ã«ã ã«ãŒãã®åé€ãšãVPN æ¥ç¶åŸã®ã¡ãŒã©ãŒã®ã«ãŒããè¿œå ããŠãèªè»¢è»ã®å¯åéšåãæžããããšãæ€èšããŠããŸãã
ãããããVPN ã®èšå®æ¹æ³ãç解ããã«ã¯ããã®ããšããã ãã§ååã§ãããã ããããäœãã©ã®ããã«ããã°ããããç解ããããšããŠããéãèè ã«ãšã£ãŠã¯åœ¹ã«ç«ã¡ãŸãããäœããã®çç±ã§ç§ã«ãšã£ãŠã¯åœ¹ã«ç«ããªããã®ãããªã¬ã€ããããªãããããèªã¿ãŸãããããã§ãèŠã€ãããã¹ãŠã®éšåãããã«è¿œå ããããšã«ããŸããã ãã®ãããªããšã¯ãšãŠãå¬ããã§ãã
åºæïŒ habr.com