A story about how I ran a VPN server behind my home provider's NAT (without a public IP address). Let me make a reservation right away: whether this setup works depends directly on the type of NAT your provider uses and on your router.
So, I needed to connect from an Android phone to my home computer. Both devices reach the Internet through provider NATs, and the computer is additionally connected through a router, which also does NAT.
The usual scheme of renting a VPS/VDS with a public IP address, or renting a public IP address from the provider, was not considered for a number of reasons.
Investigation
Running
$ stun stun.sipnet.ru
gave the following result:
STUN client version 0.97
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002
In plain terms: the external address:port assigned to my socket does not depend on the destination I send to (Independent Mapping); once the mapping exists, inbound packets are passed from any source, not only from the host I sent to (Independent Filter); the external port is chosen at random; and the NAT supports hairpinning, i.e. a host behind it can reach another host behind it through the external address.
Running the same command on my PC, I got:
STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006
Port Dependent Filter means that inbound packets are passed only from the address and port that the host itself has already sent to.
The difference in the output shows that my home router makes its own "contribution" to how packets from the Internet are forwarded. This showed up as follows: when I run on the computer
stun stun.sipnet.ru -p 11111 -v
I get the result:
...
MappedAddress = XX.1XX.1X4.2XX:4398
...
At that moment a UDP session is open for a short time. If you send a UDP request to it right then (for example: netcat XX.1XX.1X4.2XX 4398 -u), the request reaches the router, as confirmed by tcpdump running on it, but it does not reach the computer: iptables, acting as the NAT translator on the router, drops it, because the router's filter is port-dependent and only passes replies from the address and port the computer actually sent to.
But the fact that the UDP request passed through the provider's NAT gave hope of success. Since the router is under my control, I solved the problem by forwarding port UDP/11111 to the computer:
iptables -t nat -A PREROUTING -i eth1 -p udp -d 10.1XX.2XX.XXX --dport 11111 -j DNAT --to-destination 192.168.X.XXX
So I was able to open a UDP session and receive requests from the Internet from any IP address. At this point I started the (previously configured) OpenVPN server listening on UDP/11111, entered the external IP address and port (XX.1XX.1X4.2XX:4398) on the phone, and successfully connected from the phone to the computer. But a problem arose with this implementation: the UDP session has to be kept alive somehow until the OpenVPN client connects to the server. I did not like the option of periodically launching the STUN client, since I did not want to put load on the STUN servers.
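The STUN exchange behind the `stun -p 11111` output above, and the netcat probe that followed it, as an added example (this is not the article's code and not the Vovida `stun` client it uses): a minimal RFC 5389 Binding Request sent from the port the service will later listen on, a parser for the (XOR-)MAPPED-ADDRESS attributes in the reply, and a listener that reports whether a datagram from a third party gets through the NAT to that port. The server name stun.sipnet.ru is taken from the article; port 3478 and the address 203.0.113.7 used in the offline test are assumptions.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id):
    """20-byte STUN header, no attributes: type, length, magic cookie, 96-bit txn id."""
    assert len(txn_id) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def _address_attr(attr_type, ip, port):
    """Encode an IPv4 MAPPED-ADDRESS / XOR-MAPPED-ADDRESS attribute as a server would."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if attr_type == ATTR_XOR_MAPPED_ADDRESS:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    value = struct.pack("!xBHI", 0x01, port, addr)  # reserved, family, port, address
    return struct.pack("!HH", attr_type, len(value)) + value


def build_binding_response(txn_id, ip, port):
    """Binding Success Response with both attribute forms (constructed, for offline tests)."""
    body = _address_attr(ATTR_XOR_MAPPED_ADDRESS, ip, port) + _address_attr(ATTR_MAPPED_ADDRESS, ip, port)
    return struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE) + txn_id + body


def parse_binding_response(data, txn_id):
    """Return (ip, port) as seen by the server, preferring XOR-MAPPED-ADDRESS.

    Anything that is not a success response for our own transaction is rejected,
    so a stray datagram cannot be mistaken for the mapping."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a binding success for this transaction")
    attrs = data[20:20 + length]
    if len(attrs) < length:
        raise ValueError("truncated STUN message")
    mapped = xor_mapped = None
    pos = 0
    while pos + 4 <= len(attrs):
        atype, alen = struct.unpack("!HH", attrs[pos:pos + 4])
        value = attrs[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            raise ValueError("truncated attribute")
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 32 bits
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or alen != 8:
            continue
        family, port, addr = struct.unpack("!xBHI", value)
        if family != 0x01:  # IPv4 only in this example
            continue
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
            xor_mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        else:
            mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    result = xor_mapped or mapped
    if result is None:
        raise ValueError("no mapped address in response")
    return result


def discover_mapping(sock, server, timeout=3.0):
    """Send a Binding Request from an already-bound socket and return the external ip:port.
    Binding the socket to the port the real service will use (11111 in the article)
    is what makes the learned mapping the service's mapping."""
    txn_id = os.urandom(12)
    sock.settimeout(timeout)
    sock.sendto(build_binding_request(txn_id), server)
    while True:
        data, src = sock.recvfrom(2048)
        if src == server:
            return parse_binding_response(data, txn_id)


def wait_for_probe(sock, server, timeout=30.0):
    """Wait for a datagram from anyone other than the STUN server (the netcat test in the
    article). Returns the sender's address, or None if nothing arrives within the timeout,
    which means a NAT on the path filters third-party packets to this mapping."""
    sock.settimeout(timeout)
    try:
        while True:
            _, src = sock.recvfrom(2048)
            if src != server:
                return src
    except socket.timeout:
        return None


if __name__ == "__main__":
    server = (socket.gethostbyname("stun.sipnet.ru"), 3478)  # port 3478 is an assumption
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 11111))
        ip, port = discover_mapping(s, server)
        print(f"MappedAddress = {ip}:{port}")
        print("probe received from:", wait_for_probe(s, server, timeout=30))
```

Run it on the host, then send a UDP datagram to the printed address from another network within the timeout. A sender address printed means the mapping is reachable by third parties (Independent Filter); `None` means a port-dependent filter dropped it, which is exactly the router behaviour described above. The classic `stun` client speaks RFC 3489 (no magic cookie); servers that implement RFC 5389 answer both forms.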
I also noticed this entry:
"Hairpinning allows a machine on the local network behind a NAT to reach another machine on the same network through the router's external address."
As a result, I solved the problem of keeping the UDP session alive very simply: I run a client on the same computer as the server.
It works like this:
- launch the STUN client on local port 11111
- receive a response with the external IP address and port XX.1XX.1X4.2XX:4398
- send the external IP address and port by e-mail (any service will do) to a mailbox configured on the phone
- launch the OpenVPN server on the computer, listening on UDP/11111
- launch an OpenVPN client on the same computer, specifying XX.1XX.1X4.2XX:4398 as the address to connect to
- at any time, launch the OpenVPN client on the phone, specifying that IP address and port (in my case the IP address did not change), and connect.
This way I was able to connect to my computer from my phone. This implementation lets any OpenVPN client connect.
Implementation
You will need:
# apt install openvpn stun-client sendemail
After writing two scripts and two configuration files, and generating the necessary certificates (the client on the phone only works with certificates), I had a working OpenVPN server setup.
Main script on the computer
# cat vpn11.sh
#!/bin/bash
# Learn the provider-NAT mapping of UDP/11111 via STUN, start the OpenVPN server on that
# port, mail the external address, then keep the mapping alive with a local client that
# connects to the external address (hairpinning through the provider NAT). Repeat on loss.

# Wait until the host has a route to the Internet.
until [[ -n "$iftosrv" ]]; do
    echo "$(date) Determining the network interface"
    iftosrv=$(ip route get 8.8.8.8 | head -n 1 | sed 's|.*dev ||' | awk '{print $1}')
    sleep 5
done

DIR=$(dirname "$(readlink -f "$0")")
localport=11111
pidfile="$DIR/server.pid"

while true; do
    # The STUN request must leave from the port the server will listen on, so the
    # mapping we learn is the one the server will be reachable through.
    address=$(stun stun.sipnet.ru -v -p "$localport" 2>&1 | grep "MappedAddress" | sort -u | head -n 1 | sed 's/:/ /g' | awk '{print $3" "$4}')
    ip=$(echo "$address" | awk '{print $1}')
    port=$(echo "$address" | awk '{print $2}')
    if [[ -z "$ip" || -z "$port" ]]; then
        echo "$(date) STUN returned no mapped address, retrying in 15 s"
        sleep 15
        continue
    fi

    openvpn --config "$DIR/server.conf" --port "$localport" --daemon --writepid "$pidfile"
    echo "$(date) Server started with external address $ip:$port"
    "$DIR/sendemail.sh" "OpenVPN-Server" "$ip:$port"
    sleep 1

    # The local client's keepalives refresh the NAT mapping; it exits (ping-exit in
    # client.conf) when the server stops answering, i.e. when the mapping is gone.
    openvpn --config "$DIR/client.conf" --remote "$ip" --port "$port"
    echo "$(date) Client connection to the server was lost"

    if [[ -r "$pidfile" ]]; then
        kill "$(cat "$pidfile")" && echo "$(date) Stopped server process $(cat "$pidfile")"
        rm -f "$pidfile"
    fi
    echo "Waiting 15 s"
    sleep 15
done
Script for sending the data by e-mail:
# cat sendemail.sh
#!/bin/bash
# Mails the current external address to the phone. Keep this file readable only by
# root (chmod 600): it holds the mailbox password in clear text.
from="sender address"
pass="password"
to="recipient address"
subject="$1"
message="$2"
server="smtp.yandex.ru:587"
sendEmail -o tls=yes -f "$from" -t "$to" -s "$server" -xu "$from" -xp "$pass" -u "$subject" -m "$message"
Server configuration file:
# cat server.conf
proto udp
dev tun
ca /home/vpn11-srv/ca.crt
cert /home/vpn11-srv/server.crt
key /home/vpn11-srv/server.key
dh /home/vpn11-srv/dh2048.pem
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
tls-server
tls-auth /home/vpn11-srv/ta.key 0
tls-timeout 60
auth SHA256
cipher AES-256-CBC
client-to-client
keepalive 10 30
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
log /var/log/vpn11-server.log
verb 3
mute 20
Client configuration file:
# cat client.conf
client
dev tun
proto udp
ca "/home/vpn11-srv/ca.crt"
cert "/home/vpn11-srv/client1.crt"
key "/home/vpn11-srv/client1.key"
tls-client
tls-auth "/home/vpn11-srv/ta.key" 1
auth SHA256
cipher AES-256-CBC
auth-nocache
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log /var/log/vpn11-clent.log
verb 3
mute 20
ping 10
ping-exit 30
The certificates were generated using
Make the script executable and run it:
# chmod +x vpn11.sh
# ./vpn11.sh
On the phone side
After installing the OpenVPN application for Android, copying the configuration file and certificates and setting it up, it looks like this:
- I check my mail on the phone
- I correct the port number in the settings
- I launch the client and connect
While writing this article I moved the setup from my computer to a Raspberry Pi 3 and tried to run the whole thing over an LTE modem, but it did not work! The result of the command
# stun stun.ekiga.net -p 11111
STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006
shows that the Port Dependent Filter on the LTE provider's NAT did not let the scheme start: packets from the phone never reach the mapping, because they do not come from the STUN server's address and port.
But the home provider allowed the scheme to start on the Raspberry Pi 3 without any problems.
Together with a webcam, and VLC to create an RTSP stream from it:
$ cvlc v4l2:///dev/video0:chroma=h264 :input-slave=alsa://hw:1,0 --sout '#transcode{vcodec=x264,venc=x264{preset=ultrafast,profile=baseline,level=31},vb=2048,fps=12,scale=1,acodec=mpga,ab=128,channels=2,samplerate=44100,scodec=none}:rtp{sdp=rtsp://10.2.0.1:8554/}' --no-sout-all --sout-keep
and VLC on the phone for viewing (stream rtsp://10.2.0.1:8554/), this turns into a decent remote video surveillance system. You can also install Samba, route traffic through the VPN, manage the computer, and much more.
Conclusion
As practice has shown, to set up a VPN server you can do without a paid external IP address or a rented VPS/VDS. But everything depends on the provider. Of course, I would like to gather more information about providers and the NAT types they use, but this is only the beginning...
Thank you for your attention!
source: www.habr.com