Nthawi zambiri, kulumikiza rauta ku VPN sikovuta, koma ngati mukufuna kuteteza maukonde onse ndipo nthawi yomweyo kusunga liwiro mulingo woyenera kugwirizana, ndiye njira yabwino ndi ntchito VPN ngalande. .
Ma routers Mikrotik zidakhala zodalirika komanso zosinthika, koma mwatsoka sichinatero ndipo sichidziwika kuti chidzawonekera liti komanso mukuchita chiyani. Posachedwapa za zomwe opanga njira ya WireGuard VPN adanena , zomwe zipangitsa mapulogalamu awo a VPN kukhala gawo la Linux kernel, tikukhulupirira kuti izi zithandizira kukhazikitsidwa kwa RouterOS.
Koma pakadali pano, mwatsoka, kukonza WireGuard pa Mikrotik rauta, muyenera kusintha firmware.
Kuwala kwa Mikrotik, kukhazikitsa ndi kukonza OpenWrt
Choyamba muyenera kuonetsetsa kuti OpenWrt imathandizira mtundu wanu. Onani ngati chitsanzo chikufanana ndi dzina lake la malonda ndi chithunzi .
Pitani ku openwrt.com .
Pa chipangizochi, tikufuna mafayilo awiri:
Muyenera kutsitsa mafayilo onse awiri: Sakani ΠΈ Mokweza.
1. Kukhazikitsa netiweki, tsitsani ndi kukhazikitsa seva ya PXE
Tsitsani za Windows zaposachedwa.
Tsegulani ku chikwatu chosiyana. Mu fayilo ya config.ini yonjezerani chizindikiro rfc951=1 gawo [dhcp]. Izi ndizofanana pamitundu yonse ya Mikrotik.
Tiyeni tipitirire ku zoikamo za netiweki: muyenera kulembetsa adilesi ya ip yokhazikika pa imodzi mwamakompyuta anu.
IP adilesi: 192.168.1.10
Netmask: 255.255.255.0
Thamangani Seva yaying'ono ya PXE m'malo mwa Administrator ndikusankha m'munda DHCP Seva seva yokhala ndi adilesi 192.168.1.10
M'matembenuzidwe ena a Windows, mawonekedwewa amatha kuwoneka pokhapokha atalumikizidwa ndi Ethernet. Ndikupangira kulumikiza rauta ndikusintha mwachangu rauta ndi PC pogwiritsa ntchito chingwe.
Dinani batani "..." (pansi kumanja) ndikutchula chikwatu chomwe mudatsitsa mafayilo amtundu wa Mikrotik.
Sankhani fayilo yomwe dzina lake limathera ndi "initramfs-kernel.bin kapena elf"
2. Kuyatsa rauta kuchokera pa seva ya PXE
Timagwirizanitsa PC ndi waya ndi doko loyamba (wan, intaneti, poe in, ...) la router. Pambuyo pake, timatenga chotokosera mano, ndikuchiyika mu dzenje ndi mawu akuti "Bwezerani".
Timayatsa mphamvu ya rauta ndikudikirira masekondi 20, ndikumasula chotokosera.
Mumphindi yotsatira, mauthenga otsatirawa ayenera kuwonekera pawindo la Tiny PXE Server:
Ngati uthengawo ukuwoneka, ndiye kuti muli panjira yoyenera!
Bwezerani zoikika pa adaputala ya netiweki ndikukhazikitsa kuti mulandire adilesiyo mwamphamvu (kudzera pa DHCP).
Lumikizani ku madoko a LAN a rauta ya Mikrotik (2β¦5 mwa ife) pogwiritsa ntchito chingwe chomwechi. Ingosinthani kuchoka ku doko loyamba kupita ku doko lachiwiri. Tsegulani adilesi mu msakatuli.
Lowani ku mawonekedwe oyang'anira OpenWRT ndikupita kugawo la "System -> Backup/Flash Firmware"
Pagawo la "Flash new firmware image", dinani "Sankhani fayilo (Sakatulani)" batani.
