Running a VPN server behind the provider's NAT

A story about how I ran a VPN server behind my home provider's NAT (without a public IP address). Let me make one reservation right away: whether this setup works depends directly on the kind of NAT your provider uses and on your router.
So, I needed to connect from an Android mobile phone to my home computer; both devices reach the Internet through provider NATs, and the computer additionally sits behind a home router, which also does NAT.
The standard scheme of renting a VPS/VDS with a public IP address, or renting a public IP address from the provider, was not considered for a number of reasons.
Drawing on experience from previous articles, after many experiments with STUN and providers' NATs, I decided to run a small experiment by executing a command on my home router, which runs OpenWRT firmware:

$ stun stun.sipnet.ru

and got the result:

STUN client version 0.97
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002

What these terms mean:
Independent Mapping - the NAT gives a local socket the same external ip:port no matter which destination it sends to
Independent Filter - once that mapping exists, any external host may send packets to it
random port - the external port is not the same as the internal one
will hairpin - the NAT supports hairpinning
Running the same command on my PC, I got:

STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006

Port Dependent Filter - only the external address and port that the local socket has already sent to may send packets back through the mapping
The difference between the two outputs shows that the home router adds its own "contribution" to how packets from the Internet are passed on. It shows up like this: when I run the following command on the computer:

stun stun.sipnet.ru -p 11111 -v

I get the result:

...
MappedAddress = XX.1XX.1X4.2XX:4398
...

At this moment a temporary UDP mapping is open. If you send a UDP packet to it right now (for example: netcat XX.1XX.1X4.2XX 4398 -u), the packet reaches the router, which tcpdump running on the router confirms, but it does not reach the computer: iptables, acting as the NAT translator on the router, drops it.
But the fact that the UDP packet made it through the provider's NAT gave hope for success. Since the router is under my control, I solved the problem by forwarding UDP port 11111 to the computer:

iptables -t nat -A PREROUTING -i eth1 -p udp -d 10.1XX.2XX.XXX --dport 11111 -j DNAT --to-destination 192.168.X.XXX

This way I was able to open a UDP session and receive packets from the Internet from any IP address. At this point I launched the OpenVPN server (configured earlier) listening on UDP/11111, entered the external IP address and port (XX.1XX.1X4.2XX:4398) on the mobile phone, and successfully connected from the phone to the computer. But this setup had a problem: the UDP session somehow had to be kept alive until the OpenVPN client connected to the server. I did not like the option of launching the STUN client periodically; I did not want to put load on STUN servers.
I also paid attention to the "will hairpin" entry; this condition

Hairpinning allows a machine on the local network behind NAT to reach another machine on the same network via the router's external address.

As a result, I solved the problem of keeping the UDP session alive in a simple way: I launched the client on the same computer as the server.
It worked like this:

  • launch the STUN client from local port 11111
  • receive the response with the external IP address and port XX.1XX.1X4.2XX:4398
  • send the external IP address and port by e-mail (any service will do) to an account set up on the phone
  • launch the OpenVPN server on the computer, listening on UDP/11111
  • launch the OpenVPN client on the computer, specifying XX.1XX.1X4.2XX:4398 as the endpoint to connect to
  • at any time, launch the OpenVPN client on the mobile phone with that IP address and port (in my case the IP address never changed) and connect.
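The first two steps of that procedure (asking a STUN server which external ip:port the provider's NAT mapped local UDP/11111 to) as an added Python example, not code from the original article: it builds an RFC 5389 Binding Request, parses the XOR-MAPPED-ADDRESS or MAPPED-ADDRESS attribute of the response, and rejects a response whose transaction id does not match. The STUN port 3478 is the standard one; the sample response is constructed here, so the parsing part runs offline.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020


def build_binding_request(txid):
    """RFC 5389 Binding Request: a 20-byte header and no attributes."""
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def parse_binding_response(data, txid):
    """Return the (ip, port) the STUN server saw, i.e. the NAT's external mapping.
    Prefers XOR-MAPPED-ADDRESS and falls back to MAPPED-ADDRESS (RFC 3489 servers)."""
    msg_type, length, cookie, rx_txid = struct.unpack("!HHI12s", data[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or rx_txid != txid:
        raise ValueError("not the Binding success response for our transaction")
    body, pos, found = data[20:20 + length], 0, {}
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and value[1] == 0x01:
            port, addr = struct.unpack("!HI", value[2:8])  # IPv4 only
            if atype == ATTR_XOR_MAPPED_ADDRESS:  # undo the XOR with the magic cookie
                port, addr = port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
            found[atype] = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    for atype in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
        if atype in found:
            return found[atype]
    raise ValueError("no mapped address attribute in response")


def discover_mapping(stun_host, local_port=11111, stun_port=3478, timeout=3.0):
    """Send one Binding Request from a fixed local UDP port (what `stun -p 11111` does)
    and return the external ip:port the provider NAT assigned to it. Needs the network."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", local_port))
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (stun_host, stun_port))
        data, _ = s.recvfrom(2048)
    return parse_binding_response(data, txid)


def sample_response(txid, ip, port):
    """Constructed sample: a Binding success response carrying XOR-MAPPED-ADDRESS."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr
```

Binding the socket to the same local port the OpenVPN server will listen on matters: the mapping the NAT creates belongs to that ip:port pair, which is why the script below passes `-p $localport` to stun.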

In this way I was able to connect to my computer from my mobile phone. This setup lets you connect any OpenVPN client.

Implementation

You need:

# apt install openvpn stun-client sendemail

After writing two scripts and two configuration files, and generating the necessary certificates (the client on the mobile phone works only with certificates), we get a working OpenVPN server setup.

The main script on the computer

# cat vpn11.sh

#!/bin/bash
# Wait until a default route exists (the interface name itself is not used later).
until [[ -n "$iftosrv" ]]; do echo "$(date) Определяю сетевой интерфейс"; iftosrv=`ip route get 8.8.8.8 | head -n 1 | sed 's|.*dev ||' | awk '{print $1}'`; sleep 5; done
ABSOLUTE_FILENAME=`readlink -f "$0"`
DIR=`dirname "$ABSOLUTE_FILENAME"`
localport=11111
# $a is never set, so this loop runs forever: each pass opens a NAT mapping,
# starts the server, keeps the mapping alive with a local client, then restarts.
until [[ $a ]]; do
	# Ask the STUN server which external ip:port the NAT mapped local UDP/11111 to.
	address=`stun stun.sipnet.ru -v -p $localport 2>&1 | grep "MappedAddress" | sort | uniq | head -n 1 | sed 's/:/ /g' | awk '{print $3" "$4}'`
	ip=`echo "$address" | awk '{print $1}'`
	port=`echo "$address" | awk '{print $2}'`
	# Start the OpenVPN server on the same local port the STUN request was sent from.
	srv="openvpn --config $DIR/server.conf --port $localport --daemon"
	$srv
	echo "$(date) Сервер запущен с внешним адресом $ip:$port"
	# Mail the external ip:port to the account read on the phone.
	$DIR/sendemail.sh "OpenVPN-Server" "$ip:$port"
	sleep 1
	# Local client connects through the external address (relies on hairpinning);
	# its traffic keeps the UDP mapping open. Blocks until the tunnel drops.
	openvpn --config $DIR/client.conf --remote $ip --port $port
	echo "$(date) Cоединение клиента с сервером разорвано"
	# Stop the server and start over with a fresh mapping.
	for i in `ps xa | grep "$srv" | grep -v grep | awk '{print $1}'`; do
		kill $i && echo "$(date) Завершен процесс сервера $i ($srv)"
	done
	echo "Жду 15 сек"
	sleep 15
done

Script for sending the data by e-mail:

# cat sendemail.sh 

#!/bin/bash
from="От кого"    # sender mailbox (placeholder)
pass="Пароль"     # its SMTP password (placeholder)
to="Кому"         # recipient account read on the phone (placeholder)
theme="$1"        # subject
message="$2"      # body: the external ip:port
server="smtp.yandex.ru:587"
# sendEmail (from the sendemail package) with STARTTLS and SMTP authentication
sendEmail -o tls=yes -f "$from" -t "$to" -s "$server" -xu "$from" -xp "$pass" -u "$theme" -m "$message"

Server configuration file:

# cat server.conf

proto udp
dev tun
ca      /home/vpn11-srv/ca.crt
cert    /home/vpn11-srv/server.crt
key     /home/vpn11-srv/server.key
dh      /home/vpn11-srv/dh2048.pem
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
tls-server
tls-auth /home/vpn11-srv/ta.key 0
tls-timeout 60
auth    SHA256
cipher  AES-256-CBC
client-to-client
keepalive 10 30
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
log /var/log/vpn11-server.log
verb 3
mute 20

Client configuration file:

# cat client.conf

client
dev tun
proto udp
ca      "/home/vpn11-srv/ca.crt"
cert    "/home/vpn11-srv/client1.crt"
key     "/home/vpn11-srv/client1.key"
tls-client
tls-auth "/home/vpn11-srv/ta.key" 1
auth SHA256
cipher AES-256-CBC
auth-nocache
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log /var/log/vpn11-clent.log
verb 3
mute 20
ping 10
ping-exit 30
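
A small consistency check over the two configuration files above, as an added Python example that is not part of the original article: it parses OpenVPN option lines, verifies that the options both ends must agree on match, that the tls-auth key directions are complementary (0 on the server, 1 on the client), and flags two settings a reviewer would raise today, comp-lzo (compression of VPN traffic is deprecated because of VORACLE-style attacks) and a CBC cipher where AES-256-GCM gives authenticated encryption. The embedded excerpts are constructed copies of the relevant lines from server.conf and client.conf.

```python
import re

# Constructed excerpts of server.conf and client.conf (only the options checked below).
SERVER_CONF = """
proto udp
dev tun
tls-auth /home/vpn11-srv/ta.key 0
auth    SHA256
cipher  AES-256-CBC
comp-lzo
"""
CLIENT_CONF = """
client
dev tun
proto udp
tls-auth "/home/vpn11-srv/ta.key" 1
auth SHA256
cipher AES-256-CBC
comp-lzo
"""


def parse_openvpn(text):
    """Map each option name to its argument list (quotes stripped, comments ignored)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = re.findall(r'"[^"]*"|\S+', line)
            opts[name] = [a.strip('"') for a in args]
    return opts


def check_pair(server_text, client_text):
    """Return findings for a server/client pair; empty means consistent and no weak setting."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    findings = []
    for opt in ("proto", "dev", "cipher", "auth"):  # must match on both ends
        if s.get(opt) != c.get(opt):
            findings.append(f"{opt} differs: server={s.get(opt)} client={c.get(opt)}")
    # tls-auth key directions must be complementary: 0 on the server, 1 on the client
    if s.get("tls-auth", [])[1:] != ["0"] or c.get("tls-auth", [])[1:] != ["1"]:
        findings.append("tls-auth key directions are not 0 (server) / 1 (client)")
    if "comp-lzo" in s or "comp-lzo" in c:
        findings.append("comp-lzo: compressing VPN traffic is deprecated (VORACLE)")
    if s.get("cipher", [""])[0].endswith("-CBC"):
        findings.append("cipher is CBC mode; AES-256-GCM gives authenticated encryption")
    return findings
```

Run against the excerpts above it reports only the comp-lzo and CBC findings; a tls-auth direction typo on either side, which makes the handshake fail silently behind tls-auth, is reported as well.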

The certificates were generated using this article.
Running the script:

# ./vpn11.sh

First make it executable:

# chmod +x vpn11.sh

On the mobile phone side

Having installed the OpenVPN application for Android, copied the configuration file and certificates, and configured it, it looks like this:
I check my e-mail on the mobile phone
I edit the port number in the settings
I launch the client and connect

While writing this article, I moved the configuration from my computer to a Raspberry Pi 3 and tried to run everything over an LTE modem, but it did not work! The result of the command

# stun stun.ekiga.net -p 11111

STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006

means that the Port Dependent Filter does not let the scheme start.
But the home provider let the scheme start on the Raspberry Pi 3 without any problems.
Combined with a webcam and VLC to create an RTSP stream from the webcam

$ cvlc v4l2:///dev/video0:chroma=h264 :input-slave=alsa://hw:1,0 --sout '#transcode{vcodec=x264,venc=x264{preset=ultrafast,profile=baseline,level=31},vb=2048,fps=12,scale=1,acodec=mpga,ab=128,channels=2,samplerate=44100,scodec=none}:rtp{sdp=rtsp://10.2.0.1:8554/}' --no-sout-all --sout-keep

and VLC on the mobile phone for viewing (stream rtsp://10.2.0.1:8554/), this became a decent remote video surveillance system; you can also install Samba, route traffic through the VPN, control your computer, and much more.

Conclusion

As practice has shown, you can set up a VPN server without an external IP address you have to pay for, such as a rented VPS/VDS. But it all depends on the provider. Of course, I would like to gather more information about providers and the NAT types they use, but this is just the beginning...
Thank you for your attention!

source: www.habr.com
