ProHoster > Ibhulogi > Ulawulo > Ungaqhagamshelwa njani kwi-VPN yenkampani kwiLinux usebenzisa i-openconnect kunye ne-vpn-slice

Ungaqhagamshelwa njani kwi-VPN yenkampani kwiLinux usebenzisa i-openconnect kunye ne-vpn-slice

Ngaba uyafuna ukusebenzisa iLinux emsebenzini, kodwa iVPN yakho yeshishini ayikuvumeli? Ngoko eli nqaku linokunceda, nangona oku kungaqinisekanga. Ndingathanda ukukulumkisa kwangaphambili ukuba andiyiqondi kakuhle imiba yolawulo lwenethiwekhi, ngoko ke kunokwenzeka ukuba ndenze yonke into engalunganga. Ngakolunye uhlangothi, kunokwenzeka ukuba ndibhale isikhokelo ngendlela eya kuqondakala kubantu abaqhelekileyo, ngoko ke ndikucebisa ukuba uzame.

Eli nqaku liqulethe ulwazi oluninzi olungadingekile, kodwa ngaphandle kolu lwazi andinakukwazi ukucombulula iingxaki ezibonakala zingalindelekanga kum ngokumisela i-VPN. Ndicinga ukuba nabani na ozama ukusebenzisa esi sikhokelo uya kuba neengxaki endingenazo, kwaye ndiyathemba ukuba olu lwazi olongezelelweyo luya kunceda ukusombulula ezi ngxaki ngokwabo.

Uninzi lwemiyalelo esetyenziswe kwesi sikhokelo kufuneka iqhutywe nge-sudo, esusiweyo ukuba ibe mfutshane. Gcinga ezingqondweni.

Uninzi lweedilesi ze-IP ziye zanyanzeliswa kakhulu, ngoko ke ukuba ubona idilesi efana ne-435.435.435.435, kufuneka kubekho i-IP eqhelekileyo apho, ngokukodwa kwimeko yakho.

Ndine-Ubuntu 18.04, kodwa ndicinga ngotshintsho oluncinci isikhokelo sinokusetyenziswa kwezinye izinikezelo. Nangona kunjalo, kulo mbhalo Linux == Ubuntu.

Cisco Qhagamshela

Abo bakwiWindows okanye kwi-MacOS banokuxhuma kwi-VPN yethu yenkampani ngeCisco Connect, efuna ukucacisa idilesi yesango kwaye, rhoqo xa udibanisa, faka igama eliyimfihlo elibandakanya inxalenye emiselweyo kunye nekhowudi eyenziwe yi-Google Authenticator.

Kwimeko yeLinux, andizange ndikwazi ukufumana iCisco Connect isebenza, kodwa ndikwazile uku-google ingcebiso yokusebenzisa i-openconnect, eyenziwe ngokukodwa ukuba ithathe indawo yeCisco Connect.

Vula uqhagamshelwano

Ngokwethiyori, Ubuntu bunonxibelelwano olukhethekileyo lomzobo wokuvula unxibelelwano, kodwa khange lundisebenzele. Mhlawumbi kungcono.

Ku-Ubuntu, i-openconnect ifakwe kumphathi wephakheji.

apt install openconnect

Ngokukhawuleza emva kokufakela, ungazama ukuxhuma kwiVPN

openconnect --user poxvuibr vpn.evilcorp.com

I-vpn.evilcorp.com yidilesi ye-VPN yenkohliso
poxvuibr - igama lomsebenzisi elingeyonyani

i-openconnect iya kukucela ukuba ufake igama eligqithisiweyo, nto leyo, mandikukhumbuze, iqulethwe inxalenye esisigxina kunye nekhowudi evela kwi-Google Authenticator, kwaye emva koko iya kuzama ukuxhuma kwi-vpn. Ukuba iyasebenza, siyakuhalalisela, unokutsiba ngokukhuselekileyo umbindi, obuhlungu kakhulu, kwaye uqhubele phambili ukuya kwinqanaba malunga ne-openconnect ebaleka ngasemva. Ukuba ayisebenzi, ungaqhubeka. Nangona ukuba isebenze xa uqhagamshelana, umzekelo, kwi-Wi-Fi yeendwendwe emsebenzini, kusenokuba kusasa kakhulu ukuba ujabule; kufuneka uzame ukuphinda inkqubo usekhaya.

