How to connect to a corporate VPN in Linux using openconnect and vpn-slice

Do you want to use Linux at work, but your corporate VPN won't let you? Then this article may help, although that is not certain. I want to warn you in advance that I understand network administration poorly, so it is quite possible that I did everything wrong. On the other hand, it is possible that I can write the guide in a way that ordinary people will understand, so I advise you to give it a try.

The article contains a lot of unnecessary information, but without this knowledge I would not have been able to solve the problems that unexpectedly came up while I was setting up the VPN. I think anyone who tries to use this guide will run into problems that I did not have, and I hope this extra information will help them solve those problems on their own.

Most of the commands used in this guide need to be run through sudo, which has been left out for brevity. Keep that in mind.

Most IP addresses have been heavily obfuscated, so if you see an address like 435.435.435.435, there should be a normal IP there, specific to your case.

I have Ubuntu 18.04, but I think that with small changes the guide can be applied to other distributions. However, in this text Linux == Ubuntu.

Cisco Connect

Those on Windows or MacOS can connect to our corporate VPN through Cisco Connect, which needs to be given the gateway address and, on every connection, a password consisting of a fixed part and a code generated by Google Authenticator.

In the case of Linux, I could not get Cisco Connect running, but I did manage to google a recommendation to use openconnect, made specifically to replace Cisco Connect.

Openconnect

In theory, Ubuntu has a special graphical interface for openconnect, but it did not work for me. Maybe that is for the better.

On Ubuntu, openconnect is installed from the package manager.

apt install openconnect

Immediately after installation, you can try connecting to the VPN

openconnect --user poxvuibr vpn.evilcorp.com

vpn.evilcorp.com is the address of a fictitious VPN
poxvuibr is a fictitious username

openconnect will ask you to enter the password, which, let me remind you, consists of a fixed part and a code from Google Authenticator, and will then try to connect to the VPN. If it worked, congratulations: you can safely skip the middle, which is full of pain, and go on to the section about running openconnect in the background. If it did not work, read on. Although if it worked when connecting from, say, the guest Wi-Fi at work, it may be too early to celebrate; you should try repeating the procedure from home.

Certificate

There is a high probability that nothing will start, and the openconnect output will look something like this:

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.evilcorp.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

On the one hand, this is unpleasant, because no connection to the VPN was made; on the other hand, how to fix this problem is, in principle, clear.

Here the server sent us a certificate, by which one can tell that the connection is being made to our own corporation's server and not to a malicious impostor, and this certificate is unknown to the system. So the system cannot check whether the server is genuine or not. And so, just in case, it stops working.

For openconnect to connect to the server after all, you need to tell it explicitly which certificate should come from the VPN server, using the --servercert option.

And you can find out which certificate the server sent us directly from what openconnect printed. That value comes from the very connection that failed verification, so check it against a fingerprint obtained from your VPN administrators before pinning it. Here is the relevant piece:

To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

With this command you can try connecting again

openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com

Perhaps it works now, and then you can skip to the end. But personally, Ubuntu thumbed its nose at me, in this form

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.evilcorp.com
XML POST enabled
Please enter your username and password.
POST https://vpn.evilcorp.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 300, Keepalive 30
Set up DTLS failed; using SSL instead
Connected as 192.168.333.222, using SSL
NOSSSSSHHHHHHHDDDDD
3
NOSSSSSHHHHHHHDDDDD
3
RTNETLINK answers: File exists
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

/etc/resolv.conf

# Generated by NetworkManager
search gst.evilcorpguest.com
nameserver 127.0.0.53

/run/resolvconf/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 192.168.430.534
nameserver 127.0.0.53
search evilcorp.com gst.publicevilcorp.com

habr.com will resolve, but you won't be able to go there. Addresses like jira.evilcorp.com do not resolve at all.

What happened here is not clear to me. But experiment shows that if you add this line to /etc/resolv.conf

nameserver 192.168.430.534

then addresses inside the VPN magically start to resolve and you can reach them; that is, whatever decides which DNS to use for resolving addresses looks precisely in /etc/resolv.conf, and not somewhere else.

You can verify that the VPN connection exists and works without making any changes to /etc/resolv.conf; to do that, just enter in the browser not the symbolic name of a resource inside the VPN, but its IP address.

As a result, there are two problems

  • When connecting to the VPN, its DNS is not picked up
  • All traffic goes through the VPN, which does not allow access to the Internet

I will tell you what to do about that in a moment, but first a little automation.

Automatic entry of the fixed part of the password

By now you have most likely entered your password at least five times, and the procedure has already worn you out. First, because the password is long, and second, because you have to fit the entry into a fixed time window.

The final solution to the problem did not make it into the article, but you can arrange things so that the fixed part of the password does not have to be entered over and over.

Suppose the fixed part of the password is fixedPassword, and the part from Google Authenticator is 567987. The whole password can be passed to openconnect via standard input using the --passwd-on-stdin argument.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com --passwd-on-stdin

Now you can keep going back to the last entered command and change only the Google Authenticator part there.

The corporate VPN does not let you browse the Internet

In general, it is not all that inconvenient when you have to use a separate computer to go to Habr. But not being able to copy-paste from Stack Overflow can paralyze work altogether, so something needs to be done.

We need to arrange things so that when you want to reach a resource on the internal network, Linux goes through the VPN, and when you want to go to Habr, it goes to the Internet.

After starting up and establishing the connection to the VPN, openconnect runs a special script located at /usr/share/vpnc-scripts/vpnc-script. Some variables are passed to the script as input, and it configures the VPN. Unfortunately, I could not figure out how to split traffic between the corporate VPN and the rest of the Internet using the native script.

Apparently the vpn-slice utility was developed especially for people like me; it lets you send traffic through two channels without dancing with a tambourine. Well, that is, you will have to dance, but you do not have to be a shaman.

Splitting traffic with vpn-slice

First, you will have to install vpn-slice, and you will have to figure that out on your own. If there are questions in the comments, I will write a separate post about it. But it is an ordinary Python program, so there should be no difficulties. I installed it using virtualenv.

Then the utility has to be put to use: with the --script option, tell openconnect that vpn-slice should be used instead of the standard script.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
--script "./bin/vpn-slice 192.168.430.0/24" vpn.evilcorp.com

--script is given a string with the command to be called instead of the script. ... Here we mean that if an address starts with 192.168.430.0, then the resource with that address should be looked for inside the VPN.

Now the situation should be almost normal. Almost. You can now go to Habr and you can reach an intra-corporate resource by IP, but you cannot reach an intra-corporate resource by its symbolic name. If you write the mapping between the symbolic name and the address into hosts, everything should work. And keep working until the IP changes. Linux can now reach the Internet or the intranet, depending on the IP. But a non-corporate DNS is still used to determine the address.

The problem can also show up in this form: at work everything is fine, but at home you can reach internal corporate resources only by IP. That is because when you are connected to the corporate Wi-Fi, the corporate DNS is used as well, and the symbolic addresses from the VPN resolve in it, even though it is still impossible to reach such an address without using the VPN.

Automatic modification of the hosts file

If vpn-slice is asked politely, then after bringing up the VPN it can go to the VPN's DNS, look up the IP addresses of the required resources by their symbolic names, and write them into hosts. After the VPN is shut down, these addresses are removed from hosts. To do this, you need to pass the symbolic names to vpn-slice as arguments. Like this.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
--script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

Now everything should work both in the office and on the beach.

Look up the addresses of all subdomains in the DNS provided by the VPN

If there are few addresses inside the network, the approach of automatically modifying the hosts file works quite well. But if there are many resources on the network, you will constantly need to add lines like zoidberg.test.evilcorp.com to the script; zoidberg is the name of one of the test benches.

But now that we understand a little of what is going on, this need can be eliminated.

If, after bringing up the VPN, you look in /etc/hosts, you can see this line

192.168.430.534 dns0.tun0 # vpn-slice-tun0 AUTOCREATED

And a new line was added to resolv.conf. In short, vpn-slice somehow determined where the DNS server for the VPN is.

Now we need to make sure that to find the IP address of a domain name ending in evilcorp.com, Linux goes to the corporate DNS, and if anything else is needed, to the default one.

I googled for quite a while and found that such functionality is available in Ubuntu out of the box. This means the ability to use the local DNS server dnsmasq to resolve names.

That is, you can arrange for Linux to always go to a local DNS server for IP addresses, and that server, in turn, depending on the domain name, will look up the IP on the appropriate external DNS server.

To manage everything related to networks and network connections, Ubuntu uses NetworkManager, and the graphical interface for choosing, say, a Wi-Fi connection is just a front end to it.

We will need to dig into its configuration.

  1. Create a file at /etc/NetworkManager/dnsmasq.d/evilcorp

server=/.evilcorp.com/192.168.430.534

Pay attention to the dot before evilcorp. It tells dnsmasq that all subdomains of evilcorp.com should be looked up in the corporate DNS.

  2. Tell NetworkManager to use dnsmasq for name resolution

The NetworkManager configuration is in /etc/NetworkManager/NetworkManager.conf. You need to add there:

[main]
dns=dnsmasq

  3. Restart NetworkManager

service network-manager restart

Now, after connecting to the VPN using openconnect together with vpn-slice, the IP will be determined normally, even if you do not add the symbolic addresses to the vpn-slice arguments.
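A simplified model of per-domain upstream selection, as an added example that is not part of the original article: it uses dnsmasq's server=/domain/ip form, matches on whole labels and lets the most specific rule win. The second rule, the address 192.0.2.53 and all function names are assumptions made for illustration.

```python
# Constructed dnsmasq configuration in the format of the file from step 1.
# 192.168.430.534 is the article's obfuscated placeholder for the corporate
# DNS server; the test.evilcorp.com rule and 192.0.2.53 are assumptions added
# to show that a more specific domain takes precedence.
CONFIG = """\
# names under evilcorp.com are resolved by the DNS server inside the VPN
server=/.evilcorp.com/192.168.430.534
server=/test.evilcorp.com/192.0.2.53
"""

DEFAULT_UPSTREAM = "default"  # stands for the resolvers of the active connection


def parse_server_rules(text):
    """Map each domain named in a server=/domain/.../ip line to its upstream."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("server=/"):
            continue  # comments, blank lines and other directives
        *domains, upstream = line[len("server=/"):].split("/")
        for domain in domains:
            # The leading dot in the article's rule is dropped in this model;
            # names are compared case-insensitively.
            rules[domain.strip(".").lower()] = upstream
    return rules


def upstream_for(name, rules):
    """Return the upstream that would receive the query for name."""
    labels = name.rstrip(".").lower().split(".")
    # Walk from the full name towards the TLD so the most specific rule wins.
    # Cutting only at dots means publicevilcorp.com never matches evilcorp.com.
    for start in range(len(labels)):
        suffix = ".".join(labels[start:])
        if suffix in rules:
            return rules[suffix]
    return DEFAULT_UPSTREAM


def queries_leaving_vpn_dns(names, rules):
    """Names whose lookups go to the default (non-corporate) resolver."""
    return [n for n in names if upstream_for(n, rules) == DEFAULT_UPSTREAM]


if __name__ == "__main__":
    rules = parse_server_rules(CONFIG)
    for host in ["jira.evilcorp.com", "zoidberg.test.evilcorp.com",
                 "mail.publicevilcorp.com", "habr.com"]:
        print(f"{host:28} -> {upstream_for(host, rules)}")
```

Names reported by queries_leaving_vpn_dns are the ones the corporate DNS never sees, which is also the list to check when an internal name fails to resolve.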

How to reach individual services through the VPN

After I managed to connect to the VPN, I was very happy for two days, and then it turned out that if I connect to the VPN from outside the office network, mail does not work. A familiar symptom, isn't it?

Our mail lives at mail.publicevilcorp.com, which means it does not fall under the rule in dnsmasq, and the mail server's address is looked up through public DNS.

Well, the office still uses a DNS that has this address. That is what I thought. In fact, after adding this line to dnsmasq

address=/mail.publicevilcorp.com/192.168.430.534

the situation did not change at all. The IP stayed the same. I had to go to work.

And only later, when I dug deeper into the situation and understood the problem a little, a smart person told me how to solve it. The connection to the mail server had to be made not just any old way, but through the VPN.

I use vpn-slice to go through the VPN to addresses that start with 192.168.430. And the mail server not only has a symbolic address that is not a subdomain of evilcorp, it also does not have an IP address starting with 192.168.430. And of course it does not let anyone in from the public network.

For Linux to go through the VPN to the mail server as well, you need to add it to vpn-slice too. Let's say the mail server's address is 555.555.555.555

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
--script "./bin/vpn-slice 555.555.555.555 192.168.430.0/24" vpn.evilcorp.com

Script for bringing up the VPN with one argument

All this, of course, is not very convenient. Yes, you can save the text to a file and copy-paste it into the console instead of typing it by hand, but it is still not much fun. To make the process easier, you can wrap the command in a script that sits in PATH. Then you will only need to enter the code obtained from Google Authenticator

#!/bin/sh
# $1 is the current Google Authenticator code, appended to the fixed part
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
--script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

If you put the script in connect_evil_corp, you can simply type in the console

connect_evil_corp 567987

But now you still have to keep the console in which openconnect is running open for some reason

Running openconnect in the background

Fortunately, the authors of openconnect took care of us and added a special option to the program, --background, which makes the program work in the background after it starts. If you run it like this, you can close the console after startup

#!/bin/sh
# $1 is the current Google Authenticator code, appended to the fixed part
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
--user poxvuibr \
--passwd-on-stdin \
--background \
--script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

Now it is just unclear where the logs go. In general we do not really need the logs, but you never know. openconnect can redirect them to syslog, where they will be kept safe and sound. To do this, add the --syslog option to the command

#!/bin/sh
# $1 is the current Google Authenticator code, appended to the fixed part
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
--user poxvuibr \
--passwd-on-stdin \
--background \
--syslog \
--script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

And so it turns out that openconnect is working somewhere in the background and bothering no one, but it is unclear how to stop it. That is, you can of course filter the ps output with grep and find the process whose name contains openconnect, but that is rather tedious. Thanks to the authors, who thought of this too. openconnect has a --pid-file option, with which you can instruct openconnect to write its process identifier to a file.

#!/bin/sh
# $1 is the current Google Authenticator code, appended to the fixed part
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
--user poxvuibr \
--passwd-on-stdin \
--background \
--syslog \
--pid-file ~/vpn-pid \
--script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

Now you can always kill the process with the command

kill $(cat ~/vpn-pid)

If there is no process, kill will complain but will not throw an error. If the file does not exist, nothing terrible will happen either, so you can safely kill the process as the first command in the script.

#!/bin/sh
# Stop a previous openconnect instance, if there is one, before starting anew
kill $(cat ~/vpn-pid)
# $1 is the current Google Authenticator code, appended to the fixed part
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
--user poxvuibr \
--passwd-on-stdin \
--background \
--syslog \
--pid-file ~/vpn-pid \
--script "./bin/vpn-slice 192.168.430.0/24 jira.vpn.evilcorp.com git.vpn.evilcorp.com" vpn.evilcorp.com

Now you can turn on your computer, open a console and run the command, passing it the code from Google Authenticator. The console can then be closed.

Without vpn-slice. Instead of an afterword

Understanding how to live without vpn-slice turned out to be very difficult. I had to read and google a lot. Fortunately, after spending so much time with the problem, technical manuals and even man openconnect read like gripping novels.

As a result, I found out that vpn-slice, like the native script, modifies the routing table to separate the networks.

Routing table

Put simply, this is a table whose first column contains what the address Linux wants to reach must start with, and whose second column contains the network adapter through which to reach that address. In fact there are more columns, but that does not change the essence.

To view the routing table, run the ip route command

default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600 
192.168.430.0/24 dev tun0 scope link 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.534 metric 600 
192.168.430.534 dev tun0 scope link 

Here, each line is responsible for where to go in order to send a message to some address. First comes a description of what the address must start with. To understand how to tell that 192.168.0.0/16 means the address must start with 192.168, you need to google what an IP address mask is. After dev comes the name of the adapter to which the message should be sent.

For the VPN, Linux created a virtual adapter, tun0. The line that makes traffic for all addresses starting with 192.168 go through it is

192.168.0.0/16 dev tun0 scope link 

You can also look at the current state of the routing table with the route -n command (the IP addresses are skilfully anonymized). This command prints its results in a different form and is deprecated in general, but its output often turns up in manuals on the Internet and you need to be able to read it.

What the IP address for a route must start with can be worked out from the combination of the Destination and Genmask columns. The parts of the IP address that correspond to the number 255 in Genmask are taken into account, and those where it has 0 are not. That is, the combination of Destination 192.168.0.0 and Genmask 255.255.255.0 means that if an address starts with 192.168.0, a request to it will go by this route. And if Destination is 192.168.0.0 but Genmask is 255.255.0.0, then requests to addresses starting with 192.168 will go by this route.
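The Destination/Genmask reading described above, carried through to full route selection as an added example that is not code from the original article: among matching routes Linux takes the longest prefix and, for equal prefixes, the lowest metric. The tables are constructed with valid stand-in addresses because the article's are obfuscated, and the function names are hypothetical.

```python
import ipaddress

# Constructed `route -n` tables shaped like the article's three states. The
# article's own addresses are obfuscated (192.168.430.0 is not valid IPv4), so
# 10.20.30.0/24 stands in for the corporate network, 10.20.30.53 for its DNS
# server and 203.0.113.10 for the VPN gateway (all assumptions).
HEADER = "Destination     Gateway         Genmask         Flags Metric Ref    Use Iface\n"
PHYSICAL = (
    "0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlp3s0\n"
    "192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0\n"
    "203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 wlp3s0\n"
)
CORPORATE = (
    "10.20.30.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0\n"
    "10.20.30.53     0.0.0.0         255.255.255.255 UH    0      0        0 tun0\n"
)
TUN_DEFAULT = "0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0\n"

BEFORE_VPN = HEADER + PHYSICAL
FULL_TUNNEL = HEADER + TUN_DEFAULT + PHYSICAL + CORPORATE  # openconnect alone
SPLIT_TUNNEL = HEADER + PHYSICAL + CORPORATE               # openconnect + vpn-slice


def parse_routes(text):
    """Turn `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have eight columns; skip the banner and the header row.
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = fields
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{genmask}"),
            "gateway": gateway,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def select_route(routes, address):
    """Return the route that would be picked for address, or None."""
    ip = ipaddress.ip_address(address)
    matching = [r for r in routes if ip in r["net"]]
    if not matching:
        return None
    # Most specific prefix first; for equal prefixes the lowest metric wins.
    return min(matching, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def egress_iface(table_text, address):
    """Name of the interface a packet to address would leave through."""
    route = select_route(parse_routes(table_text), address)
    return route["iface"] if route else None


if __name__ == "__main__":
    probes = ["10.20.30.40", "198.51.100.7", "203.0.113.10", "192.168.1.20"]
    for name, table in [("before VPN", BEFORE_VPN),
                        ("openconnect only", FULL_TUNNEL),
                        ("with vpn-slice", SPLIT_TUNNEL)]:
        for probe in probes:
            print(f"{name:17} {probe:13} -> {egress_iface(table, probe)}")
```

Run against your own `route -n` output, the same functions show whether only the corporate prefixes leave through tun0 or whether the whole default route has moved into the tunnel.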

To work out what vpn-slice actually does, I decided to look at the state of the tables before and after.

Before turning on the VPN it looked like this

route -n 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0

After calling openconnect without vpn-slice it became like this

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

And after calling openconnect in combination with vpn-slice, like this

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

You can see that if you do not use vpn-slice, openconnect explicitly writes that all addresses, except those specifically listed, must be reached through the VPN.

Right here:

0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0

Right next to it, another path is listed, which should be used if the address Linux is trying to reach does not match any mask in the table.

0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0

Here it already says that in this case the standard Wi-Fi adapter should be used.

I believe the VPN path is used because it is first in the routing table.

And theoretically, if you remove this default path from the routing table, then together with dnsmasq openconnect should provide normal operation.

I tried

route del default

And everything worked.

Routing requests to the mail server without vpn-slice

But I also have the mail server with the address 555.555.555.555, which also needs to be reached through the VPN. The route to it also has to be added by hand.

ip route add 555.555.555.555 dev tun0

And now everything is fine. So you can do without vpn-slice after all, but you need to know well what you are doing. I am now thinking about adding to the last line of the native openconnect script the removal of the default route and the addition of a route for the mail server after connecting to the VPN, just so that my bicycle has fewer moving parts.

Probably this afterword alone would be enough for someone to understand how to set up a VPN. But while I was trying to understand what to do and how, I read quite a lot of guides like that, which work for the author but for some reason do not work for me, and I decided to add here all the pieces I found. I would have been very glad of something like this.

Source: www.habr.com
