ProHoster > Π‘Π»ΠΎΠ³ > Maamulka > Sida loogu xidho VPN-shirkadeed gudaha Linux iyadoo la isticmaalayo openconnect iyo vpn-slice

Sida loogu xidho VPN-shirkadeed gudaha Linux iyadoo la isticmaalayo openconnect iyo vpn-slice

Ma doonaysaa inaad Linux ku isticmaasho shaqada, laakiin shirkaddaada VPN kuma oggolaan doonto? Markaa maqaalkan ayaa laga yaabaa inuu ku caawiyo, inkasta oo tani aysan ahayn mid la hubo. Waxaan jeclaan lahaa in aan horay kaaga digayo in aanan si fiican u fahmin arrimaha maamulka shabakada, markaa waxaa suurtagal ah in aan wax walba khalad sameeyay. Dhanka kale, waxaa suurtagal ah in aan qoro hage si ay u fahmaan dadka caadiga ah, markaa waxaan kugula talinayaa inaad tijaabiso.

Maqaalku wuxuu ka kooban yahay macluumaad badan oo aan loo baahnayn, laakiin aqoontan la'aanteed ma awoodin inaan xalliyo dhibaatooyinka si lama filaan ah iigu soo baxay samaynta VPN. Waxaan u maleynayaa in qof kasta oo isku daya inuu isticmaalo hagahan ay la kulmi doonaan dhibaatooyin aanan qabin, waxaana rajeynayaa in macluumaadkan dheeraadka ah ay gacan ka geysan doonaan xallinta dhibaatooyinkan keligood.

Inta badan amarrada lagu isticmaalo hagahan waxay u baahan yihiin in lagu socodsiiyo sudo, kaas oo meesha laga saaray si kooban. Maskaxda Ku hay.

Inta badan ciwaanka IP-ga si xun ayaa loo qariyey, marka haddii aad aragto ciwaan sida 435.435.435.435, waa in uu jiraa xoogaa IP caadi ah, gaar ahaan kiiskaaga.

Waxaan haystaa Ubuntu 18.04, laakiin waxaan u maleynayaa isbeddellada yaryar hagaha waxaa lagu dabaqi karaa qaybinta kale. Si kastaba ha ahaatee, qoraalkan Linux == Ubuntu.

Cisco Connect

Kuwa ku jira Windows ama MacOS waxay ku xidhi karaan shirkaddeena VPN iyada oo loo sii marayo Cisco Connect, kaas oo u baahan inuu caddeeyo ciwaanka albaabka iyo, mar kasta oo aad ku xidho, gali furaha sirta ah ee ka kooban qayb go'an iyo kood uu soo saaray Google Authenticator.

Marka laga hadlayo Linux, ma heli karo Cisco Connect oo ordaya, laakiin waxaan ku guuleystey inaan google talo bixiyo si aan u isticmaalo isku xirka furan, oo si gaar ah loo sameeyay si loogu beddelo Cisco Connect.

Isku xidhka furan

Aragti ahaan, Ubuntu waxay leedahay interface garaaf gaar ah oo loogu talagalay isku xirka furitaanka, laakiin aniga iimay shaqayn. Waxaa laga yaabaa inay u wanaagsan tahay.

On Ubuntu, openconnect waxa lagu rakibay maamulaha xirmada.

apt install openconnect

Isla markiiba ka dib rakibidda, waxaad isku dayi kartaa inaad ku xirto VPN

openconnect --user poxvuibr vpn.evilcorp.com

vpn.evilcorp.com waa ciwaanka VPN khiyaaliga ah
poxvuibr - username khayaali ah

openconnect waxay ku weydiin doontaa inaad geliso furaha sirta ah, aan ku xasuusiyo, ka kooban qayb go'an iyo code Google Authenticator ah, ka dibna waxay isku dayi doontaa inay ku xirto vpn-ka. Haddii ay shaqeyso, hambalyo, waxaad si badbaado leh uga boodi kartaa bartamaha, taas oo ah xanuun badan, oo aad u gudubto barta ku saabsan xiriirka furan ee ku ordaya gadaasha. Haddii ay shaqayn waydo, markaa waad sii wadan kartaa. In kasta oo haddii ay ka shaqeysay marka la isku xirayo, tusaale ahaan, Wi-Fi-ga martida ee shaqada, markaa waxaa laga yaabaa inay goor hore tahay inaad ku faraxdo; waa inaad isku daydaa inaad ku celiso nidaamka guriga.

