Use vpnc for a specific URL and port only

1

I am on Ubuntu 14.04 and use the vpnc client to connect to a customer's network. Because of this, all my traffic (web browser, streaming, Skype, etc.) is routed through the VPN, although I only need to reach one specific URL through the VPN.

How can I configure vpnc (or another VPN client) to use the VPN only when accessing a specific URL (say link)?

I tried using an SSH tunnel, but could not find out how to use it with IPsec gateways.

    
by Harshil Sharma 27.04.2016 / 06:50

1 answer

0

I found this tutorial, which is working for me! I hope this helps.

link

Relevant text quoted below.

8.1 Step 1
----------

List all the hosts you need to access in the corporate network.
In the following example we will consider:
- mail server, to read messages: pop3.mycom.com;
- smtp server, to send messages out: smtp.mycom.com;
- ldap server, to search mail accounts: ldap.mycom.com;
- internet proxy, to access internal websites: proxy.mycom.com.
Avoid a long list; keep security in mind and just map what you really need.


8.2 Step 2
----------

Resolve IP address of all the names you listed in Step 1, and put them in your
local file /etc/hosts. We suppose all of them are fixed IP.
Sometimes two or more servers are mapped to the same IP. Practically it is the
same server that implements multiple functions. In the example below, we
suppose that pop3 and smtp services are on the same server.
Example of /etc/hosts:
    ______________________________________________________________________
    127.0.0.1   localhost.localdomain localhost
    ::1     localhost6.localdomain6 localhost6
    10.0.0.130  pop3.mycom.com smtp.mycom.com
    10.0.14.1   ldap.mycom.com
    10.1.0.5    proxy.mycom.com
    ______________________________________________________________________


8.3 Step 3
----------

Create a copy of your working vpnc config file:
#> cp /etc/vpnc/corp.conf /etc/vpnc/split.conf


8.4 Step 4
----------

Edit the new file "split.conf" and add the following line:
    Script /etc/vpnc/vpnc-script-corp-split
It will force this new configuration to use a special script file.


8.5 Step 5
----------

Create the file /etc/vpnc/vpnc-script-corp-split with following content
    ______________________________________________________________________
    #!/bin/sh

    # Add one IP to the list of split tunnel
    add_ip ()
    {
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32
        export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
    }

    # Initialize empty split tunnel list
    export CISCO_SPLIT_INC=0

    # Delete DNS info provided by VPN server to use internet DNS
    # Comment following line to use DNS beyond VPN tunnel
    unset INTERNAL_IP4_DNS

    # List of IPs beyond VPN tunnel
    add_ip 10.0.0.130   # pop3.mycom.com and smtp
    add_ip 10.0.14.1    # ldap.mycom.com
    add_ip 10.1.0.5     # proxy.mycom.com

    # Execute default script
    . /etc/vpnc/vpnc-script

    # End of script
    ______________________________________________________________________

Parameter passed to "add_ip" is used, in /etc/vpnc/vpnc-script, to set routing
table by running either "ip" or "route" command, depending on system
configuration.
While "route" accepts both host names and IP in the command line, "ip"
strictly requires numeric IP.
This is quite annoying, since it would be easier to use only host names in the
script above, keeping numeric IP relations in /etc/hosts only.
Eventually, it could be possible to improve the script above by resolving names
before running /etc/vpnc/vpnc-script.
The command "gethostip" could be used for name resolution. Does anybody know
if the command "gethostip" is present in every Linux distro?


8.6 Step 6
----------

At last, provide the proper execution permission:
#> chmod 755 /etc/vpnc/vpnc-script-corp-split

That's all, folks!
You can now run:
#> vpnc split.conf

Reading routing table, you can verify the split is active.
#> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
proxy.mycom.com *               255.255.255.255 UH    0      0        0 tun0
ldap.mycom.com  *               255.255.255.255 UH    0      0        0 tun0
pop3.mycom.com  *               255.255.255.255 UH    0      0        0 tun0
vpn.mycom.com   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        *               255.255.255.0   U     0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    
by Larry Turtis 25.10.2016 / 18:02
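The tutorial's script works from hard-coded addresses and leaves open how to resolve names before the stock vpnc-script runs. The script below is an added example, written for this page and not taken from the tutorial or from the vpnc project: it is a drop-in for step 5 that looks each host name up in /etc/hosts (the entries from step 2) with awk, so no dependency on gethostip and no DNS query leaving the machine, checks that the result is a dotted-quad IPv4 address before handing it to vpnc-script (the "ip" command rejects names), refuses duplicates such as pop3 and smtp sharing one server, and exposes the resulting list for inspection. The names SPLIT_HOSTS_FILE, SPLIT_HOSTS, is_ipv4, resolve_host, add_host and split_list are assumptions of this example; CISCO_SPLIT_INC_* and INTERNAL_IP4_DNS are the variables the tutorial already uses, and $reason is the variable vpnc itself sets when it invokes the script.

```shell
#!/bin/sh
# Split-tunnel helper for vpnc (added example, not the tutorial's script).
# Resolves the step 1 hosts against the step 2 /etc/hosts entries, validates
# each address, skips duplicates, then hands over to the stock vpnc-script.
# SPLIT_HOSTS_FILE / SPLIT_HOSTS are assumed names chosen for this example.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    _rest=$1. ; _n=0
    while [ -n "$_rest" ]; do
        _o=${_rest%%.*}; _rest=${_rest#*.}
        [ "$_o" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ]
}

# Print the IPv4 address mapped to name $1 in the hosts file; fail if absent.
# Comments are stripped and names compared case-insensitively, as resolvers do.
resolve_host() {
    addr=$(awk -v name="$1" '
        { sub(/#.*/, "") }
        NF >= 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; exit }
        }' "${SPLIT_HOSTS_FILE:-/etc/hosts}")
    [ -n "$addr" ] && printf '%s\n' "$addr"
}

# Append one /32 to the CISCO_SPLIT_INC_* list that vpnc-script turns into
# host routes. Refuses non-IPv4 input and ignores addresses already listed.
add_ip() {
    is_ipv4 "$1" || { echo "split: '$1' is not an IPv4 address, skipped" >&2; return 1; }
    case " $SPLIT_ADDED " in *" $1 "*) return 0 ;; esac
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32"
    CISCO_SPLIT_INC=$((CISCO_SPLIT_INC + 1)); export CISCO_SPLIT_INC
    SPLIT_ADDED="$SPLIT_ADDED $1"
}

# Resolve a name through the hosts file and add it; an unresolved name is
# reported and left out rather than passed to "ip route" as garbage.
add_host() {
    addr=$(resolve_host "$1") || {
        echo "split: $1 not found in ${SPLIT_HOSTS_FILE:-/etc/hosts}, no route added" >&2
        return 1
    }
    add_ip "$addr"
}

# Print the configured split list as addr/prefix, one entry per line, so the
# routes can be reviewed before the tunnel comes up.
split_list() {
    _i=0
    while [ "$_i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        eval "_a=\$CISCO_SPLIT_INC_${_i}_ADDR; _l=\$CISCO_SPLIT_INC_${_i}_MASKLEN"
        printf '%s/%s\n' "$_a" "$_l"
        _i=$((_i + 1))
    done
}

export CISCO_SPLIT_INC=0
SPLIT_ADDED=

# Drop the DNS servers pushed by the VPN so ordinary lookups stay local;
# comment this out to resolve through the tunnel instead.
unset INTERNAL_IP4_DNS

# Hosts from step 1 of the tutorial (SPLIT_HOSTS is an assumed override hook).
for _h in ${SPLIT_HOSTS:-pop3.mycom.com smtp.mycom.com ldap.mycom.com proxy.mycom.com}; do
    add_host "$_h" || :
done

# vpnc sets $reason (pre-init, connect, disconnect, ...) when it invokes this
# script; only then run the stock script, which installs the routes.
if [ -n "${reason:-}" ]; then
    . /etc/vpnc/vpnc-script
fi
```

Installed as /etc/vpnc/vpnc-script-corp-split with mode 755, it is used exactly as in steps 4 and 6. Because the stock script is only sourced when vpnc has set $reason, running the file by hand (`sh /etc/vpnc/vpnc-script-corp-split; split_list` after sourcing it with `.`) shows which /32 routes would be installed without touching the routing table, and any name missing from /etc/hosts is reported on stderr instead of silently producing a broken route.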
