禁用某些本地设备的 VPN,例如我需要 ssh 进入的嵌入式 Linux 板(使用 VPN 时允许本地(LAN)访问)

tag-icon tag-icon networking ssh vpn ip
禁用某些本地设备的 VPN,例如我需要 ssh 进入的嵌入式 Linux 板(使用 VPN 时允许本地(LAN)访问)

我的 Ubuntu 18.04 机器上有 Cisco Annyconnect VPN。我还插入了一块嵌入式 Linux 板,需要通过 ssh 连接。

但是,每当我连接到 VPN 时,我都无法再与本地电路板通信(ping 10.1.2.3连接 VPN 时失败,也是如此)。我如何才能仅为此电路板禁用 VPN,以便与此本地电路板通信的接口不ssh [email protected]不是通过 VPN 吗?

示例信息:

  1. 我的主要 Ubuntu 机器:
    1. 连接本本地Linux板的接口的接口名称(如图所示ifconfig):enxf8e43b9df776
    2. 本地 Linux 板的静态 IP:10.1.2.1
    3. 网络掩码:255.255.255.0
  2. 我需要通过 ssh 进入的本地嵌入式 Linux 板:
    1. 静态 IP 地址:10.1.2.3
    2. 网络掩码:255.255.255.0

这对我不起作用:是否有可能在某些应用程序上停止使用 VPN?

我需要能够使用 VPN 连接到一些远程网络,同时使用我的当地的嵌入式Linux板。

可能有用:

  1. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html
    1. grep -rn 'LocalLanAccess' /opt/cisco
    2. grep -rn '<AnyConnectProfile' /opt/cisco
  2. 我需要尝试一下;这真是个不错的主意!-构建自定义函数、C++ 名称修改等等!-并在库加载时预加载它以通过该名称覆盖内部函数:超级用户:如何在连接到 Cisco VPN 时允许本地 LAN 访问?
  3. OpenConnect - 一个值得尝试的替代方案,显然与 Cisco AnyConnect 兼容
    1. https://gitlab.com/openconnect/openconnect
    2. http://www.infradead.org/openconnect/

以下是我做过的一些事情不是证明可以解决问题或有用(至少现在还不行):

grep -rn 'LocalLanAccess' /opt/cisco


$ grep -rn 'LocalLanAccess' /opt/cisco
/opt/cisco/anyconnect/.anyconnect_global:15:<LocalLanAccess>false</LocalLanAccess></ControllablePreferences>
Binary file /opt/cisco/anyconnect/lib/libvpnapi.so matches
Binary file /opt/cisco/anyconnect/lib/libvpnagentutilities.so matches
/opt/cisco/anyconnect/profile/vpn_profile.xml:15:       <LocalLanAccess UserControllable="true">false</LocalLanAccess>
/opt/cisco/anyconnect/profile/AnyConnectProfile.xsd:325:            <xs:element name="LocalLanAccess" default="false" minOccurs="0">


cp -i /opt/cisco/anyconnect/.anyconnect_global /opt/cisco/anyconnect/.anyconnect_global.bak
cp -i /opt/cisco/anyconnect/profile/vpn_profile.xml /opt/cisco/anyconnect/profile/vpn_profile.xml.bak
cp -i /opt/cisco/anyconnect/profile/AnyConnectProfile.xsd /opt/cisco/anyconnect/profile/AnyConnectProfile.xsd.bak


# manually update all 3 files to true

$ grep -rn 'LocalLanAccess' /opt/cisco
/opt/cisco/anyconnect/.anyconnect_global:15:<LocalLanAccess>true</LocalLanAccess></ControllablePreferences>
Binary file /opt/cisco/anyconnect/lib/libvpnapi.so matches
Binary file /opt/cisco/anyconnect/lib/libvpnagentutilities.so matches
/opt/cisco/anyconnect/profile/vpn_profile.xml:15:       <LocalLanAccess UserControllable="true">true</LocalLanAccess>
/opt/cisco/anyconnect/profile/AnyConnectProfile.xsd:325:            <xs:element name="LocalLanAccess" default="true" minOccurs="0">

答案1

解决了!

openconnect而是通过包装器使用openconnect-sso!Cisco AnyConnect 有意阻止 LAN 访问。

基本用法openconnect-sso

VPN_SERVER_ADDRESS="myvpn.whatever.com"   # example server address to connect to
VPN_SAML_GROUP="whatever-saml-whatever"   # example SAML group name
VPN_USER="[email protected]"      # example username
# or perhaps just this for the username:
# VPN_USER="my.username"

# connect via `openconnect-sso`
# The first time ever, you must specify everything
openconnect-sso --server "${VPN_SERVER_ADDRESS}/${VPN_SAML_GROUP}" --user "${VPN_USER}"
# Subsequent connection attempts can be done with just this, since apparently
# the server address, SAML group, and username are cached after the first usage
openconnect-sso

为了完整详细信息、屏幕截图和安装说明,请参阅我的回答:openconnect-sso如何通过 Okta 单点登录 (SSO)将“openconnect”(通过包装器)与 SAML 和 Duo 双因素身份验证结合使用

相关内容