Isatifikethi

Kukho ithuba eliphezulu lokuba akukho nto iya kuqala, kwaye imveliso evulekileyo iya kujongeka ngolu hlobo:

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.evilcorp.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

Ngakolunye uhlangothi, oku akumnandi, kuba kwakungekho uxhumano kwi-VPN, kodwa ngakolunye uhlangothi, indlela yokulungisa le ngxaki, ngokomgaqo, icacile.

Apha umncedisi usithumelele isatifikethi, apho sinokugqiba ukuba uxhulumaniso lwenziwa kwiseva yequmrhu lethu lemveli, kwaye hayi kumkhohlisi okhohlakeleyo, kwaye esi satifikethi asaziwa kwinkqubo. Kwaye ke akakwazi ukujonga ukuba iseva iyinyani na okanye hayi. Kwaye ke, ukuba kunokwenzeka, iyayeka ukusebenza.

Ukuze uvule uqhagamshelwano kwiseva, kufuneka uyixelele ngokucacileyo ukuba sesiphi isatifikethi esisuka kwiseva yeVPN usebenzisa isitshixo se-servercert.

Kwaye ungafumanisa ukuba sesiphi isatifikethi esithunyelwe ngumncedisi ngokuthe ngqo ukusuka kweyiphi i-openconnect eprintiweyo. Nantsi into esuka kwesi siqwenga:

To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

Ngalo myalelo ungazama ukudibanisa kwakhona

openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com

Mhlawumbi ngoku iyasebenza, ngoko ungaqhubela phambili ukuya esiphelweni. Kodwa ngokobuqu, u-Ubunta wandibonisa ikhiwane kule fomu

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.evilcorp.com
XML POST enabled
Please enter your username and password.
POST https://vpn.evilcorp.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 300, Keepalive 30
Set up DTLS failed; using SSL instead
Connected as 192.168.333.222, using SSL
NOSSSSSHHHHHHHDDDDD
3
NOSSSSSHHHHHHHDDDDD
3
RTNETLINK answers: File exists
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

/etc/resolv.conf

# Generated by NetworkManager
search gst.evilcorpguest.com
nameserver 127.0.0.53

/run/resolvconf/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 192.168.430.534
nameserver 127.0.0.53
search evilcorp.com gst.publicevilcorp.com

habr.com iya kusombulula, kodwa awuzukwazi ukuya apho. Iidilesi ezifana ne-jira.evilcorp.com azisonjululwa kwaphela.

Le nto yenzekileyo apha ayicacanga kum. Kodwa uvavanyo lubonisa ukuba wongeza umgca ku /etc/resolv.conf

nameserver 192.168.430.534

emva koko iidilesi ezingaphakathi kwe-VPN ziya kuqala ukusombulula ngomlingo kwaye unokuhamba ngazo, oko kukuthi, yintoni iDNS ekhangela kuyo ukusombulula iidilesi zijonge ngqo kwi /etc/resolv.conf, kwaye hayi kwenye indawo.

Unokuqinisekisa ukuba kukho uxhulumaniso kwi-VPN kwaye isebenza ngaphandle kokwenza naluphi na utshintsho kwi-/etc/resolv.conf; ukwenza oku, faka nje kwisiphequluli kungekhona igama elingumfuziselo lomthombo ovela kwi-VPN, kodwa idilesi ye-IP.

Ngenxa yoko, kukho iingxaki ezimbini

  • Xa uqhagamshela kwi-VPN, i-dns yayo ayithathwa
  • yonke i-traffic ihamba nge-VPN, engavumeli ukufikelela kwi-Intanethi

Ndiza kukuxelela into omawuyenze ngoku, kodwa kuqala i-automation encinci.

