Amicon VPN client is a network filter on interface driver.
If you want to deploy gateway which used by other users to connect to VPN you must forward traffic to user-space and then forward it outside and then filter grab this traffic and sent it to VPN server.
(If you just add route to routing table, linux forward traffic before VPN network filter can grab it.)
We can make it with IPTables and UNATd (thanks to alsterg).
First of all compile unatd and run it
# unatd -p 2002 -n ens192
Change ens192 to your "internet" interface.
Now you can see that unatd listen port 2002
# ss -tulpn | grep 2002
Next step is add IPTables rule for marking interested traffic:
# iptables -t mangle -A PREROUTING -s 10.10.0.2/32 -p tcp -j TPROXY --on-port 2002 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
# iptables -t mangle -A DIVERT -j ACCEPT
In this example I forward all TCP from 10.10.0.2, but you can use it for whole network or for specific port.
Then you need to create matching rule for specific mark (in new routing table, aka VRF):
# ip rule add fwmark 1 lookup 100
Add route to new routing table
# ip route add local 0.0.0.0/0 dev lo table 100
Now you can start VPN client and try to connect to hosts behind VPN from 10.10.0.2 PC.
# cd /usr/lib/Amicon_ip-client/
# ./ip-clientstartup-cli start
# ./ip-client CONNECT <PIN>
show logging:
# less log/SrvLog.csv
This is a example systemd unit file for autostart unatd:
[Unit]
Description=Service for user space NAT
After=network
[Service]
ExecStart=/root/unatd/unatd -p 2002 -n ens192
ExecStartPost=/usr/sbin/ip rule add fwmark 1 lookup 100
ExecStartPost=/usr/sbin/ip route add local 0.0.0.0/0 dev lo table 100
TimeoutStopSec=5
[Install]
WantedBy=multi-user.target
This is a example systemd unit file for autostart VPN client:
[Unit]
Description=Ip-client CLI kernel module and daemon startup
[Service]
#Type=forking
RemainAfterExit=yes
ExecStart=/bin/bash -c 'PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin sleep 2; exec /usr/lib/Amicon_ip-client/ip-clientstartup-cli start'
ExecStartPost=/bin/bash -c 'PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin sleep 10; /usr/bin/ip-client CONNECT 6722'
ExecStop=/usr/lib/Amicon_ip-client/ip-clientstartup-cli stop
[Install]
WantedBy=multi-user.target
If you want to deploy gateway which used by other users to connect to VPN you must forward traffic to user-space and then forward it outside and then filter grab this traffic and sent it to VPN server.
(If you just add route to routing table, linux forward traffic before VPN network filter can grab it.)
We can make it with IPTables and UNATd (thanks to alsterg).
First of all compile unatd and run it
# unatd -p 2002 -n ens192
Change ens192 to your "internet" interface.
Now you can see that unatd listen port 2002
# ss -tulpn | grep 2002
Next step is add IPTables rule for marking interested traffic:
# iptables -t mangle -A PREROUTING -s 10.10.0.2/32 -p tcp -j TPROXY --on-port 2002 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
# iptables -t mangle -A DIVERT -j ACCEPT
In this example I forward all TCP from 10.10.0.2, but you can use it for whole network or for specific port.
Then you need to create matching rule for specific mark (in new routing table, aka VRF):
# ip rule add fwmark 1 lookup 100
Add route to new routing table
# ip route add local 0.0.0.0/0 dev lo table 100
Now you can start VPN client and try to connect to hosts behind VPN from 10.10.0.2 PC.
# cd /usr/lib/Amicon_ip-client/
# ./ip-clientstartup-cli start
# ./ip-client CONNECT <PIN>
show logging:
# less log/SrvLog.csv
This is a example systemd unit file for autostart unatd:
[Unit]
Description=Service for user space NAT
After=network
[Service]
ExecStart=/root/unatd/unatd -p 2002 -n ens192
ExecStartPost=/usr/sbin/ip rule add fwmark 1 lookup 100
ExecStartPost=/usr/sbin/ip route add local 0.0.0.0/0 dev lo table 100
TimeoutStopSec=5
[Install]
WantedBy=multi-user.target
This is a example systemd unit file for autostart VPN client:
[Unit]
Description=Ip-client CLI kernel module and daemon startup
[Service]
#Type=forking
RemainAfterExit=yes
ExecStart=/bin/bash -c 'PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin sleep 2; exec /usr/lib/Amicon_ip-client/ip-clientstartup-cli start'
ExecStartPost=/bin/bash -c 'PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin sleep 10; /usr/bin/ip-client CONNECT 6722'
ExecStop=/usr/lib/Amicon_ip-client/ip-clientstartup-cli stop
[Install]
WantedBy=multi-user.target
Комментарии
Отправить комментарий