Shahaado

Waxaa jirta suurtogalnimo sare oo ah in aanay waxba bilaabmin, wax soo saarka isku xidhka furanna waxa uu u ekaan doonaa sidan:

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.evilcorp.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

Dhinaca kale, tani waa wax aan fiicneyn, sababtoo ah ma jirin xiriir la leh VPN, laakiin dhinaca kale, sida loo xalliyo dhibaatadan waa, mabda'a, cad.

Halkan Server-ku waxa uu noo soo diray shahaado, taas oo aanu ku ogaan karno in xidhiidhka laga samaynayo server-ka shirkadda aanu u dhalanay, ee aanu ahayn mid wax khiyaameeya, shahaadadaasna aan la garanayn nidaamka. Sidaas darteed ma hubin karto in server-ku run yahay iyo in kale. Oo sidaas daraaddeed, kaliya haddii ay dhacdo, waxay joojisaa shaqada.

Si xiriir furan loogu xiro server-ka, waxaad u baahan tahay inaad si cad u sheegto shahaadada ka imanaysa server-ka VPN adoo isticmaalaya furaha-servert

Oo waxaad ogaan kartaa shahaadada server-ku si toos ah nooga soo diray waxa openconnect daabacay. Waa kan gabalkan:

To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

Amarkan waxaad isku dayi kartaa inaad mar kale ku xidho

openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com

Waxaa laga yaabaa in hadda ay shaqeyneyso, ka dibna waxaad u gudbi kartaa dhammaadka. Laakiin shakhsi ahaan, Ubuntu waxay i tustay berde qaabkan ah

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.evilcorp.com
XML POST enabled
Please enter your username and password.
POST https://vpn.evilcorp.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 300, Keepalive 30
Set up DTLS failed; using SSL instead
Connected as 192.168.333.222, using SSL
NOSSSSSHHHHHHHDDDDD
3
NOSSSSSHHHHHHHDDDDD
3
RTNETLINK answers: File exists
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

/etc/resolv.conf

# Generated by NetworkManager
search gst.evilcorpguest.com
nameserver 127.0.0.53

/run/resolvconf/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 192.168.430.534
nameserver 127.0.0.53
search evilcorp.com gst.publicevilcorp.com

habr.com ayaa xalin doonta, laakiin ma awoodid inaad halkaas aado. Ciwaanada sida jira.evilcorp.com gabi ahaanba lama xaliyo.

Waxa halkan ka dhacay iima cadda. Laakiin tijaabadu waxay muujinaysaa haddii aad ku darto khadka /etc/resolv.conf

nameserver 192.168.430.534

ka dib ciwaanada ku dhex jira VPN-ka waxay bilaabi doonaan inay si sixir ah u xalliyaan oo aad dhex mari karto iyaga, taas oo ah, waxa DNS ay raadinayso si loo xaliyo ciwaanadu waxay si gaar ah ugu muuqdaan /etc/resolv.conf, ee maaha meel kale.

Waxaad xaqiijin kartaa in uu jiro xiriir VPN-ka oo uu shaqeeyo iyada oo aan wax isbeddel ah lagu samayn /etc/resolv.conf; si tan loo sameeyo, kaliya geli browserka ma aha magaca astaanta ah ee ilaha VPN, laakiin ciwaanka IP-ga

Natiijo ahaan, waxaa jira laba dhibaato

  • Marka lagu xidho VPN, dns-kiisa lama soo qaado
  • dhammaan taraafikada waxay maraan VPN, taas oo aan u oggolaan gelitaanka internetka

Waxaan kuu sheegi doonaa waxa la sameeyo hadda, laakiin marka hore in yar oo otomaatig ah.

Gelida tooska ah ee qaybta go'an ee erayga sirta ah

Hadda, waxay u badan tahay inaad mar hore gelisay eraygaaga sirta ah ugu yaraan shan jeer nidaamkanina mar hore ayuu ku daalay. Marka hore, sababtoo ah erayga sirta ah wuu dheer yahay, marka labaadna, sababtoo ah markaad gelayso waxaad u baahan tahay inaad ku haboonaato wakhti go'an

Xalka ugu dambeeya ee dhibaatada laguma darin maqaalka, laakiin waxaad hubin kartaa in qaybta go'an ee erayga sirta ah aan la gelin marar badan.

