How to connect to a corporate VPN on Linux using openconnect and vpn-slice

Do you want to use Linux at work, but your corporate VPN won't let you? Then this article may help, although that is not certain. I want to warn you in advance that I do not understand network administration very well, so it is quite possible that I did everything wrong. On the other hand, it is also possible that I can write a guide in a way that ordinary people will understand, so I encourage you to give it a try.

The article contains a lot of unnecessary information, but without this knowledge I would not have been able to solve the problems that unexpectedly showed up for me while setting up the VPN. I think that anyone who tries to follow this guide will run into problems that I did not have, and I hope this extra information will help them solve those problems on their own.

Most of the commands used in this guide need to be run through sudo, which has been omitted for brevity. Keep that in mind.

Most of the IP addresses have been heavily obfuscated, so if you see an address like 435.435.435.435, a normal IP specific to your case should go there.

I have Ubuntu 18.04, but I think the guide can be used for other distributions with minor changes. Nevertheless, in this text, Linux == Ubuntu.

Cisco Connect

Those who sit on Windows or MacOS connect to our corporate VPN through Cisco Connect, which requires specifying the gateway address and entering a password that consists of a fixed part and a code that Google Authenticator generates each time you connect.

In the case of Linux, I could not get Cisco Connect working, but I managed to google a recommendation to use openconnect, which was made specifically to replace Cisco Connect.

openconnect

In theory, Ubuntu has a special graphical interface for openconnect, but it did not work for me. Maybe that is for the best.

On Ubuntu, openconnect is installed from the package manager.

apt install openconnect

Immediately after installation, you can try connecting to the VPN

openconnect --user poxvuibr vpn.evilcorp.com

vpn.evilcorp.com is the address of a fictitious VPN
poxvuibr - a fictitious user name

openconnect will ask you to enter the password, which, let me remind you, consists of a fixed part and a code from Google Authenticator, and then it will try to connect to the VPN. If it works, congratulations, you can safely skip the middle, which is quite painful, and go straight to the section about running openconnect in the background. If it does not work, then you can read on. Although if it worked when connecting, for example, from the guest Wi-Fi at work, it may be too early to rejoice.

Certificate

There is a high probability that nothing will start, and the output of openconnect will look something like this:

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.evilcorp.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

On the one hand, this is unpleasant, because there is no connection to the VPN, but on the other hand, how to fix this problem is, in principle, clear.

Here the server sent us a certificate, by which we can determine that the connection is being made to our own corporate server and not to some evil scammer, and this certificate is unknown to the system. And therefore it cannot check whether the server is real or not. And so, just in case, it stops working.

To connect to the server, you need to explicitly tell openconnect which certificate should come from the VPN server, using the --servercert key

And you can see which certificate the server sent right from what openconnect printed. Here is that piece:

To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

With this key you can try to connect again

openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com

Maybe now it works, and then you can skip to the end. But personally, Ubuntu thumbed its nose at me, in this form

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.evilcorp.com
XML POST enabled
Please enter your username and password.
POST https://vpn.evilcorp.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 300, Keepalive 30
Set up DTLS failed; using SSL instead
Connected as 192.168.333.222, using SSL
NOSSSSSHHHHHHHDDDDD
3
NOSSSSSHHHHHHHDDDDD
3
RTNETLINK answers: File exists
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

/etc/resolv.conf

# Generated by NetworkManager
search gst.evilcorpguest.com
nameserver 127.0.0.53

/run/resolvconf/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 192.168.430.534
nameserver 127.0.0.53
search evilcorp.com gst.publicevilcorp.com

habr.com will resolve, but you will not be able to get to it. Addresses like jira.evilcorp.com will not resolve at all.

What is happening here is not clear to me. But experiment shows that if you add the line to /etc/resolv.conf

nameserver 192.168.430.534

then the addresses inside the VPN magically start resolving and you can get to them; that is, which DNS is used to resolve which addresses is decided specifically in /etc/resolv.conf, and not anywhere else.

You can check that there is a connection to the VPN and that it works without any changes to /etc/resolv.conf.

As a result, there are two problems

  • When connecting to the VPN, its DNS is not picked up
  • all traffic goes through the VPN, which does not allow access to the Internet

I will tell you what to do about that now, but first a small digression.

Automatically entering the fixed part of the password

By now you have probably entered your password at least five times and this procedure has already tired you. Firstly, because the password is long, and secondly, because when entering it you need to fit within a fixed time

The final solution to the problem is not in this article, but you can make sure that the fixed part of the password does not have to be entered many times.

Let's assume that the fixed part of the password is fixedPassword, and the part from Google Authenticator is 567987. The whole password can be passed to openconnect via standard input using the --passwd-on-stdin argument.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com --passwd-on-stdin

Now you can always go back to the last command you typed and change only the Google Authenticator part in it.

The corporate VPN does not let you browse the Internet.

In general, it is not a big deal when you have to use a separate computer to go to Habr. But the inability to copy-paste from stackoverflow can paralyse work altogether, so something needs to be done.

We need to somehow set things up so that when you need to access a resource on the internal network, Linux goes through the VPN, and when you need to go to Habr, it goes to the Internet.

openconnect, after launching and establishing a connection with the VPN, runs a special script located at /usr/share/vpnc-scripts/vpnc-script. Some variables are passed to the script as input, and it configures the VPN. Unfortunately, I could not figure out how to split the traffic between the corporate VPN and the rest of the Internet using the native script.

Apparently, the vpn-slice utility was developed specifically for people like me: it lets you send traffic through two channels without dancing with a tambourine. Well, that is, you will still have to dance, but you will not have to be a shaman.

Splitting traffic using vpn-slice

First, you will have to install vpn-slice; you will have to figure this out yourself. If there are questions in the comments, I will write a separate post about it. But this is a regular Python program, so there should not be any problems. I installed it using virtualenv.

And then the utility must be used, with the --script switch telling openconnect that instead of the standard script it needs to use vpn-slice

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 192.168.430.0/24  " vpn.evilcorp.com

--script is passed a string with the command that needs to be called instead of the script. ./bin/vpn-slice - the path to the vpn-slice executable. 192.168.430.0/24 - the mask of the addresses that should go via the VPN. Here we mean that if an address starts with 192.168.430, then the resources with this address need to be looked for inside the VPN

The situation should now be almost normal. Almost. Now you can get to Habr and you can get to an intra-corporate resource by IP, but you cannot get to an intra-corporate resource by its symbolic name. If you put the mapping between the symbolic name and the address in hosts, everything should work. And it will keep working until the IP changes. Linux can now access either the Internet or the intranet, depending on the IP. But a non-corporate DNS is still used to determine the address.

The problem can also show itself in this form - at work everything is fine, but at home you can only reach internal corporate resources by IP. This is because when you connect to the corporate Wi-Fi, the corporate DNS is used as well, and symbolic addresses from the VPN resolve in it, although it is impossible to get to such an address without using the VPN.

Automatic modification of the hosts file

If vpn-slice is asked nicely, then after bringing up the VPN it can go to its DNS, find there the IP addresses of the required resources by their symbolic names and put them into hosts. After the VPN is turned off, these addresses will be removed from hosts. To do this, you need to pass the symbolic names to vpn-slice as arguments. Like this.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Now everything should work both in the office and on the beach.

Looking up the addresses of all subdomains in the DNS issued via the VPN

If there are few addresses within the network, then the approach of automatically modifying the hosts file works quite well. But if there are many resources on the network, then you will constantly need to add lines like zoidberg.test.evilcorp.com to the script. zoidberg is the name of one of the test benches.

But now that we understand a little of what is going on, this need can be eliminated.

If, after bringing up the VPN, you look in /etc/hosts, you can see this line

192.168.430.534 dns0.tun0 # vpn-slice-tun0 AUTOCREATED

And a new line was added to resolv.conf. In short, vpn-slice somehow determines where the DNS server for the VPN is.

Now we need to make sure that to find the IP address of a domain name ending in evilcorp.com, Linux goes to the corporate DNS, and if something else is needed, then to the default one.

I googled for a while and found that such functionality is available in Ubuntu out of the box. It means the ability to use the local DNS server dnsmasq to resolve names.

That is, you can make Linux always go to the local DNS server for IP addresses, and that server, depending on the domain name, will look up the IP on the corresponding external DNS server.

To manage everything related to networks and network connections, Ubuntu uses NetworkManager, and the graphical interface for selecting, for example, Wi-Fi connections is a front end to it.

We will need to dig into its configuration.

  1. Create the file /etc/NetworkManager/dnsmasq.d/evilcorp

server=/.evilcorp.com/192.168.430.534

Pay attention to the dot in front of evilcorp. It signals dnsmasq that all subdomains of evilcorp.com should be looked up in the corporate DNS.

  2. Tell NetworkManager to use dnsmasq for name resolution

The NetworkManager configuration is in /etc/NetworkManager/NetworkManager.conf. You need to add there:

[main]
dns=dnsmasq

  3. Restart NetworkManager

service network-manager restart

Now, after connecting to the VPN using openconnect and vpn-slice, the IP will be determined correctly, even if you do not add symbolic addresses to the vpn-slice arguments.

How to access individual services via the VPN

After I managed to connect to the VPN, I was very happy for two days, and then it turned out that if I connect to the VPN from outside the office network, mail does not work. The symptoms are familiar, aren't they?

Our mail lives at mail.publicevilcorp.com, which means it does not fall under the rule in dnsmasq and the mail server address is looked up via public DNS.

Well, the office also uses a DNS that contains this address. That is what I thought. In fact, after adding the line to dnsmasq

server=/mail.publicevilcorp.com/192.168.430.534

the situation did not change at all. The IP stayed the same. I had to go to the office.

And then, when I dug deeper into the situation and understood the problem a little better, a clever person told me how to solve it. The mail server had to be reached not just like that, but through the VPN

I used vpn-slice to go through the VPN to addresses starting with 192.168.430. And the mail server not only has a symbolic address that is not a subdomain of evilcorp, it also does not have an IP address starting with 192.168.430. And of course it does not let anyone in from the public network.

In order for Linux to go through the VPN to the mail server as well, you need to add it to vpn-slice too. Let's say the mail server address is 555.555.555.555

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 555.555.555.555 192.168.430.0/24" vpn.evilcorp.com

A script for bringing up the VPN with one argument

All this, of course, is not very convenient. Yes, you can save the text in a file and copy-paste it into the console instead of typing it by hand, but it is still not very pleasant. To simplify the process, you can wrap the command in a script that will be in PATH. And then you will only need to enter the code received from Google Authenticator

#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin \
    --script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

If you put the script in connect_evil_corp, you can just type in the console

connect_evil_corp 567987

But now you still have to keep the console in which openconnect is running open for some reason

Running openconnect in the background

Fortunately, the authors of openconnect took care of us and added a special key to the program - --background, which makes the program go to the background after launch. If you run it like this, you can close the console after launching

#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Now it is just not clear where the logs go. In general, we do not really need the logs, but you never know. openconnect can redirect them to syslog, where they will be safe and sound. You need to add the --syslog switch to the command

#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

And so it turns out that openconnect is running somewhere in the background and is not bothering anyone, but it is not clear how to stop it. That is, you can, of course, filter the output of ps with grep and look for a process whose name contains openconnect, but that is somehow tedious. Thanks to the authors, who thought about this too. openconnect has a --pid-file key, with which you can instruct openconnect to write its process identifier to a file.

#!/bin/sh
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com \
    --pid-file ~/vpn-pid

Now you can always kill the process with the command

kill $(cat ~/vpn-pid)

If there is no such process, kill will grumble, but it will not raise an error. If the file is not there, nothing bad will happen either, so you can safely kill the process at the beginning of the script.

#!/bin/sh
kill $(cat ~/vpn-pid)
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 \
    --user poxvuibr \
    --passwd-on-stdin \
    --background \
    --syslog \
    --script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com \
    --pid-file ~/vpn-pid

Now you can turn on your computer, open the console and run the command, passing it the code from Google Authenticator. The console can then be closed.
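The wrapper below is an added example and is not the article's script or anything shipped with openconnect or vpn-slice. It does the same job as the final script above with a few changes a practitioner would want: the fixed part of the password is read from a file only its owner can read (the path ~/.config/evilcorp-vpn/secret is an assumption made for this example) instead of being baked into the script, the six-digit code is checked before anything runs, the old openconnect recorded in ~/vpn-pid is only signalled if it actually exists, and the password reaches openconnect on stdin via --passwd-on-stdin, so it never appears in the process list or in shell history. Only options the article already uses appear in the argument list; the host, user, pin and vpn-slice arguments are the article's placeholders.

```python
#!/usr/bin/env python3
"""connect_evil_corp <code>: bring up openconnect + vpn-slice with the TOTP code as the only argument.

Added example. Like the article's commands it has to run as root (sudo); the pid and
secret file paths are resolved from the home directory of the user it runs as.
"""
import os
import signal
import stat
import subprocess
import sys
from pathlib import Path

# Placeholders taken from the article.
SERVER_CERT = "sha256:4444444444444444444444444444444444444444444444444444444444444444"
VPN_HOST = "vpn.evilcorp.com"
VPN_USER = "poxvuibr"
VPN_SLICE = "./bin/vpn-slice"
ROUTES = ["192.168.430.0/24", "jira.vpn.evilcorp.com", "git.vpn.evilcorp.com"]
PID_FILE = Path.home() / "vpn-pid"
# Assumed location for the fixed part of the password (example's choice, not the article's).
SECRET_FILE = Path.home() / ".config" / "evilcorp-vpn" / "secret"


def build_argv(server_cert, user, host, vpn_slice, routes, pid_file):
    """Build the openconnect command line; only flags used in the article appear here."""
    script = " ".join([vpn_slice, *routes])  # what --script hands to openconnect
    return [
        "openconnect",
        "--servercert", server_cert,
        "--user", user,
        "--passwd-on-stdin",
        "--background",
        "--syslog",
        "--pid-file", str(pid_file),
        "--script", script,
        host,
    ]


def valid_totp(code):
    """Google Authenticator codes are exactly six digits."""
    return isinstance(code, str) and len(code) == 6 and code.isdigit()


def stop_previous(pid_file):
    """Send SIGTERM to the openconnect recorded in pid_file if it is still alive.

    Returns True if a process was signalled; a missing file, garbage content or a
    stale pid is not an error (the article's script tolerates the same cases).
    """
    try:
        pid = int(Path(pid_file).read_text().strip())
    except (FileNotFoundError, ValueError):
        return False
    try:
        os.kill(pid, signal.SIGTERM)
    except ProcessLookupError:
        return False
    return True


def read_secret(secret_file):
    """Read the fixed part of the password, refusing a file other users can read."""
    mode = stat.S_IMODE(os.stat(secret_file).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{secret_file} must be readable by its owner only (chmod 600)")
    return Path(secret_file).read_text().strip()


def main(argv):
    if len(argv) != 2 or not valid_totp(argv[1]):
        print("usage: connect_evil_corp <6-digit code>", file=sys.stderr)
        return 2
    stop_previous(PID_FILE)
    password = read_secret(SECRET_FILE) + argv[1]
    cmd = build_argv(SERVER_CERT, VPN_USER, VPN_HOST, VPN_SLICE, ROUTES, PID_FILE)
    # The password travels over stdin, not argv, so `ps` and the shell history never see it.
    proc = subprocess.run(cmd, input=password + "\n", text=True)
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage is the same as in the article: `sudo connect_evil_corp 567987`. Stopping the VPN by hand still works with `kill $(cat ~/vpn-pid)`, since the pid file is the one openconnect writes.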

Without vpn-slice. Instead of an afterword

It turned out to be very difficult to understand how to live without vpn-slice. I had to read and google a lot. Fortunately, after you spend a lot of time with a problem, technical manuals and even man openconnect read like exciting novels.

As a result, I found out that vpn-slice, like the native script, modifies the routing table in order to separate the networks.

Routing table

To put it simply, this is a table whose first column holds what the address Linux wants to reach should start with, and whose second column holds which network adapter to go through to reach that address. In fact, there are more columns, but this does not change the meaning.

To look at the routing table, you need to run the ip route command

default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600 
192.168.430.0/24 dev tun0 scope link 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.534 metric 600 
192.168.430.534 dev tun0 scope link 

Here, each line is responsible for where you need to go to deliver a message to some address. The first thing is a description of what the address should start with. To understand how to work out that 192.168.0.0/16 means the address should start with 192.168, you need to google what an IP mask is. After dev comes the name of the adapter to which the message should be sent.

For the VPN, Linux creates a virtual adapter - tun0. This line ensures that traffic for all addresses starting with 192.168 goes through it

192.168.0.0/16 dev tun0 scope link 

You can also look at the current state of the routing table using the route -n command (the IP addresses are anonymized). This command presents the results differently and is generally deprecated, but its output is often found in guides on the Internet and you need to be able to read it.

Where the IP address for a route should start can be understood from the combination of the Destination and Genmask columns. The parts of the IP address that correspond to 255s in Genmask are taken into account, and the parts where there are 0s are not. That is, the combination of Destination 192.168.0.0 and Genmask 255.255.255.0 means that if the address starts with 192.168.0, then the request will go this way. And if Destination is 192.168.0.0 but Genmask is 255.255.0.0, then requests to addresses starting with 192.168 will go this way

To find out what vpn-slice actually does, I decided to look at the state of the tables before and after

Before turning on the VPN it looked like this

route -n 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0

After calling openconnect without vpn-slice it became like this

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

And after calling openconnect in combination with vpn-slice, like this

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

You can see that if you do not use vpn-slice, then openconnect explicitly writes that all addresses, except those listed separately, must be reached via the VPN.

Right here:

0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0

There, right next to it, another route is specified, which must be used if the address Linux is trying to reach does not match any mask in the table.

0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0

It is written here that in this case you need to use the ordinary Wi-Fi adapter.

I believe the VPN route is used because it comes first in the routing table.

And in theory, if you remove this default route from the routing table, then in combination with dnsmasq openconnect should ensure normal operation.

I tried

route del default

And everything worked.

Routing requests to the mail server without vpn-slice

But I also have a mail server with the address 555.555.555.555, which also needs to be reached via the VPN. The route to it also has to be added by hand.

ip route add 555.555.555.555 dev tun0

And now everything is fine. So you can do without vpn-slice, but you need to know well what you are doing. I am now thinking about adding the removal of the default route and the addition of a route to the mail server after connecting to the VPN to the last line of the native openconnect script, so that there are fewer moving parts in my home-made contraption.
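To make the route -n tables above something you can query, here is an added example (not code from the article, openconnect or vpn-slice) that parses route -n output and applies the kernel's selection rule: the route with the longest matching prefix (Destination plus Genmask) wins, and when two routes have the same prefix length the one with the lower Metric is used. That second rule is what decides between the two 0.0.0.0 rows in the full-tunnel table: the tun0 default has metric 0 and the wlp3s0 default has metric 600. The tables are constructed to mirror the listings above with valid stand-ins for the article's anonymized addresses (192.168.43.0/24 for 192.168.430.0/24, 192.168.43.254 for the VPN-side DNS host, 203.0.113.7 for the VPN server's public address 333.333.333.333, 198.51.100.25 for the mail server 555.555.555.555). The split-tunnel table is the full-tunnel one without the tun0 default route, which is both what vpn-slice produces and what `route del default` leaves behind, and `with_host_route` models the manual `ip route add ... dev tun0` for the mail server.

```python
"""Longest-prefix route selection over `route -n` output (added example, constructed data)."""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway metric iface")

# Constructed: the table after openconnect with the native vpnc-script (full tunnel).
FULL_TUNNEL = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
203.0.113.7     222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.43.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.43.254  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
"""

# Constructed: the same host with vpn-slice (or after `route del default` removed the
# tun0 default): identical table minus the "0.0.0.0 ... tun0" row.
SPLIT_TUNNEL = "\n".join(
    line for line in FULL_TUNNEL.splitlines() if line.split()[:2] != ["0.0.0.0", "0.0.0.0"]
)


def parse_route_n(text):
    """Turn the body of `route -n` into Route objects; the two header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, genmask, _flags, metric, _ref, _use, iface = parts
        # Destination + Genmask is exactly the "what must the address start with" rule.
        network = ipaddress.IPv4Network((dest, genmask))
        routes.append(Route(network, gw, int(metric), iface))
    return routes


def pick_route(routes, dst):
    """Kernel selection: longest matching prefix wins; ties go to the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def iface_for(text, dst):
    """Interface a packet to dst leaves on, given raw `route -n` text (None if unroutable)."""
    route = pick_route(parse_route_n(text), dst)
    return route.iface if route else None


def with_host_route(routes, host, iface):
    """Model `ip route add <host> dev <iface>`: a /32 route with metric 0 and no gateway."""
    return routes + [Route(ipaddress.IPv4Network(f"{host}/32"), "0.0.0.0", 0, iface)]


if __name__ == "__main__":
    # Constructed destinations: some public host, an intranet host, the VPN server, the mail server.
    for name, table in (("full tunnel", FULL_TUNNEL), ("vpn-slice", SPLIT_TUNNEL)):
        for dst in ("198.51.100.10", "192.168.43.17", "203.0.113.7", "198.51.100.25"):
            print(f"{name:12} {dst:16} -> {iface_for(table, dst)}")
    fixed = with_host_route(parse_route_n(SPLIT_TUNNEL), "198.51.100.25", "tun0")
    print("mail after ip route add:", pick_route(fixed, "198.51.100.25").iface)
```

Note the /32 host route for the VPN server's public address via wlp3s0: it exists in every table, so the tunnel's own encrypted packets always leave through Wi-Fi even when everything else is pushed into tun0, which is what keeps the full tunnel from routing itself into a loop.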

Perhaps this last part will be enough for someone to understand how to set up a VPN. But while I was trying to understand what to do and how, I read a lot of such guides that worked for their authors but for some reason did not work for me, and I decided to collect all the pieces I found here. I would have been very glad of such an article.

Source: www.habr.com
