Speeding up OpenVPN on an OpenWrt router: an alternative version without a soldering iron or hardware extremism

Hi everyone. I recently read an old article about how OpenVPN on a router can be sped up by offloading the encryption to a separate piece of hardware soldered onto the router. My situation matched the author's: a TP-Link WDR3500 with 128 MB of RAM and a weak processor that cannot keep up with encrypting the tunnel. I really did not want to get into soldering, though. Below is my experience of moving OpenVPN onto separate hardware while keeping a fallback on the router in case that hardware fails.

Goal

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnel in normal operation, and if anything happens to it, VPN handling should fall back to the router. All firewall settings on the router must keep working exactly as before. More generally, the added hardware should be transparent and invisible to everyone. OpenVPN runs over TCP with a TAP adapter in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one router port and deliver every subnet that has a VPN bridge to the Orange Pi over it. The hardware then sits on the same networks as the VPN server on the router. After that we install exactly the same server on the Orange Pi, and on the router we set up a proxy of some kind that forwards all incoming connections to the external server or, if the Orange Pi is off or unreachable, to the internal fallback server. I chose HAProxy.

It works out like this:

  1. A client connects
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. OpenVPN on the Orange Pi decrypts the packets and hands them to the router
  5. The router routes them wherever they need to go

Example implementation

So, say we have two networks on the router, main (1) and guest (2), and for each of them there is an OpenVPN server for connecting from outside.

Network configuration

We need to carry both networks over a single port, so we create two VLANs.

On the router, under Network / Switch, create the VLANs (for example 1 and 2), enable them in tagged mode on the chosen port, and add the newly created eth0.1 and eth0.2 to the corresponding networks (for example, add them to the respective bridge). Note that this port now carries both networks as a tagged trunk: whatever is plugged into it can join either VLAN, so nothing but the Orange Pi should ever be connected there.

On the Orange Pi we create two VLAN interfaces (I have Arch Linux ARM with netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we create two bridges for them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all four profiles (netctl enable <profile>). After a reboot the Orange Pi now sits on both required networks. We pin the addresses of the Orange Pi's interfaces under Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

Setting up the VPN

Next, copy the OpenVPN settings and keys from the router. On OpenWrt the generated configuration can usually be found in /tmp/etc/openvpn*.conf. Bear in mind that the server certificate and private key now live on two hosts: whoever compromises the Orange Pi holds the VPN server's identity, so it deserves the same care as the router.

With dev-type tap and server-bridge, OpenVPN does not attach the tap interface to a bridge by itself, so the interface simply stays unattached and carries no traffic. For everything to work, add a script that runs when the tunnel comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Runs when the tunnel comes up (the "up" directive; needs script-security 2).
# OpenVPN exports the tap device name as $dev, and the setenv line in the
# config exports $profile_name ("main" or "guest").

set -e

ip link set "$dev" up
# Attach the tap to the bridge of the same profile (br-main or br-guest);
# equivalent to "brctl addif br-${profile_name} $dev" with bridge-utils.
ip link set "$dev" master "br-${profile_name}"

As a result, as soon as a tunnel is established, the vpn-main interface is added to br-main. For the guest network everything is the same, apart from the interface name and the addresses in server-bridge. One thing worth changing while the config is being copied: comp-lzo turns on compression of the tunnel payload, which is what the VORACLE attack against OpenVPN exploits, and the OpenVPN project now recommends running without compression; remove it on the servers and the clients together, since the setting has to match on both ends.
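Neither netctl nor OpenVPN complains when an interface lands in the wrong bridge, and the consequences are asymmetric: a tap that never gets attached just carries no traffic, but a guest interface attached to br-main splices the guest and main networks together at layer 2, underneath every firewall rule on the router. The following check, an added example that is not part of the original article, reads `ip -o link show` and compares the bridge membership of the VLAN interfaces from the network section and the tap interfaces from the VPN section against the map this setup expects. The expected map and the sample `ip` output embedded in it are constructed for this setup; the interface names are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original article: check on the Orange Pi that
# every VLAN and tap interface is enslaved to the bridge it belongs to.
# A vlan-guest or vpn-guest that ends up in br-main would join the guest and
# main networks at layer 2 and bypass the router's firewall completely, and
# a tap that never got attached carries no traffic at all.
# Interface and bridge names are the article's; the expected map below is an
# assumption about this particular setup.

EXPECTED_MEMBERS='vlan-main br-main
vlan-guest br-guest
vpn-main br-main
vpn-guest br-guest'

# Reduce `ip -o link show` output on stdin to "<interface> <master>" lines
# ("-" when the interface has no master).
link_members() {
    awk '{
        name = $2
        sub(/@.*/, "", name)      # vlan-main@eth0: -> vlan-main
        sub(/:$/, "", name)       # br-main:        -> br-main
        master = "-"
        for (i = 3; i <= NF; i++) if ($i == "master") master = $(i + 1)
        print name, master
    }'
}

# Compare observed membership (`ip -o link show` on stdin) with
# EXPECTED_MEMBERS. Prints one line per problem; returns 0 only if every
# expected interface exists and sits in exactly the expected bridge.
check_bridge_membership() {
    observed=$(link_members)
    rc=0
    while read -r iface bridge; do
        [ -n "$iface" ] || continue
        actual=$(printf '%s\n' "$observed" | awk -v n="$iface" '$1 == n { print $2 }')
        if [ -z "$actual" ]; then
            echo "MISSING  $iface (expected in $bridge)"
            rc=1
        elif [ "$actual" != "$bridge" ]; then
            echo "WRONG    $iface is in $actual, expected $bridge"
            rc=1
        fi
    done <<EOF
$EXPECTED_MEMBERS
EOF
    return $rc
}

# Constructed sample in `ip -o link show` format (trimmed from the article's
# `ip addr` listing, plus the two OpenVPN taps): the healthy case ...
SAMPLE_OK='4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP mode DEFAULT group default qlen 1000
5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP mode DEFAULT group default qlen 1000
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
8: vpn-main: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-main state UNKNOWN mode DEFAULT group default qlen 1000
9: vpn-guest: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-guest state UNKNOWN mode DEFAULT group default qlen 1000'

# ... and the dangerous case: the guest tap was attached to the main bridge.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^9: vpn-guest:\(.*\)master br-guest/9: vpn-guest:\1master br-main/')

# On the Orange Pi itself: ./check-bridges.sh --live
case "${1:-}" in
    --live) ip -o link show | check_bridge_membership ;;
esac
```

Run it as ./check-bridges.sh --live on the Orange Pi once the bridges and the tunnels are up, or from cron; a non-zero exit means something needs a look before clients are let in.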

Routing external requests and proxying

At this point the Orange Pi can already accept connections and put clients on the right network. All that remains is to set up proxying of incoming connections on the router.

We move the router's own VPN servers to other ports (4443 and 4444 here), install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
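Failover in this configuration is silent: if the health check against the Orange Pi fails, clients keep connecting, just to the router's own OpenVPN on 4443/4444, and the only symptom is a hot router and lower throughput. The script below, an added example that is not part of the original article, asks HAProxy over its stats socket which server each listen section is currently sending clients to. It assumes the config above gains `stats socket /var/run/haproxy.sock mode 600 level admin` in its global section and that socat is available on the router; the `show stat` sample embedded in it is constructed to show one section served by the Orange Pi and one that has already fallen back.

```shell
#!/bin/sh
# Added example, not part of the original article: find out which backend
# HAProxy is really handing VPN clients to. Fallback to the router-side
# OpenVPN is silent (clients still connect, only slowly), so it pays to check.
# Assumes the article's HAProxy config gained a stats socket in the global
# section:
#     stats socket /var/run/haproxy.sock mode 600 level admin
# and that socat is installed on the router. Both are additions, not part of
# the article's setup.

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

# Turn `show stat` CSV (stdin) into tab-separated "<section> <server> <status>
# <role>" lines, one per real server. Column numbers are looked up from the
# header line rather than hard-coded, so this survives HAProxy version changes.
active_servers() {
    awk -F, '
        /^# / { sub(/^# /, ""); for (i = 1; i <= NF; i++) col[$i] = i; next }
        $2 == "FRONTEND" || $2 == "BACKEND" { next }
        NF > 1 {
            role = ($(col["bck"]) == "1") ? "backup" : "primary"
            print $1 "\t" $2 "\t" $(col["status"]) "\t" role
        }'
}

# Server that currently receives new connections for one listen section:
# a UP primary wins, otherwise a UP backup, otherwise "none". HAProxy reports
# transitional states as "UP 1/3" and the like, hence the prefix match.
serving_server() {
    active_servers | awk -F'\t' -v s="$1" '
        $1 == s && $3 ~ /^UP/ && $4 == "primary" { p = $2 }
        $1 == s && $3 ~ /^UP/ && $4 == "backup"  { b = $2 }
        END { r = (p != "") ? p : ((b != "") ? b : "none"); print r }'
}

# Constructed sample of `show stat` output for the article's two sections:
# main_vpn is served by the Orange Pi, guest_vpn has fallen back to the router.
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,
main_vpn,FRONTEND,,,1,3,256,41,5120,8192,0,0,0,,,,,OPEN,,,,
main_vpn,0-orange,0,0,1,3,,41,5120,8192,,0,,0,0,0,0,UP,1,1,0,
main_vpn,1-local,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,0,1,
main_vpn,BACKEND,0,0,1,3,26,41,5120,8192,0,0,,0,0,0,0,UP,1,1,1,
guest_vpn,FRONTEND,,,0,2,256,7,900,1400,0,0,0,,,,,OPEN,,,,
guest_vpn,0-orange,0,0,0,1,,3,400,600,,0,,1,0,0,0,DOWN,1,1,0,
guest_vpn,1-local,0,0,0,1,,4,500,800,,0,,0,0,0,0,UP,1,0,1,
guest_vpn,BACKEND,0,0,0,2,26,7,900,1400,0,0,,1,0,0,0,UP,1,0,1,'

# On the router: ./vpn-backend.sh --live
case "${1:-}" in
    --live)
        for section in main_vpn guest_vpn; do
            printf '%s -> %s\n' "$section" \
                "$(echo 'show stat' | socat stdio "UNIX-CONNECT:$HAPROXY_SOCK" | serving_server "$section")"
        done ;;
esac
```

With the live switch the script prints one line per section, for example `guest_vpn -> 1-local`, which is the cue that the guest VPN is being encrypted on the router's CPU again and the Orange Pi needs attention.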

Result

If everything goes according to plan, clients are switched over to the Orange Pi, the router's CPU stops overheating, and VPN throughput goes up considerably. At the same time, all the network rules registered on the router stay in force. If the Orange Pi crashes, its backends go down and HAProxy moves clients to the local server.

A few things are worth tightening in this setup. The router's own OpenVPN instances now listen on 4443 and 4444 purely as HAProxy backups, so bind them to loopback (local 127.0.0.1 in their config) or firewall those ports, so that the fallback is reachable only through HAProxy. HAProxy itself runs as root here (uid 0 / gid 0); it only needs root to bind 443 and 444, so it can drop to an unprivileged user such as nobody after that. The Orange Pi now has a layer-2 foothold in both the main and the guest network, so the isolation the router enforces between them does not apply to that host: keep it patched and run nothing else on it. Finally, since HAProxy proxies at the TCP level, OpenVPN on the Orange Pi sees the router's address as the source of every client connection, so its log and status file no longer show real client IPs.

Thanks for your attention, suggestions and corrections.

Source: www.habr.com