Tchulani njira yopita ku fayilo yomwe dzina lake limathera ndi "-squashfs-sysupgrade.bin".
Pambuyo pake, dinani batani la "Flash Image".
Pazenera lotsatira, dinani batani la "Pitirizani". Firmware idzayamba kutsitsa ku rauta.
!!! POSACHITIKA MUSAMALEKEZE MPHAMVU YA ROUTER PANTHAWI YA FIRMWARE !!!
Pambuyo pakuwunikira ndikuyambitsanso rauta, mudzalandira Mikrotik ndi OpenWRT firmware.
Mavuto ndi njira zomwe zingatheke
Zida zambiri za Mikrotik zomwe zidatulutsidwa mu 2019 zimagwiritsa ntchito chip memory FLASH-NOR chamtundu wa GD25Q15 / Q16. Vuto ndiloti pakuwunikira, deta yokhudzana ndi chipangizochi sichisungidwa.
Ngati muwona cholakwika "Fayilo yazithunzi yomwe idakwezedwa ilibe mawonekedwe othandizidwa. Onetsetsani kuti mwasankha mtundu wazithunzi za pulatifomu yanu." ndiye mwina vuto liri mu flash.
Ndikosavuta kuyang'ana izi: yendetsani lamulo kuti muwone ID yachitsanzo mu terminal ya chipangizo
root@OpenWrt: cat /tmp/sysinfo/board_nameNdipo ngati mupeza yankho "losadziwika", muyenera kufotokozera pamanja chipangizochi mu mawonekedwe a "rb-951-2nd"
Kuti mupeze mtundu wa chipangizocho, yendetsani lamulo
root@OpenWrt: cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2ndMukalandira mtundu wa chipangizocho, yikani pamanja:
echo 'rb-951-2nd' > /tmp/sysinfo/board_namePambuyo pake, mutha kuwunikira chipangizocho kudzera pa intaneti kapena kugwiritsa ntchito lamulo la "sysupgrade".
Pangani seva ya VPN ndi WireGuard
Ngati muli ndi seva yokhala ndi WireGuard yokonzedwa, mutha kudumpha izi.
Ndigwiritsa ntchito pulogalamuyo kukhazikitsa seva yanu ya VPN za mphaka ine kale .
Kukonza Client WireGuard pa OpenWRT
Lumikizani ku rauta kudzera pa protocol ya SSH:
ssh [email protected]Ikani WireGuard:
opkg update
opkg install wireguardKonzani kasinthidwe (koperani nambala yomwe ili pansipa ku fayilo, sinthani zomwe zatchulidwazo ndi zanu ndikuyendetsa mu terminal).
Ngati mukugwiritsa ntchito MyVPN, ndiye mumasinthidwe omwe ali pansipa muyenera kusintha WG_SERV - Seva IP WG_KEY - kiyi yachinsinsi kuchokera pa fayilo yosintha ya wireguard ndi WG_PUB - kiyi yapagulu.
WG_IF="wg0"
WG_SERV="100.0.0.0" # ip Π°Π΄ΡΠ΅Ρ ΡΠ΅ΡΠ²Π΅ΡΠ°
WG_PORT="51820" # ΠΏΠΎΡΡ wireguard
WG_ADDR="10.8.0.2/32" # Π΄ΠΈΠ°ΠΏΠ°Π·ΠΎΠ½ Π°Π΄ΡΠ΅ΡΠΎΠ² wireguard
WG_KEY="xxxxx" # ΠΏΡΠΈΠ²Π°ΡΠ½ΡΠΉ ΠΊΠ»ΡΡ
WG_PUB="xxxxx" # ΠΏΡΠ±Π»ΠΈΡΠ½ΡΠΉ ΠΊΠ»ΡΡ
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart
# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restartIzi zimamaliza kukhazikitsidwa kwa WireGuard! Tsopano magalimoto onse pazida zonse zolumikizidwa amatetezedwa ndi kulumikizana kwa VPN.
powatsimikizira
(Malangizo owonjezera omwe alipo pakukhazikitsa L2TP, PPTP pa firmware yokhazikika ya Mikrotik)
Source: www.habr.com