Speeding up OpenVPN on an OpenWrt router: a variant without a soldering iron or abusing the hardware

Hello everyone. I recently read an old article on how to speed up OpenVPN on a router by offloading encryption to a separate hardware module installed inside the router itself. I have the same problem as that author: a TP-Link WDR3500 with 128 megabytes of RAM and a weak processor that cannot cope with encrypting the tunnels. However, I absolutely did not want to get into the router with a soldering iron. Below is my experience of moving OpenVPN to a separate device, with a fallback to the router in case of failure.

Goal

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnels in normal operation, and if anything happens to it, VPN handling falls back to the router. All firewall settings on the router must keep working as before. In general, adding the extra hardware should be transparent and unnoticeable to everyone. OpenVPN runs over TCP, and the TAP adapter is in a bridge (server-bridge).

Solution

Instead of connecting via USB, I decided to use one port of the router and pass every subnet that has a VPN bridge through to the Orange Pi. The device then sits physically on the same networks as the VPN servers on the router. Next, we set up the same servers on the Orange Pi, and on the router we set up some kind of proxy that forwards all incoming connections to the external server and, if the Orange Pi is dead or absent, to the fallback server inside the router. I chose HAProxy.

It works like this:

  1. A client connects
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. The VPN on the Orange Pi unwraps the packets and spits them out to the router
  5. The router routes them onward

Example setup

So, suppose we have two networks on the router, main (1) and guest (2), and for each of them there is an OpenVPN server for connecting from outside.

Network configuration

We need to carry both networks over one port, so we create two VLANs.

On the router, in the Network/Switch section, create the VLANs (for example 1 and 2) and make them tagged on the chosen port, then add the newly created eth0.1 and eth0.2 to the corresponding networks (i.e. add them to the bridge).

On the Orange Pi we create two VLAN interfaces (I have Archlinux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And at the same time we create two bridges for them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). Now, after a reboot, the Orange Pi will be attached to both required networks. We pin the addresses of the Orange Pi's interfaces in Static Leases on the router.

ip addr

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

Setting up the VPN

Next, we copy the OpenVPN configs and keys from the router. The configs are usually found in /tmp/etc/openvpn*.conf

By default, openvpn running in TAP mode with server-bridge leaves its interface down. For everything to work, you need to add a script that runs when the connection comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN as the "up" script; profile_name is set by "setenv profile_name" in the config.
# Bring the TAP interface up and attach it to the bridge of the same profile.
ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as a connection is established, the vpn-main interface is added to br-main. For the guest network it is the same, apart from the interface name and the address in server-bridge.

Proxying external connections and fallback

At this stage the Orange Pi can already accept connections and attach clients to the required networks. What remains is to set up proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
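As an added example (not the article's own code), a small Python check of the HAProxy layout above: it parses the listen blocks, verifies that each VPN frontend has one health-checked primary (the Orange Pi) and one backup on loopback (the router's OpenVPN on its moved port), and mimics HAProxy's primary-then-backup choice for a given set of healthy servers. The config string is a constructed copy of the article's, and the "healthy" sets stand in for HAProxy's health-check results.

```python
# Added example, not from the article: constructed copy of the /etc/haproxy.cfg shown above.
HAPROXY_CFG = """
global
        daemon
listen guest_vpn
        bind :444
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup
listen main_vpn
        bind :443
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
"""

def parse_listen_blocks(cfg):
    """Map each 'listen' section to its bind port and (name, host, port, checked, backup) servers; lines before the first 'listen' are ignored."""
    blocks, current = {}, None
    for words in filter(None, (line.split() for line in cfg.splitlines())):
        if words[0] == "listen":
            current = blocks[words[1]] = {"bind": None, "servers": []}
        elif current is not None and words[0] == "bind":
            current["bind"] = int(words[1].rsplit(":", 1)[1])
        elif current is not None and words[0] == "server":
            host, port = words[2].rsplit(":", 1)
            current["servers"].append((words[1], host, int(port), "check" in words, "backup" in words))
    return blocks

def check_failover(blocks):
    """Return problems found; empty means each VPN frontend has one health-checked primary
    (the Orange Pi) and one backup on loopback (the router's own OpenVPN on its moved port)."""
    problems = []
    for name, blk in blocks.items():
        primaries = [s for s in blk["servers"] if not s[4]]
        backups = [s for s in blk["servers"] if s[4]]
        if len(primaries) != 1 or not primaries[0][3]:
            problems.append(f"{name}: need exactly one health-checked primary server")
        if len(backups) != 1:
            problems.append(f"{name}: need exactly one backup server")
        elif backups[0][1] != "127.0.0.1" or backups[0][2] == blk["bind"]:
            problems.append(f"{name}: backup must sit on loopback, on a port other than the bind port")
    return problems

def pick_server(blk, healthy):
    """HAProxy-style choice: a healthy non-backup server first, else a healthy backup, else None."""
    for want_backup in (False, True):
        for name, host, port, _checked, is_backup in blk["servers"]:
            if is_backup == want_backup and name in healthy:
                return f"{host}:{port}"
    return None
```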

Enjoy

If everything goes according to plan, clients will switch over to the Orange Pi, the router's processor will stop burning, and VPN speed will rise noticeably. At the same time, all the firewall rules written on the router remain in force. If the Orange Pi fails, it simply drops out and HAProxy moves clients back to the local servers.

Thank you for your attention; comments and corrections are welcome.

Source: www.habr.com