Aynu ka soo qaadno in qaybta go'an ee erayga sirta ah ay tahay Password-ka go'an, qaybta Google Authenticator-na ay tahay 567. Dhammaan erayga sirta ah waxa loo gudbin karaa in lagu furo xidhidhiyaha iyada oo la adeegsanayo gelinta caadiga ah iyada oo la adeegsanayo doodda -passwd-on-stdin.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com --passwd-on-stdin

Hadda waxaad si joogto ah ugu noqon kartaa amarkii ugu dambeeyay ee la galiyay oo waxaad ku bedeli kartaa qayb ka mid ah Google Authenticator halkaas.

VPN shirkadu kuma ogola inaad dhex gasho internetka.

Guud ahaan, maahan mid aad u dhib badan marka ay tahay inaad isticmaasho kombiyuutar gaar ah si aad Habr u aado. Awood la'aanta in lagu koobi karo stackoverfow waxay guud ahaan curyaami kartaa shaqada, markaa wax ayaa loo baahan yahay in la qabto.

Waxaan u baahanahay inaan si uun u habaynno si marka aad u baahan tahay inaad ka hesho kheyraadka shabakadda gudaha, Linux waxay aadaysaa VPN, marka aad u baahan tahay inaad tagto Habr, waxay aadaysaa internetka.

openconnect, ka dib marka la furo oo la sameeyo xiriirinta vpn, waxay fuliya qoraal gaar ah, kaas oo ku yaala /usr/share/vpnc-scripts/vpnc-script. Doorsoomayaasha qaarkood ayaa loo gudbiyaa qoraalka si la gelin ah, oo waxay dejisaa VPN-ka. Nasiib darro, waan garan waayay sida loo kala qaybiyo socodka taraafikada ee u dhexeeya VPN shirkadaha iyo inta ka hartay intarneedka iyadoo la isticmaalayo qoraal asal ah.

Sida muuqata, utility vpn-slice waxaa loo sameeyay gaar ahaan dadka aniga oo kale ah, kaas oo kuu ogolaanaya inaad u dirto taraafikada laba kanaal adigoon qoob ka ciyaareynin dambourin. Waa hagaag, taasi waa, waa inaad dheeshaa, laakiin maaha inaad noqoto shaman.

Kala soocida gaadiidka iyadoo la adeegsanayo vpn-slice

Marka hore, waa inaad ku rakibtaa vpn-slice, waa inaad ogaataa tan naftaada. Haddii ay jiraan su'aalo ku jira faallooyinka, waxaan ku qori doonaa qoraal gooni ah oo arrintan ku saabsan. Laakiin kani waa barnaamij Python ah oo joogto ah, markaa waa inaysan jirin wax dhib ah. Waxaan ku rakibay anigoo isticmaalaya virtualenv.

Ka dibna utility waa in lagu dabaqaa, iyadoo la adeegsanayo -script switch, taasoo muujinaysa in la furo isku xirka in bedelkii qoraalka caadiga ah, aad u baahan tahay inaad isticmaasho vpn-slice.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin 
--script "./bin/vpn-slice 192.168.430.0/24  " vpn.evilcorp.com

--script waxa la mariyaa xadhig leh amar u baahan in loo yeedho halkii qoraalka. ./bin/vpn-slice - dariiqa loo maro vpn-slice faylka la fulin karo 192.168.430.0/24 - maaskaro ciwaanka si loo galo vpn. Halkan, waxaan ula jeednaa in haddii ciwaanka uu ka bilowdo 192.168.430, markaa kheyraadka cinwaankan wuxuu u baahan yahay in laga baadho gudaha VPN.

Xaaladdu hadda waa inay noqotaa mid caadi ah. Ku dhawaad Hadda waxaad aadi kartaa Habr oo waxaad aadi kartaa ilaha-shirkadeed ee ip, laakiin ma aadi kartid ilaha-shirkadaha magac calaamad ah. Haddii aad qeexdo ciyaar u dhaxaysa magaca iyo ciwaanka calaamada ah ee martida loo yahay, wax walba waa inay shaqeeyaan. Oo shaqee ilaa ip beddelo. Linux hadda waxay geli kartaa internetka ama intranetka, iyadoo ku xiran IP-ga. Laakiin DNS-ka aan-shirkadeed ahayn ayaa wali loo isticmaalaa si loo go'aamiyo ciwaanka.

