I-ProHoster > Π‘Π»ΠΎΠ³ > Ukuphatha > Ungaxhuma kanjani ku-VPN yebhizinisi ku-Linux usebenzisa i-openconnect kanye ne-vpn-slice

Ungaxhuma kanjani ku-VPN yebhizinisi ku-Linux usebenzisa i-openconnect kanye ne-vpn-slice

Uyafuna ukusebenzisa i-Linux emsebenzini, kodwa i-VPN yakho yenkampani ngeke ikuvumele? Khona-ke lesi sihloko singasiza, nakuba lokhu kungaqiniseki. Ngithanda ukukuxwayisa kusengaphambili ukuthi angiziqondi kahle izindaba zokuphatha inethiwekhi, ngakho-ke kungenzeka ukuthi ngenze konke okungalungile. Ngakolunye uhlangothi, kungenzeka ukuthi ngingabhala umhlahlandlela ngendlela ezoqondakala kubantu abavamile, ngakho-ke ngikweluleka ukuthi uzame.

Lesi sihloko siqukethe ulwazi oluningi olungadingekile, kodwa ngaphandle kwalolu lwazi bengingeke ngikwazi ukuxazulula izinkinga ezivele ngokungalindelekile kimi ngokusetha i-VPN. Ngicabanga ukuthi noma ubani ozama ukusebenzisa lo mhlahlandlela uzoba nezinkinga engingenazo, futhi ngithemba ukuthi lolu lwazi olwengeziwe luzosiza ukuxazulula lezi zinkinga ngokwalo.

Iningi lemiyalo esetshenziswe kulo mhlahlandlela idinga ukuqhutshwa nge-sudo, esuselwe ubufushane. Bese ukhumbula.

Amakheli amaningi e-IP afiphazwe kakhulu, ngakho-ke uma ubona ikheli elifana ne-435.435.435.435, kufanele kube khona i-IP evamile lapho, eqondene necala lakho.

Ngino-Ubuntu 18.04, kodwa ngicabanga ukuthi ngezinguquko ezincane umhlahlandlela ungasetshenziswa kokunye ukusatshalaliswa. Nokho, kulo mbhalo Linux == Ubuntu.

Cisco Xhuma

Labo abaku-Windows noma i-MacOS bangaxhuma ku-VPN yethu yebhizinisi nge-Cisco Connect, edinga ukucacisa ikheli lesango futhi, isikhathi ngasinye uxhuma, faka iphasiwedi ehlanganisa ingxenye engashintshi kanye nekhodi ekhiqizwe i-Google Authenticator.

Endabeni ye-Linux, angikwazanga ukwenza i-Cisco Connect isebenze, kodwa ngikwazile ukusebenzisa i-google isincomo sokusebenzisa i-openconnect, eyenziwe ngokukhethekile ukuze ngithathele i-Cisco Connect.

Vula ukuxhuma

Ngokombono, i-Ubuntu ine-interface yesithombe ekhethekile ye-openconnect, kodwa ayizange ingisebenzele. Mhlawumbe kungcono.

Ku-Ubuntu, i-openconnect ifakiwe kumphathi wephakheji.

apt install openconnect

Ngokushesha ngemva kokufaka, ungazama ukuxhuma ku-VPN

openconnect --user poxvuibr vpn.evilcorp.com

I-vpn.evilcorp.com ikheli le-VPN engelona iqiniso
poxvuibr - igama lomsebenzisi elingelona iqiniso

i-openconnect izokucela ukuthi ufake iphasiwedi, okuthi, ake ngikukhumbuze, iqukethe ingxenye engaguquki kanye nekhodi evela ku-Google Authenticator, bese izozama ukuxhuma ku-vpn. Uma kusebenza, siyakuhalalisela, ungakwazi ukweqa ngokuphephile phakathi nendawo, okubuhlungu kakhulu, bese udlulela endaweni mayelana ne-openconnect egijima ngemuva. Uma kungasebenzi, ungaqhubeka. Noma ngabe isebenze lapho kuxhunywa, ngokwesibonelo, kusivakashi se-Wi-Fi emsebenzini, kungase kube kusesekuseni kakhulu ukujabula; kufanele uzame ukuphinda inqubo usekhaya.