Ungeniso oluzenzekelayo lwenxalenye emiselweyo yegama lokugqithisa

Ukuza kuthi ga ngoku, usenokuba sele uyifakile i-password yakho kangangezihlandlo ezihlanu kwaye le nkqubo sele ikudinisile. Okokuqala, ngenxa yokuba igama eligqithisiweyo lide, kwaye okwesibini, kuba xa ufaka kufuneka ulungele ukungena kwixesha elimiselweyo

Isisombululo sokugqibela kwingxaki asizange sibandakanywe kwinqaku, kodwa unokuqinisekisa ukuba inxalenye emiselweyo yegama lokugqitha ayifanele ifakwe ngamaxesha amaninzi.

Makhe sicinge ukuba indawo emiselweyo yegama lokugqitha lilungisiweIgama lokugqitha, kwaye inxalenye esuka kwi Google Authenticator yi 567. Lonke igama lokugqithisa lingagqithiswa ukuvula uqhagamshelwano ngegalelo eliqhelekileyo usebenzisa i --passwd-on-stdin ingxabano.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com --passwd-on-stdin

Ngoku ungabuyela rhoqo kumyalelo wokugqibela ongenisiweyo kwaye utshintshe inxalenye kuphela ye-Google Authenticator apho.

I-VPN yenkampani ayikuvumeli ukuba ungene kwi-Intanethi.

Ngokubanzi, ayisiyongxaki kakhulu xa kufuneka usebenzise ikhompyuter eyahlukileyo ukuya kuHabr. Ukungakwazi ukukopa-uncamathisele kwi-stackoverfow kunokukhubaza umsebenzi ngokubanzi, ngoko kukho into ekufuneka yenziwe.

Sidinga ukuyiququzelela ngandlela-thile ukuze xa ufuna ukufikelela kwi-resource kwinethiwekhi yangaphakathi, i-Linux iya kwi-VPN, kwaye xa ufuna ukuya kwi-Habr, iya kwi-Intanethi.

i-openconnect, emva kokuqalisa kunye nokuseka uxhulumaniso kunye ne-vpn, yenza iskripthi esikhethekileyo, esiku /usr/share/vpnc-scripts/vpnc-script. Ezinye iinguqu zigqithiselwa kwiskripthi njengegalelo, kwaye iqwalasela iVPN. Ngelishwa, andikwazanga ukuqonda indlela yokwahlula ukuhamba kwetrafikhi phakathi kwe-VPN yeshishini kunye nayo yonke i-Intanethi usebenzisa iskripthi somthonyama.

Kuyabonakala ukuba, i-vpn-slice utility yaphuhliswa ngokukodwa kubantu abafana nam, ekuvumela ukuba uthumele i-traffic ngokusebenzisa iziteshi ezimbini ngaphandle kokudansa ngentambula. Ewe, oko kukuthi, kuya kufuneka udanise, kodwa akufuneki ube yi-shaman.

Ukwahlulwa kwetrafikhi usebenzisa i-vpn-slice

Okokuqala, kuya kufuneka ufake i-vpn-slice, kuya kufuneka uzibonele ngokwakho. Ukuba kukho imibuzo kumazwana, ndiya kubhala isithuba esahlukileyo malunga nale nto. Kodwa le yinkqubo yePython eqhelekileyo, ke akufuneki kubekho nabuphi na ubunzima. Ndifake usebenzisa i-virtualenv.

Kwaye ke into eluncedo kufuneka isetyenziswe, kusetyenziswa i -script switch, ebonisa ukuvula uqhagamshelwano endaweni yescript esisezantsi, kufuneka usebenzise i-vpn-slice.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin 
--script "./bin/vpn-slice 192.168.430.0/24  " vpn.evilcorp.com

--iscript sigqithiselwe umtya kunye nomyalelo ekufuneka ubizwe endaweni yescript. ./bin/vpn-slice - indlela eya kwi-vpn-slice ifayile ephunyeziweyo 192.168.430.0/24 - imaski yeedilesi ukuya kwi-vpn. Apha, sithetha ukuba ukuba idilesi iqala ngo-192.168.430, ke isibonelelo esi nale dilesi kufuneka sikhangelwe ngaphakathi VPN.

