Use vpnc for a specific URL and port
I am on Ubuntu 14.04 and use the vpnc client to connect to a client's network. However, because of this all my traffic (web browser, streaming, Skype, etc.) is routed through the VPN, although I only need to reach one specific URL through the VPN.
How can I configure vpnc (or another VPN client) to use the VPN only when accessing a specific URL (say, http://example.com:8080/)?
I tried using an SSH tunnel, but could not find out how to use it with IPSec gateways.
1 answer
I found this tutorial, which works for me! Hope it helps.
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html
The relevant text is quoted below.
8.1 Step 1
----------
List all the hosts you need to access in the corporate network.
In the following example we will consider:
- mail server, to read messages: pop3.mycom.com;
- smtp server, to send messages out: smtp.mycom.com;
- ldap server, to search mail accounts: ldap.mycom.com;
- internet proxy, to access internal websites: proxy.mycom.com.
Avoid a long list; keep security in mind and just map what you really need.
8.2 Step 2
----------
Resolve IP address of all the names you listed in Step 1, and put them in your
local file /etc/hosts. We suppose all of them are fixed IP.
Sometimes two or more servers are mapped to the same IP. Practically it is the
same server that implements multiple functions. In the example below, we
suppose that pop3 and smtp services are on the same server.
Example of /etc/hosts:
______________________________________________________________________
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.0.0.130 pop3.mycom.com smtp.mycom.com
10.0.14.1 ldap.mycom.com
10.1.0.5 proxy.mycom.com
______________________________________________________________________
8.3 Step 3
----------
Create a copy of your working vpnc config file:
#> cp /etc/vpnc/corp.conf /etc/vpnc/split.conf
8.4 Step 4
----------
Edit the new file "split.conf" and add the following line:
Script /etc/vpnc/vpnc-script-corp-split
It will force this new configuration to use a special script file.
8.5 Step 5
----------
Create the file /etc/vpnc/vpnc-script-corp-split with the following content:
______________________________________________________________________
#!/bin/sh
# Add one IP to the list of split tunnel
add_ip ()
{
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255
export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32
export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
}
# Initialize empty split tunnel list
export CISCO_SPLIT_INC=0
# Delete DNS info provided by VPN server to use internet DNS
# Comment following line to use DNS beyond VPN tunnel
unset INTERNAL_IP4_DNS
# List of IPs beyond VPN tunnel
add_ip 10.0.0.130 # pop3.mycom.com and smtp
add_ip 10.0.14.1 # ldap.mycom.com
add_ip 10.1.0.5 # proxy.mycom.com
# Execute default script
. /etc/vpnc/vpnc-script
# End of script
______________________________________________________________________
The parameter passed to "add_ip" is used, in /etc/vpnc/vpnc-script, to set the routing
table by running either the "ip" or the "route" command, depending on system
configuration.
While "route" accepts both host names and IPs on the command line, "ip"
strictly requires numeric IPs.
This is quite annoying, since it would be easier to use only host names in the
script above, keeping the numeric IP relations in /etc/hosts only.
Eventually, it could be possible to improve the script above by resolving names
before running /etc/vpnc/vpnc-script.
The command "gethostip" could be used for name resolution. Does anybody know
whether the command "gethostip" is present in every Linux distro?
8.6 Step 6
----------
At last, provide the proper execution permission:
#> chmod 755 /etc/vpnc/vpnc-script-corp-split
That's all, folks!
You can now run:
#> vpnc split.conf
Reading the routing table, you can verify that the split is active.
#> route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
proxy.mycom.com * 255.255.255.255 UH 0 0 0 tun0
ldap.mycom.com * 255.255.255.255 UH 0 0 0 tun0
pop3.mycom.com * 255.255.255.255 UH 0 0 0 tun0
vpn.mycom.com 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
10.2.0.0 * 255.255.255.0 U 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
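The improvement the quoted post wishes for (resolving names before calling /etc/vpnc/vpnc-script), as an added example that is not code from the answer or from the vpnc project: it keeps the same CISCO_SPLIT_INC_* mechanism but accepts host names, resolving them with getent(1) from glibc instead of gethostip. The host names and the /etc/vpnc/vpnc-script path come from the quoted post; the function names and the $reason guard are my assumptions (vpnc exports $reason when it runs its script).

```shell
#!/bin/sh
# Add one /32 to the split-tunnel list; same CISCO_SPLIT_INC_* mechanism
# that /etc/vpnc/vpnc-script reads when it installs routes.
add_ip () {
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32"
    export CISCO_SPLIT_INC=$((CISCO_SPLIT_INC + 1))
}

# Return 0 if $1 is a dotted-quad IPv4 literal, 1 otherwise. "ip route"
# refuses names, so only literals may reach add_ip.
is_ipv4 () {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print the IPv4 addresses of a literal or a host name, one per line. The
# local resolver is used, so the /etc/hosts entries from Step 2 apply.
resolve_v4 () {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
    fi
}

# Add every address of a host; fail instead of silently leaving it out of
# the split list (which would send that traffic outside the tunnel).
add_host () {
    addrs=$(resolve_v4 "$1")
    [ -n "$addrs" ] || { echo "vpnc-split: cannot resolve $1" >&2; return 1; }
    for a in $addrs; do add_ip "$a"; done
}

# Entry point when vpnc runs this file (vpnc sets $reason for its script).
vpnc_split_main () {
    export CISCO_SPLIT_INC=0
    unset INTERNAL_IP4_DNS   # keep using local DNS, as in the answer
    for h in pop3.mycom.com ldap.mycom.com proxy.mycom.com; do
        add_host "$h" || exit 1
    done
    . /etc/vpnc/vpnc-script
}

if [ -n "${reason:-}" ]; then vpnc_split_main; fi
```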