Dhibaatadu waxay sidoo kale isku muujin kartaa qaabkan - shaqada wax walbaa way fiican yihiin, laakiin guriga waxaad kaliya ka heli kartaa ilaha gudaha ee gudaha IP. Tani waa sababta oo ah marka aad ku xiran tahay Wi-Fi-ga shirkadda, DNS-ka shirkadda ayaa sidoo kale la isticmaalaa, iyo cinwaannada astaanta ah ee VPN ayaa lagu xalliyaa dhexdeeda, inkastoo xaqiiqda ah in aysan weli suurtagal ahayn in la aado cinwaankan iyada oo aan la isticmaalin VPN.

Wax ka beddel toos ah oo lagu sameeyo faylka martida loo yahay

Haddii vpn-slice si xushmad leh loo weydiiyo, ka dib markii kor loo qaado VPN, waxay aadi kartaa DNS-keeda, ka hel cinwaannada IP-yada ee agabyada lagama maarmaanka ah magacyadooda astaanta ah oo geli martigeliyayaasha. Ka dib marka la damiyo VPN-ka, ciwaanadan waxa laga saarayaa dadka martida loo yahay. Si tan loo sameeyo, waxaad u baahan tahay inaad u gudbiso magacyada astaanta vpn-slice dood ahaan. Sidan oo kale.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Hadda wax walba waa inay ka shaqeeyaan labadaba xafiiska iyo xeebta.

Ka raadi ciwaannada dhammaan subdomains-ka DNS ee ay bixiso VPN

Haddii ay jiraan cinwaano dhowr ah oo shabakada dhexdeeda ah, markaa habka si toos ah wax looga beddelo faylka martida loo yahay ayaa si fiican u shaqeeya. Laakiin haddii ay jiraan kheyraad badan oo shabakadda ah, markaa waxaad si joogto ah u baahan doontaa inaad ku darto khadadka sida zoidberg.test.evilcorp.com qoraalka zoidberg waa magaca mid ka mid ah kuraasta imtixaanka.

Laakiin hadda oo aan fahamnay in yar sababta baahidan loo tirtiri karo.

Haddii, ka dib markaad kor u qaaddo VPN, aad eegto /etc/hosts, waxaad arki kartaa khadkan

192.168.430.534 dns0.tun0 # vpn-slice-tun0 AUTOCREATED

Oo khad cusub ayaa lagu daray resolv.conf. Marka la soo koobo, vpn-slice ayaa si uun loo go'aamiyay halka uu ku yaalo server-ka DNS ee vpn.

Hadda waxaan u baahanahay inaan hubinno in si aan u ogaano cinwaanka IP-ga ee magac domain ku dhamaanaya xumaancorp.com, Linux wuxuu aadaa DNS shirkadda, iyo haddii wax kale loo baahan yahay, ka dibna midka caadiga ah.

In muddo ah ayaan Googled-ka-dhigay oo waxaan ogaaday in shaqadan oo kale laga heli karo Ubuntu meel ka baxsan sanduuqa. Tani waxay ka dhigan tahay awoodda lagu isticmaalo server-ka DNS ee dnsmasq si loo xalliyo magacyada.

Taasi waa, waxaad hubin kartaa in Linux had iyo jeer aado server-ka DNS ee degaanka ee cinwaannada IP, taas oo markaa, ku xiran magaca domainka, waxay ka raadin doontaa IP-ga server-ka DNS ee dibadda ah.

Si loo maareeyo wax kasta oo la xiriira shabakadaha iyo isku xirka shabakada, Ubuntu waxay isticmaashaa NetworkManager, iyo interface-ka garaafyada xulashada, tusaale ahaan, isku xirka Wi-Fi waa dhamaadka hore.

Waxaan u baahan doonaa inaan kor u qaadno qaabeynta.

