Offloading OpenVPN from an OpenWrt router: another option without a soldering iron or hardware extremism

Hello everyone. I recently read an old article about how to speed up OpenVPN on a router by offloading the cryptography to a separate chip soldered into the router itself. My situation is much like that author's: a TP-Link WDR3500 with 128 MB of RAM and a weak CPU that cannot keep up with encrypting the tunnel. But I had no desire to solder a chip into the router. Below is my experience of moving OpenVPN onto separate hardware, with a fallback to the router itself if something goes wrong.

Goal

There is a TP-Link WDR3500 router and an Orange Pi Zero (H2). We want the Orange Pi to handle the tunnel encryption in normal operation, and if anything happens to it, VPN service should fall back to the router. All firewall settings on the router must keep working exactly as before. In general, the extra hardware should be transparent: nobody should notice it is there. OpenVPN runs over TCP with a TAP interface in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one of the router's switch ports and deliver every subnet that has a VPN bridge to the Orange Pi over it. That puts the board in the same networks as the VPN server on the router. We then run the same OpenVPN server on the Orange Pi, and on the router we set up a kind of proxy that forwards every incoming connection to the external server and, if the Orange Pi is dead or unreachable, to the internal fallback server instead. I chose HAProxy.

It works out like this:

  1. A client connects
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the Orange Pi accepts the client
  4. OpenVPN on the Orange Pi decrypts the packets and throws them back onto the router's network
  5. The router routes them wherever they need to go

Implementation example

So, suppose the router has two networks, main (1) and guest (2), and each of them has its own OpenVPN server for connecting from outside.

Network setup

Both networks have to be carried over a single port, so we use 802.1Q VLANs: 1 for main and 2 for guest.

On the router, in Network / Switch, create the VLANs (1 and 2 in this example), make them tagged on the port the Orange Pi is plugged into, and add the newly created eth0.1 and eth0.2 to the corresponding networks (i.e. put them into the lan and guest bridges). In UCI terms this is one "config switch_vlan" section per VLAN in /etc/config/network, with the Orange Pi's port listed as tagged, and eth0.1 / eth0.2 added to the ifname list of the matching "config interface" sections.

On the Orange Pi we create two VLAN interfaces (I run Arch Linux ARM with netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And immediately two bridges on top of them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all four profiles (netctl enable ...). After a reboot the Orange Pi is now present in both networks. The interface addresses on the Orange Pi are pinned with Static Leases on the router. Keep in mind that the board is now a layer-2 member of both the main and the guest segment, so any service it runs (SSH, for example) is reachable from guest clients too; bind such services to br-main only, or firewall them on the Orange Pi.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

VPN setup

Next, copy the OpenVPN configuration and keys from the router. On OpenWrt the generated configs can be found under /tmp/etc/openvpn*.conf

By default, when OpenVPN runs in TAP mode with server-bridge it opens the TAP device but neither brings it up nor attaches it to the bridge. For everything to work you need an up script, which OpenVPN runs once right after it has opened the device.

/etc/openvpn/main.conf

# TAP device; the up script below attaches it to br-main
dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
# gateway (pushed to clients as route-gateway), netmask, address pool
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

# exported to the up script as $profile_name
setenv profile_name main
# required for OpenVPN to run external scripts at all
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN ("up" directive, script-security 2) right after it has
# opened the TAP device. $profile_name comes from "setenv profile_name"
# in the config and selects the matching bridge (br-main / br-guest).
# ip(8) replaces ifconfig/brctl, which may not be installed on Arch ARM.
set -e
ip link set dev "vpn-${profile_name}" up
ip link set dev "vpn-${profile_name}" master "br-${profile_name}"

So as soon as OpenVPN has opened its TAP device, vpn-main is attached to br-main. For the guest network do exactly the same, changing only the interface name and the addresses in server-bridge. Two things are worth knowing when the router's config is copied over. First, the first argument of server-bridge is pushed to clients as route-gateway, so with redirect-gateway all client traffic is sent to that address; with 192.168.1.3 there, the Orange Pi itself has to forward it to the router, whereas putting the router's address (192.168.1.1 here) lets clients reach the router directly across the bridge. Second, comp-lzo turns on compression, which the OpenVPN project has deprecated for security reasons (compression-oracle attacks such as VORACLE); unless you depend on it, drop it from both the server and the client configs.

Forwarding incoming connections: the proxy

At this point the Orange Pi can already accept connections and attach clients to the right networks. All that remains is to set up proxying of incoming connections on the router.

We move the router's own VPN servers to other ports (in /etc/config/openvpn set option port to 4443 for main and 4444 for guest; they now only need to be reachable on 127.0.0.1, so do not open those ports on the WAN), install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        # stays root; prefer an unprivileged user/group if the package provides one
        uid 0
        gid 0
        daemon

defaults
        retries 1
        # "contimeout" is the deprecated spelling of "timeout connect" (milliseconds)
        timeout connect 1000
        # OpenVPN's "keepalive 10 60" pings at least every 10 s, so these idle
        # timeouts never cut a live tunnel but do reap dead ones
        timeout client 120s
        timeout server 120s
        option splice-auto

# "check" is a plain TCP connect probe; a "backup" server only takes traffic
# while every non-backup server is marked down
listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
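The five-step flow described above and the HAProxy config that implements it are easy to misjudge (which server a new connection lands on while the primary is down, and what the backend sees as the client's address), so here is a small self-contained model of the failover path. It is an added example, not code from the article: two loopback listeners stand in for the OpenVPN servers on the Orange Pi and on the router, and a minimal TCP proxy reproduces what the listen blocks above do for this config, a TCP connect probe as the health check and the backup server used only when the primary is down. The backend names, the ephemeral ports and the probe timeout are the example's own choices, and a real HAProxy probes on its own schedule (inter 2s, fall 3 by default) rather than per connection, which the model collapses for clarity.

```python
"""Loopback model of the router-side failover: an HAProxy-style TCP proxy
that sends connections to a primary backend (the Orange Pi's OpenVPN) and
to a 'backup' backend (the router's own OpenVPN) only while the primary
fails its health check. Added example; the backends are constructed
stand-ins that just answer with their name."""
import socket
import threading


def _close_listener(sock):
    """shutdown() wakes a blocked accept() and makes new connects fail with
    ECONNREFUSED, which is what a TCP health check sees when a host dies."""
    try:
        sock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    sock.close()


def _listen():
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))          # ephemeral port, like 4443/4444 above
    sock.listen(8)
    return sock, sock.getsockname()[1]


class FakeBackend:
    """Stand-in for an OpenVPN listener: answers with its name and records the
    peer it saw, which behind a proxy is the proxy's socket, not the client's."""

    def __init__(self, name):
        self.name, self.last_peer = name, None
        self.sock, self.port = _listen()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, self.last_peer = self.sock.accept()
            except OSError:                  # listener was shut down
                return
            with conn:
                try:
                    conn.sendall(self.name.encode())
                except OSError:              # a probe that hung up early
                    pass

    def stop(self):
        _close_listener(self.sock)           # simulates the Orange Pi dying


def tcp_check(port, timeout=0.2):
    """HAProxy's plain 'check' is a TCP connect probe; do the same."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_backend(primary_port, backup_port):
    """'0-orange check' is preferred; '1-local check backup' is used only
    when the primary is down. None means both are down: client is refused."""
    if tcp_check(primary_port):
        return primary_port
    if tcp_check(backup_port):
        return backup_port
    return None


def _pipe(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Proxy:
    """Minimal 'listen' block: bind, pick a backend per connection, relay."""

    def __init__(self, primary_port, backup_port):
        self.primary, self.backup = primary_port, backup_port
        self.sock, self.port = _listen()     # stands in for 'bind :443'
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        port = choose_backend(self.primary, self.backup)
        try:
            backend = socket.create_connection(("127.0.0.1", port), timeout=1)
        except (OSError, TypeError):         # both down, or connect failed
            client.close()
            return
        # the backend's peer is this new socket: the real client address is lost
        t = threading.Thread(target=_pipe, args=(client, backend), daemon=True)
        t.start()
        _pipe(backend, client)
        t.join(timeout=2)
        client.close()
        backend.close()

    def stop(self):
        _close_listener(self.sock)


def ask(proxy_port):
    """Connect like a VPN client; return (backend that answered, our own port)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=2) as s:
        my_port, chunks = s.getsockname()[1], []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(), my_port


def demo():
    """Returns (who served while the Orange Pi was up, who served after it
    died, the peer the router's own server saw for that second connection)."""
    orange, local = FakeBackend("orange-pi"), FakeBackend("router-local")
    proxy = Proxy(orange.port, local.port)
    try:
        first, _ = ask(proxy.port)
        orange.stop()                        # the Orange Pi "dies"
        second, _ = ask(proxy.port)
        return first, second, local.last_peer
    finally:
        proxy.stop()
        local.stop()
```

demo() answers the first connection from orange-pi and, once that listener is gone, the next one from router-local; the third value it returns is the address the fallback server recorded, which is the proxy's own socket rather than the client's. That is exactly what the OpenVPN status file will show once HAProxy sits in front of it.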

Profit

If everything went according to plan, clients switch over to the Orange Pi, the router's CPU no longer runs hot, and VPN throughput goes up noticeably. At the same time, all the network rules configured on the router stay in force. If the Orange Pi fails, HAProxy's checks mark it down (with the defaults, after three failed probes two seconds apart) and new connections go to the local server; clients that were on the Orange Pi reconnect on their own thanks to keepalive. The reverse is not automatic: when the Orange Pi comes back, clients already on the router's fallback server stay there until they reconnect. One side effect of proxying is that both OpenVPN servers now see every client arriving from the router's own address rather than the client's, so the status file and logs no longer show real client addresses, and any firewall rule that matched on client source address for the VPN ports has to be applied in front of the HAProxy listener instead.

Thanks for your attention; suggestions and corrections are welcome.

Source: www.habr.com
