Migrating from OpenVPN to WireGuard to merge networks into a single L2 network

I want to share my experience of merging the networks of three geographically distant apartments, each of which uses an OpenWRT router as its gateway, into one common network. When choosing how to join the networks, between L3 with subnet routing and L2 with bridging, where all network nodes sit in the same subnet, preference was given to the second method, which is harder to configure but offers more possibilities, since transparent use of Wake-on-Lan and DLNA was planned in the resulting network.

Part 1: Background

OpenVPN was initially chosen as the protocol for this task because, first, it can create a tap device that can be added to a bridge without problems, and second, OpenVPN supports running over TCP. That was also important, because none of the apartments had a dedicated IP address, and I could not use STUN, since my provider for some reason blocks incoming UDP connections from its networks, whereas TCP let me forward the VPN server port to a rented VPS using SSH. Yes, this approach adds a lot of overhead, since the data is encrypted twice, but I did not want to bring the VPS into my private network, since there was a risk of third parties gaining control over it. Having such a device in my home network was highly undesirable, so it was decided to pay for security with a large overhead.

To forward the port on the router where the server was to be deployed, the sshtunnel program was used. I will not describe the details of its configuration, it is done quite easily; I will only note that its job was to forward TCP port 1194 from the router to the VPS. Next, the OpenVPN server was set up on the tap0 device, which was added to the br-lan bridge. After checking the connection to the newly created server from a laptop, it became clear that the port-forwarding idea was sound, and my laptop became a member of the router's network even though it was not physically in it.

Only one thing remained: the IP addresses in the different apartments had to be distributed so that they did not conflict, and the routers had to be configured as OpenVPN clients.
The following router IP addresses and DHCP server ranges were chosen:

  • 192.168.10.1 with range 192.168.10.2 - 192.168.10.80 for the server
  • 192.168.10.100 with range 192.168.10.101 - 192.168.10.149 for the router in apartment No. 2
  • 192.168.10.150 with range 192.168.10.151 - 192.168.10.199 for the router in apartment No. 3

It was also necessary to assign exactly these addresses to the client routers on the OpenVPN server by adding this line to its configuration:

ifconfig-pool-persist /etc/openvpn/ipp.txt 0

and adding the following lines to the file /etc/openvpn/ipp.txt:

flat1_id,192.168.10.100
flat2_id,192.168.10.150

where flat1_id and flat2_id are the device names specified when generating the certificates for connecting to OpenVPN.

Next, OpenVPN clients were configured on the routers, and the tap0 devices on both were added to the br-lan bridge. At this point everything seemed fine, since all three networks could see each other and worked as one. However, an unpleasant detail emerged: sometimes devices could obtain an IP address not from their own router, with all the ensuing consequences. For some reason, the router in one of the apartments did not manage to answer the DHCPDISCOVER in time, and the device received the wrong address. I realized that I needed to filter such requests on tap0 on each of the routers, but as it turned out, iptables cannot work with a device if it is part of a bridge, and ebtables had to come to my aid. To my regret, it was not in my firmware, and I had to rebuild the images for each device. Having done that and added these lines to /etc/rc.local on each router, the problem was solved:

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

This configuration lasted three years.

Part 2: Introducing WireGuard

Recently, people on the Internet have been talking more and more about WireGuard, admiring the simplicity of its configuration, high transfer speed, and low ping with comparable security. Searching for more information about it made it clear that neither working as a bridge member nor working over TCP is supported by it, which made me think that there were still no alternatives to OpenVPN for me. So I put off getting to know WireGuard.

A few days ago, news spread across resources related in one way or another to IT that WireGuard would finally be included in the Linux kernel, starting with version 5.6. The news articles, as always, praised WireGuard. I again plunged into searching for ways to replace good old OpenVPN. This time I came across this article. It talked about creating an Ethernet tunnel over L3 using GRE. This article gave me hope. It remained unclear what to do about the UDP protocol. Searching led me to articles about using socat together with an SSH tunnel to forward a UDP port; however, they noted that this approach works only in single-connection mode, that is, operating multiple VPN clients would be impossible. I came up with the idea of putting the VPN server on the VPS and setting up GRE for the clients, but it turned out that GRE does not support encryption, which would mean that if third parties gained access to the server, all traffic between my networks would be in their hands, which did not suit me at all.

Once again, the decision was made in favor of redundant encryption, using a VPN over a VPN according to the following scheme:

Level 1 VPN:
VPS is the server with internal address 192.168.30.1
MS is a client of the VPS with internal address 192.168.30.2
MK2 is a client of the VPS with internal address 192.168.30.3
MK3 is a client of the VPS with internal address 192.168.30.4

Level 2 VPN:
MS is the server with external address 192.168.30.2 and internal address 192.168.31.1
MK2 is a client of MS at address 192.168.30.2 and has internal IP 192.168.31.2
MK3 is a client of MS at address 192.168.30.2 and has internal IP 192.168.31.3

* MS - the server router in apartment 1, MK2 - the router in apartment 2, MK3 - the router in apartment 3
* The device configurations are published in the spoiler at the end of the article.

And so, pings run between the nodes of the 192.168.31.0/24 network, and it is time to move on to setting up the GRE tunnel. Before that, so as not to lose access to the routers, it is worth setting up SSH tunnels to forward port 22 to the VPS, so that, for example, the router from apartment 2 is reachable on port 10022 of the VPS, and the router from apartment 3 is reachable on port 11122 of the VPS. It is best to set up the forwarding with the same sshtunnel, since it will restore the tunnel if it goes down.

The tunnel is configured, and you can connect via SSH through the forwarded port:

ssh root@МОЙ_VPS -p 10022

Next, disable OpenVPN:

/etc/init.d/openvpn stop

Now let's set up the GRE tunnel on the router from apartment 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up

And add the created interface to the bridge:

brctl addif br-lan grelan0

Let's do the same on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up

And also add the created interface to the bridge:

brctl addif br-lan grelan0

From this moment, pings start going successfully to the new network, and I, satisfied, go for coffee. Then, to check how the network works at the other end of the line, I try to SSH into one of the computers in apartment 2, but the ssh client hangs without asking for a password. I try to connect to this computer via telnet on port 22 and see a line from which I can tell that the connection is being established and the SSH server is responding, but for some reason it just does not prompt me to log in.

$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1

I try to connect to it via VNC and see a black screen. I convince myself that the problem is with the remote computer, because I can easily connect to the router from this apartment using its internal address. However, I decide to connect to this computer's SSH through the router and am surprised to find that the connection succeeds and the remote computer works quite normally, but it too cannot connect to my computer.

I remove the grelan0 device from the bridge and start OpenVPN on the router in apartment 2, and make sure that the network again works as expected and connections do not drop. Searching, I come across forums where people complain about the same problems and are advised to raise the MTU. Easier said than done. However, until the MTU was set large enough, 7000 for the gretap devices, either dropped TCP connections or low transfer speed were observed. Because of the high MTU for gretap, the MTUs for the level-1 and level-2 WireGuard were set to 8000 and 7500 respectively.
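
The header arithmetic behind these MTU values, as an added example that is not from the original article. It assumes IPv4 carriers, GRE without key or checksum, and a PPPoE WAN MTU of 1492 (the article names pppoe-wan but does not state the WAN MTU); the function names are hypothetical.

```sh
#!/bin/sh
# Added example: MTU budget for gretap inside two nested WireGuard tunnels.
# Assumed header sizes (IPv4 carriers, GRE without key/checksum):
WG_OVERHEAD=60      # outer IPv4 20 + UDP 8 + WireGuard header 16 + auth tag 16
GRETAP_OVERHEAD=38  # outer IPv4 20 + GRE 4 + inner Ethernet header 14

# max_bridged_mtu WAN_MTU WG_LAYERS
# Largest bridged-frame MTU that reaches the WAN without any fragmentation.
max_bridged_mtu() {
    echo $(( $1 - $2 * WG_OVERHEAD - GRETAP_OVERHEAD ))
}

# wan_packet_size FRAME_MTU WG_LAYERS
# Size of the outermost IP packet that carries one full bridged frame.
wan_packet_size() {
    echo $(( $1 + GRETAP_OVERHEAD + $2 * WG_OVERHEAD ))
}

# wan_fragments FRAME_MTU WG_LAYERS WAN_MTU
# IPv4 fragments needed on the WAN (fragment payloads are multiples of 8).
wan_fragments() {
    size=$(wan_packet_size "$1" "$2")
    if [ "$size" -le "$3" ]; then echo 1; return 0; fi
    per_frag=$(( ($3 - 20) / 8 * 8 ))
    echo $(( (size - 20 + per_frag - 1) / per_frag ))
}

# mtus_nest GRETAP_MTU WG_INNER_MTU WG_OUTER_MTU
# True when every interface can carry a full packet from the one above it.
mtus_nest() {
    [ $(( $1 + GRETAP_OVERHEAD )) -le "$2" ] &&
    [ $(( $2 + WG_OVERHEAD )) -le "$3" ]
}

WAN_MTU=1492   # assumed PPPoE value; the article does not state it
echo "largest unfragmented bridged MTU: $(max_bridged_mtu "$WAN_MTU" 2)"
echo "WAN packet for a 1500-byte LAN MTU: $(wan_packet_size 1500 2) bytes," \
     "$(wan_fragments 1500 2 "$WAN_MTU") fragments"
if mtus_nest 7000 7500 8000; then
    echo "gretap 7000 / wg1 7500 / wg0 8000: consistent"
fi
```

Under these assumptions a bridged frame from a 1500-byte LAN produces an outermost packet larger than the WAN MTU, so it can only cross the WAN link in fragments.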

I made a similar setup on the router from apartment 3, the only difference being that a second gretap interface named grelan1 was added on the server router, which was also added to the br-lan bridge.

Everything works. Now the gretap setup can be put into startup. To do this:

I put these lines in /etc/rc.local on the router in apartment 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

Added this to /etc/rc.local on the router in apartment 3:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

And on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1

After rebooting the client routers, I found that for some reason they did not connect to the server. Having connected to them via SSH (fortunately, I had already set up sshtunnel for this), I discovered that WireGuard for some reason creates a route for the endpoint, and an incorrect one at that. Thus, for 192.168.30.2 the routing table showed a route through the pppoe-wan interface, that is, through the Internet, although the route to it should have gone through the wg0 interface. After deleting this route, the connection was restored. I could not find instructions anywhere on how to make WireGuard not create these routes. Moreover, I did not even understand whether this is a feature of OpenWRT or of WireGuard itself. Without digging into this problem for long, I simply added a line to a timed script on all routers that deleted this route:

route del 192.168.30.2

Summary

I have not yet managed to abandon OpenVPN completely, because I sometimes need to connect to the new network from a laptop or phone, and setting up a gretap device on them is generally not possible, but despite this I gained in data transfer speed between the apartments, and, for example, using VNC is no longer inconvenient. Ping decreased slightly but became more stable:

When using OpenVPN:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms

--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms

When using WireGuard:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms

It is dominated by the high ping to the VPS, which is about 61.5 ms.

However, the speed has increased significantly. In the apartment with the server router I have an Internet connection speed of 30 Mbit/sec, and in the other apartments 5 Mbit/sec. At the same time, while using OpenVPN, I could not reach a data transfer speed between the networks of more than 3.8 Mbit/sec according to iperf readings, while WireGuard "pumped" it up to the same 5 Mbit/sec.

WireGuard configuration on the VPS

[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <ЗАКРЫТЫЙ_КЛЮЧ_ДЛЯ_VPS>

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_1_МС>
AllowedIPs = 192.168.30.2/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2>
AllowedIPs = 192.168.30.3/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3>
AllowedIPs = 192.168.30.4/32

WireGuard configuration on MS (added to /etc/config/network)

# Level-1 VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.2/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МС'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Level-2 VPN - server
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option listen_port '51821'
        list addresses '192.168.31.1/24'
        option auto '1'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list allowed_ips '192.168.31.2'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list allowed_ips '192.168.31.3'

WireGuard configuration on MK2 (added to /etc/config/network)

# Level-1 VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.3/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК2'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Level-2 VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list addresses '192.168.31.2/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

WireGuard configuration on MK3 (added to /etc/config/network)

# Level-1 VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.4/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК3'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Level-2 VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list addresses '192.168.31.3/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

In the configurations shown for the level-2 VPN, I specify port 51821 for the WireGuard clients. In principle this is not necessary, since the client will establish the connection from any free port, but I did it so that it would be possible to block all incoming connections on the wg0 interfaces of all routers except incoming UDP connections to port 51821.
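
One way to express that restriction in the OpenWrt firewall, as an added example that is not part of the original article. The zone and rule names (vps, vps_zone, vps_wg) are hypothetical; the interface wg0 and port 51821 come from the configurations above.

```sh
#!/bin/sh
# Added example (not from the article): emit a `uci batch` script that puts
# wg0 in its own firewall zone and admits only the level-2 WireGuard port.
# Section and zone names are hypothetical.
WG_OUTER_IF=wg0       # level-1 tunnel that terminates on the VPS
WG_INNER_PORT=51821   # listen_port of the level-2 WireGuard interface

wg0_lockdown() {
    cat <<EOF
set firewall.vps_zone=zone
set firewall.vps_zone.name='vps'
add_list firewall.vps_zone.network='$WG_OUTER_IF'
set firewall.vps_zone.input='DROP'
set firewall.vps_zone.forward='DROP'
set firewall.vps_zone.output='ACCEPT'
set firewall.vps_wg=rule
set firewall.vps_wg.name='Allow-WG-level2'
set firewall.vps_wg.src='vps'
set firewall.vps_wg.proto='udp'
set firewall.vps_wg.dest_port='$WG_INNER_PORT'
set firewall.vps_wg.target='ACCEPT'
EOF
}

# On a router the output would be applied with:
#   wg0_lockdown | uci batch && uci commit firewall && /etc/init.d/firewall reload
# Here the script only prints what would be applied.
wg0_lockdown
```

If wg0 is already listed in another zone, it has to be removed from that zone first, otherwise that zone's more permissive input policy can still apply to it.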

I hope this article will be useful to someone.

P.S. I also want to share my script that sends a PUSH notification to my phone in the WirePusher app when a new device appears on my network. Here is the link to the script: github.com/r0ck3r/device_discover.

Spoiler: OpenVPN server and client configuration

OpenVPN server

client-to-client

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key

dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
comp-lzo

OpenVPN client

client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind

ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem

comp-lzo
persist-tun
persist-key
verb 3

I used Easy-rsa to generate the certificates.

Source: www.habr.com
