Running OpenVPN off an OpenWrt router. An alternative to the soldering iron and hardware extremism

Hello everyone. I recently read an old article about speeding up OpenVPN on a router by offloading the encryption to a separate hardware module soldered into the router itself. I have a situation similar to the author's: a TP-Link WDR3500 with 128 megabytes of RAM and a weak processor that cannot cope with tunnel encryption. However, I had no desire at all to go into the router with a soldering iron. Below is my experience of moving OpenVPN to a separate piece of hardware, with fallback to the router if that hardware fails.

Goal

We have a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to handle the tunnels in normal operation, and if anything happens to it, the VPN function should fall back to the router. All firewall settings on the router must keep working exactly as before. More generally, the added device should be as invisible as possible to everyone. OpenVPN runs over TCP, and the TAP adapter is in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one of the router's switch ports and deliver every subnet that has a VPN bridge to the Orange Pi. The extra hardware then sits physically on the same networks as the VPN server on the router. After that, we install the same servers on the Orange Pi, and on the router we set up a proxy that forwards all incoming connections to the external server, and, if the Orange Pi is dead or unreachable, to the local fallback server. I used HAProxy.

It works like this:

  1. A client connects
  2. If the external server is unavailable, the connection goes to the local server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. The VPN on the Orange Pi decrypts the packets and hands them back into the router's network
  5. The router routes them wherever they need to go

Example implementation

So, suppose there are two networks on the router, main (1) and guest (2), and each of them has an OpenVPN server for connecting from outside.

Network setup

We need to bring both networks up over a single port, so we create 2 VLANs.

On the router, in the Network/Switch section, create the VLANs (for example 1 and 2), set them to tagged mode on the chosen port, and add the newly created eth0.1 and eth0.2 to the corresponding networks (for example, add them to the bridge).

On the Orange Pi we create two VLAN interfaces (I run Archlinux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And immediately create two bridges on top of them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). After a reboot the Orange Pi now sits on both required networks. We pin the Orange Pi's addresses under Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

Setting up the VPN

Next, copy the OpenVPN configs and keys from the router. The configs can be found at /tmp/etc/openvpn*.conf

By default, openvpn running in TAP mode with server-bridge does not manage its interface itself. For everything to work, you need to add a script that runs when the connection comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN through the "up" directive (requires script-security 2)
# once the TAP device exists. $profile_name comes from the matching
# "setenv profile_name ..." line in the .conf file.

ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, when a connection comes up, the vpn-main interface is added to br-main. The guest network is set up the same way, differing only in the interface name and the address range in server-bridge.
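One operational consequence of putting HAProxy in front of the Orange Pi deserves a check of its own: HAProxy in TCP mode opens a fresh connection from the router's own address, so the "Real Address" that OpenVPN records for every client in its status file (the status /tmp/openvpn.main.status line in main.conf) is the router, not the peer on the Internet. The parser below is an added example, not code from the article; it reads the default status-version 1 format and flags sessions whose source is a proxy so they can be correlated with the proxy's own log. The sample status content, the client names and MAC addresses, and the assumption that the router is 192.168.1.1 (taken from the dhcp-option DNS line) are all constructed.

```python
"""Parse an OpenVPN status file (status-version 1) and flag proxied sessions.

Added example, not from the article. The sample below is constructed; in TAP
mode the routing table holds client MAC addresses rather than IPs.
"""
import csv
import io

# Constructed sample of what OpenVPN writes to /tmp/openvpn.main.status when
# every client arrives through HAProxy on the router (192.168.1.1, assumed).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Jun  1 12:00:00 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,192.168.1.1:51512,1200,3400,Mon Jun  1 11:50:00 2020
bob,192.168.1.1:51530,88000,420000,Mon Jun  1 11:55:10 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
7a:1f:03:c4:9d:21,alice,192.168.1.1:51512,Mon Jun  1 11:59:58 2020
1c:6b:a0:55:e2:07,bob,192.168.1.1:51530,Mon Jun  1 11:59:59 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

BYTE_FIELDS = ("Bytes Received", "Bytes Sent")


def parse_status(text):
    """Return {'updated': str, 'clients': [dict], 'routes': [dict]}.

    The file is CSV with section markers on their own line; each section is
    followed by a header row that names the columns of the rows after it.
    """
    sections = {"clients": [], "routes": []}
    updated, current, header = None, None, None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        key = row[0]
        if key == "OpenVPN CLIENT LIST":
            current, header = "clients", None
        elif key == "ROUTING TABLE":
            current, header = "routes", None
        elif key in ("GLOBAL STATS", "END"):
            current = None
        elif key == "Updated":
            updated = row[1]
        elif current and header is None:
            header = row
        elif current:
            entry = dict(zip(header, row))
            for field in BYTE_FIELDS:
                if field in entry:
                    entry[field] = int(entry[field])
            sections[current].append(entry)
    return {"updated": updated, **sections}


def proxied_sessions(status, proxy_hosts):
    """Return (common name, real address) for clients whose source is a proxy.

    For these sessions the status file does not reveal the true peer IP; the
    router's HAProxy log is the only place the mapping exists.
    """
    flagged = []
    for client in status["clients"]:
        host = client["Real Address"].rsplit(":", 1)[0]
        if host in proxy_hosts:
            flagged.append((client["Common Name"], client["Real Address"]))
    return flagged


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    for name, addr in proxied_sessions(parsed, {"192.168.1.1"}):
        print(f"{name}: seen from proxy {addr}, check HAProxy log for the real peer")
```

On the live system, replace SAMPLE_STATUS with the contents of /tmp/openvpn.main.status; the fallback server on the router itself still sees real peer addresses, so the same check distinguishes sessions served locally from sessions served by the Orange Pi.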

Redirecting external requests and proxying

At this point the Orange Pi can already accept connections and attach clients to the required networks. All that remains is to set up proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        # uid/gid 0 keep HAProxy running as root after the ports are bound;
        # a dedicated unprivileged user is safer if the OpenWrt build allows it.
        uid 0
        gid 0
        daemon

defaults
        retries 1
        # "contimeout" is deprecated and removed in recent HAProxy releases;
        # "timeout connect" is its replacement. Client/server idle timeouts are
        # required as well; OpenVPN's "keepalive 10 60" keeps traffic flowing
        # well inside 5 minutes, so idle sessions are not cut.
        timeout connect 1s
        timeout client 5m
        timeout server 5m
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
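To see exactly what the "check" / "check backup" pair buys you before trusting it on the router, the following added example (not code from the article and not HAProxy itself) reproduces the layer-4 failover in a few dozen lines of Python: each incoming connection is tried against the primary backend and, if that TCP connect fails, handed to the backup. Two throwaway local listeners that echo their name stand in for the OpenVPN servers on the Orange Pi and on the router; their ports, the timeouts and the echo protocol are constructed. It also makes the limitation concrete: the check only proves a listener accepts TCP, so an Orange Pi whose openvpn process still accepts connections but no longer bridges traffic is not detected as failed.

```python
"""Minimal layer-4 proxy with a primary and a backup backend (added example).

Mirrors the "server 0-orange ... check" / "server 1-local ... check backup"
pair in haproxy.cfg; the tagged echo backends are constructed stand-ins.
"""
import socket
import threading

CONNECT_TIMEOUT = 1.0  # seconds; the same idea as "timeout connect" in haproxy.cfg


def choose_backend(primary, backup, timeout=CONNECT_TIMEOUT):
    """Return (name, connected socket) for the first backend accepting TCP.

    A layer-4 check proves only that something answered on the port, not that
    the VPN behind it works; that is the whole extent of the fallback logic.
    """
    for name, addr in (("primary", primary), ("backup", backup)):
        try:
            return name, socket.create_connection(addr, timeout=timeout)
        except OSError:
            continue
    raise ConnectionError("no backend available")


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _accept_loop(sock, handler, stop_event):
    sock.settimeout(0.2)  # wake up periodically so stop_event is noticed
    while not stop_event.is_set():
        try:
            conn, _ = sock.accept()
        except socket.timeout:
            continue
        except OSError:
            break
        threading.Thread(target=handler, args=(conn,), daemon=True).start()
    sock.close()  # closed by this thread, so the port is free once stop() returns


def start_listener(handler):
    """Serve an ephemeral 127.0.0.1 port on a thread; returns (port, stop_function)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(16)
    stop_event = threading.Event()
    thread = threading.Thread(target=_accept_loop, args=(sock, handler, stop_event), daemon=True)
    thread.start()

    def stop():
        stop_event.set()
        thread.join()

    return sock.getsockname()[1], stop


def start_backend(tag):
    """Constructed stand-in for a VPN listener: replies b'<tag>:' + request, then closes."""
    def handle(conn):
        with conn:
            data = conn.recv(4096)
            if data:
                conn.sendall(tag.encode() + b":" + data)
    return start_listener(handle)


def start_proxy(primary, backup):
    """Proxy each accepted client to primary if it accepts TCP, otherwise to backup."""
    def handle(client):
        try:
            _, upstream = choose_backend(primary, backup)
        except ConnectionError:
            client.close()
            return
        upstream.settimeout(None)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        upstream.close()
        client.close()
    return start_listener(handle)


def ask(port, payload=b"hello"):
    """Send payload through the proxy on 127.0.0.1:port and return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        return s.recv(4096)


if __name__ == "__main__":
    p_port, stop_primary = start_backend("orange")
    b_port, stop_backup = start_backend("local")
    proxy_port, stop_proxy = start_proxy(("127.0.0.1", p_port), ("127.0.0.1", b_port))
    print(ask(proxy_port))  # served by the "Orange Pi" backend
    stop_primary()          # the primary disappears
    print(ask(proxy_port))  # the same port now lands on the "local" backend
    stop_proxy()
    stop_backup()
```

The per-connection decision is also why clients on the Orange Pi are not moved when it dies: an established tunnel simply breaks, and only the client's next reconnect (OpenVPN's keepalive 10 60 triggers it within a minute) is routed to the local server.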

Result

If everything goes according to plan, clients connect to the Orange Pi, the router's processor no longer overheats, and VPN throughput increases considerably. At the same time, every rule configured on the router keeps working. If anything goes wrong on the Orange Pi, it drops out and HAProxy switches clients over to the local servers.

Thank you for your attention; comments and corrections are welcome.

Source: www.habr.com
