Using vpnc for a specific URL and port only

I use the vpnc client on Ubuntu 14.04 to connect to a client's network. However, because of this, all of my traffic (web browser, streaming, Skype, etc.) is routed through the VPN, even though I only need the VPN to reach a few specific URLs.

How can I configure vpnc (or another VPN client) to use the VPN only when accessing specific URLs (for example http://example.com:8080)?

I tried using an SSH tunnel, but could not find out how to use one with an IPSec gateway.

Answer 1

I found this tutorial useful for me! Hope it helps you.

http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-February/002990.html

The relevant text is quoted below.

8.1 Step 1
----------

List all the hosts you need to access in the corporate network.
In the following example we will consider:
- mail server, to read messages: pop3.mycom.com;
- smtp server, to send messages out: smtp.mycom.com;
- ldap server, to search mail accounts: ldap.mycom.com;
- internet proxy, to access internal websites: proxy.mycom.com.
Avoid a long list; keep security in mind and just map what you really need.


8.2 Step 2
----------

Resolve IP address of all the names you listed in Step 1, and put them in your
local file /etc/hosts. We suppose all of them are fixed IP.
Sometimes two or more servers are mapped to the same IP. Practically it is the
same server that implements multiple functions. In the example below, we
suppose that pop3 and smtp services are on the same server.
Example of /etc/hosts:
    ______________________________________________________________________
    127.0.0.1   localhost.localdomain localhost
    ::1     localhost6.localdomain6 localhost6
    10.0.0.130  pop3.mycom.com smtp.mycom.com
    10.0.14.1   ldap.mycom.com
    10.1.0.5    proxy.mycom.com
    ______________________________________________________________________


8.3 Step 3
----------

Create a copy of your working vpnc config file:
#> cp /etc/vpnc/corp.conf /etc/vpnc/split.conf


8.4 Step 4
----------

Edit the new file "split.conf" and add the following line:
    Script /etc/vpnc/vpnc-script-corp-split
It will force this new configuration to use a special script file.


8.5 Step 5
----------

Create the file /etc/vpnc/vpnc-script-corp-split with following content
    ______________________________________________________________________
    #!/bin/sh

    # Add one IP to the list of split tunnel
    add_ip ()
    {
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255
        export CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32
        export CISCO_SPLIT_INC=$(($CISCO_SPLIT_INC + 1))
    }

    # Initialize empty split tunnel list
    export CISCO_SPLIT_INC=0

    # Delete DNS info provided by VPN server to use internet DNS
    # Comment following line to use DNS beyond VPN tunnel
    unset INTERNAL_IP4_DNS

    # List of IPs beyond VPN tunnel
    add_ip 10.0.0.130   # pop3.mycom.com and smtp
    add_ip 10.0.14.1    # ldap.mycom.com
    add_ip 10.1.0.5     # proxy.mycom.com

    # Execute default script
    . /etc/vpnc/vpnc-script

    # End of script
    ______________________________________________________________________

Parameter passed to "add_ip" is used, in /etc/vpnc/vpnc-script, to set routing
table by running either "ip" or "route" command, depending on system
configuration.
While "route" accepts both host names and IP in the command line, "ip"
strictly requires numeric IP.
This is quite annoying, since it would be easier to use only host names in the
script above, keeping numeric IP relations in /etc/hosts only.
Eventually, it could be possible to improve the script above by resolving names
before running /etc/vpnc/vpnc-script.
The command "gethostip" could be used for name resolution. Does anybody know
if the command "gethostip" is present in every Linux distro?


8.6 Step 6
----------

At last, provide the proper execution permission:
#> chmod 755 /etc/vpnc/vpnc-script-corp-split

That's all, folks!
You can now run:
#> vpnc split.conf

Reading the routing table, you can verify the split is active.
#> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
proxy.mycom.com *               255.255.255.255 UH    0      0        0 tun0
ldap.mycom.com  *               255.255.255.255 UH    0      0        0 tun0
pop3.mycom.com  *               255.255.255.255 UH    0      0        0 tun0
vpn.mycom.com   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        *               255.255.255.0   U     0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
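Putting Steps 1 to 6 together, here is an added example script (not from this thread, the mailing-list tutorial, or the vpnc project) that keeps the tutorial's CISCO_SPLIT_INC_* convention but refuses anything that is not a numeric IPv4 address before /etc/vpnc/vpnc-script sees it, resolves names with getent (which ships with glibc and honours the /etc/hosts entries pinned in Step 2, one answer to the question raised after Step 5), and prints the route list when the stock vpnc-script is absent so the allow-list can be checked without bringing the tunnel up. The three addresses are the tutorial's sample values; the helper names add_host, is_ipv4, resolve_ipv4 and list_split_routes and the file path are assumptions.

```shell
#!/bin/sh
# Hypothetical /etc/vpnc/vpnc-script-corp-split (added example, not the
# tutorial's script). vpnc runs it with $reason set; we only prepare the
# split-tunnel environment and then hand over to the stock vpnc-script.

# Accept only a dotted-quad IPv4 address. The stock script feeds the value to
# "ip route", which rejects host names, so fail loudly instead of silently
# ending up with a host that never enters the tunnel.
is_ipv4 () {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve a host name to its first IPv4 address through the system resolver
# (getent ships with glibc and reads /etc/hosts, where Step 2 pins the names).
resolve_ipv4 () {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1; exit }'
}

# Append one /32 host route to the list vpnc-script reads:
# CISCO_SPLIT_INC_<n>_ADDR/MASK/MASKLEN, counted by CISCO_SPLIT_INC.
add_ip () {
    is_ipv4 "$1" || { echo "vpnc-split: not an IPv4 address: $1" >&2; return 1; }
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_ADDR=$1"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASK=255.255.255.255"
    export "CISCO_SPLIT_INC_${CISCO_SPLIT_INC}_MASKLEN=32"
    CISCO_SPLIT_INC=$((CISCO_SPLIT_INC + 1))
    export CISCO_SPLIT_INC
}

# Resolve a name and add it. The route is only as trustworthy as the resolver
# answer, which is why the tutorial pins names in /etc/hosts first.
add_host () {
    resolved=$(resolve_ipv4 "$1")
    [ -n "$resolved" ] || { echo "vpnc-split: cannot resolve $1" >&2; return 1; }
    add_ip "$resolved"
}

# Print the routes that will be installed, one "ADDR/MASKLEN" per line.
list_split_routes () {
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        eval "addr=\$CISCO_SPLIT_INC_${i}_ADDR; len=\$CISCO_SPLIT_INC_${i}_MASKLEN"
        echo "$addr/$len"
        i=$((i + 1))
    done
}

export CISCO_SPLIT_INC=0
unset INTERNAL_IP4_DNS      # keep the local resolver, as the tutorial does

# Hosts that must go through the tunnel (the tutorial's sample addresses;
# keep this list short, it is the allow-list for the tunnel).
add_ip 10.0.0.130           # pop3.mycom.com and smtp.mycom.com
add_ip 10.0.14.1            # ldap.mycom.com
add_ip 10.1.0.5             # proxy.mycom.com

if [ -r /etc/vpnc/vpnc-script ]; then
    . /etc/vpnc/vpnc-script     # installs the routes when $reason is connect
else
    echo "vpnc-split: /etc/vpnc/vpnc-script not found; routes that would be added:" >&2
    list_split_routes >&2
fi
```

Install it as Steps 4 to 6 describe (point `Script` in split.conf at it and `chmod 755`), then compare the output of `route` with `list_split_routes`: every entry should appear as a UH route on tun0 and nothing else should, since any extra route on tun0 means more traffic than intended is leaving through the client's gateway.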
