VPN to home LAN

TL;DR: I installed Wireguard on a VPS, connected to it from my home router running OpenWRT, and reached my home subnet from my phone.

If you keep your personal infrastructure on a home server or have many IP-controlled devices at home, you probably want to reach them from work, from the bus, the train and the metro. Most often, for this kind of task, an IP is bought from the provider, after which the ports of each service are forwarded to the outside.

Instead, I set up a VPN with access to the home LAN. The advantages of this solution:

  • Transparency: I feel at home under any circumstances.
  • Freedom: set it up and forget it, no need to think about forwarding each port.
  • Cost: I already have a VPS; for tasks like this, a modern VPN is almost free in terms of resources.
  • Security: nothing sticks out, you can leave MongoDB without a password and nobody will steal your data.

As always, there are downsides. First, you have to configure each client separately, including on the server side. This can be inconvenient if you have a large number of devices from which you want to access services. Second, you may have a LAN with the same range at work, and you will have to solve that problem.

We need:

  1. A VPS (in my case on Debian 10).
  2. An OpenWRT router.
  3. A phone.
  4. A home server with some web service for testing.
  5. Straight hands.

The VPN technology I will use is Wireguard. This solution also has strengths and weaknesses; I will not describe them. For the VPN I use the subnet 192.168.99.0/24, and at home I have 192.168.0.0/24.

VPS configuration

Even the poorest VPS for 30 rubles a month is enough for the job, if you are lucky enough to snag one.

I perform all operations on the server as root on a clean machine; if necessary, add 'sudo' and adapt the commands.

Wireguard had not made it into stable in time, so I run 'apt edit-sources' and add the backports as two lines at the end of the file:

deb http://deb.debian.org/debian/ buster-backports main
# deb-src http://deb.debian.org/debian/ buster-backports main

The package is installed in the usual way: apt update && apt install wireguard.

Next, we generate a key pair: wg genkey | tee /etc/wireguard/vps.private | wg pubkey | tee /etc/wireguard/vps.public. Repeat this operation two more times, for each device taking part in the scheme. Change the paths to the key files for the other device and do not forget about the security of the private keys.

Now we prepare the config. The following config goes into the file /etc/wireguard/wg0.conf:

[Interface]
Address = 192.168.99.1/24
ListenPort = 57953
PrivateKey = 0JxJPUHz879NenyujROVK0YTzfpmzNtbXmFwItRKdHs=

[Peer] # OpenWRT
PublicKey = 36MMksSoKVsPYv9eyWUKPGMkEs3HS+8yIUqMV8F+JGw=
AllowedIPs = 192.168.99.2/32,192.168.0.0/24

[Peer] # Smartphone
PublicKey = /vMiDxeUHqs40BbMfusB6fZhd+i5CIPHnfirr5m3TTI=
AllowedIPs = 192.168.99.3/32

The [Interface] section holds the settings of the machine itself, and [Peer] holds the settings for those who will connect to it. AllowedIPs lists, separated by commas, the subnets that will be routed to the corresponding peer. Because of this, the peers of "client" devices in the VPN subnet must have a /32 mask; everything else will be routed by the server. Since the home network will be routed through OpenWRT, we add the home subnet to AllowedIPs of the corresponding peer. In PrivateKey and PublicKey, place the private key generated for the VPS and the public keys of the peers, respectively.
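How the VPS applies the AllowedIPs entries described above, as an added example (not part of the original article and not WireGuard's own code): the peer for an outgoing packet is chosen by longest prefix, the same table filters the source address of incoming packets, and overlapping entries between peers are flagged. The sample config is constructed with placeholder keys, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample mirroring the AllowedIPs of the VPS config above;
# the keys are placeholders, not real key material.
SERVER_CONF = """
[Interface]
Address = 192.168.99.1/24

[Peer] # OpenWRT
PublicKey = <router-public-key>
AllowedIPs = 192.168.99.2/32,192.168.0.0/24

[Peer] # Smartphone
PublicKey = <phone-public-key>
AllowedIPs = 192.168.99.3/32
"""

def parse_peers(text):
    """Return {peer label: [ip_network, ...]} from a wg-quick style config."""
    peers, current = {}, None
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        line = line.strip()
        if line.startswith("["):
            current = None
            if line.lower() == "[peer]":
                current = comment.strip() or f"peer{len(peers) + 1}"
                peers[current] = []
        elif current and line.lower().startswith("allowedips"):
            for item in line.split("=", 1)[1].split(","):
                peers[current].append(ipaddress.ip_network(item.strip(), strict=False))
    return peers

def route(peers, ip):
    """Peer an outgoing packet to `ip` is encrypted for (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, nets in peers.items()
            for net in nets if addr in net]
    return max(hits)[1] if hits else None

def accepts(peers, sender, src_ip):
    """Inbound: keep a packet only if its source IP routes back to its sender."""
    return route(peers, src_ip) == sender

def overlaps(peers):
    """Pairs of different peers whose AllowedIPs overlap (worth reviewing)."""
    items = [(n, net) for n, nets in peers.items() for net in nets]
    return sorted({(a, b) for i, (a, x) in enumerate(items)
                   for b, y in items[i + 1:] if a != b and x.overlaps(y)})
```

Replacing the phone's 192.168.99.3/32 with 192.168.99.0/24 makes overlaps() report the OpenWRT/Smartphone pair, which is why client peers get a /32 mask.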

On the VPS, all that remains is to run the command that brings up the interface and adds it to autostart: systemctl enable --now wg-quick@wg0. The current connection status can be checked with the wg command.

OpenWRT configuration

Everything you need for this stage is in the luci module (the OpenWRT web interface). Log in and open the Software tab in the System menu. OpenWRT does not keep a cache on the device, so you need to refresh the list of available packages by clicking the green Update lists button. When that finishes, type luci-app-wireguard into the filter and, looking at the window with the beautiful dependency tree, install this package.

In the Network menu, select Interfaces and click the green Add New Interface button under the list of existing ones. After you enter a name (also wg0 in my case) and select the WireGuard VPN protocol, a settings form with four tabs opens.

On the General Settings tab, you need to enter the private key and the IP address prepared for OpenWRT, together with the subnet.

On the Firewall Settings tab, attach the interface to the local network. This way, connections from the VPN will enter the local zone freely.

On the Peers tab, click the only button, after which you fill in the VPS server data in the updated form: the public key and Allowed IPs (the whole VPN subnet needs to be routed to the server). In Endpoint Host and Endpoint Port, enter the IP address of the VPS and the port specified earlier in the ListenPort directive, respectively. Tick Route Allowed IPs so that the routes are created. And be sure to fill in Persistent Keep Alive, otherwise the tunnel from the VPS to the router will break if the latter is behind NAT.

After that, you can save the settings, and then on the page with the list of interfaces click Save & Apply. If necessary, start the interface explicitly with the Restart button.

Setting up the smartphone

You need the Wireguard client; it is available in F-Droid, Google Play and the App Store. After opening the application, tap the plus sign and in the Interface section enter the connection name, the private key (the public key is generated automatically) and the phone's address with a /32 mask. In the Peer section, specify the public key of the VPS, the address:port pair of the VPN server as the Endpoint, and the routes to the VPN and home subnets.

[Large screenshot from the phone]

Tap the floppy disk in the corner, switch it on and...

Done

Now you can reach your home monitoring, change the router's settings, or do anything else at the IP level.

[Screenshots from the local zone]

source: www.habr.com