Speeding up OpenVPN on an OpenWrt router. An alternative option without a soldering iron or hardware modification


Hello everyone. I recently read an old article on how to speed up OpenVPN on a router by moving the encryption to a separate hardware module soldered into the router. My situation is the same as that author's: a TP-Link WDR3500 with 128 megabytes of RAM and a weak CPU that cannot keep up with encrypting the tunnels. However, I really did not want to get inside the router with a soldering iron. Below is my experience of moving OpenVPN to a separate hardware module, with fallback to the router in case of failure.

Goal

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnels, and if anything happens to it, VPN processing should fall back to the router as before. All firewall settings on the router must keep working as they did. In general, the extra hardware should be transparent and invisible to everyone. OpenVPN runs over TCP, and the TAP adapter is in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one port of the router and bring every local network that has a VPN bridge to the Orange Pi. That way the hardware module is physically present in the same networks as the VPN server on the router. After that we set up the same servers on the Orange Pi, and on the router we set up some kind of proxy that forwards all incoming connections to the external server, and, if the Orange Pi dies or is unavailable, to the internal fallback server. I went with HAProxy.

It works out like this:

  1. A client connects
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. The VPN on the Orange Pi decrypts the packets and drops them into the router's network
  5. The router routes them wherever they need to go

Implementation example

So, let's say there are two networks on the router: main (1) and guest (2), each with its own OpenVPN server for connecting from outside.

Network configuration

We need to pass both networks through a single port, so we create two VLANs.

On the router, in the Network/Switch section, create the VLANs (for example 1 and 2) in tagged mode on the required port, then add the newly created eth0.1 and eth0.2 to the corresponding networks (for example, add them to the bridge).

On the Orange Pi we create two VLAN interfaces (I run Archlinux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

Na ka hangaia e matou nga piriti e rua mo ratou:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). Now, after a reboot, the Orange Pi sits on both required networks. We assign the Orange Pi's interface addresses through Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

VPN setup

Next, we copy the OpenVPN settings and keys from the router. The settings are usually found in /tmp/etc/openvpn*.conf

By default, openvpn in TAP mode with server-bridge leaves its interface down. For everything to work, you need to add a script that runs when the connection comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN as the "up" script; profile_name is exported to the script
# by the "setenv profile_name ..." line in the server config.
# Bring the TAP interface up and attach it to the matching bridge.
ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, when the connection comes up, the vpn-main interface is added to br-main. For the guest network it is the same, apart from the interface name and the address in server-bridge.

Redirecting external requests and the proxy

At this point the Orange Pi can already accept connections and join clients to the required networks. All that remains is to configure proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
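
The backup entries only help if the router's own OpenVPN instances were really moved to the ports HAProxy points at. As an added check (not code from the original post), this POSIX shell script cross-checks the backup servers in haproxy.cfg against the router's OpenVPN configs; both inputs are constructed inline, and the listen blocks copy the ones above.

```shell
#!/bin/sh
# Added example, not from the original post: every "backup" server on
# 127.0.0.1 in haproxy.cfg must have a local OpenVPN instance listening on
# that port, otherwise the fallback path silently has nowhere to go.
HAPROXY_CFG=$(mktemp)
OVPN_DIR=$(mktemp -d)
trap 'rm -rf "$HAPROXY_CFG" "$OVPN_DIR"' EXIT
cat > "$HAPROXY_CFG" <<'EOF'
listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
EOF
# Constructed router-side configs: main was moved to 4443, but guest was
# forgotten and still listens on 444 (a deliberate mismatch).
printf 'proto tcp\nport 4443\n' > "$OVPN_DIR/main.conf"
printf 'proto tcp\nport 444\n'  > "$OVPN_DIR/guest.conf"

# backup_ports CFG: print the port of each 127.0.0.1 backup server, one per line
backup_ports() {
    awk '$1 == "server" && /backup/ && $3 ~ /^127\.0\.0\.1:/ {
             split($3, a, ":"); print a[2] }' "$1"
}
# local_ports DIR: print every "port N" declared in DIR/*.conf
local_ports() {
    awk '$1 == "port" { print $2 }' "$1"/*.conf
}
# check_failover CFG DIR: report backups with no local listener; exit 0 only if none
check_failover() {
    missing=0
    for p in $(backup_ports "$1"); do
        if ! local_ports "$2" | grep -qx "$p"; then
            echo "backup 127.0.0.1:$p has no local OpenVPN instance" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

check_failover "$HAPROXY_CFG" "$OVPN_DIR" && echo "failover path consistent" || echo "failover path broken"
```

On the router itself, point the script at /etc/haproxy.cfg and the directory holding the moved OpenVPN configs instead of the constructed inputs.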

Result

If everything went according to plan, clients switch over to the Orange Pi, the router's CPU no longer heats up, and VPN throughput increases significantly. At the same time, all network rules registered on the router remain in force. If something happens to the Orange Pi and it fails, HAProxy switches clients to the local servers.

Thank you for your attention; comments and corrections are welcome.

Source: will.com