  1. Ku samee fayl gudaha /etc/NetworkManager/dnsmasq.d/evilcorp

ciwaanka=/.evilcorp.com/192.168.430.534

Fiiro gaar ah u yeelo barta ka horeysa xumaancorp. Waxay muujinaysaa dnsmasq in dhammaan subdomains of evilcorp.com waa in laga baadho dns shirkadda.

  1. U sheeg NetworkManager inuu isticmaalo dnsmasq xallinta magaca

Isku xidhka maamulaha qaabaynta waxa uu ku yaalaa /etc/NetworkManager/NetworkManager.conf Waxaad u baahan tahay inaad halkaas ku darto:

[main] dns=dnsmasq

  1. Dib u billow NetworkMaareeyaha

service network-manager restart

Hadda, ka dib markii lagu xidho VPN adoo isticmaalaya openconnect iyo vpn-slice, ip-ka waxaa loo go'aamin doonaa si caadi ah, xitaa haddii aadan cinwaanno calaamad ah ku darin doodaha vpnslice.

Sida loogu galo adeegyada gaarka ah VPN

Ka dib markii aan ku guulaystey in aan ku xidho VPN, aad ayaan ugu faraxsanahay laba maalmood, ka dibna waxa soo baxday in haddii aan ku xidho VPN ka baxsan shabakada xafiiska, ka dibna boostada ma shaqaynayso. Calaamaduhu waa la yaqaan, miyaanay ahayn?

Boostadayadu waxay ku taal mail.publicevilcorp.com, taas oo macnaheedu yahay kuma hoos dhacayso xeerka dnsmasq oo ciwaanka boostada waxa laga baadhaa DNS-ka dadweynaha.

Hagaag, xafiisku wali wuxuu isticmaalaa DNS, kaas oo ka kooban ciwaankan. Taasi waa waxa aan u maleeyay. Dhab ahaantii, ka dib markii lagu daro khadka dnsmasq

ciwaanka=/mail.publicevilcorp.com/192.168.430.534

xaaladdu waxba iskamay beddelin. ip sidiisii ​​ayuu ahaan jiray. Waxaan ku khasbanaaday in aan shaqada aado.

Mar dambe oo aan xaaladda u dhuuxay oo aan in yar fahmay dhibka, ayaa qof caqli badan ii sheegay sidii aan u xallin lahaa. Waxay ahayd lagama maarmaan in lagu xiro server-ka boostada ma aha oo kaliya, laakiin iyada oo loo marayo VPN

Waxaan isticmaalaa vpn-slice si aan ugu maro VPN si aan cinwaan uga dhigo 192.168.430. Server-ku ma laha oo kaliya ciwaanka calaamada ah ee aan ahayn subdomain evilcorp, sidoo kale ma laha ciwaanka IP-ga oo ka bilaabma 192.168.430. Dabcan ma ogola in qof ka tirsan shabakadda guud uu u yimaado isaga.

Si Linux u soo maro VPN iyo server-ka boostada, waxaad u baahan tahay inaad ku darto vpn-slice sidoo kale. Aynu nidhaahno ciwaanka boostada waa 555.555.555.555

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin
--script "./bin/vpn-slice 555.555.555.555 192.168.430.0/24" vpn.evilcorp.com

Qoraalka kor loogu qaadayo VPN hal dood

Waxaas oo dhan, dabcan, maaha mid aad u habboon. Haa, waxaad ku kaydin kartaa qoraalka fayl oo koobi ku dheji konsole halkii aad gacanta ku qori lahayd, laakiin wali aad uma wacna. Si hawsha loo fududeeyo, waxaad ku duubi kartaa amarka qoraal ku yaal PATH. Kadibna waxaad u baahan doontaa oo kaliya inaad geliso koodka laga helay Google Authenticator

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Haddii aad geliso qoraalka Connect~evilcorp~ waxaad si fudud ugu qori kartaa console-ka

connect_evil_corp 567987

Laakin hadda waa inaad sii haysaa konsole-ka kaas oo xidhiidh furku u furan yahay sabab qaar ka mid ah

Xidhiidhka furan ee ku shaqeeya gadaasha

Nasiib wanaag, qorayaasha 'openconnection' ayaa na daryeelay oo ku daray fure gaar ah barnaamijka -background, kaas oo ka dhigaya barnaamijku inuu shaqeeyo gadaasha ka dib markii la bilaabay. Haddii aad sidan u maamusho, waxaad xidhi kartaa konsole ka dib marka la furo

