Speeding up OpenVPN on an OpenWrt router. Another version without a soldering iron or hardware extremism


Hi all. I recently read an old article about speeding up OpenVPN on a router by offloading the encryption to a separate device soldered into the router itself. My situation is similar to that author's: a TP-Link WDR3500 with 128 megabytes of RAM and a weak CPU that cannot keep up with the incoming traffic. But I really did not want to go at the router with a soldering iron. Below is my experience of moving OpenVPN onto a separate device, with fallback to the router in case of failure.

Goal

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnels in normal operation, and if anything happens to it, VPN service should fall back to the router. All the firewall settings on the router must keep working as before. And in general, adding the extra device should be transparent and unnoticeable to everyone. OpenVPN runs over TCP, and the TAP adapter is in bridge mode (server-bridge).

Solution

Instead of a USB connection, I decided to use one of the router's ports and deliver all the subnets that have a VPN bridge to the Orange Pi over it. The device then sits physically on the same networks as the VPN servers on the router. Next we set up the same servers on the Orange Pi, and on the router we set up some kind of proxy that forwards all incoming connections to the external server and, if the Orange Pi is dead or unreachable, to the internal fallback server. I chose HAProxy. Because the proxy works in plain TCP mode it only relays bytes: the TLS handshake and the tunnel encryption still terminate on whichever OpenVPN instance receives the connection, so in the normal case the router never has to decrypt anything.

It works out like this:

  1. A client connects.
  2. If the external server is unavailable, the connection goes to the internal server, as before.
  3. If it is available, the client is accepted by the Orange Pi.
  4. The VPN on the Orange Pi decrypts the packets and throws them back into the router.
  5. The router routes them to their destination.

Implementation

So, let's say we have two networks on the router, the main one (1) and a guest one (2), and each has its own OpenVPN server for connecting from outside.

Network configuration

We need to deliver both networks over a single port, so we create two VLANs.

On the router, in Network / Switch, create the VLANs (say, 1 and 2; the IDs are just an example, use whatever is free in your switch configuration) and enable them in tagged mode on the chosen port, then add the newly created eth0.1 and eth0.2 to the corresponding networks (that is, add them to their bridges).

On the Orange Pi we create two VLAN interfaces (I have Arch Linux ARM with netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And then two bridges on top of them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all four profiles (netctl enable). After a reboot the Orange Pi now sits on both networks. We pin the Orange Pi's interface addresses in Static Leases on the router. Keep in mind that the Pi is now a host with a foot in both the main and the guest network: the isolation between them that the router's firewall enforces now also depends on the Pi not forwarding traffic between br-main and br-guest.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever
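
The output above can be checked mechanically rather than by eye. The following script is an added example, not part of the original article: it parses `ip addr show` text and confirms that each VLAN interface is enslaved to the expected bridge and carries no IPv4 address of its own (the `IP=no` in the netctl profiles), and that the bridge holds an address in the expected subnet. The sample text embedded in it is the output shown above; the `check_topology` function, its `vlan:bridge:prefix` expectation format and the `EXPECTED_TOPOLOGY` name are this example's own conventions.

```shell
#!/bin/sh
# Added example: check that the Orange Pi straddles the two VLANs as intended.
# For each "vlan:bridge:prefix" triple it verifies, from `ip addr show` text, that
#   - the VLAN interface exists and is enslaved ("master") to the named bridge,
#   - the VLAN interface carries no IPv4 address of its own (IP=no in netctl),
#   - the bridge exists and holds an IPv4 address starting with the prefix.
# It prints one line per problem and exits with the number of problems found.

check_topology() {
    # $1 = output of `ip addr show`, $2 = expected "vlan:bridge:prefix" triples
    printf '%s\n' "$1" | awk -v expect="$2" '
    BEGIN { n = split(expect, e, "[ \t\n]+"); fails = 0 }
    # interface header: "4: vlan-main@eth0: <...> mtu 1500 ... master br-main state UP ..."
    /^[0-9]+: / {
        cur = $2; sub(/@.*/, "", cur); sub(/:$/, "", cur)
        seen[cur] = 1
        for (i = 3; i < NF; i++) if ($i == "master") master[cur] = $(i + 1)
        next
    }
    # an "inet" line belongs to the most recent interface header
    $1 == "inet" { addr[cur] = $2 }
    END {
        for (i = 1; i <= n; i++) {
            if (e[i] == "") continue
            split(e[i], t, ":"); vlan = t[1]; br = t[2]; net = t[3]
            if (!(vlan in seen)) { print vlan ": interface missing"; fails++; continue }
            if (master[vlan] != br) { print vlan ": master is \"" master[vlan] "\", expected " br; fails++ }
            if (vlan in addr) { print vlan ": has address " addr[vlan] " but should have none"; fails++ }
            if (!(br in seen)) { print br ": bridge missing"; fails++; continue }
            if (index(addr[br], net ".") != 1) { print br ": address \"" addr[br] "\" is not in " net ".0/24"; fails++ }
        }
        exit fails
    }'
}

# Sample input: the `ip addr show` output from the article, embedded so the script runs stand-alone.
SAMPLE_IP_ADDR=$(cat <<'EOF'
4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link
       valid_lft forever preferred_lft forever
5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link
       valid_lft forever preferred_lft forever
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
EOF
)

# vlan:bridge:subnet-prefix, matching the netctl profiles above
EXPECTED_TOPOLOGY="vlan-main:br-main:192.168.1 vlan-guest:br-guest:192.168.2"

# Stand-alone run against the sample; on the Pi itself pass "$(ip addr show)" instead.
check_topology "$SAMPLE_IP_ADDR" "$EXPECTED_TOPOLOGY" && echo "topology ok"
```

The exit status is the number of violations, so `check_topology "$(ip addr show)" "$EXPECTED_TOPOLOGY"` can sit in a cron job or a netctl hook and alarm when a profile fails to come up after a reboot.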

VPN configuration

Next we copy the OpenVPN settings and keys from the router. The settings can usually be found in /tmp/etc/openvpn*.conf (OpenWrt's init script generates them there from the UCI config). Note that this puts a second copy of the server certificate and private key on the Orange Pi, so it needs the same level of protection as the router.

By default, when openvpn runs in TAP mode with server-bridge it does not bring its interface up or add it to the bridge. For everything to work, you need a script that runs when the tunnel comes up.

/etc/openvpn/main.conf

# Copied from the router and adjusted. The interface is named explicitly so the
# up script can find it; dev-type is required for a name that is not "tapN".
dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
# Kept as on the router so existing clients keep connecting. CBC mode and LZO
# compression are legacy choices (newer OpenVPN prefers AES-256-GCM and no
# compression); change them on both ends together.
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
# Same port and protocol as on the router, so HAProxy can hand clients over unchanged.
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
# The first argument is pushed to clients as their route-gateway; the pool
# 192.168.1.200-229 must be excluded from the router's DHCP range.
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

# profile_name is exported to the up script; script-security 2 is the minimum
# level that lets OpenVPN run external scripts at all.
setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN once the tap device is opened ("up" + script-security 2).
# profile_name comes from "setenv profile_name" in the config and selects
# both the tap interface and the bridge it is attached to.
# iproute2 equivalent: ip link set dev vpn-$profile_name up master br-$profile_name

ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

So as soon as OpenVPN opens the tap device, the vpn-main interface is added to br-main. Guest is the same, apart from the interface name and the addresses in server-bridge. One thing to watch: the first argument of server-bridge is pushed to clients as their route-gateway, and with push "redirect-gateway" their default route points at it. If that is the Pi's own bridge address (192.168.1.3), the Pi has to forward those packets to the router itself (net.ipv4.ip_forward=1), which also makes it a potential router between br-main and br-guest. Pushing the router's address instead (192.168.1.1, already used for DNS above) keeps the Pi a pure layer-2 bridge and leaves routing and the firewall where the goal says they belong, on the router.

Routing external requests and proxying

At this point the Orange Pi can already accept connections and put clients onto the right networks. What remains is to set up forwarding of incoming connections from the router.

We move the router's own VPN servers to other ports (they now only need to be reachable from HAProxy, so they can be bound to the loopback with "local 127.0.0.1" and the firewall no longer has to expose them), install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        # running as root is not needed: HAProxy binds its ports before dropping
        # privileges, so a dedicated unprivileged uid/gid works here too
        uid 0
        gid 0
        daemon

defaults
        retries 1
        # connect timeout to a backend in ms (legacy keyword; newer HAProxy
        # releases spell it "timeout connect 1s")
        contimeout 1000
        option splice-auto

# One listener per VPN on the port the clients already use.
# "check" makes HAProxy probe the server (a plain TCP connect in tcp mode);
# a "backup" server only receives traffic while every primary is down.
listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
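
Before reloading HAProxy it is worth checking that the failover layout is what you intended. The script below is an added example (not the article's and not HAProxy's own tooling): it walks every `listen` section of a config like the one above and flags a missing `bind`, a primary server without `check` (HAProxy would never notice it is down), a section without exactly one `backup` server, a backup whose port equals the bind port (then the local OpenVPN and HAProxy compete for the same port, which is why the router's own instances were moved to 4443 and 4444) and a section that is not in `tcp` mode. `check_haproxy_cfg` and `write_sample_cfg` are names chosen for this example; the sample config it writes is the one above.

```shell
#!/bin/sh
# Added example: sanity-check an HAProxy config used as a TCP front for OpenVPN
# with a local fallback. For every "listen" section it requires:
#   - a "bind" line with a port
#   - at least one primary server, each carrying "check"
#   - exactly one "backup" server (the local OpenVPN instance)
#   - a backup port different from the bind port
#   - "mode tcp" (inherited from "defaults" or set in the section)
# It prints one line per section and exits with the number of failing sections.

check_haproxy_cfg() {
    # $1 = path to the config file
    awk '
    function flush(    why, m) {
        if (name == "") return
        why = ""
        if (bindport == "")                           why = why " no-bind"
        if (primary == 0)                             why = why " no-primary"
        if (primary > 0 && checked < primary)         why = why " primary-without-check"
        if (backup != 1)                              why = why " backup-count=" backup
        if (bindport != "" && backupport == bindport) why = why " backup-on-bind-port"
        m = (mode != "" ? mode : defmode)
        if (m != "tcp")                               why = why " mode=" (m == "" ? "unset" : m)
        if (why == "") print name " ok"
        else { print name " FAIL:" why; fails++ }
        name = ""; bindport = ""; backupport = ""; mode = ""
        primary = 0; checked = 0; backup = 0
    }
    BEGIN { primary = 0; checked = 0; backup = 0; fails = 0 }
    # any section header closes the section before it
    $1 == "global" || $1 == "defaults" || $1 == "listen" || $1 == "frontend" || $1 == "backend" {
        flush()
        sect = $1
        if (sect == "listen") name = $2
        next
    }
    sect == "defaults" && $1 == "mode" { defmode = $2 }
    name != "" && $1 == "mode" { mode = $2 }
    # "bind :443" or "bind 0.0.0.0:443": the port is the last colon-separated field
    name != "" && $1 == "bind" { n = split($2, a, ":"); bindport = a[n] }
    name != "" && $1 == "server" {
        n = split($3, a, ":"); port = a[n]
        isbackup = 0; hascheck = 0
        for (i = 4; i <= NF; i++) { if ($i == "backup") isbackup = 1; if ($i == "check") hascheck = 1 }
        if (isbackup) { backup++; backupport = port }
        else { primary++; if (hascheck) checked++ }
    }
    END { flush(); exit fails }
    ' "$1"
}

write_sample_cfg() {
    # $1 = destination path; the content is the router config from the article
    cat > "$1" <<'EOF'
global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
EOF
}

# Stand-alone run: prints "guest_vpn ok" and "main_vpn ok", exit status 0.
cfg=$(mktemp)
write_sample_cfg "$cfg"
check_haproxy_cfg "$cfg"
rm -f "$cfg"
```

Run it as `check_haproxy_cfg /etc/haproxy.cfg` on the router before `haproxy -c -f /etc/haproxy.cfg`: HAProxy's own check catches syntax errors, this one catches a layout that is syntactically fine but would never fail over.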

Result

If everything goes to plan, clients switch over to the Orange Pi, the router's CPU stops cooking, and VPN throughput goes up. At the same time all the network rules configured on the router remain in force. If something happens to the Orange Pi, it drops out of the pool and HAProxy switches clients over to the local servers. Two details worth knowing: HAProxy's check in tcp mode is just a TCP connect, so it detects a dead host or a stopped daemon, not a misconfigured one that still accepts connections; and because the proxy relays TCP, the OpenVPN instances see the router's address (its LAN address or 127.0.0.1) as the peer rather than the real client, so anything keyed on the client's source address (logs, the status file, client-connect scripts) will show the router.

Thanks for reading; comments and corrections are welcome.

Source: www.hab.com