Isitifiketi

Maningi amathuba okuthi akukho okuzoqala, futhi ukuphuma kwe-openconnect kuzobukeka kanje:

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.evilcorp.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

Ngakolunye uhlangothi, lokhu akujabulisi, ngoba kwakungekho uxhumano ku-VPN, kodwa ngakolunye uhlangothi, indlela yokulungisa le nkinga, ngokuyisisekelo, icacile.

Lapha iseva isithumelele isitifiketi, esinganquma ngaso ukuthi uxhumo lwenziwa kuseva yenkampani yethu yomdabu, futhi hhayi kumkhohlisi omubi, futhi lesi sitifiketi asaziwa ohlelweni. Ngakho-ke akakwazi ukubheka ukuthi iseva ingokoqobo noma cha. Futhi ngakho, uma kwenzeka, iyeka ukusebenza.

Ukuze i-openconnect ixhume kuseva, udinga ukuyitshela ngokucacile ukuthi yisiphi isitifiketi okufanele siphume kuseva ye-VPN usebenzisa ukhiye we--servercert

Futhi ungathola ukuthi yisiphi isitifiketi iseva esithumele sona ngokuqondile kusukela kulokho okuphrintiwe yi-openconnect. Nakhu okuvela kulesi siqeshana:

To trust this server in future, perhaps add this to your command line:
    --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

Ngalo myalo ungazama ukuxhuma futhi

openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com

Mhlawumbe manje iyasebenza, khona-ke ungadlulela ekugcineni. Kodwa ngokwami, Ubunta wangibonisa ikhiwane kuleli fomu

POST https://vpn.evilcorp.com/
Connected to 777.777.777.777:443
SSL negotiation with vpn.evilcorp.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.evilcorp.com
XML POST enabled
Please enter your username and password.
POST https://vpn.evilcorp.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 300, Keepalive 30
Set up DTLS failed; using SSL instead
Connected as 192.168.333.222, using SSL
NOSSSSSHHHHHHHDDDDD
3
NOSSSSSHHHHHHHDDDDD
3
RTNETLINK answers: File exists
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

/etc/resolv.conf

# Generated by NetworkManager
search gst.evilcorpguest.com
nameserver 127.0.0.53

/run/resolvconf/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 192.168.430.534
nameserver 127.0.0.53
search evilcorp.com gst.publicevilcorp.com

I-habr.com izoxazulula, kodwa ngeke ukwazi ukuya lapho. Amakheli afana ne-jira.evilcorp.com awaxazululwa nhlobo.

Okwenzeka lapha angikuqondi. Kodwa ukuhlola kubonisa ukuthi uma wengeza umugqa kokuthi /etc/resolv.conf

nameserver 192.168.430.534

khona-ke amakheli angaphakathi kwe-VPN azoqala ukuxazulula ngomlingo futhi ungakwazi ukuhamba kuwo, okungukuthi, lokho i-DNS efuna ukuxazulula amakheli kubukeka ngokuqondile /etc/resolv.conf, hhayi kwenye indawo.

Ungaqinisekisa ukuthi kukhona ukuxhumana ku-VPN futhi isebenza ngaphandle kokwenza izinguquko ku-/etc/resolv.conf; ukwenza lokhu, vele ufake esipheqululini hhayi igama elingokomfanekiso lensiza evela ku-VPN, kodwa ikheli layo le-IP.

Ngenxa yalokho, kunezinkinga ezimbili

  • Uma uxhuma ku-VPN, i-dns yayo ayithathwa
  • yonke ithrafikhi ihamba nge-VPN, engavumeli ukufinyelela ku-inthanethi

Ngizokutshela ukuthi wenzeni manje, kodwa okokuqala ngokuzenzakalela.

Ukufaka okuzenzakalelayo kwengxenye engashintshi yephasiwedi

Okwamanje, kungenzeka ukuthi usuyifakile iphasiwedi yakho okungenani izikhathi ezinhlanu futhi le nqubo isivele ikhathele. Okokuqala, ngoba iphasiwedi yinde, futhi okwesibili, ngoba lapho ufaka udinga ukulingana phakathi nesikhathi esinqunyiwe

Isixazululo sokugcina senkinga asizange sifakwe esihlokweni, kodwa ungaqiniseka ukuthi ingxenye egxilile yephasiwedi akudingeki ukuthi ifakwe izikhathi eziningi.

