The VPN provider of Nanjing University has recently been changed to Sangfor, one of the biggest companies providing corporate SDN, VPN and other enterprise network solutions in China. However, the SSL VPN client from Sangfor is extremely hard to use: it changes the default DNS server without any notification, hijacks all UDP packets whose dport is 53, and even removes all the default routes generated from the CIDR of interfaces, which prevents the client from connecting to any LAN device except **.**.**.1. These issues are described as “features” of their products in a training manual that I found on Baidu Wenku.
After digging into the VPN client for several days, I finally gave up trying to add any kind of plugin or extension, because they don’t allow it. The client binary comes with a daemon that watches the route table and DNS settings. Even when I use chattr to prevent any changes to /etc/resolv.conf, both the daemon and the VPN client refuse to work and only print an error.
From their perspective, I totally understand that they always have to face unusual environments on the client side. But for me, all these issues or features are obstructions that mess up my development configuration.
So I ended up launching an independent VM in my home cluster with V2Ray and the Sangfor SSL VPN client installed. V2Ray runs in serving mode: it accepts and handles incoming traffic from the real client as well as my Mac, then relays the traffic from the VM, which is also in the VPN. Thus, whenever I need the campus network, all I have to do is connect to the proxy provided by V2Ray using SwitchyOmega, Surge or any other SOCKS5-compatible tool, without this terrible client.
Here are the scripts that I use.
# Install gnome and GUI in order to run VPN client.
Here is an example V2Ray configuration for it. Please note that outbounds.streamSettings.sockopt.mark is set to 254, which is the same value used in the routing policies described above.
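A consistency check for the mark described above, as an added example that is not part of the original post: it reads a V2Ray config and the output of ip rule show, and reports which routing table each outbound's sockopt.mark selects. The sample config, the rule output, table 100 and all function names are constructed for illustration.

```python
import json
import re

# Constructed sample config (not the author's): SOCKS inbound, one marked outbound.
SAMPLE_CONFIG = """{
  "inbounds": [{"port": 1080, "protocol": "socks", "settings": {"auth": "noauth"}}],
  "outbounds": [
    {"tag": "campus", "protocol": "freedom",
     "streamSettings": {"sockopt": {"mark": 254}}},
    {"tag": "plain", "protocol": "freedom"}
  ]
}"""

# Constructed `ip rule show` output; table 100 is an assumed table id.
# iproute2 prints fwmark in hex, so mark 254 appears as 0xfe.
SAMPLE_RULES = """0:      from all lookup local
32765:  from all fwmark 0xfe lookup 100
32766:  from all lookup main
32767:  from all lookup default
"""

FWMARK_RE = re.compile(
    r"fwmark (0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?\s+lookup (\S+)")


def outbound_marks(config_text):
    """Map each outbound tag to its sockopt.mark (None when unset or 0)."""
    marks = {}
    for i, ob in enumerate(json.loads(config_text).get("outbounds", [])):
        sockopt = (ob.get("streamSettings") or {}).get("sockopt") or {}
        marks[ob.get("tag", f"outbound[{i}]")] = sockopt.get("mark") or None
    return marks


def fwmark_rules(rule_text):
    """Return (mark, mask, table) for each fwmark rule in `ip rule show` output."""
    return [(int(m.group(1), 0), int(m.group(2) or "0xffffffff", 0), m.group(3))
            for m in FWMARK_RE.finditer(rule_text)]


def table_for_outbounds(config_text, rule_text):
    """Map each outbound tag to the table its mark selects (None: no rule matches)."""
    rules = fwmark_rules(rule_text)
    return {tag: next((table for value, mask, table in rules
                       if mark is not None and mark & mask == value & mask), None)
            for tag, mark in outbound_marks(config_text).items()}


if __name__ == "__main__":
    print(table_for_outbounds(SAMPLE_CONFIG, SAMPLE_RULES))
```

An outbound that maps to None carries no mark or a mark that no rule matches, so its traffic follows the default routing tables instead of the intended one.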