Speeding up OpenVPN on an OpenWrt router. An alternative version without soldering or extreme hardware


Hello everyone. I recently read an old article on how to speed up OpenVPN on a router by offloading the encryption to a separate piece of hardware soldered inside the router itself. My situation is similar to that author's: a TP-Link WDR3500 with 128 MB of RAM and a weak CPU that simply cannot keep up with tunnel encryption. However, I had absolutely no desire to go at the router with a soldering iron. Below is my experience of moving OpenVPN onto a separate device, with fallback to the router in case that device fails.

The task

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnels under normal operation, and if anything happens to it, the VPN service should fall back to the router. All firewall settings on the router should keep working as before. In general, adding the extra hardware should be transparent and unnoticeable to everyone. OpenVPN runs over TCP, with a TAP adapter in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use a single router port and bring every subnet that has a VPN bridge to the Orange Pi over it. As a result, the device hangs physically on the same networks as the VPN servers on the router do. Then we install exactly the same servers on the Orange Pi, and on the router we put a proxy that forwards all incoming connections to the external server, and, if the Orange Pi dies or becomes unreachable, to the internal one. I chose HAProxy.

It looks like this:

  1. A client connects
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. OpenVPN on the Orange Pi decrypts the packets and hands them back to the router
  5. The router routes them onward

Implementation example

So, let's say we have two networks on the router: the main one (1) and a guest one (2), each with its own OpenVPN server for connecting from outside.

Network configuration

We need to carry both networks over a single port, so we create 2 VLANs.

On the router, in the Network/Switch section, create the VLANs (for example 1 and 2), enable them in tagged mode on the chosen port, and add the newly created eth0.1 and eth0.2 to the corresponding networks (for example, add them to the bridges).

On the Orange Pi we create two VLAN interfaces (I run Arch Linux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we create two bridges on top of them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). Now, after a reboot, the Orange Pi will sit on both required networks. We pin the Orange Pi's interface addresses with static leases on the router. Static leases are keyed on the MAC address, and a bridge gets its own locally administered address (the 52:... and ee:... addresses in the output below), so check that those addresses survive a reboot before relying on the lease.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever
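The router side of the two steps above (tagged VLANs on the switch port the Orange Pi hangs on, and the static leases that pin its addresses) as OpenWrt UCI, in the form the Network/Switch page writes to /etc/config/network and /etc/config/dhcp. This is an added example rather than the article's own configuration: the port numbering (0 = CPU, 1-3 = ordinary LAN ports, 4 = the Orange Pi's port), the guest router address 192.168.2.1 and the host names are assumptions to check against your own device, and the MACs are the bridge addresses from the output above.

```uci
# /etc/config/network (excerpt) on a swconfig-based router such as the WDR3500.
# Port numbers are assumed: 0 = CPU port, 1-3 = untagged LAN ports,
# 4 = the port the Orange Pi is plugged into, carrying both VLANs tagged.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 4t'

# eth0.1 / eth0.2 are the VLAN sub-interfaces the switch config creates;
# each is bridged into the network it belongs to.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (excerpt): static leases for the Orange Pi's two bridges,
# keyed on the bridge MACs shown in the ip addr output above.
config host
	option name 'orangepi-main'
	option mac '52:c7:0f:89:71:6e'
	option ip '192.168.1.3'

config host
	option name 'orangepi-guest'
	option mac 'ee:ea:19:31:34:32'
	option ip '192.168.2.3'
```

Apply with /etc/init.d/network restart and /etc/init.d/dnsmasq restart, then confirm on the Orange Pi that br-main and br-guest pick up 192.168.1.3 and 192.168.2.3.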

VPN configuration

Next, we copy the OpenVPN settings and keys from the router. The configuration files the router generates from /etc/config/openvpn can usually be found in /tmp/etc/openvpn*.conf

By default, OpenVPN in TAP mode with server-bridge leaves its interface unconfigured: it neither brings it up nor attaches it to the bridge. For everything to work, you need an up script that runs when the tunnel comes up.

/etc/openvpn/main.conf

# Interface name and type; the up script below attaches it to br-main
dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
# Carried over from the router's config. Compression on a tunnel that also
# carries attacker-influenced plaintext is what VORACLE-style attacks exploit;
# current OpenVPN guidance is to leave it off unless the peers require it.
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
# server-bridge also pushes "route-gateway 192.168.1.3", so with
# redirect-gateway the clients' default route points at the Orange Pi's bridge
# address: the Orange Pi must forward (net.ipv4.ip_forward=1) for that traffic
# to reach the router, or put the router's 192.168.1.1 here instead.
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

# Hand the profile name to the up script and allow it to run
setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# OpenVPN "up" script: bring the freshly created tap device up and attach it
# to the bridge of the same profile. profile_name is passed via "setenv" in
# the .conf (OpenVPN also exports the device name as $dev and as $1).
# Written with iproute2 instead of ifconfig/brctl, which Arch Linux ARM does
# not install by default; the effect is the same.

set -e

ip link set "vpn-${profile_name}" up
ip link set "vpn-${profile_name}" master "br-${profile_name}"

As a result, as soon as the tunnel comes up, the vpn-main interface is added to br-main. For the guest network everything is the same, apart from the interface name and the address in server-bridge.

Routing incoming connections and proxying

At this stage the Orange Pi can already accept connections and attach clients to the required networks. All that remains is to configure proxying of incoming connections on the router.

We move the router's own VPN servers to other ports (4443 and 4444 below; since HAProxy reaches them over loopback, they can also be bound with local 127.0.0.1 so the old services are no longer exposed directly), install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        # Root is needed only to bind the privileged ports 443/444, and HAProxy
        # binds before it drops privileges, so an unprivileged uid/gid would do
        # here as well; kept as in the original setup.
        uid 0
        gid 0
        daemon

defaults
        retries 1
        # "contimeout" is the deprecated spelling of "timeout connect"
        timeout connect 1000
        # Added: the idle timeouts HAProxy otherwise warns about. OpenVPN's
        # "keepalive 10 60" moves data at least every 10 s, so 120 s never
        # cuts a live tunnel but does reap dead ones.
        timeout client 120s
        timeout server 120s
        option splice-auto

# "check" is a plain TCP connect; with the defaults (inter 2s, fall 3, rise 2)
# the Orange Pi is marked DOWN about 6 s after it vanishes and UP again about
# 4 s after it is back. "backup" servers only receive traffic while every
# primary server is DOWN.
listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup

Enjoy

If everything went according to plan, clients switch over to the Orange Pi, the router's CPU stops heating up, and VPN throughput rises considerably. All network rules configured on the router stay in force, because the decrypted traffic still enters the router over the bridged VLANs exactly as it did before. Should the Orange Pi fail, its health check goes DOWN and HAProxy sends new connections to the local servers. Two things to keep in mind: the failover is not seamless, since sessions already established on the Orange Pi are lost and clients only reconnect after their keepalive timeout (60 s with the config above); and because HAProxy proxies at the TCP level, OpenVPN on the Orange Pi sees every client arriving from the router's address rather than its real IP, so its logs and any client-connect scripts lose the original source address.
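To confirm which backend HAProxy is actually sending clients to, rather than inferring it from CPU load, you can ask HAProxy itself. The script below is an added example, not part of the article; it assumes the router's haproxy.cfg exposes the admin socket, which the config above does not (add `stats socket /var/run/haproxy.sock mode 600` to its global section), and that socat is installed on the router. The "show stat" CSV embedded in it is constructed for offline testing and mirrors the two listeners above, with the Orange Pi healthy for main_vpn and failed for guest_vpn.

```shell
#!/bin/sh
# Added example (not from the article): tell which backend each HAProxy VPN
# listener is currently sending new clients to.
#
# Assumes the router's haproxy.cfg exposes the admin socket, which the
# article's config does not; add to its global section:
#     stats socket /var/run/haproxy.sock mode 600
# and install socat on the router to talk to it.

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

# "show stat" CSV fields used below (1-based): 1=pxname 2=svname 18=status 21=bck
# Prints one line per real server: "<listener> <server> <status> <role>"
vpn_backend_report() {
    awk -F, '
        /^#/ { next }                                   # header line
        $2 == "FRONTEND" || $2 == "BACKEND" { next }    # aggregate rows
        { printf "%s %s %s %s\n", $1, $2, $18, (($21 == "1") ? "backup" : "primary") }
    '
}

# Server that new connections to listener $1 will reach: the first non-backup
# server that is UP, else the first backup that is UP, else NONE (both down).
vpn_active_server() {
    awk -F, -v px="$1" '
        /^#/ || $1 != px || $2 == "FRONTEND" || $2 == "BACKEND" { next }
        $18 ~ /^UP/ && $21 == "0" && primary == "" { primary = $2 }
        $18 ~ /^UP/ && $21 == "1" && backup  == "" { backup  = $2 }
        END {
            if (primary != "")     print primary
            else if (backup != "") print backup
            else                   print "NONE"
        }
    '
}

# Pull live stats from the running HAProxy over its admin socket.
haproxy_stat() {
    echo "show stat" | socat stdio "unix-connect:${HAPROXY_SOCK}"
}

# Constructed sample of "show stat" output, in the layout of the article's
# config: the Orange Pi is healthy for main_vpn but has failed for guest_vpn.
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,
main_vpn,FRONTEND,0,0,1,2,256,5,0,0,0,0,0,,,,,OPEN,,,,,
main_vpn,0-orange,0,0,1,2,,5,0,0,,0,,0,0,0,0,UP,1,1,0,0,
main_vpn,1-local,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,0,1,0,
main_vpn,BACKEND,0,0,1,2,26,5,0,0,0,0,,0,0,0,0,UP,1,1,1,,
guest_vpn,FRONTEND,0,0,0,1,256,3,0,0,0,0,0,,,,,OPEN,,,,,
guest_vpn,0-orange,0,0,0,1,,3,0,0,,0,,0,0,0,0,DOWN,1,1,0,3,
guest_vpn,1-local,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,0,1,0,
guest_vpn,BACKEND,0,0,0,1,26,3,0,0,0,0,,0,0,0,0,UP,1,0,1,,'

# Usage on the router:  haproxy_stat | vpn_backend_report
#                       haproxy_stat | vpn_active_server main_vpn
# Offline, against the constructed sample:
#   printf '%s\n' "$SAMPLE_STAT" | vpn_active_server guest_vpn   # prints 1-local
```

Run `haproxy_stat | vpn_backend_report` while unplugging the Orange Pi to watch 0-orange go from UP to DOWN and the active server flip to 1-local; the status column also shows intermediate states such as "UP 1/3" while the checks are still failing.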

Thanks for your attention; suggestions and corrections are welcome.

Sous: www.habr.com