Masithi ingxenye egxilile yephasiwedi yi-fixedPassword, futhi ingxenye evela ku-Google Authenticator ithi 567 987. Lonke igama-mfihlo lingadluliswa ukuze uvule ukuxhuma ngokufaka okujwayelekile kusetshenziswa i-agumenti --passwd-on-stdin .

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr vpn.evilcorp.com --passwd-on-stdin

Manje ungabuyela njalo kumyalo wokugcina owufakile futhi uguqule ingxenye kuphela ye-Google Authenticator lapho.

I-VPN yebhizinisi ayikuvumeli ukuthi usebenzise i-inthanethi.

Ngokuvamile, akunzima kakhulu uma kufanele usebenzise ikhompuyutha ehlukile ukuya ku-Habr. Ukungakwazi ukukopisha-ukunamathisela kusuka ku-stackoverfow ngokuvamile kungakhubaza umsebenzi, ngakho-ke kukhona okumele kwenziwe.

Sidinga ukuyihlela ngandlela-thile ukuze uma udinga ukufinyelela insiza evela kunethiwekhi yangaphakathi, i-Linux iya ku-VPN, futhi uma udinga ukuya ku-Habr, iya ku-Inthanethi.

i-openconnect, ngemva kokwethula nokusungula uxhumano ne-vpn, yenza iskripthi esikhethekile, esitholakala ku-/usr/share/vpnc-scripts/vpnc-script. Okunye okuguquguqukayo kudluliswa kuskripthi njengokufakiwe, futhi ilungiselela i-VPN. Ngeshwa, angikwazanga ukuthola ukuthi ngingahlukanisa kanjani ukugeleza kwethrafikhi phakathi kwe-VPN yebhizinisi nayo yonke i-inthanethi ngisebenzisa umbhalo wendabuko.

Ngokusobala, insiza ye-vpn-slice yathuthukiswa ikakhulukazi kubantu abanjengami, okuvumela ukuthi uthumele ithrafikhi ngeziteshi ezimbili ngaphandle kokudansa ngethamborini. Hhayi-ke, okuwukuthi, kuzodingeka udanse, kodwa akudingeki ube shaman.

Ukuhlukaniswa kwethrafikhi kusetshenziswa i-vpn-slice

Okokuqala, kuzodingeka ufake i-vpn-slice, kuzodingeka ukuthi uzitholele lokhu ngokwakho. Uma kunemibuzo kumazwana, ngizobhala okuthunyelwe okuhlukile ngalokhu. Kepha lolu wuhlelo olujwayelekile lwePython, ngakho-ke akumele kube nobunzima. Ngifake ngisebenzisa i-virtualenv.

Futhi-ke insiza kufanele isetshenziswe, kusetshenziswa inkinobho -script, ekhombisa ukuvula ukuxhuma ukuthi esikhundleni sombhalo ojwayelekile, udinga ukusebenzisa i-vpn-slice.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin 
--script "./bin/vpn-slice 192.168.430.0/24  " vpn.evilcorp.com

--script kudluliswa iyunithi yezinhlamvu enomyalo odinga ukubizwa esikhundleni sombhalo. ./bin/vpn-slice - indlela eya kufayela elisebenzisekayo le-vpn-slice 192.168.430.0/24 - imaski yamakheli ongaya kuwo ku-vpn. Lapha, sisho ukuthi uma ikheli liqala ngo-192.168.430, khona-ke insiza enaleli kheli idinga ukuseshwa ngaphakathi kwe-VPN.

Isimo kufanele manje sicishe sibe ngokwejwayelekile. Cishe. Manje ungaya ku-Habr futhi ungaya kusisetshenziswa se-intra-corporate nge-ip, kodwa awukwazi ukuya esisetshenziswa senkampani yangaphakathi ngegama elingokomfanekiso. Uma ucacisa ukufana phakathi kwegama elingokomfanekiso nekheli kubasingathi, yonke into kufanele isebenze. Bese usebenza kuze kube yilapho i-ip ishintsha. I-Linux manje isingakwazi ukufinyelela i-inthanethi noma i-intranet, kuye nge-IP. Kodwa i-DNS engeyona eyenkampani isasetshenziswa ukucacisa ikheli.

