Hello everyone, I have just read
Task
We have a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to handle tunnel encryption in normal operation, and if something happens to it, VPN service should fall back to the router. All firewall settings on the router must keep working as before. In general, adding the extra device should be transparent and unnoticeable to everyone. OpenVPN runs over TCP, and the TAP adapter is in bridge mode (server-bridge).
Solution
Instead of connecting via USB, I decided to use one port on the router and pass all subnets that have a VPN bridge through to the Orange Pi. This way the device physically sits on the same networks as the VPN server on the router. Then we set up the same servers on the Orange Pi, and on the router we configure some kind of proxy that forwards all incoming connections to the other server and, if the Orange Pi dies or is unavailable, to the internal fallback server. I chose HAProxy.
It works out like this:
- A client arrives
- If the external server is unavailable, the connection goes to the internal server, as before
- If it is available, the client is handled by the Orange Pi
- The VPN on the Orange Pi decrypts the packets and throws them back into the router
- The router routes them to their destination
Implementation
So, let's say we have two networks on the router: main (1) and guest (2), each with its own OpenVPN server for external connections.
Network configuration
We need to pass two networks through one port, so we create 2 VLANs.
On the router, in the Network / Switch section, create the VLANs (e.g. 1 and 2), enable them in tagged mode on the chosen port, and add the newly created eth0.1 and eth0.2 to the corresponding networks (i.e. add them to the bridge).
On the Orange Pi we create two VLAN interfaces (I have Arch Linux ARM + netctl):
/etc/netctl/vlan-main
Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no
/etc/netctl/vlan-guest
Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no
And right away we create two bridges on top of them:
/etc/netctl/br-main
Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp
/etc/netctl/br-guest
Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp
Enable autostart for all 4 profiles (netctl enable). Now, after a reboot, the Orange Pi will sit on both required networks. We set the addresses of the Orange Pi's interfaces in Static Leases on the router.
ip addr show
4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link
       valid_lft forever preferred_lft forever
5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link
       valid_lft forever preferred_lft forever
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link
       valid_lft forever preferred_lft forever
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link
       valid_lft forever preferred_lft forever
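The output above is what a correct setup looks like: each VLAN interface shows "master br-main" or "master br-guest". A VLAN that is up but not enslaved to its bridge silently breaks the whole scheme (the VPN clients are later bridged into a network that goes nowhere), so it is worth checking this after every reboot. The script below is an added example and not part of the original post; it parses the one-line form of `ip -o link show` and reports, for each VLAN/bridge pair, whether the interface is in the right bridge. The sample output embedded in it is constructed, with vlan-guest deliberately left without a master to show the failure case; pass `--live` to read the real system instead.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that each VLAN
# interface on the Orange Pi is enslaved to the bridge it should be in,
# by parsing the one-line form of `ip -o link show`. Run with --live to
# read the real system; without it, the constructed sample below is used.

# Constructed sample of `ip -o link show` output (one interface per line,
# continuation joined with "\" as ip -o does). vlan-guest is deliberately
# left without a master to show the failure case.
SAMPLE_IP_LINK='4: vlan-main@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP mode DEFAULT group default qlen 1000\    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
5: vlan-guest@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff'

# bridge_master DEV INPUT -> prints the bridge DEV is enslaved to,
# "-" if DEV exists but has no master, nothing if DEV is not present.
bridge_master() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $2 ~ ("^" dev "[@:]") {
            m = "-"
            for (i = 3; i <= NF; i++) if ($i == "master") m = $(i + 1)
            print m
            exit
        }'
}

# check_enslaved DEV BRIDGE INPUT -> ok | missing | absent | wrong:<master>
check_enslaved() {
    m=$(bridge_master "$1" "$3")
    if [ -z "$m" ]; then echo absent
    elif [ "$m" = "$2" ]; then echo ok
    elif [ "$m" = "-" ]; then echo missing
    else echo "wrong:$m"
    fi
}

if [ "${1:-}" = "--live" ]; then
    INPUT=$(ip -o link show)
else
    INPUT=$SAMPLE_IP_LINK
fi
for pair in vlan-main:br-main vlan-guest:br-guest; do
    echo "${pair%%:*} -> ${pair##*:}: $(check_enslaved "${pair%%:*}" "${pair##*:}" "$INPUT")"
done
```

On the sample this prints "ok" for vlan-main and "missing" for vlan-guest; "absent" means the VLAN interface was never created (a netctl profile that failed to start), and "wrong:" names the bridge the interface actually ended up in.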
VPN configuration
Next, we copy the OpenVPN settings and keys from the router. The settings can usually be found in /tmp/etc/openvpn*.conf
By default, OpenVPN running in TAP mode with server-bridge leaves its interface down. For everything to work, you need to add a script that runs when the connection comes up.
/etc/openvpn/main.conf
dev vpn-main
dev-type tap
client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3
setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh
/etc/openvpn/vpn-up.sh
#!/bin/sh
ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}
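The up script runs as root with `script-security 2`, and the only thing that tells it which bridge to join is the `profile_name` variable from `setenv`. The version below is an added example, not the post's own script: it validates that name before building interface names from it, refuses to run if the target bridge is missing, only enslaves the TAP interface if it is not already a member of the bridge (so a reconnect does not fail on a duplicate add), and uses iproute2 instead of ifconfig/brctl. `DRY_RUN=1` is an assumption of this example, not an OpenVPN feature; it prints the commands instead of executing them so the logic can be exercised without touching interfaces.

```shell
#!/bin/sh
# Added example, not the post's script: a stricter replacement for
# /etc/openvpn/vpn-up.sh. It validates the profile name that OpenVPN
# hands in through `setenv profile_name`, refuses to run if the target
# bridge does not exist, enslaves the TAP interface only if it is not
# already a bridge member, and uses iproute2 instead of ifconfig/brctl.
# DRY_RUN=1 (an assumption of this example, not an OpenVPN feature)
# prints the commands instead of executing them.

# valid_profile NAME -> 0 if NAME is 1..11 chars of [a-z0-9], else 1.
# 11 keeps "vpn-NAME" within the 15-character interface name limit.
valid_profile() {
    case $1 in
        ''|*[!a-z0-9]*) return 1 ;;
        *) [ "${#1}" -le 11 ] ;;
    esac
}

# run CMD ARGS... -> execute, or print under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# enslave_tap PROFILE -> brings vpn-PROFILE up and adds it to br-PROFILE.
enslave_tap() {
    p=$1
    if ! valid_profile "$p"; then
        echo "vpn-up: refusing bad profile_name '$p'" >&2
        return 1
    fi
    tap="vpn-$p"
    br="br-$p"
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -d "/sys/class/net/$br" ]; then
        echo "vpn-up: bridge $br does not exist, not enslaving $tap" >&2
        return 1
    fi
    run ip link set "$tap" up
    # /sys/class/net/<bridge>/brif/<port> exists once the port is a member
    if [ "${DRY_RUN:-0}" = 1 ] || [ ! -e "/sys/class/net/$br/brif/$tap" ]; then
        run ip link set "$tap" master "$br"
    fi
}

# OpenVPN exports profile_name (from `setenv`) into the script environment.
if [ -n "${profile_name:-}" ]; then
    enslave_tap "$profile_name"
fi
```

Install it at /etc/openvpn/vpn-up.sh in place of the original; the `up` and `setenv profile_name` lines in main.conf stay as they are. A non-zero exit from the up script makes OpenVPN abort the instance, which is preferable to a TAP interface that comes up unbridged and quietly accepts clients.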
Thus, as soon as the connection comes up, the vpn-main interface is added to br-main. For the guest network it is the same, apart from the interface name and the addresses in server-bridge.
Routing external requests and proxying
At this point the Orange Pi can already accept connections and attach clients to the required networks. All that remains is to set up the distribution of incoming connections on the router.
We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:
/etc/haproxy.cfg
global
    maxconn 256
    uid 0
    gid 0
    daemon

defaults
    retries 1
    contimeout 1000
    option splice-auto

listen guest_vpn
    bind :444
    mode tcp
    server 0-orange 192.168.2.3:444 check
    server 1-local 127.0.0.1:4444 check backup

listen main_vpn
    bind :443
    mode tcp
    server 0-orange 192.168.1.3:443 check
    server 1-local 127.0.0.1:4443 check backup
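Two things about the configuration above deserve a second look before it goes on a box that faces the internet. `uid 0` / `gid 0` keeps HAProxy running as root for its whole lifetime, although it only needs root to bind ports 443 and 444 and can drop privileges right after. And `contimeout` is the deprecated spelling of `timeout connect`, while `timeout client` / `timeout server` are not set at all, which HAProxy warns about at startup and which means a half-open client can hold a slot in `maxconn 256` indefinitely. The file below is an added example, not the post's config, with those points addressed; it assumes the `nobody` user and `nogroup` group exist on the router (they do on stock OpenWrt) and that the HAProxy build is recent enough for the `timeout` keywords.

```haproxy
global
    maxconn 256
    # Bind the privileged ports as root, then drop to an unprivileged
    # account for the rest of the process lifetime. Assumes the
    # nobody/nogroup accounts exist on the router.
    user nobody
    group nogroup
    daemon

defaults
    mode tcp
    retries 1
    # Current spelling of the old "contimeout 1000".
    timeout connect 1s
    # Idle limits for both sides of a proxied tunnel. They must be longer
    # than OpenVPN's "keepalive 10 60", or healthy idle tunnels get cut.
    timeout client 5m
    timeout server 5m
    option splice-auto

listen guest_vpn
    bind :444
    # Probe every 5 s; two failures mark the Orange Pi down, three
    # successes bring it back, so a single lost probe does not flap clients.
    server 0-orange 192.168.2.3:444 check inter 5s fall 2 rise 3
    server 1-local 127.0.0.1:4444 check backup

listen main_vpn
    bind :443
    server 0-orange 192.168.1.3:443 check inter 5s fall 2 rise 3
    server 1-local 127.0.0.1:4443 check backup
```

Because the health check is a plain TCP connect, each probe shows up in the OpenVPN log on the Orange Pi as a short-lived connection that is reset; that is expected, and raising `inter` is the way to make it quieter. Note also that `bind :443` listens on every router interface, LAN sides included, which is fine for this design but means the firewall rules on the router, not HAProxy, decide who may reach the VPN ports.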
Enjoying the result
If everything goes according to plan, clients switch over to the Orange Pi, the router's CPU stops running hot, and VPN throughput increases. At the same time, all the network rules registered on the router remain in effect. If there are problems with the Orange Pi, it drops out and HAProxy switches clients over to the local servers.
Thank you for your attention; suggestions and corrections are welcome.
Source: www.hab.com