In most cases, connecting a router to a VPN is not difficult, but if you want to protect the entire network while keeping optimal connection speed, the best solution is to use a VPN tunnel.
Mikrotik routers have proven to be a reliable and very flexible solution, but unfortunately
For now, unfortunately, setting up WireGuard on a Mikrotik router requires replacing the firmware.
Flashing the Mikrotik, installing and configuring OpenWrt
First you need to make sure that OpenWrt supports your model. Check that the model matches its marketing name and image
Go to openwrt.com
For this device we need 2 files:
You need to download both files: install and upgrade.
1. Network setup, downloading and setting up the PXE server
Download
Unzip it into a separate folder. In the config.ini file, add the parameter rfc951=1 to the [dhcp] section. This parameter is the same for all Mikrotik models.
Now for the network settings: you need to assign a static IP address to one of the computer's network interfaces.
IP address: 192.168.1.10
Netmask: 255.255.255.0
Run Tiny PXE Server as Administrator and, in the DHCP Server field, select the server with the address 192.168.1.10.
On some versions of Windows this interface only appears once there is an Ethernet connection. I recommend connecting the router and the PC directly with a patch cable.
Click the "..." button (bottom right) and select the folder where you downloaded the Mikrotik firmware files.
Select the file whose name ends with "initramfs-kernel.bin" or "elf".
2. Booting the router from the PXE server
Connect the PC with a cable to the first port (wan, internet, poe in, ...) of the router. Then take a toothpick and insert it into the hole labelled "Reset".
Power on the router and wait 20 seconds, then release the toothpick.
Within the next minute, the following message should appear in the Tiny PXE Server window:
If the message appears, you are on the right track!
Restore the network adapter settings and set it to obtain an address dynamically (via DHCP).
Connect to a LAN port of the Mikrotik router (2…5 in our case) using the same patch cable. Simply move it from port 1 to port 2. Open the address
Log in to the OpenWRT administrative interface and go to the "System -> Backup/Flash Firmware" menu section.
In the "Flash new firmware image" section, click the "Choose file (Browse)" button.
Specify the path to the file whose name ends with "-squashfs-sysupgrade.bin".
After that, click the "Flash Image" button.
In the next window, click the "Proceed" button. The firmware will start uploading to the router.
!!! DO NOT DISCONNECT POWER TO THE ROUTER DURING THE FIRMWARE PROCESS !!!
After flashing and rebooting the router, you will have a Mikrotik running OpenWRT firmware.
Possible problems and solutions
Many Mikrotik devices released in 2019 use FLASH-NOR memory chips of type GD25Q15 / Q16. The problem is that when flashing, the data about the device model is not saved.
If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform.", then the problem is most likely with the flash.
This is easy to check: run the command that shows the model ID in the device terminal
root@OpenWrt: cat /tmp/sysinfo/board_name
If the answer is "unknown", you need to set the device model manually, in the form "rb-951-2nd"
To get the device model, run the command
root@OpenWrt: cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd
Once you have the device model, set it manually:
echo 'rb-951-2nd' > /tmp/sysinfo/board_name
After that, you can flash the device through the web interface or with the "sysupgrade" command.
Creating a VPN server with WireGuard
If you already have a server with WireGuard configured, you can skip this step.
I will use an application to set up a personal VPN server
Configuring the WireGuard client on OpenWRT
Connect to the router over SSH:
ssh [email protected]
Install WireGuard:
opkg update
opkg install wireguard
Prepare the configuration (copy the code below into a file, replace the indicated values with your own, and run it in the terminal).
If you are using MyVPN, then in the configuration below you only need to change WG_SERV (the server IP), WG_KEY (the private key from the wireguard configuration file) and WG_PUB (the public key).
WG_IF="wg0"
WG_SERV="100.0.0.0" # server IP address
WG_PORT="51820" # WireGuard port
WG_ADDR="10.8.0.2/32" # WireGuard address range
WG_KEY="xxxxx" # private key
WG_PUB="xxxxx" # public key
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart
# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
This completes the WireGuard setup! Now all traffic on all connected devices is protected by the VPN connection.
References
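A check for the configuration script and the claim above, as an added example that is not part of the original article: it reads the output of "wg show wg0 dump" and fails when the peer has no recent handshake or its allowed IPs do not cover the whole IPv4 range. The 180-second threshold, the function names and the sample dump are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Input: the tab-separated
# output of `wg show wg0 dump`:
#   line 1, interface: private-key public-key listen-port fwmark
#   line 2+, peers:    public-key preshared-key endpoint allowed-ips
#                      latest-handshake rx-bytes tx-bytes keepalive
MAX_AGE=180  # assumption: a handshake older than 3 minutes means a stale tunnel

# check_wg_dump "<dump text>" <now-epoch>
# Prints one status line per peer; returns 0 only if every peer is healthy.
check_wg_dump() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="$MAX_AGE" '
        NR == 1 { next }                     # skip the interface line
        {
            peers++
            key = substr($1, 1, 8) "..."     # never print full keys
            lo = 0; hi = 0                   # lower / upper half of IPv4 space
            n = split($4, ips, ",")
            for (i = 1; i <= n; i++) {
                if (ips[i] == "0.0.0.0/0")   { lo = 1; hi = 1 }
                if (ips[i] == "0.0.0.0/1")   lo = 1
                if (ips[i] == "128.0.0.0/1") hi = 1
            }
            if ($5 == 0)             { print key " FAIL no handshake yet"; bad++ }
            else if (now - $5 > max) { print key " FAIL handshake is stale"; bad++ }
            else if (!(lo && hi))    { print key " FAIL IPv4 not fully routed"; bad++ }
            else                       print key " OK"
        }
        END { if (peers == 0 || bad > 0) exit 1 }'
}

# Constructed sample dump (placeholder keys), not captured from a real router.
# $1 = latest-handshake epoch to embed in the peer line.
sample_dump() {
    printf 'CLIENT_PRIV_PLACEHOLDER\tCLIENT_PUB_PLACEHOLDER\t51820\toff\n'
    printf 'SERVER_PUB_PLACEHOLDER\t(none)\t100.0.0.0:51820\t'
    printf '0.0.0.0/1,128.0.0.0/1,::/0\t%s\t1024\t2048\t25\n' "$1"
}

# Offline demo; on the router use:
#   check_wg_dump "$(wg show wg0 dump)" "$(date +%s)"
check_wg_dump "$(sample_dump 1700000000)" 1700000060
```
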
Source: www.habr.com