Inkinga ingase futhi ibonakale kuleli fomu - emsebenzini konke kuhamba kahle, kodwa ekhaya ungakwazi ukufinyelela izinsiza zangaphakathi zenkampani nge-IP. Lokhu kungenxa yokuthi uma uxhumeke ku-Wi-Fi yenkampani, i-DNS yenkampani iphinde isetshenziswe, futhi amakheli angokomfanekiso avela ku-VPN axazululwa kuwo, naphezu kokuthi kusengenakwenzeka ukuya ekhelini elinjalo ngaphandle kokusebenzisa i-VPN.

Ukuguqulwa okuzenzakalelayo kwefayela labasingathi

Uma i-vpn-slice ibuzwa ngokuzithoba, khona-ke ngemva kokukhulisa i-VPN, ingaya ku-DNS yayo, ithole lapho amakheli e-IP wezinsiza ezidingekayo ngamagama abo angokomfanekiso bese uwafaka kubabungazi. Ngemva kokuvala i-VPN, lawa makheli azokhishwa kubasingathi. Ukuze wenze lokhu, udinga ukudlulisa amagama angokomfanekiso ku-vpn-slice njengezingxabano. Kanje.

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Manje konke kufanele kusebenze kokubili ehhovisi kanye ogwini.

Sesha amakheli azo zonke izizinda ezingaphansi kwe-DNS enikezwe i-VPN

Uma kukhona amakheli ambalwa ngaphakathi kwenethiwekhi, indlela yokulungisa ngokuzenzakalelayo ifayela labasingathi isebenza kahle kakhulu. Kodwa uma kunezinsiza eziningi kunethiwekhi, uzodinga njalo ukungeza imigqa efana ne-zoidberg.test.evilcorp.com ku-script zoidberg igama lelinye lamabhentshi okuhlola.

Kodwa manje njengoba sesiqonda kancane ukuthi kungani lesi sidingo singaqedwa.

Uma, ngemva kokukhulisa i-VPN, ubheka ku-/etc/hosts, ungabona lo mugqa

192.168.430.534 dns0.tun0 # vpn-slice-tun0 OKUZENZAKALELAYO

Futhi umugqa omusha wengeziwe ku-resolv.conf. Ngamafuphi, i-vpn-slice ngandlela thize inqume ukuthi iseva ye-dns ye-vpn ikuphi.

Manje sidinga ukwenza isiqiniseko sokuthi ukuze sithole ikheli le-IP legama lesizinda eligcina ngokuthi evilcorp.com, i-Linux iya ku-DNS yebhizinisi, futhi uma kukhona okunye okudingekayo, bese kuya kwezenzakalelayo.

Ngisebenzise iGoogle isikhathi eside futhi ngathola ukuthi ukusebenza okunjalo kuyatholakala ku-Ubuntu ngaphandle kwebhokisi. Lokhu kusho amandla okusebenzisa iseva yendawo ye-DNS dnsmasq ukuxazulula amagama.

Okusho ukuthi, ungaqiniseka ukuthi i-Linux ihlala iya kuseva yendawo ye-DNS yamakheli e-IP, yona, ngokuya ngegama lesizinda, izobheka i-IP kuseva ye-DNS yangaphandle ehambisanayo.

Ukuphatha yonke into ehlobene namanethiwekhi nokuxhumana kwenethiwekhi, Ubuntu isebenzisa i-NetworkManager, kanye nesixhumi esibonakalayo sokukhetha, ngokwesibonelo, ukuxhumana kwe-Wi-Fi kumane nje kungaphambili kukho.

Kuzodingeka sikhuphuke ekucushweni kwayo.

  1. Dala ifayela kokuthi /etc/NetworkManager/dnsmasq.d/evilcorp

ikheli=/.evilcorp.com/192.168.430.534

Naka iphuzu eliphambi kwe- evilcorp. Kubonisa i-dnsmasq ukuthi zonke izizinda ezingaphansi kwe- evilcorp.com kufanele ziseshwe ku-dns yebhizinisi.

