Building a SOCKS router on a laptop with Debian 10

For a year (or two) I have been putting off publishing this article for a good reason: I had already published two articles describing how to build a SOCKS router out of an ordinary laptop running Debian.

However, since then the stable Debian release has moved on to Buster, and enough people have contacted me asking for help with the setup that it is clear my earlier articles were not exhaustive. Well, I myself suspected that the methods described in them did not fully cover all the subtleties of configuring Linux to route into SOCKS. Moreover, they were written for Debian Stretch, and after upgrading to Buster I noticed small changes in how the services interact under the systemd init system. And in the articles themselves I did not use systemd-networkd, although it is better suited to complex network configurations.

In addition to the changes above, the following services were added to my setup: hostapd, the service behind the virtual access point; NTP, to synchronise the clocks of local-network clients; dnscrypt-proxy, to encrypt DNS connections and block advertising for local-network clients; and, as already mentioned, systemd-networkd to configure the network interfaces.

Here is a simple block diagram of the internal structure of such a router.


So let me remind you of the goals of this series of articles:

  1. Route all of the OS's connections into SOCKS, as well as the connections of every device on the same network as the laptop.
  2. In my case the laptop must stay fully mobile, that is, it must still be usable with a desktop environment and not be tied to a physical location.
  3. The previous point implies connecting both the laptop itself and its clients through the built-in wireless interface.
  4. And, of course, producing a complete guide, and studying the relevant technologies to the best of my ability.

What this article covers:

  1. Git: downloading the repositories of tun2socks, which is needed to route TCP traffic into SOCKS, and create_ap, a script that manages a virtual access point using hostapd.
  2. tun2socks: building it and installing a systemd service on the system.
  3. systemd-networkd: configuring the wireless and virtual interfaces, the static routing table and packet forwarding.
  4. create_ap: installing the systemd service on the system, configuring and launching the virtual access point.

Optional steps:

  • NTP: installing and configuring a server for time synchronisation of the access point's clients.
  • dnscrypt-proxy: we will encrypt DNS requests, forward them into SOCKS and block advertising domains for the local network.

What is all this for?

This is one of the ways to protect the TCP connections of a home network. The main advantage is that every connection goes into SOCKS unless a static route through the original gateway has been built for it. This means you do not need to push SOCKS server settings into every program or every client on the local network: they all go into SOCKS by default, because it is the default gateway until we say otherwise.

In essence we place a second, encrypting router, in the form of the laptop, in front of the original router, and the original internet connection carries only the laptop's already-encrypted SOCKS requests; the laptop in turn routes and encrypts the requests of the LAN clients.

From the provider's point of view we are always connected to a single server with encrypted traffic.

Accordingly, all devices connect to the laptop's virtual access point.

Installing tun2socks on the system

While your machine still has internet access, download all the required tools.

apt update
apt install git make cmake

Download the badvpn package

git clone https://github.com/ambrop72/badvpn

A badvpn folder will appear on your system. Create a separate folder for the build

mkdir badvpn-build

Go into it

cd badvpn-build

Build tun2socks

cmake ../badvpn -DBUILD_NOTHING_BY_DEFAULT=1 -DBUILD_TUN2SOCKS=1

Install on the system

make install

  • The -DBUILD_NOTHING_BY_DEFAULT=1 flag prevents building all the other components of the badvpn repository.
  • -DBUILD_TUN2SOCKS=1 includes the tun2socks component in the build.
  • make install installs the tun2socks binary on your system at /usr/local/bin/badvpn-tun2socks.

Installing the tun2socks service in systemd

Create the file /etc/systemd/system/tun2socks.service with the following content:

[Unit]
Description=SOCKS TCP Relay

[Service]
ExecStart=/usr/local/bin/badvpn-tun2socks --tundev tun2socks --netif-ipaddr 172.16.1.1 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:9050

[Install]
WantedBy=multi-user.target

  • --tundev takes the name of the virtual interface that we bring up with systemd-networkd.
  • --netif-ipaddr is the network address of the tun2socks "router" that the virtual interface connects to. It is best to give it a separate, reserved subnet.
  • --socks-server-addr takes a socket (address:port of the SOCKS server).

If your SOCKS server requires authentication, you can specify the --username and --password parameters.

Next, register the service

systemctl daemon-reload

And enable it

systemctl enable tun2socks

Before starting the service, we will provide it with a virtual network interface.

Switching to systemd-networkd

Enable systemd-networkd:

systemctl enable systemd-networkd

Disable the current network services.

systemctl disable networking NetworkManager NetworkManager-wait-online

  • NetworkManager-wait-online is a service that waits for an active network connection before systemd goes on to start other services that depend on the network being up. We disable it because we are switching to its systemd-networkd equivalent.

Let's enable that equivalent right away:

systemctl enable systemd-networkd-wait-online

Configuring the wireless interface

Create the systemd-networkd configuration file for the wireless interface, /etc/systemd/network/25-wlp6s0.network.

[Match]
Name=wlp6s0

[Network]
Address=192.168.1.2/24
IPForward=yes

  • Name is the name of your wireless interface. Find it with the command ip a.
  • IPForward is the directive that enables packet forwarding on the interface.
  • Address assigns the IP address to the wireless interface. We set it statically because with the corresponding DHCP=yes directive systemd-networkd would create a default gateway on the system. All traffic would then go through the original gateway rather than through the virtual interface on its separate subnet. You can check the current default gateway with the command ip r.

Creating a static route to the remote SOCKS server

If your SOCKS server is not local but remote, you need to create a static route to it. To do this, add a Route section to the end of the wireless interface configuration file you just created, with the following content:

[Route]
Gateway=192.168.1.1
Destination=0.0.0.0

  • Gateway is the original default gateway, i.e. the address of the original access point.
  • Destination is the address of the SOCKS server; the 0.0.0.0 above stands in for it.

Configuring wpa_supplicant for systemd-networkd

systemd-networkd uses wpa_supplicant to connect to a secured access point. When it tries to bring the wireless interface up, systemd-networkd starts the service wpa_supplicant@name, where name is the name of the wireless interface. If you have not used systemd-networkd before now, this service is most likely missing on your system.

So create it with the command:

systemctl enable wpa_supplicant@wlp6s0

I used wlp6s0 as the name of the wireless interface. Yours may differ. You can find it with the command ip l.

Now the newly created service wpa_supplicant@wlp6s0 will be started when the wireless interface is brought up; it, in turn, will look for the SSID and password of the access point in the file /etc/wpa_supplicant/wpa_supplicant-wlp6s0.conf. So you need to create that file using the wpa_passphrase utility.

To do this, run the command:

wpa_passphrase SSID password > /etc/wpa_supplicant/wpa_supplicant-wlp6s0.conf

where SSID is the name of your access point, password is its password, and wlp6s0 is the name of your wireless interface.

Bringing up the virtual interface for tun2socks

Create a file that makes systemd start the new virtual interface, /etc/systemd/network/25-tun2socks.netdev

[NetDev]
Name=tun2socks
Kind=tun

  • Name is the name systemd-networkd will give the virtual interface when it starts it.
  • Kind is the type of virtual interface. From the name of the tun2socks service you can guess that it uses a tun-type interface.
  • .netdev is the extension of the files systemd-networkd uses to create virtual network interfaces. The addresses and other network settings of these interfaces are defined in .network files.

Create the file /etc/systemd/network/25-tun2socks.network with the following content:

[Match]
Name=tun2socks

[Network]
Address=172.16.1.2/24
Gateway=172.16.1.1

  • Name is the name of the virtual interface you defined in the .netdev file.
  • Address is the IP address that will be assigned to the virtual interface. It must be on the same network as the address you specified in the tun2socks service.
  • Gateway is the IP address of the tun2socks "router", which you defined when creating the systemd service.

So the tun2socks interface has the address 172.16.1.2 and the tun2socks service 172.16.1.1; that is, the service is the gateway for all connections from the virtual interface.
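As an added check that is not part of the original article, the POSIX shell functions below verify two things before the services are restarted: that the Address= in 25-tun2socks.network lies on the subnet given by --netif-ipaddr and --netif-netmask in tun2socks.service (otherwise the virtual interface cannot reach its gateway and nothing is relayed into SOCKS), and which [Route] destinations in the wireless .network file bypass SOCKS through the physical gateway. The function names are my own, and the file paths are passed as arguments so it can be run against copies of the files.

```shell
#!/bin/sh
# Added example (not from the original article): consistency checks for the
# unit and .network files created in this guide.

# Convert a dotted quad such as 172.16.1.1 to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed when $1 and $2 are in the same network under netmask $3.
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# Value following a badvpn-tun2socks option on the ExecStart= line.
service_opt() {  # $1 = unit file, $2 = option, e.g. --netif-ipaddr
    sed -n "s/.*$2[ =]\([^ ]*\).*/\1/p" "$1" | head -n 1
}

# First value of key $2 in the systemd-networkd file $1.
network_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Check that Address= in the .network file ($2) lies on the subnet of
# --netif-ipaddr/--netif-netmask in the service file ($1). Returns 0 or 1.
check_tun_subnet() {
    router=$(service_opt "$1" --netif-ipaddr)
    mask=$(service_opt "$1" --netif-netmask)
    addr=$(network_key "$2" Address)
    addr=${addr%/*}                     # drop the /24 prefix length
    if same_subnet "$router" "$addr" "$mask"; then
        echo "ok: $addr can reach the tun2socks router at $router"
        return 0
    fi
    echo "error: $addr and $router are not on the same subnet ($mask)" >&2
    return 1
}

# Print the Destination= of every [Route] in the wireless .network file:
# these hosts (the SOCKS server, and NTP servers if you add them later)
# leave through the physical gateway, where the provider can see them.
bypass_routes() {
    awk -F= '/^\[Route\]/ { inroute = 1; next }
             /^\[/         { inroute = 0 }
             inroute && $1 == "Destination" { print $2 }' "$1"
}
```

Run `check_tun_subnet /etc/systemd/system/tun2socks.service /etc/systemd/network/25-tun2socks.network` after editing either file, and `bypass_routes /etc/systemd/network/25-wlp6s0.network` whenever you add a static route.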

Configuring the virtual access point

Install the dependencies:

apt install util-linux procps hostapd iw haveged

Clone the create_ap repository onto your machine:

git clone https://github.com/oblique/create_ap

Go into the repository folder:

cd create_ap

Install on the system:

make install

The configuration file /etc/create_ap.conf will appear on your system. These are the main options to edit:

  • GATEWAY=10.0.0.1: it is best to make this a separate, reserved subnet.
  • NO_DNS=1: disable it, since this part will be handled by systemd-networkd.
  • NO_DNSMASQ=1: disable it for the same reason.
  • WIFI_IFACE=wlp6s0: the laptop's wireless interface.
  • INTERNET_IFACE=tun2socks: the virtual interface for tun2socks.
  • SSID=hostapd: the name of the virtual access point.
  • PASSPHRASE=12345678: the password (pick a strong one of your own).

Don't forget to enable the service:

systemctl enable create_ap

Enabling the DHCP server in systemd-networkd

The create_ap service starts by creating a virtual interface named ap0 on the system. Normally dnsmasq is hung off this interface, but why install extra services when systemd-networkd has a built-in DHCP server?

To enable it, we define the network settings for the virtual interface. To do this, create the file /etc/systemd/network/25-ap0.network with the following content:

[Match]
Name=ap0

[Network]
Address=10.0.0.1/24
DHCPServer=yes

[DHCPServer]
EmitDNS=yes
DNS=10.0.0.1
EmitNTP=yes
NTP=10.0.0.1

After the create_ap service brings up the virtual interface ap0, systemd-networkd will automatically assign it an IP address and enable the DHCP server.

The lines EmitDNS=yes and DNS=10.0.0.1 hand the DNS server settings to the devices connected to the access point.

If you do not plan to use a local DNS server (in my case it is dnscrypt-proxy), you can change DNS=10.0.0.1 to DNS=192.168.1.1, where 192.168.1.1 is the address of the original gateway. Then the DNS requests of your host and local network will go unencrypted through the provider's servers.

EmitNTP=yes and NTP=10.0.0.1 hand over the NTP settings in the same way.

The same substitution (NTP=192.168.1.1) applies to the NTP line.

Installing and configuring the NTP server

Install on the system:

apt install ntp

Edit the configuration /etc/ntp.conf. Comment out the addresses of the standard pools:

#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst

Add the addresses of public servers, for example Google Public NTP:

server time1.google.com iburst
server time2.google.com iburst
server time3.google.com iburst
server time4.google.com iburst

Grant clients on your network access to the server:

restrict 10.0.0.0 mask 255.255.255.0

Enable broadcasting to your network:

broadcast 10.0.0.255

Finally, add the addresses of these servers to the static routing table. To do this, open the wireless interface configuration file /etc/systemd/network/25-wlp6s0.network and append Route sections at the end.

[Route]
Gateway=192.168.1.1
Destination=216.239.35.0

[Route]
Gateway=192.168.1.1
Destination=216.239.35.4

[Route]
Gateway=192.168.1.1
Destination=216.239.35.8

[Route]
Gateway=192.168.1.1
Destination=216.239.35.12

You can look up the NTP server addresses with the host utility like this:

host time1.google.com

Installing dnscrypt-proxy, removing ads and hiding DNS traffic from your provider

apt install dnscrypt-proxy

To serve the DNS queries of both the host and the local network, edit the socket unit /lib/systemd/system/dnscrypt-proxy.socket. Change the following lines (note that 0.0.0.0 listens on every interface, including the wireless uplink, not only on ap0):

ListenStream=0.0.0.0:53
ListenDatagram=0.0.0.0:53

Reload systemd:

systemctl daemon-reload

Edit the configuration /etc/dnscrypt-proxy/dnscrypt-proxy.toml:

server_names = ['adguard-dns']

To route the dnscrypt-proxy connections through tun2socks, which relays TCP only, add the line below:

force_tcp = true

Edit the configuration /etc/resolv.conf, which tells the host which DNS servers to use.

nameserver 127.0.0.1
nameserver 192.168.1.1

The first line enables the use of dnscrypt-proxy; the second falls back to the original gateway if the dnscrypt-proxy server is unavailable.

Done!

Reboot, or stop the running network services:

systemctl stop networking NetworkManager NetworkManager-wait-online

And restart everything that is needed:

systemctl restart systemd-networkd tun2socks create_ap dnscrypt-proxy ntp

After a reboot or restart you will have a second access point that routes the host and the LAN devices into SOCKS.

This is what the output of ip a looks like on an ordinary laptop:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tun2socks: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 500
    link/none 
    inet 172.16.1.2/24 brd 172.16.1.255 scope global tun2socks
       valid_lft forever preferred_lft forever
    inet6 fe80::122b:260:6590:1b0e/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether e8:11:32:0e:01:50 brd ff:ff:ff:ff:ff:ff
4: wlp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4c:ed:de:cb:cf:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global wlp6s0
       valid_lft forever preferred_lft forever
    inet6 fe80::4eed:deff:fecb:cf85/64 scope link 
       valid_lft forever preferred_lft forever
5: ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4c:ed:de:cb:cf:86 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global ap0
       valid_lft forever preferred_lft forever
    inet6 fe80::4eed:deff:fecb:cf86/64 scope link 
       valid_lft forever preferred_lft forever

In conclusion

  1. The provider sees an encrypted connection to your SOCKS server, which means it sees nothing else.
  2. It does, however, still see your NTP requests; to prevent that, remove the static routes to the NTP servers. Bear in mind, though, that it is not certain your SOCKS server allows the NTP protocol.

A crutch spotted on Debian 10

If you try to restart the networking service from the console, it will fail with an error. This is because part of it is, in essence, tied to the tun2socks service, which means it is in use. To restart the networking service you must first stop the tun2socks service. But I think that if you have read this far, this will certainly not be a problem for you!


source: www.habr.com