Speeding up OpenVPN on an OpenWrt router. An alternative version without a soldering iron or extremism

Hello. I recently read an old article about how to speed up OpenVPN on a router by offloading the encryption to a separate module soldered into the router itself. My case is the same as that author's: a TP-Link WDR3500 with 128 megabytes of RAM and a weak CPU that simply cannot keep up with an encrypted tunnel. However, I had no wish to go at the router with a soldering iron. Below is my experience of moving OpenVPN onto a separate piece of hardware, with a fallback to the router itself if something goes wrong.

Goal

We have a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnels as usual, and if anything happens to it, the VPN role should fall back to the router. All firewall settings on the router must keep working as before. In general, adding the extra hardware should be transparent and invisible to everyone. OpenVPN runs over TCP, and the TAP adapter is in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use a single physical port on the router and attach every network that has a VPN bridge to the Orange Pi. The result is that the hardware sits on the same networks as the VPN server on the router. Next, we install the same servers on the Orange Pi, and on the router we set up some kind of proxy that sends all incoming connections to the external server, and, if the Orange Pi is dead or absent, to the internal fallback server. I picked HAProxy.

It works like this:

  1. A client arrives
  2. If the external server is absent, the connection goes to the internal server, as before
  3. If it is present, the Orange Pi accepts the client
  4. The VPN on the Orange Pi decrypts the packets and spits them back into the router
  5. The router forwards them onward

Example implementation

So, suppose the router has two networks, main (1) and guest (2), and each of them has an OpenVPN server for connecting from outside.

Network setup

We need to carry both networks over a single port, so we create 2 VLANs.

On the router, in the Network/Switch section, create the VLANs (for example 1 and 2) and enable them in tagged mode on the chosen port, then add the new eth0.1 and eth0.2 interfaces to the corresponding networks (that is, add them to the bridge).

On the Orange Pi we create two VLAN interfaces (I run Archlinux ARM with netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we create two bridges for them.

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). After a reboot the Orange Pi will now sit on both required networks. We pin the addresses of the Orange Pi's interfaces in Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

Setting up the VPN

Next, copy the OpenVPN configuration and keys from the router. The configuration can usually be found in /tmp/etc/openvpn*.conf

By default OpenVPN runs in TAP mode and server-bridge keeps its configuration working. For everything to work, you need to add a script that runs when the connection comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

# exported into the environment of vpn-up.sh so the script knows which bridge to join
setenv profile_name main
# level 2 lets OpenVPN execute external scripts such as the 'up' hook
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN (script-security 2, 'up' directive) once the TAP device exists.
# profile_name comes from the 'setenv profile_name ...' line of the instance's
# config, so the same script serves both the main and the guest instance.

ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as a connection comes up, the vpn-main interface is added to br-main. The guest network is handled the same way, apart from the interface name and the address in server-bridge.
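Before pointing clients at the Orange Pi it is worth confirming that the host layout (the ip addr show output above) and the server-bridge profile agree: the VLAN interface is enslaved to the right bridge, the bridge is up and actually owns the gateway address that server-bridge advertises, the client pool lies inside that subnet, and the up script is allowed to run. The following Python script is an added example and not part of the original article; the ip addr and main.conf samples embedded in it are constructed from the article's own values, and the check_* helper names are mine.

```python
"""Consistency check for the bridge/VLAN layout and a server-bridge OpenVPN profile."""
import ipaddress
import re

# Constructed sample: the `ip addr show` output from the article, trimmed to what matters.
IP_ADDR_OUTPUT = """\
4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
"""

# Constructed sample: the directives from /etc/openvpn/main.conf that the check looks at.
MAIN_CONF = """\
dev vpn-main
dev-type tap
proto tcp
port 443
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh
"""

HEADER = re.compile(r"^\d+: (?P<name>[^:@\s]+)(?:@(?P<parent>[^:\s]+))?: <(?P<flags>[^>]*)>(?P<rest>.*)$")
MASTER = re.compile(r"\bmaster (\S+)")
INET = re.compile(r"^\s+inet (\S+)")


def parse_ip_addr(text):
    """Map interface name -> parent, bridge master, flag set and IPv4 addresses."""
    links, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = m.group("name")
            master = MASTER.search(m.group("rest"))
            links[cur] = {"parent": m.group("parent"), "master": master.group(1) if master else None,
                          "flags": set(m.group("flags").split(",")), "inet": []}
            continue
        m = INET.match(line)
        if m and cur:
            links[cur]["inet"].append(ipaddress.ip_interface(m.group(1)))
    return links


def parse_openvpn_conf(text):
    """Map directive -> argument list; 'setenv NAME VALUE' lines are collected into a dict."""
    conf = {"setenv": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "setenv" and len(args) == 2:
            conf["setenv"][args[0]] = args[1]
        else:
            conf[key] = args
    return conf


def check_profile(links, conf):
    """Return the list of problems found (an empty list means the profile matches the host)."""
    problems = []
    profile = conf["setenv"].get("profile_name")
    if not profile:
        return ["no 'setenv profile_name': vpn-up.sh cannot tell which bridge to join"]
    bridge, vlan = f"br-{profile}", f"vlan-{profile}"
    if bridge not in links or "UP" not in links[bridge]["flags"]:
        problems.append(f"{bridge} is missing or down")
    if links.get(vlan, {}).get("master") != bridge:
        problems.append(f"{vlan} is not enslaved to {bridge}, VPN clients would be cut off from the LAN")
    if conf.get("dev-type") != ["tap"]:
        problems.append("server-bridge only makes sense with 'dev-type tap'")
    if "up" in conf and int(conf.get("script-security", ["0"])[0]) < 2:
        problems.append("'up' script configured but script-security is below 2, OpenVPN will not run it")
    sb = conf.get("server-bridge")
    if not sb or len(sb) != 4:
        problems.append("server-bridge needs four arguments: gateway netmask pool-start pool-end")
        return problems
    gw, mask, start, end = sb
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    bridge_ips = {a.ip for a in links.get(bridge, {}).get("inet", [])}
    if ipaddress.ip_address(gw) not in bridge_ips:
        problems.append(f"server-bridge gateway {gw} is not an address on {bridge}")
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if not (lo in net and hi in net and lo <= hi):
        problems.append(f"client pool {start}-{end} does not fit inside {net}")
    return problems


def check_text(ip_addr_text, conf_text):
    """Convenience wrapper: run the check on raw `ip addr show` output and a raw config file."""
    return check_profile(parse_ip_addr(ip_addr_text), parse_openvpn_conf(conf_text))


if __name__ == "__main__":
    print(check_text(IP_ADDR_OUTPUT, MAIN_CONF) or "main profile is consistent with the host")
```

On a live box, feed it the real output (`ip addr show` piped into a file) and the real config instead of the embedded samples. One thing the check cannot see from ip addr output: the Orange Pi now has an address on both br-main and br-guest, so it straddles the two networks. Unless you intend it to route between them, make sure IP forwarding stays off on the Pi (net.ipv4.ip_forward = 0), so that the guest segment gets no new path into the main one through this host.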

Proxying external requests

At this point the Orange Pi is already able to accept connections and attach clients to the required networks. What remains is to set up proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        # uid/gid 0 keep HAProxy running as root; it only needs that to bind the low ports,
        # so on a hardened build prefer a dedicated user (and chroot) here
        uid 0
        gid 0
        daemon

defaults
        retries 1
        # 'contimeout' is the deprecated spelling of 'timeout connect'
        timeout connect 1000
        # no client/server timeouts on purpose: VPN tunnels are long-lived and OpenVPN's own
        # keepalive tears dead ones down (HAProxy warns about this but treats them as infinite)
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        # preferred backend: the OpenVPN instance on the Orange Pi's guest-VLAN address
        server 0-orange 192.168.2.3:444 check
        # 'backup' is used only while every non-backup server fails its health check;
        # the router's own instance was moved to 4444 so it cannot collide with the bind port
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup

Enjoy

If everything went according to plan, clients will switch over to the Orange Pi, the router's CPU will stop overheating, and VPN throughput will rise noticeably. At the same time, all the network rules configured on the router remain in force. If the Orange Pi fails, it drops out and HAProxy switches clients to the local server.

Thank you for your attention; suggestions and corrections are welcome.

source: www.habr.com