Imeko ngoku kufanele ukuba phantse ibe yesiqhelo. Phantse. Ngoku ungaya ku-Habr kwaye ungaya kwisixhobo se-intra-corporate nge-ip, kodwa awukwazi ukuya kwisixhobo se-intra-corporate ngegama lomfuziselo. Ukuba ukhankanya umdlalo phakathi kwegama lokomfuziselo kunye nedilesi kwiinginginya, yonke into kufuneka isebenze. Kwaye usebenze de ip itshintshe. I-Linux ngoku inokufikelela kwi-Intanethi okanye kwi-intranet, ngokuxhomekeke kwi-IP. Kodwa i-DNS engeyiyo eyenkampani isasetyenziswa ukumisela idilesi.

Ingxaki inokuzibonakalisa kwakhona kule fom - emsebenzini yonke into ilungile, kodwa ekhaya unokufikelela kuphela kwimithombo yangaphakathi yenkampani nge-IP. Oku kungenxa yokuba xa uqhagamshelwe kwi-Wi-Fi ye-corporate, i-DNS yenkampani isetyenziswa kwakhona, kwaye iidilesi ezingokomfanekiso ezivela kwi-VPN zixazululwa kuyo, nangona kunjalo ukuba kusengenakwenzeka ukuya kwidilesi enjalo ngaphandle kokusebenzisa i-VPN.

Ulungiso oluzenzekelayo lwefayile yenginginya

Ukuba i-vpn-slice ibuzwa ngokuzithoba, ngoko emva kokuphakamisa i-VPN, inokuya kwi-DNS yayo, ifumane khona iidilesi ze-IP zemithombo efunekayo ngamagama abo omfuziselo kwaye ingene kwimikhosi. Emva kokucima iVPN, ezi dilesi ziya kususwa kubabungathi. Ukwenza oku, kufuneka udlulise amagama omfuziselo kwi-vpn-slice njengeengxabano. Ndiyayithanda lento.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Ngoku yonke into kufuneka isebenze zombini eofisini naselunxwemeni.

Khangela iidilesi zazo zonke ii-subdomains kwi-DNS enikwe yi-VPN

Ukuba kukho iidilesi ezimbalwa ngaphakathi kwenethiwekhi, ngoko indlela yokuguqula ngokuzenzekelayo ifayile yenginginya isebenza kakuhle. Kodwa ukuba kukho izibonelelo ezininzi kwinethiwekhi, ngoko uya kufuna rhoqo imigca efana ne-zoidberg.test.evilcorp.com kwi-script zoidberg ligama lelinye leebhentshi zokuvavanya.

Kodwa ngoku siyaqonda kancinci ukuba kutheni le mfuno inokupheliswa.

Ukuba, emva kokuphakamisa i-VPN, ujonge kwi /etc/hosts, unokubona lo mgca

192.168.430.534 dns0.tun0 # vpn-isilayi-tun0 EZENZAKALELAYO

Kwaye umgca omtsha wongezwa kwi-resolv.conf. Ngamafutshane, i-vpn-isilayi ngandlel 'ithile izimisele ukuba iphi iseva ye-dns ye-vpn.

Ngoku kufuneka siqinisekise ukuba ukuze sifumane idilesi ye-IP yegama lesizinda eliphela kwi- evilcorp.com, i-Linux iya kwi-DNS yequmrhu, kwaye ukuba kukho enye into efunekayo, ngoko kwi-default.

Ndikhe ndaGoogle ixesha elide kwaye ndafumanisa ukuba ukusebenza okunjalo kuyafumaneka ku-Ubuntu ngaphandle kwebhokisi. Oku kuthetha amandla okusebenzisa iseva ye-DNS yendawo ye-dnsmasq ukusombulula amagama.

Oko kukuthi, unokuqinisekisa ukuba i-Linux ihlala isiya kwiseva ye-DNS yendawo yeedilesi ze-IP, yona, ngokuxhomekeke kwigama lesizinda, iya kukhangela i-IP kwiseva ehambelanayo ye-DNS yangaphandle.

Ukulawula yonke into enxulumene nothungelwano kunye noqhagamshelo lwenethiwekhi, Ubuntu isebenzisa i-NetworkManager, kunye nojongano lomzobo wokukhetha, umzekelo, ukuqhagamshelwa kwe-Wi-Fi kukuphela kwayo.

Kuya kufuneka sinyuke kubume bayo.

