In most cases, connecting a router to a VPN is not difficult, but if you want to protect the whole network while keeping the best possible connection quality, the best solution is a VPN tunnel.
Mikrotik routers have proven to be reliable and easy to troubleshoot, but unfortunately
At the moment, unfortunately, to set up WireGuard on a Mikrotik router you have to replace the firmware.
Flashing Mikrotik, installing and configuring OpenWrt
First you need to make sure that OpenWrt supports your model. Check that the model matches by its marketing name and its picture.
Go to openwrt.com
For this device we need 2 files:
You need to download two files: the install image and the upgrade image.
1. Network setup, downloading and configuring the PXE server
Download
Extract the zip to a separate folder. In the file config.ini add the parameter rfc951=1 to the [dhcp] section. This parameter is the same for all Mikrotik models.
Now the network settings: you need to assign a static IP address on one of your computer's network interfaces.
IP address: 192.168.1.10
Netmask: 255.255.255.0
Run Tiny PXE Server as Administrator and, in the DHCP Server field, select the server with address 192.168.1.10.
In some versions of Windows this interface may only appear once an Ethernet link is up. I recommend connecting the router first and immediately linking the router and the PC with a patch cable.
Click the "..." button (bottom right) and specify the folder where you downloaded the Mikrotik firmware files.
Select the file whose name ends with "initramfs-kernel.bin" or "elf".
2. Booting the router from the PXE server
Connect the PC with a cable to the first port (wan, internet, poe in, ...) of the router. Then take a toothpick and insert it into the hole labelled "Reset".
Turn on the router's power, wait 20 seconds, and then release the toothpick.
Within the next minute the following messages should appear in the Tiny PXE Server window:
If the message appears, you are on the right track!
Restore the network adapter settings and set it to obtain an address automatically (via DHCP).
Connect to the LAN ports of the Mikrotik router (2…5 in our case) using the same patch cable; just move it from port 1 to port 2. Open the address
Log in to the OpenWRT administration interface and go to the menu section "System -> Backup/Flash Firmware".
In the "Flash new firmware image" section, click the "Choose file (Browse)" button.
Specify the path to the file whose name ends with "-squashfs-sysupgrade.bin".
Then click the "Flash Image" button.
In the next window, click the "Continue" button. The firmware will start being written to the router.
!!! DO NOT UNDER ANY CIRCUMSTANCES TURN OFF THE ROUTER'S POWER DURING THE FLASHING PROCESS !!!
After flashing and rebooting the router, you will have a Mikrotik running OpenWRT firmware.
Possible problems and solutions
Most Mikrotik devices released in 2019 use a NOR flash memory chip of type GD25Q15 / Q16. The problem is that during flashing the information about the device model is not preserved.
If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform." then the problem is most likely in the flash.
Checking this is simple: run the command that shows the board ID in the device's terminal
root@OpenWrt: cat /tmp/sysinfo/board_name
If the answer is "unknown", you need to set the device model manually, in the form "rb-951-2nd".
To find out the device model, run the command
root@OpenWrt: cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd
Once you know the device model, enter it manually:
echo 'rb-951-2nd' > /tmp/sysinfo/board_name
After that you can flash the device via the web interface or with the "sysupgrade" command.
Creating a VPN server with WireGuard
If you already have a server with WireGuard configured, you can skip this step.
I will use the app to set up a private VPN server
Configuring the WireGuard client on OpenWRT
Connect to the router over the SSH protocol:
ssh [email protected]
Install WireGuard:
opkg update
opkg install wireguard
Prepare the configuration (copy the code below into a file, replace the listed values with your own, and run it in the terminal).
If you use MyVPN, then in the config below you only need to change WG_SERV (the server IP), WG_KEY (the private key from the phone's config file) and WG_PUB (the public key).
WG_IF="wg0"
WG_SERV="100.0.0.0" # server IP address
WG_PORT="51820" # wireguard port
WG_ADDR="10.8.0.2/32" # wireguard address range
WG_KEY="xxxxx" # private key
WG_PUB="xxxxx" # public key
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart
# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
This completes the WireGuard setup! Now the traffic of every connected device is protected by the VPN connection.
References
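The claim that all traffic is now protected is worth verifying rather than assuming. The following added check (not part of the original article) reads the output of `wg show wg0 dump` and reports whether the peer has recently completed a handshake and whether its allowed-ips cover all of IPv4 via the 0.0.0.0/1 + 128.0.0.0/1 split used above; the sample dump, keys and endpoint are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Input is the text of
# `wg show wg0 dump`: one interface line, then one tab-separated peer line:
#   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# A tunnel that is configured but never handshaked, or that only routes
# 10.8.0.0/24, silently leaks LAN traffic to the WAN; this check catches both.

# Seconds since the most recent peer handshake; prints -1 when no peer has
# ever completed one. $1 = dump text, $2 = current epoch time.
wg_handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" -F'\t' '
        NR > 1 && NF >= 5 && $5 > 0 && $5 > best { best = $5 }
        END { if (best > 0) print now - best; else print -1 }'
}

# Returns 0 when a peer's allowed-ips contain both halves of IPv4 space
# (the split-default-route trick from the article), 1 otherwise.
wg_covers_all_ipv4() {
    printf '%s\n' "$1" | awk -F'\t' '
        NR > 1 { n = split($4, a, ","); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        END { exit !(("0.0.0.0/1" in seen) && ("128.0.0.0/1" in seen)) }'
}

# Verdict: "up" if a handshake happened within the last 3 minutes (WireGuard
# rekeys every 2 minutes under traffic) and all IPv4 is routed into the tunnel;
# "down" if the handshake is missing or stale; "leaking" if routing is partial.
wg_tunnel_status() {
    age=$(wg_handshake_age "$1" "$2")
    if [ "$age" -lt 0 ] || [ "$age" -gt 180 ]; then
        echo "down"
    elif ! wg_covers_all_ipv4 "$1"; then
        echo "leaking"
    else
        echo "up"
    fi
}

# Constructed sample dump; keys and endpoint are placeholders, not real values.
SAMPLE_DUMP="$(printf 'PRIVKEY_PLACEHOLDER\tPUBKEY_PLACEHOLDER\t51820\toff\nPEERKEY_PLACEHOLDER\t(none)\t100.0.0.0:51820\t0.0.0.0/1,128.0.0.0/1,::/0\t1700000000\t4096\t2048\t25\n')"

# On the router itself: wg_tunnel_status "$(wg show wg0 dump)" "$(date +%s)"
```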
source: www.habr.com