Use vpnc only for a specific URL and port

I am on Ubuntu 14.04 and use the vpnc client to connect to a client's network. However, because of this all my traffic (web browser, streaming, Skype, etc.) is routed through the VPN, although I only need to reach one specific URL through the VPN.

How do I configure vpnc (or another VPN client) to use the VPN only when accessing a specific URL (for example http://example.com:8080 )?

I tried using an SSH tunnel, but could not find out how to use one with IPsec gateways.

1
asked 27 April 2016 at 07:50

1 answer

I found this tutorial, which works for me! Hope it helps.

http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html

The relevant text is quoted below.

8.1 Step 1
----------

List all the hosts you need to access in the corporate network.
In the following example we will consider:
- mail server, to read messages: pop3.mycom.com;
- smtp server, to send messages out: smtp.mycom.com;
- ldap server, to search mail accounts: ldap.mycom.com;
- internet proxy, to access internal websites: proxy.mycom.com.
Avoid a long list; keep security in mind and just map what you really need.


8.2 Step 2
----------

Resolve IP address of all the names you listed in Step 1, and put them in your
local file /etc/hosts. We suppose all of them are fixed IP.
Sometimes two or more servers are mapped to the same IP. Practically it is the
same server that implements multiple functions. In the example below, we
suppose that pop3 and smtp services are on the same server.
Example of /etc/hosts:
    ______________________________________________________________________
    127.0.0.1   localhost.localdomain localhost
    ::1     localhost6.localdomain6 localhost6
    10.0.0.130  pop3.mycom.com smtp.mycom.com
    10.0.14.1   ldap.mycom.com
    10.1.0.5    proxy.mycom.com
    ______________________________________________________________________


8.3 Step 3
----------

Create a copy of your working vpnc config file:
#> cp /etc/vpnc/corp.conf /etc/vpnc/split.conf


8.4 Step 4
----------

Edit the new file "split.conf" and add the following line:
    Script /etc/vpnc/vpnc-script-corp-split
It will force this new configuration to use a special script file.


8.5 Step 5
----------

Create the file /etc/vpnc/vpnc-script-corp-split with following content
    ______________________________________________________________________
    #!/bin/sh

    # Add one IP to the list of split tunnel
    add_ip ()
    {
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32
        export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
    }

    # Initialize empty split tunnel list
    export CISCO_SPLIT_INC=0

    # Delete DNS info provided by VPN server to use internet DNS
    # Comment following line to use DNS beyond VPN tunnel
    unset INTERNAL_IP4_DNS

    # List of IPs beyond VPN tunnel
    add_ip 10.0.0.130   # pop3.mycom.com and smtp
    add_ip 10.0.14.1    # ldap.mycom.com
    add_ip 10.1.0.5     # proxy.mycom.com

    # Execute default script
    . /etc/vpnc/vpnc-script

    # End of script
    ______________________________________________________________________

The parameter passed to "add_ip" is used, in /etc/vpnc/vpnc-script, to set up the
routing table by running either the "ip" or the "route" command, depending on
system configuration.
While "route" accepts both host names and IPs on the command line, "ip"
strictly requires a numeric IP.
This is quite annoying, since it would be easier to use only host names in the
script above, keeping the name-to-IP relations in /etc/hosts only.
Eventually, it could be possible to improve the script above by resolving names
before running /etc/vpnc/vpnc-script.
The command "gethostip" could be used for name resolution. Does anybody know
whether the command "gethostip" is present in every Linux distro?


8.6 Step 6
----------

At last, provide the proper execution permission:
#> chmod 755 /etc/vpnc/vpnc-script-corp-split

That's all, folks!
You can now run:
#> vpnc split.conf

Reading routing table, you can verify the split is active.
#> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
proxy.mycom.com *               255.255.255.255 UH    0      0        0 tun0
ldap.mycom.com  *               255.255.255.255 UH    0      0        0 tun0
pop3.mycom.com  *               255.255.255.255 UH    0      0        0 tun0
vpn.mycom.com   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        *               255.255.255.0   U     0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
0
answered 27 April 2016 at 17:50
  • 1
    Hi, I tried it but it didn't run. When I restart, it isn't running! Why?! Help me – Kristiyan Veselinov 25 September 2017 at 16:42
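The quoted post ends with the open question of resolving names before /etc/vpnc/vpnc-script runs. The script below is an added example, not part of the original answer or of the vpnc project: it generalises the wrapper from Step 5 so that entries can be host names, plain addresses or CIDR networks, resolves names with `getent ahosts` (glibc; it honours the /etc/hosts entries from Step 2 through nsswitch, unlike `gethostip`, which belongs to syslinux and is not installed everywhere), validates prefix lengths and addresses, and only then hands over to the stock script. The names `SPLIT_HOSTS`, `add_split`, `resolve_ipv4`, `prefix_to_mask` and `is_ipv4` are choices made here; the default 10.x addresses are the ones from the quoted text, and 10.2.0.0/24 in the comment is a constructed sample. Note for the original question: vpnc split tunnelling decides by destination address only, so for http://example.com:8080 a single /32 route to the address example.com resolves to is all that is needed; the port is irrelevant.

```shell
#!/bin/sh
# vpnc-script-split: build vpnc's CISCO_SPLIT_INC_* list from names, addresses
# or CIDR entries, then hand over to the stock /etc/vpnc/vpnc-script.
# Added example; install as /etc/vpnc/vpnc-script-split and point "Script" at it.

# True if $1 is a dotted-quad IPv4 address (four octets in 0..255).
is_ipv4 () {
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Dotted netmask for a prefix length 0..32, e.g. 20 -> 255.255.240.0
prefix_to_mask () {
    _p=$1; _mask=
    for _i in 1 2 3 4; do
        if [ "$_p" -ge 8 ]; then _oct=255; _p=$((_p - 8))
        elif [ "$_p" -le 0 ]; then _oct=0
        else _oct=$((256 - (1 << (8 - _p)))); _p=0
        fi
        _mask="${_mask}${_mask:+.}${_oct}"
    done
    printf '%s\n' "$_mask"
}

# Print the first IPv4 address for $1: as-is when already numeric, otherwise
# via getent ahosts (/etc/hosts first, then DNS). Prints nothing on failure.
resolve_ipv4 () {
    if is_ipv4 "$1"; then printf '%s\n' "$1"; return 0; fi
    getent ahosts "$1" 2>/dev/null | awk '$1 ~ /^[0-9.]+$/ { print $1; exit }'
}

# Append one "host", "a.b.c.d" or "a.b.c.d/len" entry to the split list.
# Malformed or unresolvable entries are reported and skipped (return 1).
add_split () {
    _target=${1%%/*}
    _plen=${1#*/}
    [ "$_plen" = "$1" ] && _plen=32          # no "/len": a host route
    case $_plen in ''|*[!0-9]*) _plen=-1 ;; esac
    if [ "$_plen" -lt 0 ] || [ "$_plen" -gt 32 ]; then
        echo "vpnc-script-split: bad prefix length in '$1', skipped" >&2
        return 1
    fi
    _addr=$(resolve_ipv4 "$_target")
    if [ -z "$_addr" ]; then
        echo "vpnc-script-split: cannot resolve '$_target', skipped" >&2
        return 1
    fi
    _n=$CISCO_SPLIT_INC
    export "CISCO_SPLIT_INC_${_n}_ADDR=$_addr"
    export "CISCO_SPLIT_INC_${_n}_MASK=$(prefix_to_mask "$_plen")"
    export "CISCO_SPLIT_INC_${_n}_MASKLEN=$_plen"
    export CISCO_SPLIT_INC=$((_n + 1))
}

# Entries to send through the tunnel. Default: the three hosts from the quoted
# text. Override from the environment, e.g. (constructed sample)
#   SPLIT_HOSTS="ldap.mycom.com 10.0.0.130 10.2.0.0/24"
: "${SPLIT_HOSTS:=10.0.0.130 10.0.14.1 10.1.0.5}"

export CISCO_SPLIT_INC=0
for _h in $SPLIT_HOSTS; do
    add_split "$_h" || :    # one bad entry must not keep the tunnel down
done

# Keep the public resolver (internal names you look up then go to it in the
# clear); comment out to use the DNS servers pushed by the gateway instead.
unset INTERNAL_IP4_DNS

# vpnc sets $reason (pre-init, connect, disconnect, reconnect) when it runs
# this script; only then chain to the stock script, which installs one route
# per CISCO_SPLIT_INC_* entry instead of replacing the default route.
if [ -n "$reason" ] && [ -r /etc/vpnc/vpnc-script ]; then
    . /etc/vpnc/vpnc-script
fi
```

Two caveats when using it. Names that only the corporate DNS can resolve cannot be looked up before the tunnel exists, so keep those in /etc/hosts as in Step 2 or list their addresses. And after `vpnc split.conf`, verify the result rather than trusting it: `ip route` should show only the listed /32 (or /len) destinations plus the tunnel's own subnet on tun0, with the default route still on your normal interface; a default route on tun0 means the gateway pushed a full tunnel and the split list was ignored.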