  1. Tshela i-NetworkManager ukuthi isebenzise i-dnsmasq ukuze kulungiswe igama

Ukucushwa komphathi wenethiwekhi kutholakala ku-/etc/NetworkManager/NetworkManager.conf Udinga ukungeza lapho:

[okuyinhloko] dns=dnsmasq

  1. Qala kabusha i-NetworkManager

service network-manager restart

Manje, ngemva kokuxhuma ku-VPN usebenzisa i-openconnect ne-vpn-slice, i-ip izonqunywa ngokujwayelekile, ngisho noma ungangezi amakheli angokomfanekiso ezimpikiswaneni ku-vpnslice.

Ungafinyelela kanjani kumasevisi angawodwana nge-VPN

Ngemuva kokuthi ngikwazi ukuxhuma ku-VPN, ngijabule kakhulu izinsuku ezimbili, futhi kwavela ukuthi uma ngixhuma ku-VPN ngaphandle kwenethiwekhi yehhovisi, i-imeyili ayisebenzi. Uphawu lujwayelekile, akunjalo?

Imeyili yethu iku-mail.publicevilcorp.com, okusho ukuthi ayiweli ngaphansi komthetho ku-dnsmasq futhi ikheli leseva yemeyili liseshwa nge-DNS yomphakathi.

Nokho, ihhovisi lisasebenzisa i-DNS, equkethe leli kheli. Yilokho engangikucabanga. Eqinisweni, ngemuva kokungeza umugqa ku-dnsmasq

ikheli=/mail.publicevilcorp.com/192.168.430.534

isimo asikashintshi nakancane. ip yahlala injalo. Kwadingeka ngiye emsebenzini.

Futhi kamuva nje, lapho ngijula ​​kulesi simo futhi ngiqonda inkinga kancane, umuntu oyedwa ohlakaniphile wangitshela ukuthi ngingayixazulula kanjani. Kwakudingeka ukuxhuma kuseva yemeyili hhayi nje kanjalo, kodwa nge-VPN

Ngisebenzisa i-vpn-slice ukuze ngidlule ku-VPN kumakheli aqala ngo-192.168.430. Futhi iseva yemeyili ayinalo ikheli elingokomfanekiso kuphela elingesona isizinda se- evilcorp, futhi ayinalo ikheli le-IP eliqala ngo-192.168.430. Futhi-ke akavumeli noma ubani ovela kunethiwekhi jikelele ukuba eze kuye.

Ukuze i-Linux idlule ku-VPN nakuseva yemeyili, udinga ukuyingeza naku-vpn-slice. Ake sithi ikheli lomthumeli 555.555.555.555

echo "fixedPassword567987" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin
--script "./bin/vpn-slice 555.555.555.555 192.168.430.0/24" vpn.evilcorp.com

Iskripthi sokukhulisa i-VPN ngengxabano eyodwa

Konke lokhu, kunjalo, akulula kakhulu. Yebo, ungagcina umbhalo efayeleni futhi uwukopishe-unamathisele kukhonsoli esikhundleni sokuwuthayipha ngesandla, kodwa akusajabulisi neze. Ukwenza inqubo ibe lula, ungakwazi ukugoqa umyalo kuskripthi esizotholakala ku-PATH. Bese uzodinga kuphela ukufaka ikhodi etholwe ku-Google Authenticator

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 --user poxvuibr --passwd-on-stdin 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Uma ufaka umbhalo ku-connect~evilcorp~ ungavele ubhale kukhonsoli

connect_evil_corp 567987

Kepha manje kusafanele ugcine ikhonsoli lapho i-openconnect ivuleka khona ngesizathu esithile

Isebenzisa i-openconnect ngemuva

Ngenhlanhla, ababhali be-openconnect basinakekele futhi bengeza ukhiye okhethekile ohlelweni -isizinda, okwenza uhlelo lusebenze ngemuva ngemuva kokwethulwa. Uma uyisebenzisa kanje, ungavala ikhonsoli ngemuva kokwethulwa

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Manje akucaci nje ukuthi amalogi ashonaphi. Ngokuvamile, asiwadingi ngempela izingodo, kodwa awukwazi. i-openconnect ingabaqondisa kabusha ku-syslog, lapho izogcinwa iphephile futhi ivikelekile. udinga ukwengeza inkinobho -syslog kumyalo