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Hadda ma cadda halka ay diiwaanadu aadaan. Guud ahaan, dhab ahaantii uma baahnid diiwaannada, laakiin ma ogid. openconnect waxay u wareejin kartaa syslog, halkaas oo lagu ilaalin doono ammaan iyo ammaan. Waxaad u baahan tahay inaad ku darto -syslog beddelka amarka

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Oo sidaas daraaddeed, waxay soo baxday in isku xidhka furan uu ka shaqeynayo meel ka mid ah asalka oo aan cidna dhibin, laakiin ma cadda sida loo joojiyo. Taasi waa, dabcan, waad shaandheyn kartaa wax soo saarka ps adigoo isticmaalaya grep oo raadi hab magaciisu ka kooban yahay xiriir furan, laakiin tani si uun waa caajis. Waad ku mahadsan tahay qorayaasha ka fikiray sidoo kale. Openconnect waxay leedahay furaha -pid-file, kaas oo aad ku bari karto isku xirka furaha si uu ugu qoro habka aqoonsiga faylka.

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background  
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com  
--pid-file ~/vpn-pid

Hadda waxaad had iyo jeer ku dili kartaa nidaamka amarka

kill $(cat ~/vpn-pid)

Haddi aanay jirin nidaam, dilku wuu habaarayaa, laakiin ma tuuri doono khalad. Haddii feylku aanu jirin, markaa wax xun midkoodna ma dhici doono, markaa waxaad si ammaan ah u dili kartaa habka safka hore ee qoraalka.

kill $(cat ~/vpn-pid)
#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com  
--pid-file ~/vpn-pid

Hadda waxaad shidi kartaa kombuyuutarkaaga, fur console oo socodsiiya amarka, adigoo ka gudbiya koodka Google Authenticator. Koonsole-ka ayaa markaa la ciribtiri karaa

La'aanta VPN-goob. Halkii hadal dambe

Waxaa soo baxday inay aad u adag tahay in la fahmo sida loo noolaado iyada oo aan la helin VPN-jeex. Waxay ahayd inaan wax badan akhriyo oo google-ka galo. Nasiib wanaag, ka dib markii aad waqti badan ku qaadatay dhibaato, buug-gacmeedyo farsamo iyo xitaa nin furfuran ayaa u akhriya sidii sheeko-abuuro xiiso leh.

Natiijo ahaan, waxaan ogaaday in vpn-slice, sida qoraalka asalka ah, uu wax ka beddelo miiska dajinta si uu u kala saaro shabakadaha.

Miiska marinka

Haddaan si fudud u idhaahdo, kani waa shax ku yaalla tiirka koowaad oo ka kooban ciwaanka Linux uu rabo inuu ku bilaabo, tiirka labaadna waa kee adapter-ka uu marayo ciwaanka. Dhab ahaantii, waxaa jira dad badan oo ku hadla, laakiin tani ma beddeleyso nuxurka.

Si aad u aragto miiska dariiqa, waxaad u baahan tahay inaad socodsiiso amarka wadada ip

default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600 
192.168.430.0/24 dev tun0 scope link 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.534 metric 600 
192.168.430.534 dev tun0 scope link

Halkan, khad kastaa wuxuu mas'uul ka yahay meesha aad u baahan tahay inaad tagto si aad farriin ugu dirto ciwaanka qaarkood. Midda kowaad waa tilmaanta halka ciwaanka laga bilaabayo. Si loo fahmo sida loo go'aamiyo in 192.168.0.0/16 ay la macno tahay in ciwaanka laga bilaabo 192.168, waxaad u baahan tahay inaad google ka gasho waa maxay ciwaanka IP-ga. Dev ka dib waxaa jira magaca adabtarada oo fariinta loo dirayo.

VPN-ka, Linux wuxuu sameeyay adabtarada farsamada - tun0. Khadku wuxuu hubinayaa in taraafikada dhammaan ciwaannada laga bilaabo 192.168 ay maraan

192.168.0.0/16 dev tun0 scope link

Waxaad sidoo kale eegi kartaa xaaladda hadda ee miiska dajinta adoo isticmaalaya amarka wadada -n (Cinwaanada IP-ga ayaa si xariif ah loo qariyay) Amarkani wuxuu soo saaraa natiijooyin qaab kale duwan oo guud ahaan waa la baabi'iyay, laakiin wax soo saarkiisa waxaa badanaa laga helaa buug-gacmeedyada internetka oo aad u baahan tahay inaad akhrido.

