
I want to share my experience of joining the networks of three geographically distant apartments, each using an OpenWRT router as its gateway, into a single network. When choosing between joining the networks at L3 with subnet routing and at L2 with bridging, where all network nodes end up in the same subnet, I preferred the second approach: it is harder to configure but offers more possibilities, since I planned to use Wake-on-LAN and DLNA transparently in the resulting network.
Part 1: Background
OpenVPN was initially chosen as the protocol for this task because, first, it can create a tap device that can be added to a bridge without any problems, and second, OpenVPN supports TCP, which was also important because none of the apartments had a dedicated IP address. I could not use STUN because my ISP, for some reason, blocks incoming UDP connections from its networks. TCP let me forward the VPN server's port to a rented VPS using SSH. Although this approach carries a large overhead, since the data is encrypted twice, I did not want to bring the VPS into my private network, because there was a risk of third parties gaining control over it. Having such a device inside my home network was highly undesirable, so I decided to pay for security with a large overhead.
To forward the port on the router where the server was to be deployed, I used the sshtunnel program. I won't go into the details of its configuration, it is quite simple. I'll just note that its job was to forward TCP port 1194 from the router to the VPS. Next, I configured the OpenVPN server on the tap0 device, which was added to the br-lan bridge. After testing a connection to the newly created server from my laptop, it became clear that the port-forwarding idea had worked, and the laptop became a member of the router's network even though it was not physically in it.
All that remained was to distribute the IP addresses across the apartments so that they did not conflict, and to configure the routers as OpenVPN clients.
The following router IP addresses and DHCP server ranges were chosen:
- 192.168.10.1 with the range 192.168.10.2 - 192.168.10.80 for the server
- 192.168.10.100 with the range 192.168.10.101 - 192.168.10.149 for the router in apartment 2
- 192.168.10.150 with the range 192.168.10.151 - 192.168.10.199 for the router in apartment 3
It was also necessary to assign exactly these addresses to the client routers on the OpenVPN server, by adding the following line to its configuration:
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
and adding these lines to the file /etc/openvpn/ipp.txt:
flat1_id 192.168.10.100
flat2_id 192.168.10.150
where flat1_id and flat2_id are the device names specified when creating the certificates for connecting to OpenVPN.
After that, the routers were configured as OpenVPN clients, and the tap0 devices on both were added to the br-lan bridge. At that point everything seemed fine: all three networks could see each other and worked as a single whole. However, an unpleasant detail emerged: sometimes devices received an IP address from the wrong router, with all the consequences that follow. For some reason, the router in one of the apartments did not respond to DHCPDISCOVER in time, and the device got the wrong address. I realized I needed to filter such requests on tap0 on each router, but as it turned out, iptables cannot work with a device that is part of a bridge, so I needed ebtables. Unfortunately, my firmware did not include it, so I had to rebuild the images for each device. After doing that and adding the following lines to /etc/rc.local on each router, the problem was solved:
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
This configuration lasted three years.
Part 2: Getting to know WireGuard
Recently there has been more and more talk on the Internet about WireGuard, praising its simple configuration, high transfer speed and low ping with comparable security. Searching for more information showed that it supports neither operation as a bridge member nor TCP, which led me to believe that there was still no alternative to OpenVPN for me. So I postponed getting to know WireGuard.
A few days ago, news spread across resources related to IT in one way or another that WireGuard would finally be included in the Linux kernel, starting with version 5.6. The news articles, as always, praised WireGuard. I again plunged into searching for ways to replace good old OpenVPN. This time I came across an article. It talked about creating an Ethernet tunnel over L3 using GRE. This article gave me hope. It was still unclear what to do about the UDP protocol. The search led me to articles about using socat together with an SSH tunnel to forward a UDP port; however, they noted that this approach works only in single-connection mode, which means that multiple VPN clients would be impossible. I came up with the idea of setting up the VPN server on the VPS and setting up GRE for the clients, but as it turned out, GRE does not support encryption, which would mean that if third parties gained access to the server, all traffic between my networks would be in their hands, which did not suit me at all.
Again, the decision was made in favor of redundant encryption, using VPN over VPN according to the following scheme:
Level 1 VPN:
VPS is the server with internal address 192.168.30.1
MS is a client of the VPS with internal address 192.168.30.2
MK2 is a client of the VPS with internal address 192.168.30.3
MK3 is a client of the VPS with internal address 192.168.30.4
Level 2 VPN:
MS is the server with external address 192.168.30.2 and internal address 192.168.31.1
MK2 is a client of MS at address 192.168.30.2 and has the internal IP 192.168.31.2
MK3 is a client of MS at address 192.168.30.2 and has the internal IP 192.168.31.3
* MS is the router in apartment 1, MK2 is the router in apartment 2, MK3 is the router in apartment 3.
* The device configurations are published in the spoilers at the end of the article.
So, pings between the nodes of the 192.168.31.0/24 network go through, and it is time to move on to setting up the GRE tunnel. Before that, so as not to lose access to the routers, it is worth setting up SSH tunnels to forward port 22 to the VPS, so that, for example, the router from apartment 2 is reachable on port 10022 of the VPS, and the router from apartment 3 is reachable on port 11122 of the VPS. It is best to configure the forwarding with the same sshtunnel, since it will restore the tunnel if it drops.
The tunnel is configured, and you can connect over SSH through the forwarded port:
ssh root@МОЙ_VPS -p 10022
Next, OpenVPN should be stopped:
/etc/init.d/openvpn stop
Now let's set up the GRE tunnel on the router from apartment 2:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up
And add the created interface to the bridge:
brctl addif br-lan grelan0
Let's do the same on the server router:
ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up
And, again, add the created interface to the bridge:
brctl addif br-lan grelan0
From this moment, pings start going through to the new network and I, satisfied, go to drink coffee. Then, to see how the network at the other end of the wire is doing, I try to SSH into one of the computers in apartment 2, but the ssh client hangs without prompting me for a password. I try connecting to this computer via telnet on port 22 and see a line that shows the connection is established and the SSH server is responding, but for some reason it does not offer me a login.
$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1
I try connecting to it via VNC and see a black screen. I convince myself that the problem is in the remote computer, because I can connect to the router from that apartment using its internal address. However, I decide to SSH into that computer through the router and am surprised to find that the connection succeeds and the remote computer works fine, but it cannot connect to my computer either.
I remove the grelan0 device from the bridge and start OpenVPN on the router in apartment 2, and make sure that the network works properly again and connections do not drop. Searching, I come across forums where people complain about the same problems and are advised to raise the MTU. No sooner said than done. However, until the MTU was set large enough (7000 for the gretap devices), I saw either dropped TCP connections or low transfer speeds. Because of the large MTU for gretap, the MTU for the first- and second-level WireGuard connections was set to 8000 and 7500 respectively.
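The encapsulation arithmetic behind these MTU values, as an added example that is not part of the original article: it computes how large one LAN packet becomes after gretap, wg1 and wg0, and how many IP fragments that is on the WAN. The 1492-byte PPPoE WAN MTU, the IPv4-only overhead constants and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): sizes along LAN -> gretap -> wg1 -> wg0 -> WAN.
# Assumptions: IPv4 everywhere, GRE without key/checksum, PPPoE WAN MTU of 1492.
WG_OVERHEAD=60      # outer IPv4 20 + UDP 8 + WireGuard data header 16 + auth tag 16
GRETAP_OVERHEAD=38  # outer IPv4 20 + GRE 4 + inner Ethernet header 14
WAN_MTU=1492

# WireGuard pads the plaintext to a multiple of 16 bytes before encrypting it.
pad16() { echo $(( ($1 + 15) / 16 * 16 )); }

# Size of the IP packet gretap emits for a LAN packet of $1 bytes.
gretap_wrap() { echo $(( $1 + GRETAP_OVERHEAD )); }

# Size of the UDP/IP packet WireGuard emits for an inner packet of $1 bytes.
wg_wrap() { echo $(( $(pad16 "$1") + WG_OVERHEAD )); }

# Size on the WAN of one LAN packet of $1 bytes after gretap, wg1 and wg0.
wan_size() { wg_wrap "$(wg_wrap "$(gretap_wrap "$1")")"; }

# Number of IPv4 fragments needed to carry a packet of $1 bytes over link MTU $2.
ip_fragments() {
    if [ "$1" -le "$2" ]; then echo 1; return; fi
    per_frag=$(( ($2 - 20) / 8 * 8 ))   # fragment payload must be a multiple of 8
    echo $(( ($1 - 20 + per_frag - 1) / per_frag ))
}

# Largest gretap MTU that needs no fragmentation on a WAN with MTU $1
# (wg0 would then be $1 - 60 and wg1 $1 - 120).
nofrag_gretap_mtu() { echo $(( $1 - 2 * WG_OVERHEAD - GRETAP_OVERHEAD )); }

report() {
    for lan in 1500 7000; do
        wan=$(wan_size "$lan")
        echo "LAN packet $lan B -> $wan B on WAN, $(ip_fragments "$wan" "$WAN_MTU") fragment(s)"
    done
    echo "no-fragmentation gretap MTU for WAN $WAN_MTU: $(nofrag_gretap_mtu "$WAN_MTU")"
}
report
```

Under these assumptions every full 1500-byte LAN packet crosses the WAN as two IP fragments, so the setup depends on fragments not being dropped anywhere on the path.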
I did the same setup on the router from apartment 3, the only difference being that a second gretap interface named grelan1 was added on the server router, and it was also added to the br-lan bridge.
Everything works. Now the gretap setup can be put into autostart. To do this:
Put these lines in /etc/rc.local on the router in apartment 2:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
Add this to /etc/rc.local on the router in apartment 3:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
And on the server router:
ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1
After rebooting the client routers, I found that for some reason they did not connect to the server. Having connected to them over SSH (fortunately, I had already set up sshtunnel for this), I found that WireGuard for some reason creates a route for the endpoint, and an incorrect one. For example, for 192.168.30.2 the routing table specified a route through the pppoe-wan interface, that is, via the internet, although the route to it should have gone through the wg0 interface. After deleting this route, the connection was restored. I could not find instructions anywhere on how to force WireGuard not to create these routes. Moreover, I did not even understand whether this is a feature of OpenWRT or of WireGuard itself. Without spending a long time on the problem, I simply added a line to a timer-looped script on both routers that deletes this route:
route del 192.168.30.2
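A guarded variant of this route cleanup, as an added example rather than the author's script: it deletes the host route to the level-2 endpoint only when that route leaves through a device other than wg0. The sample routing table, the gateway 10.64.0.1 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Constructed sample of `ip -4 route show`
# on a client router after boot; the gateway address is made up.
SAMPLE_ROUTES='default via 10.64.0.1 dev pppoe-wan
192.168.10.0/24 dev br-lan scope link src 192.168.10.100
192.168.30.0/24 dev wg0 scope link src 192.168.30.3
192.168.30.2 via 10.64.0.1 dev pppoe-wan
192.168.31.0/24 dev wg1 scope link src 192.168.31.2'

# Read a routing table on stdin and print the device used by a /32 host
# route for endpoint $1, or nothing when only subnet routes cover it.
host_route_dev() {
    awk -v ep="$1" '$1 == ep || $1 == ep "/32" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Read a routing table on stdin; succeed when endpoint $1 has a host route
# that leaves through a device other than the expected tunnel device $2.
endpoint_route_is_wrong() {
    dev=$(host_route_dev "$1")
    [ -n "$dev" ] && [ "$dev" != "$2" ]
}

# Delete the host route only when it bypasses the tunnel, and log the event
# so a recurring deletion shows up in the system log.
fix_endpoint_route() {
    if ip -4 route show | endpoint_route_is_wrong "$1" "$2"; then
        ip -4 route del "$1/32" &&
            logger -t wg-route "removed host route to $1 that bypassed $2"
    fi
}

# In the periodic script on MK2 and MK3:
#   fix_endpoint_route 192.168.30.2 wg0
printf '%s\n' "$SAMPLE_ROUTES" | host_route_dev 192.168.30.2
```

On OpenWrt builds whose WireGuard protocol handler supports it, `option nohostroute '1'` on the wg1 interface stops netifd from adding the endpoint host route in the first place.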
Summing up
I have not yet managed to abandon OpenVPN completely, since I occasionally need to connect to the new network from a laptop or phone, and setting up a gretap device on them is generally impossible. Nevertheless, I gained in data transfer speed between the apartments, and using VNC, for example, is now no trouble. Ping decreased slightly but became more stable:
With OpenVPN:
[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms
With WireGuard:
[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms
It is mostly affected by the high ping to the VPS, which is about 61.5 ms.
However, the speed increased noticeably. In the apartment with the server router I have an internet connection speed of 30 Mbps, and in the other apartments it is 5 Mbps. With OpenVPN I could not achieve a data transfer speed between the networks above 3.8 Mbps according to iperf, while WireGuard "pumped" it up to the same 5 Mbit/sec.
WireGuard configuration on the VPS
[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <ЗАКРЫТЫЙ_КЛЮЧ_ДЛЯ_VPS>
[Peer]
PublicKey = <VPN_1_MS_PUBLIC_KEY>
AllowedIPs = 192.168.30.2/32
[Peer]
PublicKey = <VPN_2_MK2_PUBLIC_KEY>
AllowedIPs = 192.168.30.3/32
[Peer]
PublicKey = <VPN_2_MK3_PUBLIC_KEY>
AllowedIPs = 192.168.30.4/32
WireGuard configuration on MS (added to /etc/config/network)
# Level 1 VPN - client
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.2/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МС'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
# Level 2 VPN - server
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option listen_port '51821'
list addresses '192.168.31.1/24'
option auto '1'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
list allowed_ips '192.168.31.2'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
list allowed_ips '192.168.31.3'
WireGuard configuration on MK2 (added to /etc/config/network)
# Level 1 VPN - client
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.3/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК2'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
# Level 2 VPN - client
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
list addresses '192.168.31.2/24'
option auto '1'
option listen_port '51821'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option endpoint_host '192.168.30.2'
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '192.168.31.0/24'
WireGuard configuration on MK3 (added to /etc/config/network)
# Level 1 VPN - client
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.4/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК3'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
# Level 2 VPN - client
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
list addresses '192.168.31.3/24'
option auto '1'
option listen_port '51821'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option endpoint_host '192.168.30.2'
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '192.168.31.0/24'
In the configurations described for the second-level VPN, I specify port 51821 for the WireGuard clients. In theory this is not necessary, since a client will establish the connection from any free unprivileged port, but I did it this way so that I could block all incoming connections on the wg0 interfaces of all routers except incoming UDP connections to port 51821.
I hope the article will be useful to someone.
P.S. I also want to share my script that sends PUSH notifications to my phone in the WirePusher app when a new device appears on my network. Here is the link to the script: .
UPDATE: OpenVPN server and client configuration
OpenVPN server
client-to-client
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key
dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
comp-lzo
OpenVPN client
client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind
ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem
comp-lzo
persist-tun
persist-key
verb 3
I used Easy-rsa to generate the certificates.
source: www.habr.com
