Juniper VPN forces my traffic through the corporate proxy - can this be undone?

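When I connect to the corporate VPN from home, all traffic is redirected to the corporate proxy, which effectively blocks sites I would like to use freely while at home and slows down access to external sites. How can I get rid of this?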

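I asked the same question here, "Avoid corporate blocked URLs when using Cisco VPN", but my VPN client is Juniper and my operating system is Windows 7. None of those answers worked for me:

- The Juniper client has no "Use default gateway on remote network" setting
- I cannot find that setting in the Windows 7 Control Panel (I can find the connection, then IPv4 => Properties => Advanced => IP Settings, but there is nothing resembling "Use default gateway on remote network")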

Interestingly, on my other PC running WinXP, the same VPN client does not force traffic through the corporate proxy.

Answer 1

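It is absolutely possible. I wrote a script that sets static routes to my home gateway for all the IP ranges that I know do not need to go to the corporate network. It then launches the network connection and then updates the Instantproxy.pac file. (Note that my corporate network is at 136.xxx)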

The basic idea is below - good luck:

@echo off
echo Set up Static routes to home network then launch VPN application

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: Set interfaceID (found using ROUTE PRINT command) to be equal to the       :::
::: number of the interface of your regular network adapter.                   :::
::: Set homegw equal to the IP address of your home network g/w.               ::: 
:::                                                                            :::
:::    Issue the command as:     LaunchVPN Ethernet       or                   :::
:::                              LaunchVPN Wireless       or                   :::
:::                              LaunchVPN Gigabit                            :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

set lookfor=%1
set VPN_version=Network Connect 7.2.0


:: Look for the interface ID that corresponds with the argument passed. Most wireless
:: NIC cards are identified as "Wireless", Ethernet Cards either as "Ethernet" or "Gigabit"

@For /f "tokens=1" %%* in (
   'route.exe print ^|findstr /C:%lookfor%'
   ) Do @Set "interfaceID=%%*"


:: If we did not find any interface - it could be that we need to look for
:: a Gigabit adapter. (If this still fails - the argument passed will need to be
:: modified to match the specific string that identified your NIC. In a DOS
:: window issue the command "Route Print" to see how your NICs are shown.)

if (%interfaceID%)==() (set lookfor=Gigabit)

@For /f "tokens=1 delims=." %%* in (
   'route.exe print ^|findstr /C:%lookfor%'
   ) Do @Set "interfaceID=%%*"


@For /f "tokens=1 delims=." %%* in (
   'route.exe print ^|findstr /C:Juniper'
   ) Do @Set "VPNinterfaceID=%%*"


echo Setting up static routes to %lookfor% interface %interfaceID% using %VPN_version%
echo If you should be using a different version than %VPN_version% then update the batch file.

:: Now we need to find the default home gateway. Often this is 192.168.2.1
:: But we'll also search to see if there is a better value to be used.
:: This is to be used as the first hop for non-VPN traffic

set homegw=192.168.2.1


@For /f "tokens=3" %%* in (
   'route.exe print ^|findstr "\<0.0.0.0\>"'
   ) Do @Set "homegw=%%*"

echo Home Gateway is at IP address %homegw%
echo wait .........
pause

:: The loops below may need to be updated to match your specific network needs.
:: A good way to find this is to launch your VPN the normal way - and to see
:: which addresses need to go to your corporate net. Also, once the VPN is
:: launched, the instantproxy.pac file (that is created for you and stored in
:: "%USERPROFILE%\Application Data\Juniper Networks\Network Connect 7.0.0"
:: or equivalent location may hold some clues.
:: The objective is to make this loop issue the ROUTE command below only for
:: the range of IP address that do NOT need to go to your corp network.

set /a counter=0
:loop_one
set /a counter=%counter%+1
if %counter% ==127 (goto :done_one) 

route add %counter%.0.0.0 MASK 255.0.0.0 %homegw% METRIC 21 IF %interfaceID%

goto :loop_one
:done_one
set /a counter=127
:loop_two
set /a counter=%counter%+1
if %counter% ==136 (goto :done_two) 

route add %counter%.0.0.0 MASK 255.0.0.0 %homegw% METRIC 21 IF %interfaceID%

goto :loop_two
:done_two

set /a counter=136
:loop_three
set /a counter=%counter%+1
if %counter% ==198 (goto :loop_three)
if %counter% ==225 (goto :done_three) 

route add %counter%.0.0.0 MASK 255.0.0.0 %homegw% METRIC 21 IF %interfaceID%

goto :loop_three
:done_three



set /a counter=225
:loop_five
set /a counter=%counter%+1
if %counter% ==240 (goto :done_five) 


route add %counter%.0.0.0 MASK 255.0.0.0 %homegw% METRIC 22 IF %interfaceID%

goto :loop_five
:done_five

route add 192.168.2.0 MASK 255.255.255.0 %homegw% METRIC 15 IF %interfaceID%


Start "" "%PROGRAMFILES(x86)%\Juniper Networks\%VPN_version%\dsNetworkConnect.exe"
echo "wait until VPN client is fully launched and you have logged-in then hit any key.............."
pause

:: Once the client is launched, then kill the instantproxy.pac that is created each time
:: or overwrite it with your own version as needed.

copy /Y "%USERPROFILE%\Application Data\Juniper Networks\%VPN_version%\pacmanproxy.pac" "%USERPROFILE%\Application Data\Juniper Networks\%VPN_version%\instantproxy.pac"



@For /f "tokens=3" %%* in (
   'route.exe print ^|findstr "\< 1 \>"'
   ) Do @Set "VPNgw=%%*"

echo The VPN Gateway is at IP address %VPNgw%

:: route add 198.152.0.0 MASK 255.255.0.0 %VPNgw% METRIC 20 IF %VPNinterfaceID%
:: net use \\192.168.2.2 /USER:Bobby


echo "Done - ready to use now"
pause

Answer 2

Possibly. There is not enough information to give a comprehensive and specific answer.

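Routes are added and removed as interfaces (physical or logical) are brought up and down. An interface-up operation adds routes, and (usually) the most recently added route is preferred. What probably happens when you log in to the VPN is that a new logical network interface is created/activated and the routing table is updated to use it by default. Assuming the Juniper client creates a tunnel interface and does not add a local host firewall (and that you are not violating company policy - this may be deliberate), you should be able to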

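  • replace the default route (setting it back to your home router via the Ethernet/Wi-Fi interface),
  • add specific routes to the corporate network via the tunnel interface.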

KB 140859, from the question you linked, provides plenty of theory but not much practice.

If you understand the theory, then running netsh interface show interface and route print before and after connecting should be informative.
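
The before/after comparison suggested in this answer, as an added example that is not part of the original answer: it parses two saved `route print` snapshots, lists the routes that changed, and reports which default route now has the lowest metric. It assumes English-language `route print` output; the function names and the sample addresses (including the 10.20.0.x tunnel) are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    dest: str
    mask: str
    gateway: str
    interface: str
    metric: int

def parse_routes(text):
    """Rows of the IPv4 'Active Routes' table from English `route print` output."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("IPv4 Route Table"):
            in_v4 = True
        elif line.startswith(("Persistent Routes:", "IPv6 Route Table")):
            in_v4 = False
        f = line.split()
        if not (in_v4 and len(f) == 5 and f[4].isdigit()):
            continue
        try:  # skip anything whose first two columns are not IPv4 values
            ipaddress.IPv4Address(f[0]); ipaddress.IPv4Address(f[1])
        except ValueError:
            continue
        routes.append(Route(f[0], f[1], f[2], f[3], int(f[4])))
    return routes

def default_route(routes):
    """Lowest-metric 0.0.0.0/0 entry, i.e. the path Internet-bound traffic takes."""
    defaults = [r for r in routes if (r.dest, r.mask) == ("0.0.0.0", "0.0.0.0")]
    return min(defaults, key=lambda r: r.metric, default=None)

def diff_routes(before, after):
    """(added, removed) routes between two snapshots."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))

# Constructed sample snapshots (not captured from a real machine).
HDR = "IPv4 Route Table\nActive Routes:\nNetwork Destination  Netmask  Gateway  Interface  Metric\n"
LAN = "  192.168.2.0  255.255.255.0  On-link  192.168.2.50  281\nPersistent Routes:\n  None\n"
BEFORE = HDR + "  0.0.0.0  0.0.0.0  192.168.2.1  192.168.2.50  25\n" + LAN
AFTER = (HDR + "  0.0.0.0  0.0.0.0  192.168.2.1  192.168.2.50  4250\n"
             + "  0.0.0.0  0.0.0.0  10.20.0.1  10.20.0.15  1\n" + LAN)

if __name__ == "__main__":
    added, removed = diff_routes(parse_routes(BEFORE), parse_routes(AFTER))
    for r in added: print("+", *r)
    for r in removed: print("-", *r)
    print("default now via", default_route(parse_routes(AFTER)).gateway)
```

To use it on a real machine, save `route print` to a file before and after connecting and pass the file contents to `parse_routes`.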

Answer 3

Probably not.

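If you could, you would essentially be bridging the corporate network with the public Internet, which is something your administrators try to avoid. VPN solutions can usually be configured to do what you want, but it is not something the client gets to decide; it is set by the administrator.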