Meesha uu ciwaanka IP-ga ee dariiqu ka bilaabmayo waxa laga fahmi karaa isku dhafka Meesha iyo tiirarka Genmask. Qaybaha ciwaanka IP-ga ee u dhigma tirooyinka 255 ee Genmask waa lagu xisaabtamayaa, laakiin kuwa ay 0 ku jiraan maaha. Taasi waa, isku darka Destination 192.168.0.0 iyo Genmask 255.255.255.0 macnaheedu waa in haddii ciwaanku ka bilaabmo 192.168.0, markaa codsigu wuxuu mari doonaa jidkan. Iyo haddii Destination 192.168.0.0 laakiin Genmask 255.255.0.0, markaas codsiyada ciwaanada ka bilaabma 192.168 ayaa mari doona jidkan

Si loo ogaado waxa vpn-slice dhab ahaantii sameeyo, waxaan go'aansaday inaan eego xaaladaha miisaska ka hor iyo ka dib.

Kahor intaadan shidin VPN-ka waxay ahayd sidan

route -n 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0

Ka dib markii la wacay openconnect aan lahayn vpn-slice waxay noqotay sidan

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Iyo ka dib markaad wacdo openconnect oo ay weheliso vpn-slice sidan oo kale ah

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Waxaa la arki karaa in haddii aadan isticmaalin vpn-slice, markaas Openconnect waxay si cad u qoraysaa in dhammaan ciwaannada, marka laga reebo kuwa si gaar ah loo tilmaamay, ay tahay in laga galo vpn.

Isla halkan:

0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0

Halkaa, ku xigta, waddo kale ayaa isla markiiba la tilmaamayaa, taas oo ay tahay in la isticmaalo haddii cinwaanka Linux uu isku dayayo inuu dhex maro uusan u dhigmin maaskaro miiska.

0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0

Horeba halkan ayey ugu qoran tahay in kiiskan aad u baahan tahay inaad isticmaasho adabtarada caadiga ah ee Wi-Fi.

Waxaan aaminsanahay in dariiqa VPN loo isticmaalo sababtoo ah waa kan ugu horreeya ee miiska dajinta.

Iyo aragti ahaan, haddii aad ka saartid dariiqan caadiga ah miiska dajinta, ka dibna iyada oo lala kaashanayo dnsmasq openconnect waa inay hubisaa hawlgalka caadiga ah.

waan isku dayay

route del default

Wax walbana way shaqeeyeen.

Codsiyada soo gudbinta ee server-ka boostada oo aan lahayn vpn-slice

Laakiin sidoo kale waxaan haystaa server-ka boostada oo leh ciwaanka 555.555.555.555, kaas oo sidoo kale u baahan in laga galo VPN. Waddada loo marayo sidoo kale waxay u baahan tahay in lagu daro gacanta.

ip route add 555.555.555.555 via dev tun0

Oo hadda wax walba waa hagaagsan yihiin. Markaa waxaad samayn kartaa la'aanteed vpn-slice, laakiin waxaad u baahan tahay inaad si fiican u ogaato waxaad samaynayso. Waxaan hadda ka fekerayaa inaan ku daro xariiqda ugu dambeysa ee qoraalka isku xirka asalka ah ee ka saarista dariiqa caadiga ah oo aan ku daro dariiqa boostada ka dib marka lagu xiro vpn, kaliya si ay u jiraan qaybo dhaqdhaqaaq yar oo baaskiilkayga ah.

Malaha, ereyga dambe ayaa ku filnaan lahaa qof inuu fahmo sida loo sameeyo VPN. Laakiin markii aan isku dayay in aan fahmo waxa iyo sida loo sameeyo, waxaan akhriyay wax badan oo ka mid ah hagayaasha noocaan ah ee u shaqeeya qoraaga, laakiin sababo jira awgeed iima shaqeeyaan, waxaanan go'aansaday inaan halkan ku daro dhammaan qaybaha aan helay. Aad ayaan ugu farxi lahaa wax la mid ah.

Source: www.habr.com

Add a comment