  1. Yenza ifayile kwi/etc/NetworkManager/dnsmasq.d/evilcorp

idilesi=/.evilcorp.com/192.168.430.534

Nika ingqalelo kwindawo ephambi kobubi. Inika umqondiso ku-dnsmasq ukuba zonke ii-subdomains ze-evilcorp.com kufuneka zikhangelwe kwi-dns yeshishini.

  1. Xelela NetworkManager ukuba isebenzise i-dnsmasq yesisombululo segama

Uqwalaselo lomphathi womnatha lubekwe kwi/etc/NetworkManager/NetworkManager.conf Kufuneka udibanise apho:

[main] dns=dnsmasq

  1. Qala kwakhona uMlawuli weNethiwekhi

service network-manager restart

Ngoku, emva kokuxhuma kwi-VPN usebenzisa i-openconnect kunye ne-vpn-slice, i-ip iya kumiselwa ngokuqhelekileyo, nokuba awufaki iidilesi ezingokomfanekiso kwiingxabano kwi-vpnslice.

Ufikelela njani kwiinkonzo zomntu ngamnye ngeVPN

Emva kokuba ndikwazi ukuxhuma kwi-VPN, ndonwabile kakhulu iintsuku ezimbini, kwaye emva koko kwavela ukuba ukuba ndidibanisa ne-VPN ngaphandle kwenethiwekhi yeofisi, i-imeyile ayisebenzi. Uphawu luqhelekile, akunjalo?

Imeyile yethu ikwi-mail.publicevilcorp.com, okuthetha ukuba ayiweli phantsi komgaqo kwi-dnsmasq kwaye idilesi yeseva yemeyile ikhangelwa nge-DNS yoluntu.

Ewe, iofisi isasebenzisa i-DNS, equlathe le dilesi. Yiloo nto endiyicingayo. Ngapha koko, emva kokongeza umgca kwi-dnsmasq

idilesi=/mail.publicevilcorp.com/192.168.430.534

imeko ayikatshintshi tu. ip yahlala injalo. Kwafuneka ndiye emsebenzini.

Kwaye kuphela emva koko, xa ndandingena nzulu kwimeko kwaye ndayiqonda ingxaki encinci, umntu ohlakaniphile wandixelela indlela yokusombulula ngayo. Kwakuyimfuneko ukudibanisa kwiseva yeposi kungekhona nje ngolo hlobo, kodwa ngeVPN

Ndisebenzisa i-vpn-slice ukuhamba nge-VPN kwiidilesi eziqala nge-192.168.430. Kwaye umncedisi weposi akanalo kuphela idilesi yesimboli engeyiyo i-subdomain ye- evilcorp, nayo ayinayo idilesi ye-IP eqala ngo-192.168.430. Kwaye ngokuqinisekileyo akavumeli nabani na ovela kumnatha jikelele ukuba eze kuye.

Ukuze iLinux ihambe ngeVPN nakwiseva yeposi, kufuneka uyongeze kwi-vpn-slice ngokunjalo. Masithi idilesi yomthumeli ngu-555.555.555.555

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin
--script "./bin/vpn-slice 555.555.555.555 192.168.430.0/24" vpn.evilcorp.com

Iskripthi sokunyusa i-VPN ngengxabano enye

Konke oku, ngokuqinisekileyo, akulula kakhulu. Ewe, ungagcina isicatshulwa kwifayile kwaye uyikopishe-uncamathisele kwikhonsoli endaweni yokuchwetheza ngesandla, kodwa ayisenandi kakhulu. Ukwenza inkqubo ibe lula, ungasonga umyalelo kwiscript esiza kufumaneka ku- PATH. Kwaye ke kuya kufuneka ufake kuphela ikhowudi efunyenwe kwi-Google Authenticator

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Ukuba ubeka iscript ku connect~evilcorp~ ungabhala ngokulula kwiconsole

connect_evil_corp 567987

Kodwa ngoku kusafuneka ugcine ikhonsoli apho i-openconnect ivula khona ngesizathu esithile

Ukuqhuba i-openconnect ngasemva

Ngethamsanqa, ababhali be-openconnect basikhathalele kwaye bongeza isitshixo esikhethekileyo kwinkqubo-imvelaphi, eyenza inkqubo isebenze ngasemva emva kokusungulwa. Ukuba uyayiqhuba ngolu hlobo, unokuvala ikhonsoli emva kokusungulwa

