So, the goal is simple:
- I want to work remotely inside my employer's VPN network
- At the same time, I want to route everything else through NordVPN
In the end, all traffic should go through one VPN service or the other, either the employer's VPN or NordVPN.
However, I have a few requirements:
- NordVPN Threat Protection should stay enabled (so DNS settings cannot be changed)
- I don't want to change `iptables` by hand
- I want the setup to be more or less automated
Answer 1
What I found works for me is this initial setup:
- Temporarily disconnect from NordVPN.
- Fully establish the employer VPN.
- Look at `ip route` for the lines that contain the `via` keyword and a `tun`/`tap` device.
  - Extract the list of employer subnets from them and run `nordvpn whitelist add subnet CIDR_NOTATION` for each subnet.
  - Note that every single IP address must be converted to CIDR notation with a `/32` suffix.
- Connect to NordVPN again.
After that I had fully working split tunneling between the two VPNs. Note that I don't have to take care of the setup again unless the employer changes the routes it pushes. In that case, running the initial setup again should fix it.
Note that some of the employer's subnets may conflict with NordVPN's subnets, but NordVPN seems to fail over to other nodes that don't conflict, since my employer basically uses 10.0.0.0/8.
This is the shell script that works for me:
```bash
#!/bin/bash
set -eo pipefail

# True if the current user may drive the nordvpn CLI without sudo.
function user_can_modify_nordvpn {
    groups | grep -qE "nordvpn|root"
}

# Run a nordvpn subcommand, escalating with sudo only when needed.
function nordvpn_cmd {
    if user_can_modify_nordvpn; then
        nordvpn "$@"
    else
        sudo nordvpn "$@"
    fi
}

echo "First thing to do, is that you need to be disconnected from the NordVPN temporarily."
echo " - the reason is to first establish full connection to your office VPN and fetch all the routes provided by it"
echo " - once we know all the office VPN routes, we will whitelist the involved subnets to NordVPN and start it"
echo " - in that point, both VPNs should work fine - office traffic should be routed through office VPN and everything else through the NordVPN"
echo
read -n 1 -r -p "Now, I need you to prepare for a manual action. I will first disconnect you from NordVPN, so be prepared to spin up your office VPN. Are you ready? (Y/n)"
echo
# Abort on an explicit "n"/"N"; any other key continues.
[[ "$REPLY" =~ ^[Nn]$ ]] && exit 1 || true

nordvpn_cmd d

read -n 1 -r -p "NordVPN disconnected. Please spin up your office VPN now. Press any key after you verified successful connection."
echo

# Collect destinations of routes that go via a gateway on a tun/tap device;
# bare host addresses get a /32 suffix so they are valid CIDR for nordvpn.
# "|| true" keeps set -e/pipefail from killing the script when grep finds nothing,
# so the explicit check below can print a useful error instead.
OFFICE_SUBNETS=$(ip route | grep -E "tun|tap" | grep via | awk '{print $1}' \
    | sed 's:^\([^/]\+\)$:&/32:' | tee /tmp/office_subnets.txt || true)

# "wc -l" on an empty string reports 1, so test for emptiness directly.
if [ -z "$OFFICE_SUBNETS" ]; then
    echo "ERROR: No 'tun'|'tap' devices found in 'ip route'! So no subnets to add for NordVPN whitelisting." >&2
    exit 1
fi

for subnet in $OFFICE_SUBNETS; do
    nordvpn_cmd whitelist add subnet "$subnet"
done

nordvpn_cmd c
```
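The route-extraction step above is the part most likely to misbehave, for example when the office VPN also pushes a default route over `tun0`, which a naive "append /32 to anything without a slash" rule would turn into `default/32`. The following is an added example, not code from the answer above, that isolates that step into a function which parses `ip route` output, skips the default route, normalizes bare host addresses to `/32`, and de-duplicates the result. The sample routing table is constructed for the example; `extract_office_subnets` and `office_subnets_from_sample` are names chosen here.

```shell
#!/bin/bash
# Added example: derive office-VPN whitelist entries from `ip route` output.
# Assumes Linux `ip route` formatting and a tunnel interface named tun*/tap*.

extract_office_subnets() {
  # Reads `ip route` lines on stdin; prints one CIDR per line, sorted and unique.
  awk '
    # Keep only routes pushed over a tunnel device and reached via a gateway.
    /via/ && /dev (tun|tap)[0-9]*/ {
      dst = $1
      # A default route must never be whitelisted: it would read "default/32".
      if (dst == "default" || dst == "0.0.0.0/0") next
      # Host routes carry no prefix length; nordvpn wants explicit /32.
      if (dst !~ /\//) dst = dst "/32"
      print dst
    }
  ' | sort -u
}

# Constructed sample routing table, modelled on what an office VPN pushes.
# Note the tunnel default route and the duplicated host route.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
default via 10.8.0.1 dev tun0 metric 50
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.5.10 via 10.8.0.1 dev tun0
172.16.5.10 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

office_subnets_from_sample() {
  printf '%s\n' "$SAMPLE_ROUTES" | extract_office_subnets
}

# On a real machine: ip route | extract_office_subnets
office_subnets_from_sample
```

Run against the sample it prints `10.0.0.0/8` and `172.16.5.10/32` only: the tunnel default route is dropped, the `scope link` route without `via` is ignored as in the original pipeline, and the duplicate host route collapses to one entry.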