Start

I’m at home on vacation and need EasyConnect to reach the school’s intranet: I occasionally have to connect to the school’s servers or open intranet pages, so I planned to install it.

But! EasyConnect is rogue software, often described as "cancerous" software. So I started looking for ways to deal with it.

Under macOS, EasyConnect primarily behaves as follows.

  1. It keeps two background resident processes, EasyMonitor and ECAgentProxy, both running with root privileges.
  2. It automatically installs root certificates, both into the system trust store and into Firefox’s certificate store, and reinstalls them after they are deleted.

PS: Resident processes with root privileges can read and write anything on the machine; an installed root certificate means the software can man-in-the-middle TLS connections and tamper with their data at will.

Method 1

This method suits computers with EasyConnect already installed and involves minimal fiddling.

  1. Use sudo su to obtain root privileges.
  2. Delete (rm) /Library/LaunchDaemons/com.sangfor.EasyMonitor.plist.
  3. Delete /Library/LaunchAgents/com.sangfor.ECAgentProxy.plist.
  4. Reboot the Mac.
  5. Open Keychain Access and delete the certificate under System Keychain - System - Certificates (search keyword: sangfor).

Be sure to restart the Mac before deleting the certificate: otherwise the EasyMonitor process still running in the background will re-import the certificate as soon as it is deleted.

This eliminates the problems with EasyConnect. However, EasyConnect can then no longer connect on its own, so it has to be started in a safe way. Two scripts handle starting and exiting.
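As an added example, not from the original post, the following bash script audits a Mac for the three indicators listed above (the two launchd plists, EasyMonitor/ECAgentProxy running as root, and Sangfor certificates in the System keychain), which is a convenient way to confirm that every step of Method 1 actually took effect. The function and variable names are this script’s own; the plist paths and the "sangfor" keyword are the ones given in the post.

```shell
#!/bin/bash
# Added example (not from the original post): audit a Mac for the EasyConnect
# footprint described above: the two launchd plists, EasyMonitor/ECAgentProxy
# running as root, and Sangfor certificates in the System keychain.
set -u

# The plists named in the post, relative to /Library. The root directory is a
# parameter so the check can also run against a fixture or a backup copy.
EC_PLISTS="LaunchDaemons/com.sangfor.EasyMonitor.plist LaunchAgents/com.sangfor.ECAgentProxy.plist"

# ec_plists_present ROOT: print each EasyConnect plist still present under ROOT.
# Returns 0 if any remain, 1 if none do.
ec_plists_present() {
  local root="$1" rel found=1
  for rel in $EC_PLISTS; do
    if [ -e "$root/$rel" ]; then
      echo "plist still installed: $root/$rel"
      found=0
    fi
  done
  return "$found"
}

# ec_root_processes: read `ps -axo user=,comm=` output on stdin and print the
# EasyConnect processes that run as root. Returns 0 if any were found, else 1.
# Reading stdin instead of calling ps lets a saved listing be checked as well.
ec_root_processes() {
  awk '$1 == "root" && $NF ~ /(EasyMonitor|ECAgentProxy|ECAgent)$/ {
         print "root process: " $NF; n++
       }
       END { if (n > 0) exit 0; exit 1 }'
}

# ec_sangfor_certs: count certificates in the System keychain whose label
# contains "sangfor" (the keyword the post uses), case-insensitively. The
# `security` tool exists only on macOS; elsewhere report 0.
ec_sangfor_certs() {
  if ! command -v security >/dev/null 2>&1; then
    echo 0
    return 0
  fi
  security find-certificate -a /Library/Keychains/System.keychain 2>/dev/null \
    | grep '"labl"' | grep -ci sangfor || true
}

# ec_audit: run all three checks against the live system.
ec_audit() {
  ec_plists_present /Library || echo "no EasyConnect launchd plists under /Library"
  ps -axo user=,comm= | ec_root_processes || echo "no EasyConnect processes running as root"
  echo "Sangfor certificates in the System keychain: $(ec_sangfor_certs)"
}

# The live audit only makes sense on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
  ec_audit
fi
```

Run it once before Method 1 to see the baseline and once after the reboot and certificate deletion; a clean machine prints the two "no EasyConnect ..." lines and a certificate count of 0.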

startEasyConnect.sh

#!/bin/bash
# Start EasyMonitor and the EasyConnect app as the current (non-root) user,
# detached from the terminal. Without root, EasyMonitor cannot import root certificates.
/Applications/EasyConnect.app/Contents/Resources/bin/EasyMonitor > /dev/null 2>&1 &
/Applications/EasyConnect.app/Contents/MacOS/EasyConnect > /dev/null 2>&1 &

killEasyMonitor.sh

#!/bin/bash
# Stop the EasyConnect background processes started by startEasyConnect.sh.
# pkill matches on process name; "ECAgent" also matches ECAgentProxy.
pkill EasyMonitor
pkill ECAgent
pkill ECAgentProxy

Place the two scripts in a directory on your PATH and make them executable:

chmod +x startEasyConnect.sh
chmod +x killEasyMonitor.sh

When you need EasyConnect, run the start script (startEasyConnect.sh) as a regular user; the EasyMonitor process then has no permission to import the root certificate. After quitting EasyConnect, run killEasyMonitor.sh to kill the EasyMonitor process left in the background.

Method 2

Suitable for those who have not yet installed EasyConnect, know some Docker and are not afraid of a little trouble. (This is the method I currently use.)

Installing Docker

  • Windows
  • macOS

Installing Clash

  • Windows
  • On macOS, ClashX or ClashX Pro can be installed instead.

Install VNC Viewer (optional)

If your EasyConnect requires a graphical interface to log in, you need to install VNC Viewer; otherwise skip this step.

If you are not sure, skip this step and come back to it if, when running EasyConnect with Docker, you find that the login cannot be completed from the command line.

Installing VNC Viewer is very simple: go to the Download page on the official website, pick the appropriate version, download it and click through the installer.

Installing a text editor

Because the steps involve editing YAML files, install an editor such as VSCode. Notepad is not suitable: it has no syntax highlighting, spell checking or automatic formatting, so indentation, spelling and punctuation mistakes are easy to make and hard to find.

VSCode is free; another recommended editor is Sublime Text (paid).

Running EasyConnect with Docker

First make sure Docker is running (try docker ps -a). Open a terminal and enter one of the commands below, depending on whether you need a graphical interface.

2022.12.29 Updated

I have an Intel MacBook; as a commenter pointed out, the tutorial below does not apply to Apple’s own M-series chips, i.e. arm machines.

Since I don’t have an M-chip machine, if you need one please try building the non-amd64 branch yourself; see issue167 for details. If you run into new problems while building, read the other issues people have raised.

Pure command line version:

touch ~/.easyconn
docker run --device /dev/net/tun --cap-add NET_ADMIN -v $HOME/.easyconn:/root/.easyconn -it -p 127.0.0.1:1080:1080 -p 127.0.0.1:8888:8888 -e IPTABLES_LEGACY=1 -e EC_VER=7.6.3 -e CLI_OPTS="-d vpn.xxx.edu.cn -u USERNAME -p PASSWORD" hagb/docker-easyconnect:cli

The commands are explained below.

  • The first line creates a configuration file in the current user’s $HOME directory to save the login information.
  • The second line starts a Docker container running the command-line version of EasyConnect.
    • --device /dev/net/tun --cap-add NET_ADMIN lets the container create the TUN virtual network device.
    • -it gives us an interactive terminal so the container can display information.
    • -v specifies the mounted volume; here we map the configuration file in the current user’s $HOME directory into the container so that the login information persists.
    • -p specifies the container’s port mappings; change the port numbers to suit your situation. 1080 is the SOCKS5 proxy port and 8888 is the HTTP proxy port.
    • -e EC_VER sets the environment variable EC_VER in the container, i.e. the EasyConnect (Sangfor) version; it should preferably match the server side.
    • -e CLI_OPTS sets the environment variable CLI_OPTS in the container, the arguments passed to EasyConnect: -d specifies the VPN address, -u the user name and -p the password. Replace these with your own values!
    • -e IPTABLES_LEGACY=1 uses the legacy iptables command, mainly for compatibility with WSL; on some WSL distributions the VPN does not work without it. (Optional)

For the specific parameter settings, refer to usage.md.

GUI version:

docker run --device /dev/net/tun --cap-add NET_ADMIN -ti -e PASSWORD=xxxx -v $HOME/.ecdata:/root -p 127.0.0.1:5901:5901 -p 127.0.0.1:1080:1080 hagb/docker-easyconnect:7.6.3

Here hagb/docker-easyconnect:7.6.3 means version 7.6.3 of EasyConnect; change the version number to match your situation.

PS: If port 5901 or 1080 is already occupied by another service, change the host side of the -p mappings in the docker command above (the example below is the GUI version; the command-line version is changed the same way): -p 127.0.0.1:15901:5901 and -p 127.0.0.1:10180:1080. Replace 15901 and 10180 with unoccupied ports of your own.

docker run --device /dev/net/tun --cap-add NET_ADMIN -ti -e PASSWORD=xxxx -v $HOME/.ecdata:/root -p 127.0.0.1:15901:5901 -p 127.0.0.1:10180:1080 hagb/docker-easyconnect:7.6.3

Graphical VNC Viewer connection

After the command has started, open VNC Viewer and click File -> New connection in the upper left corner, or right-click in the blank area and choose New connection, or press Ctrl + N. In the dialog that opens, fill in 127.0.0.1:5901 as the VNC Server; the Name can be left empty.

[Screenshot: VNC Viewer]

After clicking OK, double-click the connection we just created, enter the password (the xxxx from PASSWORD in the docker command) and you are connected.

Running EasyConnect in Docker is much more convenient: there is no captcha to enter.

Also, the project remembers the server address you entered, so in future you only need to click the login button.

At this point you have a SOCKS5 proxy listening on port 1080 on your computer; the next step is to configure Clash to forward traffic through it when needed.

Configuring Clash

This section describes how you can use EasyConnect’s VPN service when you need it.

First run Clash and click Profiles in the left navigation bar; you will see a default config.yaml (or you can edit another profile if you have one). Click the button shaped like < > to the right of the profile you want to edit, which opens it in a text editor, and append the following at the end.

# Add a socks5 proxy with the name vpn
proxies:
  - {"name": "vpn", "type": "socks5", "server": "127.0.0.1", "port": "1080"}

# Add rules for ip-cidr
rules:
  - IP-CIDR,222.192.6.0/24,vpn

Caution:

The 222.192.6.0/24 entered here means that only traffic to 222.192.6.xxx goes through the proxy configured above; change it to match your actual situation.

Of course, if you are editing a profile from your own proxy provider (an "airport" subscription), add the entries above under the existing proxies and rules keys; do not add a second copy of those two keys.

Now turn System Proxy on in Clash’s General page and you will have access to the school’s intranet, but not to remote desktops and similar features; those require further configuration if you need them.

Configure ClashX

Similar to the above.

proxies:
  - { name: 'vpn', type: socks5, server: 127.0.0.1, port: 1080 }

rules:
  - 'IP-CIDR,172.20.2.0/24,vpn'

Configuring TUN mode

For TUN mode, the official documentation describes it as follows.

For software that does not follow the system proxy, TUN mode can take over its traffic and hand it to CFW. On Windows, TUN mode performs better than TAP mode.

Applications such as browsers use the system proxy, and some applications that do not can be set up to be handled by CFW. In short, once TUN mode is configured, our requirement is met. To enable TUN mode, do the following (macOS users skip the first two steps):

  1. Open the General page of Clash, find Home Directory and click Open Folder on the right to open the home directory folder.
  2. Go to the Wintun website and click Download Wintun xxx to download the zip package. Copy wintun.dll from the directory matching your system under wintun-x.xx/wintun/bin into the Home Directory folder: use the amd64 build for 64-bit operating systems on x86-64 processors, and the arm64 build for M1 Macs.
  3. Click Manage to the right of Service Mode in General and install Service Mode in the window that opens; the application restarts automatically when installation finishes, and the globe icon to the right of Service Mode turns green.
  4. Click Settings -> Profile Mixin -> YAML, click Edit to the right of YAML, enter the following content and click the button at the bottom right to save.

mixin:
  hosts:
    'mtalk.google.com': 108.177.125.188
    'services.googleapis.cn': 74.125.203.94
    'raw.githubusercontent.com': 151.101.76.133
  dns:
    enable: true
    default-nameserver:
      - 223.5.5.5
      - 1.0.0.1
    ipv6: false
    enhanced-mode: redir-host #fake-ip
    nameserver:
      - https://dns.rubyfish.cn/dns-query
      - https://223.5.5.5/dns-query
      - https://dns.pub/dns-query
    fallback:
      - https://1.0.0.1/dns-query
      - https://public.dns.iij.jp/dns-query
      - https://dns.twnic.tw/dns-query
    fallback-filter:
      geoip: true
      ipcidr:
        - 240.0.0.0/4
        - 0.0.0.0/32
        - 127.0.0.1/32
      domain:
        - +.google.com
        - +.facebook.com
        - +.twitter.com
        - +.youtube.com
        - +.xn--ngstr-lra8j.com
        - +.google.cn
        - +.googleapis.cn
        - +.gvt1.com
  tun:
    enable: true
    stack: gvisor
    dns-hijack:
      - 198.18.0.2:53
    macOS-auto-route: true
    macOS-auto-detect-interface: true # auto-detect the outbound interface

  5. Return to the General page and turn on Mixin, then click Connections: all connections are now in TUN mode, and the configuration is complete.

For more detailed configuration, please refer to the TUN mode page of the official documentation.

Filtering applications

The related rules are as follows.

proxies:
  - name: "officeVpnProxy"
    type: "socks5"
    server: "127.0.0.1"
    port: "10180"
proxy-groups:
  # programs
  - name: "programs"
    type: select
    proxies:
      - "DIRECT"
      - "PROXY"
rules:
  # programs
  - PROCESS-NAME,vpnkit.exe,programs
  - PROCESS-NAME,vpnkit-bridge.exe,programs
  - PROCESS-NAME,com.docker.dev-envs.exe,programs
  - PROCESS-NAME,com.docker.backend.exe,programs
  - PROCESS-NAME,com.docker.extensions.exe,programs
  - PROCESS-NAME,com.docker.proxy.exe,programs
  - PROCESS-NAME,com.docker.service,programs
  - PROCESS-NAME,com.docker.wsl-distro-proxy.exe,programs
  - PROCESS-NAME,Docker Desktop.exe,programs
  - PROCESS-NAME,docker.exe,programs
  - PROCESS-NAME,wsl.exe,programs
  - PROCESS-NAME,wslhost.exe,programs

Note: the port must match the one you configured in the docker command earlier.

Rebooting

When you have closed the terminal window or rebooted the computer and want to use EasyConnect again, you only need to start the existing container and click Login in VNC Viewer (if you do not use the graphical interface, starting the container is all that is needed).

You do not need to type the long command from above again: that command creates the container (downloading the image, creating, starting and entering it). The container already exists, so later on we only start it. First we need to know which containers we have, then start the right one.

First, list the containers we already have:

docker ps -a

You should get output like the following; if this is your first time using Docker, there should be only one container.

[Screenshot: docker ps -a container list]

When you want to start it again after the computer has restarted, just type:

docker start 81f

Here 81f is the ID of the container I want to start, the value in the first column. The full ID is long, but usually the first few characters are enough; alternatively, give the container a memorable name with docker rename:

docker rename OLDNAME NEWNAME
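The docker run command explained earlier puts the VPN password on the command line, where it stays in shell history, shows up in ps output while the container is being created, and is recorded in the container’s metadata (docker inspect). The following wrapper, an added example that is not part of the original post or of the docker-easyconnect project, keeps the credentials in an owner-only env file passed with --env-file, and names the container at creation time so that the restart step from this section becomes a docker start by name rather than by a remembered ID. The container name, env file path and init/start subcommands are this script’s own assumptions; the environment variables EC_VER, CLI_OPTS and IPTABLES_LEGACY are the ones the image reads, as listed above.

```shell
#!/bin/bash
# Added example, not part of the original post or of the docker-easyconnect
# project: a wrapper for the command-line image that keeps the VPN credentials
# out of the `docker run` command line (shell history, `ps`, `docker inspect`)
# and gives the container a fixed name so later starts use `docker start` by
# name instead of a remembered ID. Names, paths and subcommands are this
# script's own assumptions; EC_VER, CLI_OPTS and IPTABLES_LEGACY are the image's.
set -u

EC_NAME=${EC_NAME:-easyconnect-cli}              # container name (assumed)
EC_ENV_FILE=${EC_ENV_FILE:-$HOME/.easyconn.env}   # credential file (assumed)
EC_IMAGE=${EC_IMAGE:-hagb/docker-easyconnect:cli}
EC_VER=${EC_VER:-7.6.3}
EC_SOCKS_PORT=${EC_SOCKS_PORT:-1080}              # host side of the SOCKS5 mapping
EC_HTTP_PORT=${EC_HTTP_PORT:-8888}                # host side of the HTTP mapping

# ec_write_env_file FILE HOST USER PASSWORD: write the container's environment
# in `docker --env-file` format, readable by the owner only. Docker takes the
# text after '=' literally, so CLI_OPTS needs no shell quoting in the file.
ec_write_env_file() {
  local file="$1" host="$2" user="$3" pass="$4"
  ( umask 077
    printf 'EC_VER=%s\nIPTABLES_LEGACY=1\nCLI_OPTS=-d %s -u %s -p %s\n' \
      "$EC_VER" "$host" "$user" "$pass" > "$file" )
}

# ec_build_args: fill the EC_ARGS array with the `docker run` arguments from the
# post, minus the secrets, which now come from the env file.
ec_build_args() {
  EC_ARGS=(run --name "$EC_NAME" --device /dev/net/tun --cap-add NET_ADMIN
           -v "$HOME/.easyconn:/root/.easyconn"
           -p "127.0.0.1:$EC_SOCKS_PORT:1080" -p "127.0.0.1:$EC_HTTP_PORT:8888"
           --env-file "$EC_ENV_FILE" -it "$EC_IMAGE")
}

# ec_run_args: print the arguments one per line (for inspection and testing).
ec_run_args() {
  ec_build_args
  printf '%s\n' "${EC_ARGS[@]}"
}

# ec_start: reattach to the named container if it exists, otherwise create it.
ec_start() {
  if docker container inspect "$EC_NAME" >/dev/null 2>&1; then
    echo "starting existing container $EC_NAME" >&2
    docker start -ai "$EC_NAME"
  else
    if [ ! -r "$EC_ENV_FILE" ]; then
      echo "missing $EC_ENV_FILE; run: $0 init VPN_HOST USERNAME" >&2
      return 1
    fi
    touch "$HOME/.easyconn"        # login state file, as in the post
    ec_build_args
    docker "${EC_ARGS[@]}"
  fi
}

# Subcommands: `init VPN_HOST USERNAME` prompts for the password without echo
# and writes the env file; `start` creates the container or restarts it.
case "${1:-}" in
  init)
    read -rsp "VPN password for ${3:?username}: " ec_pass; echo
    ec_write_env_file "$EC_ENV_FILE" "${2:?vpn host}" "$3" "$ec_pass" ;;
  start)
    ec_start ;;
esac
```

Usage is ./ec.sh init vpn.xxx.edu.cn USERNAME once, then ./ec.sh start every time, including after a reboot; the password is typed at a silent prompt and never appears in the command line. The trade-off is that the secret now lives in ~/.easyconn.env, so the file is created with mode 600 and should be treated like any other credential file.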

Uninstalling EasyConnect

As I said before, one of the rogue things about EasyConnect is that it is very hard to uninstall, but I have put together a method based on information from the Internet and my own experience.

First, find the EasyConnect installation directory and double-click the uninstaller to run it. You will see that the directory is not completely deleted; many files remain, so perform the following steps.

  1. Select everything and press Shift + Delete; skip any items that refuse to be deleted. Many files will still be left over.
  2. Disconnect from the network and restart the computer, go to the installation directory, rename all the folders (any name will do), and restart again.
  3. Select the folders you just renamed and press Shift + Delete; if a folder still cannot be deleted, cut it to another location and delete it there.
  4. Restart the computer and open a command line with administrator privileges (if you have no usual command-line tool, press Win + X and select Windows PowerShell (Administrator)).
  5. Enter the command netsh winsock reset and press Enter.

The last two steps, resetting Winsock, are very important; if they are skipped, various clients will likely be unable to connect to the network.

If the Sangfor service still exists after uninstallation, you can refer to this article to try to resolve it.

Thanks

docker-easyconnect

Soulike

Jortana

Nativus