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com

Futhi ngakho-ke, kuvela ukuthi i-openconnect isebenza endaweni ethile ngemuva futhi ayikhathazi muntu, kodwa akucaci ukuthi ungayimisa kanjani. Okusho ukuthi, ungakwazi, vele, ukuhlunga okukhiphayo kwe-ps usebenzisa i-grep futhi ubheke inqubo egama layo liqukethe i-openconnect, kodwa lokhu ngandlela thile kuyakhathaza. Ngibonga ababhali abacabange ngalokhu nabo. I-Openconnect inokhiye -pid-file, ongayalela ngayo i-openconnect ukuthi ibhale isihlonzi senqubo yayo efayeleni.

#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background  
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com  
--pid-file ~/vpn-pid

Manje ungahlala ubulala inqubo ngomyalo

kill $(cat ~/vpn-pid)

Uma ingekho inqubo, ukubulala kuzoqalekisa, kodwa ngeke kuphonse iphutha. Uma ifayela lingekho, akukho okubi okuzokwenzeka noma, ukuze ukwazi ukubulala ngokuphepha inqubo emgqeni wokuqala weskripthi.

kill $(cat ~/vpn-pid)
#!/bin/sh  
echo "fixedPassword$1" | openconnect --servercert sha256:4444444444444444444444444444444444444444444444444444444444444444 
--user poxvuibr 
--passwd-on-stdin 
--background 
--syslog 
--script "./bin/vpn-slice 192.168.430.0/24  jira.vpn.evilcorp.com git.vpn.evilcorp.com " vpn.evilcorp.com  
--pid-file ~/vpn-pid

Manje usungakwazi ukuvula ikhompuyutha yakho, uvule ikhonsoli bese uqhuba umyalo, uyidlulisele ikhodi esuka ku-Google Authenticator. I-console ingabethelwa phansi.

Ngaphandle kwe-VPN-ucezu. Esikhundleni segama langemuva

Kwaba nzima kakhulu ukuqonda ukuthi ungaphila kanjani ngaphandle kwe-VPN-slice. Kwadingeka ngifunde futhi ngi-google kakhulu. Ngenhlanhla, ngemva kokuchitha isikhathi esiningi nenkinga, izincwadi zobuchwepheshe kanye ne-openconnect yendoda ifundeka njengamanoveli ajabulisayo.

Ngenxa yalokho, ngithole ukuthi i-vpn-slice, njengesikripthi somdabu, ilungisa ithebula lomzila ukuze lihlukanise amanethiwekhi.

Ithebula lomzila

Ukuyibeka kalula nje, leli yithebula elikukholamu yokuqala eliqukethe ukuthi ikheli iLinux efuna ukudlula kuzo kufanele liqale ngalo, futhi kukholamu yesibili ukuthi iyiphi i-adaptha yenethiwekhi okufanele idlule kuleli kheli. Eqinisweni, kunezikhulumi eziningi, kodwa lokhu akuwushintshi umqondo.

Ukuze ubuke ithebula lomzila, udinga ukusebenzisa umyalo we-ip womzila

default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600 
192.168.430.0/24 dev tun0 scope link 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.534 metric 600 
192.168.430.534 dev tun0 scope link

Lapha, ulayini ngamunye unesibopho salapho udinga ukuya khona ukuze uthumele umlayezo kwelinye ikheli. Esokuqala yincazelo yokuthi ikheli kufanele liqale kuphi. Ukuze uqonde ukuthi unquma kanjani ukuthi 192.168.0.0/16 kusho ukuthi ikheli kufanele liqale ngo-192.168, udinga ku-google ukuthi iyini imaski yekheli le-IP. Ngemva kwe-dev kunegama le-adaptha okufanele umlayezo uthunyelwe kuyo.

Nge-VPN, i-Linux yenza i-adaptha ebonakalayo - tun0. Ulayini uqinisekisa ukuthi ithrafikhi yawo wonke amakheli aqala ngo-192.168 idlula kuwo

192.168.0.0/16 dev tun0 scope link

Ungaphinda ubheke isimo samanje setafula lomzila usebenzisa umyalo umzila -n (Amakheli e-IP awaziwa ngobuqili) Lo myalo ukhiqiza imiphumela ngendlela ehlukile futhi ngokuvamile uyehliswa, kodwa okukhiphayo ngokuvamile kutholakala kumamanyuwali ku-inthanethi futhi udinga ukwazi ukuyifunda.