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Ngoku akukacaci ukuba ziya phi iinkuni. Ngokubanzi, asifuni zigodo, kodwa awusoze wazi. i-openconnect ingabathumela kwakhona kwi-syslog, apho baya kugcinwa bekhuselekile kwaye bekhuselekile. kufuneka udibanise i -syslog switch kumyalelo

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Kwaye ke, kuvela ukuba i-openconnect isebenza kwindawo yangasemva kwaye ayikhathazi nabani na, kodwa akucaci ukuba ungayimisa njani. Oko kukuthi, unokwenza, ewe, ukucoca imveliso ye-ps usebenzisa i-grep kwaye ujonge inkqubo egama layo liqulethe i-openconnect, kodwa oku kuyadida ngandlela thile. Enkosi kubabhali abacinge ngale nto nabo. I-Openconnect ineqhosha-pid-fayile, onokuthi ngalo ufundise i-openconnect ukuba ibhale isichongi senkqubo yayo kwifayile.

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background  
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com  
--pid-file ~/vpn-pid

Ngoku ungasoloko ubulala inkqubo ngomyalelo

kill $(cat ~/vpn-pid)

Ukuba akukho nkqubo, ukubulala kuya kuqalekisa, kodwa akuyi kuphosa impazamo. Ukuba ifayile ayikho, ngoko akukho nto imbi iya kwenzeka nokuba, ngoko unokubulala ngokukhuselekileyo inkqubo kumgca wokuqala weskripthi.

kill $(cat ~/vpn-pid)
#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com  
--pid-file ~/vpn-pid

Ngoku ungavula ikhompyuter yakho, uvule ikhonsoli kwaye uqhube umyalelo, ugqithise ikhowudi evela kwi-Google Authenticator. I-console inokubethelelwa phantsi.

Ngaphandle kwe-VPN-iqhekeza. Endaweni yegama lamva

Kwaba nzima kakhulu ukuqonda indlela yokuphila ngaphandle VPN-isilayi. Kwafuneka ndifunde kwaye ndiGoogle kakhulu. Ngethamsanqa, emva kokuchitha ixesha elininzi nengxaki, iincwadana zobugcisa kunye ne-openconnect yendoda ifundeka njengeenoveli ezinomdla.

Ngenxa yoko, ndiye ndafumanisa ukuba i-vpn-isilayi, njengeskripthi somthonyama, silungisa itafile yomzila ukwahlula amanethiwekhi.

Itafile yomzila

Ukuyibeka ngokulula, le yitafile ekwikholamu yokuqala equlathe ukuba idilesi iLinux efuna ukuya kuyo kufuneka iqale ngayo, kwaye kwikholamu yesibini yeyiphi iadaptha yothungelwano emayidlule kule dilesi. Enyanisweni, kukho izithethi ezininzi, kodwa oku akutshintshi undoqo.

Ukuze ujonge itafile yomzila, kufuneka usebenzise umyalelo we-ip umzila

default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600 
192.168.430.0/24 dev tun0 scope link 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.534 metric 600 
192.168.430.534 dev tun0 scope link

Apha, umgca ngamnye unoxanduva apho kufuneka uye khona ukuze uthumele umyalezo kwenye idilesi. Eyokuqala yinkcazo apho idilesi kufuneka iqale khona. Ukuze uqonde indlela yokumisela ukuba i-192.168.0.0/16 ithetha ukuba idilesi kufuneka iqale ngo-192.168, kufuneka u-google ukuba yintoni idilesi ye-IP imaski. Emva kwe-dev kukho igama le-adapter apho umyalezo kufuneka uthunyelwe.

KwiVPN, iLinux yenza iadaptha ebonakalayo - tun0. Umgca uqinisekisa ukuba i-traffic yazo zonke iidilesi eziqala nge-192.168 ihamba ngayo

192.168.0.0/16 dev tun0 scope link

Ungajonga kwakhona imeko yangoku yetafile yomzila usebenzisa umyalelo indlela -n (Iidilesi ze-IP azichazwanga ngobuchule) Lo myalelo uvelisa iziphumo kwifomu eyahlukileyo kwaye ihoxisiwe ngokubanzi, kodwa imveliso yayo ifumaneka rhoqo kwiincwadana kwi-Intanethi kwaye kufuneka ukwazi ukuyifunda.

