Moving from OpenVPN to WireGuard to join networks into a single L2 network


I want to share my experience of joining the networks of three remote flats, each of which uses a router running OpenWRT as its gateway, into one common network. When choosing between the two ways of joining networks, L3 with subnet routing and L2 with bridging, where all network nodes end up in a single subnet, I preferred the second: it is harder to configure, but it opens up more possibilities, since I planned to make straightforward use of technologies such as Wake-on-LAN and DLNA in the resulting network.

Part 1: Background

OpenVPN was chosen first as the protocol for implementing this, because, firstly, it can create a tap device that can be added to the bridge without any trouble, and secondly, OpenVPN supports running over TCP, which was also important: none of the flats has a dedicated IP address, and I could not use STUN, because for some reason my provider blocks incoming UDP connections from its networks, while TCP made it possible to forward the VPN server port to a paid VPS over SSH. Yes, this approach carries a lot of overhead, because the data is encrypted twice, but I did not want to put a VPS inside my private network: third parties always retain control over such machines, so the thought of having one in my home network was very unpleasant, and I decided to pay for security with the extra overhead.

To forward the port from the router that was to host the server, the sshtunnel package was used. I will not describe the details of its configuration, which is fairly straightforward; I will only note that its job is to forward TCP port 1194 from the router to the VPS. Next, the OpenVPN server was configured on the tap0 device, which was added to the br-lan bridge. When I tested the connection to the newly created server from a laptop, it was clear that the port-forwarding idea worked: my laptop became a member of the router's network, though not physically.

Only one small thing remained: the IP addresses in the different flats had to be distributed so that they would not conflict, and the routers had to be configured as OpenVPN clients.
The following router IP addresses and DHCP server ranges were assigned:

  • 192.168.10.1 with the range 192.168.10.2 - 192.168.10.80 for the server
  • 192.168.10.100 with the range 192.168.10.101 - 192.168.10.149 for the router in flat No.
  • 192.168.10.150 with the range 192.168.10.151 - 192.168.10.199 for the router in flat No.

These addresses also had to be pinned to the OpenVPN server's client keys, by adding the following line to its configuration:

ifconfig-pool-persist /etc/openvpn/ipp.txt 0

and adding the following lines to the file /etc/openvpn/ipp.txt:

flat1_id 192.168.10.100
flat2_id 192.168.10.150

where flat1_id and flat2_id are the device names given when the certificates for connecting to OpenVPN were generated.
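To check an address plan like the one above, here is an added shell script (not from the original post) that flags every pair of pools sharing an address and lists which pools a given fixed address falls into. On the post's figures it confirms that the three DHCP ranges are disjoint and that the routers' pinned addresses 192.168.10.100 and 192.168.10.150 lie outside every DHCP range, while also reporting that each DHCP range intersects the OpenVPN client pool 192.168.10.80-254 from the server-bridge line of the server config, which matters only for OpenVPN clients that are not pinned in ipp.txt. The pool table is constructed from the numbers in the post.

```shell
#!/bin/sh
# Added example, not from the original post: does any pool in the address plan
# hand out an address that another pool can also hand out?
# One pool per line: "name first-address last-address" (constructed from the post).
POOLS='dhcp-flat1   192.168.10.2   192.168.10.80
dhcp-flat2   192.168.10.101 192.168.10.149
dhcp-flat3   192.168.10.151 192.168.10.199
openvpn-pool 192.168.10.80  192.168.10.254'

# overlapping_pools [POOLS] -> one "nameA nameB" line per pair of pools that
# share at least one address (closed intervals intersect when lo1<=hi2 && lo2<=hi1)
overlapping_pools() {
    printf '%s\n' "${1:-$POOLS}" | awk '
        function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        NF == 3 { n++; name[n] = $1; lo[n] = ip2n($2); hi[n] = ip2n($3) }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        print name[i], name[j]
        }'
}

# pools_containing IP [POOLS] -> names of the pools whose range includes IP;
# a statically pinned address (the routers' ipp.txt entries) should appear in
# no pool that actually leases addresses to other hosts
pools_containing() {
    printf '%s\n' "${2:-$POOLS}" | awk -v ip="$1" '
        function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        NF == 3 && ip2n($2) <= ip2n(ip) && ip2n(ip) <= ip2n($3) { print $1 }'
}

# plan_ok [POOLS] -> exit 0 when no two pools overlap
plan_ok() { [ -z "$(overlapping_pools "${1:-$POOLS}")" ]; }

echo "overlapping pools:"; overlapping_pools
for fixed in 192.168.10.100 192.168.10.150; do
    echo "$fixed is inside: $(pools_containing "$fixed" | tr '\n' ' ')"
done
plan_ok && echo "plan OK" || echo "plan has overlaps"
```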

Next, OpenVPN clients were configured on the routers, and the tap0 device on both was added to the br-lan bridge. At this point everything looked fine: all three networks could see each other and worked as one. However, an unpleasant detail surfaced: sometimes devices received an IP address that did not come from their own router, with all the consequences that follow. For some reason the router in one of the flats did not manage to answer a DHCPDISCOVER in time, and the device got an address that was not intended for it. I realised I had to filter such requests on tap0 on each of the routers, but, as it turned out, iptables cannot work with a device once it is part of a bridge, and ebtables had to come to my aid. Unfortunately it was not in my firmware, and I had to rebuild the images for each device. After doing that and adding these lines to /etc/rc.local on each router, the problem was solved:

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

This configuration served for three years.

Part 2: Introducing WireGuard

Recently, people on the internet have been talking about WireGuard more and more, praising the simplicity of its configuration, its high throughput, low ping and comparable security. Looking for more information about it, it became clear that it supports neither working as a bridge member nor running over TCP, so I concluded that there was still no alternative to OpenVPN for me, and my acquaintance with WireGuard ended there.

A few days ago, the news spread across every resource related to IT in one way or another that WireGuard would be included in the Linux kernel starting from version 5.6. The news items, as always, praised WireGuard. Once again I went looking for a way to replace good old OpenVPN. This time I came across this article. It described creating an Ethernet tunnel over L3 using GRE. That article gave me hope. It was still unclear what to do about the UDP protocol. The search led me to articles on using socat together with an SSH tunnel to forward a UDP port, but they noted that this approach only works in single-connection mode, i.e. several VPN clients would be impossible. The idea came up of putting a VPN server on the VPS and setting up GRE for the clients, but, as it turned out, GRE does not support encryption, and it came down to the fact that if third parties gained access to the server, all the traffic between my networks would be in their hands, which did not suit me.

Once again the decision fell on additional encryption, using a VPN over a VPN, according to the following scheme:

First-level VPN:
  • VPS is its server, with internal address 192.168.30.1
  • MS is a client of the VPS, with internal address 192.168.30.2
  • MK2 is a client of the VPS, with internal address 192.168.30.3
  • MK3 is a client of the VPS, with internal address 192.168.30.4

Second-level VPN:
  • MS is its server, with external address 192.168.30.2 and internal address 192.168.31.1
  • MK2 is a client of MS at address 192.168.30.2, with internal IP 192.168.31.2
  • MK3 is a client of MS at address 192.168.30.2, with internal IP 192.168.31.3

* MS is the server router in flat 1, MK2 the router in flat 2, MK3 the router in flat 3
* The device configurations are given in the spoiler at the end of the article.

So, pings are flowing between the nodes of the 192.168.31.0/24 network, and it is time to move on to setting up the GRE tunnel. Before that, so as not to lose access to the routers, SSH tunnels had to be set up forwarding port 22 to the VPS, so that, for example, the router from flat 2 is reachable on VPS port 10022 and the router from flat 3 on port 11122. It is better to configure this forwarding with the same sshtunnel package, because it re-establishes the tunnel if it fails.

Once the tunnel is configured, you can connect over SSH via the forwarded port:

ssh root@МОЙ_VPS -p 10022

Next, OpenVPN needs to be stopped:

/etc/init.d/openvpn stop

Now a GRE tunnel needs to be set up on the router from flat 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up

Then the created interface is added to the bridge:

brctl addif br-lan grelan0

Do the same on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up

And again add the created interface to the bridge:

brctl addif br-lan grelan0

From this moment pings started going through to the new network successfully, and, pleased, I went to have a coffee. Then, to check how the network behaves at the far end of the line, I tried to SSH into one of the computers in flat 2, but the ssh client simply exited without asking for a password. I try to connect to this computer with telnet on port 22 and see a familiar line showing that the connection is established and the SSH server is responding, but for some reason it does not prompt me to log in.

$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1

I try to connect over VNC and see a black screen. I assumed the problem was with the remote computer, since I could connect to the router in that flat by its internal address. However, when I decided to SSH into that computer through the router, I was surprised to find that the connection succeeded and the remote computer was working normally, yet it could not connect to my computer.

I removed the grelan0 device from the bridge and started OpenVPN on the router in flat 2 to make sure the network worked as expected again and connections stopped dropping. Searching led me to forums where people complained about the same problems and were advised to raise the MTU. It did not take long: until I set a large MTU, 7000 for the gretap devices, TCP connections dropped or showed low transfer rates. Because of the large MTU on gretap, the MTUs of the first- and second-level WireGuard links were set to 8000 and 7500.
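To see why the bridge forces such large MTUs, here is an added calculation (not from the original post) of what a single 1500-byte LAN packet costs once it is bridged into gretap, wrapped by wg1, wrapped again by wg0 and sent out over PPPoE: a Linux bridge cannot fragment an Ethernet frame, so grelan0 must accept full-size frames, and fragmentation then happens on the outer IPv4 packet instead. The header sizes are protocol facts; the 1492-byte MTU of pppoe-wan is an assumption about the uplink.

```shell
#!/bin/sh
# Added example, not from the original post: on-the-wire cost of one LAN packet
# through gretap -> wg1 -> wg0 -> pppoe-wan, and how many WAN fragments it needs.
ETH_HDR=14      # inner Ethernet header carried by gretap (no VLAN tag)
GRE_HDR=4       # plain GRE header: no key, checksum or sequence, as in the post's ip link command
IP_HDR=20       # IPv4 header without options
WG_OVERHEAD=60  # IPv4 20 + UDP 8 + WireGuard data header 16 + Poly1305 tag 16
WAN_MTU=1492    # assumption: PPPoE uplink, 1500 minus 8 bytes of PPPoE/PPP framing

# WireGuard pads the plaintext up to a multiple of 16 bytes before encrypting it.
pad16() { echo $(( ( ($1 + 15) / 16 ) * 16 )); }

# wire_size LAN_PACKET_BYTES -> size of the outer IPv4 packet leaving pppoe-wan
wire_size() {
    frame=$(( $1 + ETH_HDR ))                   # what the bridge hands to grelan0
    gre=$(( frame + GRE_HDR + IP_HDR ))         # gretap output: an IPv4 packet routed into wg1
    wg1=$(( $(pad16 "$gre") + WG_OVERHEAD ))    # second-level tunnel: an IPv4 packet routed into wg0
    echo $(( $(pad16 "$wg1") + WG_OVERHEAD ))   # first-level tunnel: sent out via pppoe-wan
}

# fragments OUTER_BYTES -> number of IPv4 fragments the WAN link needs for that packet
fragments() {
    per_frag=$(( ( (WAN_MTU - IP_HDR) / 8 ) * 8 ))   # fragment payload must be a multiple of 8
    echo $(( ( $1 - IP_HDR + per_frag - 1 ) / per_frag ))
}

# largest LAN packet that still fits into one WAN packet (the fragmentation-free MTU)
max_unfragmented_lan_mtu() {
    m=1500
    while [ "$(wire_size "$m")" -gt "$WAN_MTU" ]; do m=$(( m - 1 )); done
    echo "$m"
}

outer=$(wire_size 1500)
echo "1500-byte LAN packet -> $outer bytes on pppoe-wan, sent as $(fragments "$outer") fragments"
echo "largest LAN packet that avoids WAN fragmentation: $(max_unfragmented_lan_mtu) bytes"
```

Every lost fragment discards the whole outer packet, which is the price of keeping 1500-byte frames on the LAN side; lowering the LAN MTU to the computed value avoids fragmentation at the cost of touching every host.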

I made a similar setup on the router from flat 3, the only difference being that on the server router a second gretap interface, grelan1, was created for it and also added to the br-lan bridge.

Everything works. Now the gretap setup can be added to startup. To do that:

I put these lines in /etc/rc.local on the router in flat 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

This was added to /etc/rc.local on the router in flat 3:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

And on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1

After rebooting the client routers, I found that for some reason they were not connecting to the server. Connecting to them over SSH (fortunately I had set up sshtunnel for this beforehand), I found that WireGuard for some reason creates a route for the endpoint, and a wrong one at that. Namely, for 192.168.30.2 the routing table showed a route through the pppoe-wan interface, i.e. via the internet, although the route to it had to go through the wg0 interface. After removing this route, connectivity was restored. I found no instructions on where or how to make WireGuard stop creating these routes. Moreover, I do not know whether this is an OpenWRT feature or a WireGuard one. Not wanting to dwell on this problem for long, I simply added a line to the startup script on both routers that removes this route:

route del 192.168.30.2
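To catch the stray endpoint route at boot rather than after the tunnel fails, here is an added longest-prefix-match lookup over ip route show output (not from the original post) that reports which interface 192.168.30.2 would leave through, before and after the host route is removed. Both routing tables are constructed; the 10.0.0.x addresses stand in for the real PPPoE link.

```shell
#!/bin/sh
# Added example, not from the original post: a longest-prefix-match lookup over
# "ip route show" text, used to check where the wg1 endpoint would be sent.

# route_dev ROUTES IP -> device of the most specific route that matches IP
route_dev() {
    printf '%s\n' "$1" | awk -v target="$2" '
        function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        # 1 when ip lies inside prefix ("192.168.30.0/24", "192.168.30.2" or "0.0.0.0/0")
        function contains(prefix, ip,  p, bits, blk) {
            split(prefix, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
            blk = 2 ^ (32 - bits)                 # addresses per block of this prefix length
            return int(ip2n(p[1]) / blk) == int(ip2n(ip) / blk)
        }
        function devof(   i) { for (i = 1; i <= NF; i++) if ($i == "dev") return $(i + 1); return "" }
        BEGIN { best = -1 }
        NF > 0 {
            prefix = ($1 == "default") ? "0.0.0.0/0" : $1
            split(prefix, q, "/"); plen = (q[2] == "") ? 32 : q[2] + 0
            if (plen > best && contains(prefix, target)) { best = plen; dev = devof() }
        }
        END { print dev }'
}

# endpoint_route_ok ROUTES ENDPOINT TUNNEL_DEV -> exit 0 when ENDPOINT is reached via TUNNEL_DEV
endpoint_route_ok() { [ "$(route_dev "$1" "$2")" = "$3" ]; }

# Constructed table for MK2 right after reboot: a host route for the wg1 endpoint via the WAN
ROUTES_AT_BOOT='default via 10.0.0.1 dev pppoe-wan proto static
10.0.0.1 dev pppoe-wan proto kernel scope link src 10.0.0.2
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.100
192.168.30.0/24 dev wg0 proto kernel scope link src 192.168.30.3
192.168.30.2 dev pppoe-wan proto static scope link
192.168.31.0/24 dev wg1 proto kernel scope link src 192.168.31.2'

# The same table once the host route is gone, which is what the rc.local line above achieves
ROUTES_FIXED=$(printf '%s\n' "$ROUTES_AT_BOOT" | grep -v '^192\.168\.30\.2 ')

report() {  # report LABEL ROUTES
    if endpoint_route_ok "$2" 192.168.30.2 wg0; then
        echo "$1: 192.168.30.2 leaves via wg0, as intended"
    else
        echo "$1: 192.168.30.2 leaves via $(route_dev "$2" 192.168.30.2), wg1 cannot come up"
    fi
}
report "at boot" "$ROUTES_AT_BOOT"
report "after route del" "$ROUTES_FIXED"
```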

Summary

I have not managed to abandon OpenVPN completely, because I need to connect to the new network from a laptop or a phone, and setting up a gretap device on them is not possible; even so, I gained in transfer speed between the flats, and, for example, using VNC is no longer painful. The ping dropped only slightly, but it did improve:

With OpenVPN:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms

--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms

With WireGuard:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms

A far bigger contribution comes from the high ping to the VPS itself, about 61.5 ms.

The speed, however, has increased noticeably. In the flat with the server router I have a 30 Mbit/s internet connection, and in the other flats 5 Mbit/s. With OpenVPN I could never get data transfer between the networks above 3.8 Mbit/s according to iperf, whereas WireGuard "pushed" it up to 5 Mbit/s.

WireGuard configuration on the VPS

[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <ЗАКРЫТЫЙ_КЛЮЧ_ДЛЯ_VPS>

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_1_МС>
AllowedIPs = 192.168.30.2/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2>
AllowedIPs = 192.168.30.3/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3>
AllowedIPs = 192.168.30.4/32

WireGuard configuration on MS (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.2/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МС'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - server
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option listen_port '51821'
        list addresses '192.168.31.1/24'
        option auto '1'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list allowed_ips '192.168.31.2'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list allowed_ips '192.168.31.3'

WireGuard configuration on MK2 (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.3/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК2'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list addresses '192.168.31.2/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

WireGuard configuration on MK3 (added to /etc/config/network)

# First-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.4/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК3'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Second-level VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list addresses '192.168.31.3/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

In the configurations given above for the second-level VPN, I bound the WireGuard clients to port 51821. In theory this is not required, since a client establishes the connection from any free port, but I did it so that I could block all incoming connections on the wg0 interfaces of all routers except incoming UDP connections to port 51821.

I hope the article proves useful to someone.

PS: I also want to share my script that sends a PUSH notification to my phone via the WirePusher app whenever a new device appears on my network. Here is the link to the script: github.com/r0ck3r/device_discover.

UPDATE: Configuration of the OpenVPN server and clients

OpenVPN server

client-to-client

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key

dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
comp-lzo

OpenVPN client

client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind

ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem

comp-lzo
persist-tun
persist-key
verb 3

I used easy-rsa to generate the certificates.

Source: will.com