Lapho ikheli lasesizindeni se-inthanethi lomzila kufanele liqale khona lingaqondwa kusukela ekuhlanganisweni kwamakholomu Indawo okuyiwa kuyo kanye ne-Genmask. Lezo zingxenye zekheli le-IP ezihambisana nezinombolo ezingu-255 ku-Genmask ziyacatshangelwa, kodwa lezo lapho kukhona u-0 azikho. Okusho ukuthi, inhlanganisela ye-Destination 192.168.0.0 kanye ne-Genmask 255.255.255.0 isho ukuthi uma ikheli liqala ngo-192.168.0, isicelo kuzo sizohambisana nalo mzila. Futhi uma i-Destination 192.168.0.0 kodwa i-Genmask 255.255.0.0, bese icela amakheli aqala ngo-192.168 azohambisana nalo mzila.

Ukuze ngithole ukuthi i-vpn-slice empeleni yenzani, nginqume ukubheka izifunda zamatafula ngaphambi nangemva kwalokho.

Ngaphambi kokuvula i-VPN bekunje

route -n 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0

Ngemuva kokubiza i-openconnect ngaphandle kwe-vpn-slice kwaba kanje

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Futhi ngemuva kokubiza i-openconnect ngokuhlanganiswa ne-vpn-slice kanje

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0
222.222.222.0   0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
333.333.333.333 222.222.222.1   255.255.255.255 UGH   0      0        0 wlp3s0
192.168.430.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.430.534 0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Kungabonakala ukuthi uma ungasebenzisi i-vpn-slice, i-openconnect ibhala ngokucacile ukuthi wonke amakheli, ngaphandle kwalawo aboniswe ngokuqondile, kufanele afinyelelwe nge-vpn.

Lapho ke:

0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0

Lapho, eduze kwayo, kukhonjiswa enye indlela ngokushesha, okufanele isetshenziswe uma ikheli i-Linux ezama ukudlula kulo lingahambisani nanoma iyiphi imaski evela etafuleni.

0.0.0.0         222.222.222.1   0.0.0.0         UG    600    0        0 wlp3s0

Sekuvele kubhaliwe lapha ukuthi kulokhu udinga ukusebenzisa i-adaptha ye-Wi-Fi evamile.

Ngikholelwa ukuthi indlela ye-VPN isetshenziswa ngoba ingeyokuqala etafuleni lomzila.

Futhi ngokwethiyori, uma ususa le ndlela ezenzakalelayo kuthebula lomzila, lapho-ke ngokuhlangana ne-dnsmasq openconnect kufanele iqinisekise ukusebenza okuvamile.

Ngizamile

route del default

Futhi konke kwasebenza.

Ukudlulisela izicelo kuseva yemeyili ngaphandle kwe-vpn-slice

Kodwa futhi ngineseva yeposi enekheli elithi 555.555.555.555, elidinga ukufinyelelwa nge-VPN. Umzila oya kuyo nawo udinga ukungezwa mathupha.

ip route add 555.555.555.555 via dev tun0

Futhi manje konke kuhamba kahle. Ngakho ungenza ngaphandle kwe-vpn-slice, kodwa udinga ukwazi kahle ukuthi wenzani. Manje ngicabanga ngokungeza kulayini wokugcina weskripthi se-openconnect yomdabu ukususwa komzila ozenzakalelayo nokwengeza umzila womthumeli ngemva kokuxhuma ku-vpn, ukuze nje kube nezingxenye ezihambayo ezimbalwa ebhayisikilini lami.

Mhlawumbe, leli gama langemuva linganele ukuthi othile aqonde indlela yokumisa i-VPN. Kodwa ngenkathi ngizama ukuqonda ukuthi ngenzeni nokuthi ngenzenjani, ngafunda iziqondiso eziningi ezinjalo ezisebenzela umbhali, kodwa ngesizathu esithile azingisebenzeli, futhi nganquma ukungeza lapha zonke izingcezu engizitholile. Ngingajabula kakhulu ngento efana naleyo.

Source: www.habr.com

Engeza amazwana