Apho idilesi ye-IP yomzila kufuneka iqale inokuqondwa kwindibaniselwano yeNdawo yokuFikela kunye neekholamu zeGenmask. Ezo nxalenye zedilesi ye-IP ehambelana neenombolo ze-255 kwi-Genmask zithathelwa ingqalelo, kodwa ezo apho kukho i-0 ayikho. Oko kukuthi, ukudibanisa kweNdawo 192.168.0.0 kunye neGenmask 255.255.255.0 kuthetha ukuba ukuba idilesi iqala ngo-192.168.0, ngoko isicelo kuyo siya kuhamba ngale ndlela. Kwaye ukuba iDestination 192.168.0.0 kodwa iGenmask 255.255.0.0, ke icela iidilesi eziqala ngo-192.168 ziya kuhamba ngale ndlela.

Ukuze ndifumanise ukuba yintoni kanye kanye eyenziwa yi-vpn-slice, ndithathe isigqibo sokujonga iimeko zeetafile ngaphambi nasemva.

Ngaphambi kokuba uvule iVPN kwakunje

route -n 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0

Emva kokufowunela i-openconnect ngaphandle kwe-vpn-slice yaba ngolu hlobo

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Kwaye emva kokufowunela i-openconnect ngokudityaniswa ne-vpn-isilayi esinje

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Ingabonwa ukuba awusebenzisi i-vpn-slice, emva koko i-openconnect ibhala ngokucacileyo ukuba zonke iidilesi, ngaphandle kwezo zibonisiwe ngokukodwa, kufuneka zifikelelwe nge-vpn.

Apha:

0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0

Apho, ecaleni kwayo, enye indlela iboniswa ngokukhawuleza, ekufuneka isetyenziswe ukuba idilesi iLinux ezama ukudlula kuyo ayihambelani nayo nayiphi imaski ekwitafile.

0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0

Sele kubhaliwe apha ukuba kule meko kufuneka usebenzise i-adapter ye-Wi-Fi eqhelekileyo.

Ndiyakholelwa ukuba indlela ye-VPN isetyenzisiwe kuba ngowokuqala kwitafile yomzila.

Kwaye ngokwethiyori, ukuba ususa le ndlela engagqibekanga kwitafile yomzila, ngoko ngokudibeneyo ne-dnsmasq openconnect kufuneka iqinisekise ukusebenza okuqhelekileyo.

Ndizamile

route del default

Kwaye yonke into yasebenza.

Ukuhambisa izicelo kwiseva yeposi ngaphandle kwe-vpn-isilayi

Kodwa ndinayo iseva yeposi enedilesi 555.555.555.555, nayo kufuneka ifumaneke ngeVPN. Indlela eya kuyo nayo kufuneka yongezwe ngesandla.

ip route add 555.555.555.555 via dev tun0

Kwaye ngoku yonke into ilungile. Ke unokwenza ngaphandle kwe-vpn-slice, kodwa kufuneka uyazi kakuhle into oyenzayo. Ngoku ndicinga ukongeza kumgca wokugqibela weskripthi esivulekileyo somthonyama ukususwa kwendlela engagqibekanga kunye nokongeza indlela yomeyili emva kokuxhuma kwi-vpn, ukuze kubekho iindawo ezimbalwa ezihambayo kwibhayisekile yam.

Mhlawumbi, eli gama lasemva liya kwanela ukuba umntu aqonde indlela yokuseta iVPN. Kodwa ngelixa bendizama ukuqonda ukuba ndenze ntoni kwaye ndenze ntoni, ndifunde uninzi lwezikhokelo ezisebenza kumbhali, kodwa ngesizathu esithile azindisebenzeli, kwaye ndigqibe kwelokuba ndongeze apha zonke iziqwenga endizifumeneyo. Ndingavuya kakhulu ngento enjalo.

umthombo: www.habr.com

Yongeza izimvo