Migrating from OpenVPN to WireGuard to join networks into a single L2 network

I would like to share my experience of joining the networks in three geographically distant apartments, each of which uses a router running OpenWRT as its gateway, into one common network. When choosing how to join the networks, between L3 with routing between subnets and L2 with bridging, where all network nodes are in the same subnet, preference was given to the second method, which is harder to configure but offers more possibilities, since transparent use of technologies such as Wake-on-LAN and DLNA was planned in the resulting network.

Part 1: Background

OpenVPN was initially chosen as the protocol for this task because, first, it can create a tap device that can be added to a bridge without any problems, and second, OpenVPN supports operation over TCP, which was also important, because none of the apartments had a dedicated IP address and I could not use STUN, since for some reason my ISP blocks incoming UDP connections from its own networks, whereas TCP allowed me to forward the VPN server port to a rented VPS using SSH. Yes, this approach carries a large overhead, since the data is encrypted twice, but I did not want to bring the VPS into my private network, since there was still a risk of third parties gaining control over it; having such a device on the home network was therefore highly undesirable, and it was decided to pay for security with a large overhead.

To forward the port on the router where the server was to be deployed, the sshtunnel program was used. I will not describe the details of its configuration, as it is quite simple; I will only note that its task was to forward TCP port 1194 from the router to the VPS. Next, the OpenVPN server was configured on the tap0 device, which was added to the br-lan bridge. After checking the connection to the newly created server from a laptop, it became clear that the port-forwarding idea had justified itself, and my laptop became a member of the router's network, although it was not physically in it.

Only a small matter remained: the IP addresses had to be distributed among the apartments so that they would not conflict, and the routers had to be configured as OpenVPN clients.
The following router IP addresses and DHCP server ranges were chosen:

  • 192.168.10.1 with range 192.168.10.2 - 192.168.10.80 for the server
  • 192.168.10.100 with range 192.168.10.101 - 192.168.10.149 for the router in apartment No. 2
  • 192.168.10.150 with range 192.168.10.151 - 192.168.10.199 for the router in apartment No. 3

It was also necessary to assign exactly these addresses to the client routers on the OpenVPN server by adding this line to its configuration:

ifconfig-pool-persist /etc/openvpn/ipp.txt 0

and adding the following lines to the file /etc/openvpn/ipp.txt:

flat1_id 192.168.10.100
flat2_id 192.168.10.150

where flat1_id and flat2_id are the device names specified when generating the certificates for connecting to OpenVPN.

Next, the OpenVPN clients were configured on the routers, and the tap0 devices on both were added to the br-lan bridge. At this stage everything seemed to be in order, since all three networks could see each other and worked as one. However, a not very pleasant detail emerged: sometimes devices could receive an IP address from a router other than their own, with all the ensuing consequences. For some reason, the router in one of the apartments did not manage to respond to DHCPDISCOVER in time, and the device received the wrong address. I realized that I needed to filter such requests on tap0 on each of the routers, but, as it turned out, iptables cannot work with a device if it is part of a bridge, and ebtables should come to my rescue. To my regret, it was not in my firmware, and I had to rebuild the images for each device. By doing this and adding these lines to /etc/rc.local of each router, the problem was solved:

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

This configuration lasted for three years.

Part 2: Introducing WireGuard

Recently, the Internet has been talking more and more about WireGuard, admiring the simplicity of its configuration, high transfer speed, and low ping with comparable security. Searching for more information about it made it clear that it supports neither operation as a bridge member nor operation over TCP, which made me think that there were still no alternatives to OpenVPN for me. So I put off getting to know WireGuard.

A few days ago, news spread across resources related to IT in one way or another that WireGuard would be included in the Linux kernel, starting with version 5.6. The news articles, as always, praised WireGuard. I again plunged into searching for ways to replace the old OpenVPN. This time I came across this article. It talked about creating an Ethernet tunnel over L3 using GRE. This article gave me hope. It remained unclear what to do with the UDP protocol. Searching led me to articles about using socat together with an SSH tunnel to forward a UDP port; however, they noted that this approach only works in single-connection mode, which means that multiple VPN clients would be impossible. I came up with the idea of setting up a VPN server on the VPS and configuring GRE for the clients, but, as it turned out, GRE does not support encryption, which means that if third parties gained access to the server, all traffic between my networks would be in their hands, which did not suit me at all.

Once again, the decision was made in favor of redundant encryption, using VPN over VPN according to the following scheme:

First-level VPN:
VPS is the server with internal address 192.168.30.1
MC is a client of the VPS with internal address 192.168.30.2
MK2 is a client of the VPS with internal address 192.168.30.3
MK3 is a client of the VPS with internal address 192.168.30.4

Second-level VPN:
MC is the server with external address 192.168.30.2 and internal address 192.168.31.1
MK2 is a client of MC at address 192.168.30.2 and has internal IP 192.168.31.2
MK3 is a client of MC at address 192.168.30.2 and has internal IP 192.168.31.3

* MC - the router in apartment 1, MK2 - the router in apartment 2, MK3 - the router in apartment 3
* The device configurations are published in a spoiler at the end of the article.

So, pings between the nodes of the 192.168.31.0/24 network go through; it is time to move on to setting up the GRE tunnel. Before that, so as not to lose access to the routers, it is worth setting up SSH tunnels to forward port 22 to the VPS, so that, for example, the router from apartment 2 will be reachable on port 10022 of the VPS, and the router from apartment 3 will be reachable on port 11122 of the VPS. It is best to configure the forwarding with the same sshtunnel, since it will restore the tunnel if it drops.

The tunnel is configured; you can connect to SSH through the forwarded port:

ssh root@МОЙ_VPS -p 10022

Next, stop OpenVPN:

/etc/init.d/openvpn stop

Now let's set up the GRE tunnel on the router from apartment 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up

And add the created interface to the bridge:

brctl addif br-lan grelan0

Let's perform a similar procedure on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up

And, again, add the created interface to the bridge:

brctl addif br-lan grelan0

From this moment, pings start going successfully to the new network, and I, with satisfaction, go off to drink coffee. Then, to see how the network at the other end of the wire is working, I try to SSH into one of the computers in apartment 2, but the ssh client hangs without prompting me for a password. I try to connect to this computer via telnet on port 22 and see a line from which it is clear that the connection is being established and the SSH server is responding, but for some reason it does not let me log in.

$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1

I try to connect to it via VNC and see a black screen. I convince myself that the problem is in the remote computer, because I can connect to the router from this apartment using its internal address. However, I decide to SSH into this computer through the router and am surprised to find that the connection succeeds and the remote computer works fine, but it cannot connect to my computer either.

I remove the grelan0 device from the bridge and start OpenVPN on the router in apartment 2, and make sure that the network works properly again and connections do not drop. Searching, I come across forums where people complain about the same problems and are advised to raise the MTU. No sooner said than done. However, until the MTU was set to a sufficiently large value of 7000 for the gretap devices, TCP connections were either dropped or transfers were slow. Because of the high MTU for gretap, the MTUs for the first- and second-level WireGuard connections were set to 8000 and 7500, respectively.
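The MTU values above can be checked against the per-layer encapsulation overhead. The script below is an added example, not part of the original article; it assumes IPv4 outer headers, a GRE header without key or checksum, and a 1492-byte WAN MTU (typical for PPPoE), and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the author's code): sizes in the grelan0 -> wg1 -> wg0 -> WAN stack.
# Assumes IPv4 outer headers and a GRE header without key or checksum.
GRETAP_OVERHEAD=38   # 14 inner Ethernet + 4 GRE + 20 outer IPv4
WG_OVERHEAD=60       # 20 outer IPv4 + 8 UDP + 16 data header + 16 auth tag

# wg_wrap SIZE MTU -> bytes leaving one WireGuard layer for a SIZE-byte packet.
# WireGuard pads the plaintext to a multiple of 16, but never beyond the MTU.
wg_wrap() {
    padded=$(( ($1 + 15) / 16 * 16 ))
    if [ "$padded" -gt "$2" ]; then padded=$2; fi
    echo $(( padded + WG_OVERHEAD ))
}

# verdict SIZE MTU -> "fits" or "exceeds"
verdict() {
    if [ "$1" -le "$2" ]; then echo fits; else echo exceeds; fi
}

# wan_packet_size LAN_IP_SIZE WG1_MTU WG0_MTU
# Size on the WAN link of one bridged LAN packet after all three wrappers.
wan_packet_size() {
    gre_pkt=$(( $1 + GRETAP_OVERHEAD ))
    wg1_pkt=$(wg_wrap "$gre_pkt" "$2")
    wg_wrap "$wg1_pkt" "$3"
}

# check_stack GRETAP_MTU WG1_MTU WG0_MTU WAN_MTU
# One line per boundary: "<device> <largest packet handed down> <MTU below> <verdict>".
check_stack() {
    gre_max=$(( $1 + GRETAP_OVERHEAD ))
    wg1_max=$(wg_wrap "$2" "$2")
    wg0_max=$(wg_wrap "$3" "$3")
    echo "grelan0 $gre_max $2 $(verdict "$gre_max" "$2")"
    echo "wg1 $wg1_max $3 $(verdict "$wg1_max" "$3")"
    echo "wg0 $wg0_max $4 $(verdict "$wg0_max" "$4")"
}

# MTUs from the article; the 1492-byte WAN MTU is an assumption (typical PPPoE).
check_stack 7000 7500 8000 1492
echo "1500-byte LAN packet on the WAN: $(wan_packet_size 1500 7500 8000) bytes"
```

With the article's values the two inner boundaries fit, while the outermost WireGuard packet is larger than the assumed WAN MTU, so it can only cross the WAN link as IP fragments.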

I did a similar configuration on the router from apartment 3, the only difference being that a second gretap interface named grelan1 was added on the server router, which was also added to the br-lan bridge.

Everything works. Now you can put the gretap setup into autostart. To do this:

Put these lines in /etc/rc.local on the router in apartment 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

Add this to /etc/rc.local on the router in apartment 3:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

And on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1

After rebooting the client routers, I found that for some reason they did not connect to the server. Having connected to them over SSH (fortunately, I had already configured sshtunnel for this), I discovered that WireGuard for some reason creates a route for the endpoint, and an incorrect one at that. So, for 192.168.30.2, the routing table specified a route through the pppoe-wan interface, that is, through the Internet, although the route to it should have gone through the wg0 interface. After deleting this route, the connection was restored. I could not find instructions anywhere on how to control whether WireGuard creates these routes. Moreover, I did not even understand whether this is a feature of OpenWRT or of WireGuard itself. Without dealing with this problem for long, I simply added to both routers, in a script run by a timer, a line that deletes this route:

route del 192.168.30.2
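A guarded form of the timer workaround above, as an added example that is not the author's script: it deletes the host route to the endpoint only when that route points at a device other than wg0. The function names and the sample routing table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's script): remove the endpoint host route
# only when it bypasses the first-level tunnel.

# stray_route_devs ENDPOINT_IP TUNNEL_DEV
# Reads `ip -4 route show` output on stdin and prints the device of every
# host route to ENDPOINT_IP that does not point at TUNNEL_DEV.
stray_route_devs() {
    awk -v ip="$1" -v tun="$2" '
        $1 == ip || $1 == (ip "/32") {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) != tun) print $(i + 1)
        }'
}

# fix_endpoint_route ENDPOINT_IP TUNNEL_DEV
# Deletes each stray host route; the subnet route via TUNNEL_DEV is untouched.
fix_endpoint_route() {
    ip -4 route show | stray_route_devs "$1" "$2" | while read -r dev; do
        logger -t wg-route "removing host route to $1 via $dev"
        ip -4 route del "$1" dev "$dev"
    done
}

# Constructed sample of a client router's routing table (addresses invented).
sample_routes() {
    cat <<'EOF'
default via 10.64.0.1 dev pppoe-wan
10.64.0.1 dev pppoe-wan proto kernel scope link src 10.64.12.34
192.168.30.0/24 dev wg0 proto kernel scope link src 192.168.30.3
192.168.30.2 via 10.64.0.1 dev pppoe-wan
192.168.31.0/24 dev wg1 proto kernel scope link src 192.168.31.2
EOF
}

# Dry run on the sample: prints the device of the stray route.
sample_routes | stray_route_devs 192.168.30.2 wg0
```

On a router, the timer script would call `fix_endpoint_route 192.168.30.2 wg0` in place of the unconditional `route del`.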

Summing up

I have not yet achieved a complete rejection of OpenVPN, since I sometimes need to connect to the new network from a laptop or phone, and configuring a gretap device on them is generally impossible, but despite this I gained an advantage in data transfer speed between the apartments and, for example, using VNC is no longer unpleasant. Ping decreased slightly but became more stable:

When using OpenVPN:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms

--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms

When using WireGuard:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms

It is affected most by the high ping to the VPS, which is approximately 61.5 ms.

However, the speed has increased significantly. In the apartment with the server router, I have an Internet connection speed of 30 Mbps, and in the other apartments, 5 Mbps. At the same time, while using OpenVPN, I could not achieve a data transfer rate between the networks of more than 3.8 Mbps according to iperf, while WireGuard "pumped" it up to the same 5 Mbps.

WireGuard configuration on the VPS

[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <ЗАКРЫТЫЙ_КЛЮЧ_ДЛЯ_VPS>

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_1_МС>
AllowedIPs = 192.168.30.2/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2>
AllowedIPs = 192.168.30.3/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3>
AllowedIPs = 192.168.30.4/32

WireGuard configuration on MC (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.2/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МС'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - server
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option listen_port '51821'
        list addresses '192.168.31.1/24'
        option auto '1'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list allowed_ips '192.168.31.2'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list allowed_ips '192.168.31.3'

WireGuard configuration on MK2 (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.3/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК2'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list addresses '192.168.31.2/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

WireGuard configuration on MK3 (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.4/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК3'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list addresses '192.168.31.3/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

In the configurations described for the second-level VPN, I specify port 51821 for the WireGuard clients. In theory this is not necessary, since the client will establish the connection from any free unprivileged port, but I did it so that all incoming connections could be denied on the wg0 interfaces of all routers, except for incoming UDP connections on port 51821.
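One way to express that wg0 policy in the OpenWRT firewall, as an added example that is not the author's configuration: it assumes wg0 is not yet assigned to another firewall zone, and the zone name, rule name and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the author's configuration): stage the wg0 policy described
# above in the OpenWRT firewall config. Zone and rule names are hypothetical.
WG_L1_IF="wg0"        # first-level WireGuard interface (from the article)
WG_L2_PORT="51821"    # second-level WireGuard port (from the article)
ZONE="vps_l1"         # hypothetical zone name

zset() { uci set "firewall.@zone[-1].$1=$2"; }
rset() { uci set "firewall.@rule[-1].$1=$2"; }

lock_down_wg0() {
    # Dedicated zone for wg0: anything arriving from the VPS side is dropped.
    uci add firewall zone >/dev/null
    zset name "$ZONE"
    uci add_list "firewall.@zone[-1].network=$WG_L1_IF"
    zset input DROP
    zset forward DROP      # assumption: nothing is routed through wg0 itself
    zset output ACCEPT     # the router's own wg1 packets still leave via wg0

    # Single exception: the encrypted second-level tunnel.
    uci add firewall rule >/dev/null
    rset name "Allow-WG-L2"
    rset src "$ZONE"
    rset proto udp
    rset dest_port "$WG_L2_PORT"
    rset target ACCEPT

    uci commit firewall
}

# Run as "<script> apply" on the router.
if [ "${1:-}" = "apply" ]; then
    lock_down_wg0 && /etc/init.d/firewall reload
fi
```

With this zone in place, a party controlling the VPS can reach each router only on the WireGuard port of the second-level tunnel, which still requires the second-level keys.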

I hope the article will be useful to someone.

P.S. I would also like to share my script that sends me PUSH notifications to my phone in the WirePusher application when a new device appears on my network. Here is the link to the script: github.com/r0ck3r/device_discover.

UPDATE: OpenVPN server and client configuration

OpenVPN server

client-to-client

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key

dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
comp-lzo

OpenVPN client

client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind

ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem

comp-lzo
persist-tun
persist-key
verb 3

I used Easy-rsa to generate the certificates.

source: www.habr.com
