In most cases, connecting a router to a VPN is not difficult, but if you want to protect the entire network and at the same time maintain connection speed, the best solution is to use a VPN tunnel.
Mikrotik routers have proven to be reliable and very flexible solutions, but unfortunately
But for now, unfortunately, to install WireGuard on a Mikrotik router, you have to change the firmware.
Flashing Mikrotik, installing and configuring OpenWrt
First, make sure that OpenWrt supports your model. Check whether the model matches its marketing name and image
Go to openwrt.com
For this device, we need 2 files:
You need to download both files: Install and Upgrade.
1. Set up the network, download and configure the PXE server
Download
Unpack it into a separate folder. In the config.ini file, add the parameter rfc951=1 to the [dhcp] section. This parameter is the same for all Mikrotik models.
Let's move on to the network settings: you need to assign an IP address on one of the network interfaces of your computer.
IP address: 192.168.1.10
Netmask: 255.255.255.0
Run Tiny PXE Server as Administrator and, in the DHCP Server field, select the server with the address 192.168.1.10
On some versions of Windows, this interface may only appear after an Ethernet connection has been made. I recommend connecting the router and immediately linking the router and the PC with a patch cord.
Click the "..." button (bottom right) and specify the folder where you downloaded the firmware files for Mikrotik.
Select the file whose name ends with "initramfs-kernel.bin or elf"
2. Booting the router from the PXE server
We connect the PC with a cable to the first port (wan, internet, poe in, ...) of the router. After that, we take a toothpick and insert it into the hole labelled "Reset".
We turn on the router's power and wait 20 seconds, then release the toothpick.
Within the next minute, the following messages should appear in the Tiny PXE Server window:
If the message appears, you are on the right track!
Restore the settings on the network adapter and set it to obtain the address dynamically (via DHCP).
Connect to the LAN ports of the Mikrotik router (2…5 in our case) using the same patch cord. Just switch it from the 1st port to the 2nd port. Open the address
Log in to the OpenWRT administration interface and go to the "System -> Backup/Flash Firmware" menu section.
In the "Flash new firmware image" section, click the "Choose file (Browse)" button.
Specify the path to the file whose name ends with "-squashfs-sysupgrade.bin".
After that, click the "Flash Image" button.
In the next window, click the "Proceed" button. The firmware will start uploading to the router.
!!! DO NOT UNDER ANY CIRCUMSTANCES TURN OFF THE ROUTER'S POWER DURING THE FLASHING PROCESS !!!
After the router has been flashed and rebooted, you will have a Mikrotik with OpenWRT firmware.
Problems and solutions
Many Mikrotik devices released in 2019 use a FLASH-NOR memory chip of the GD25Q15 / Q16 type. The problem is that, when flashing, the information about the device model is not saved.
If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform." then the problem is most likely in the flash.
This is easy to check: run the command that checks the model ID in the device terminal
root@OpenWrt: cat /tmp/sysinfo/board_name
And if you get the answer "unknown", then you need to specify the device model manually in the form "rb-951-2nd"
To get the device model, run the command
root@OpenWrt: cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd
Once you have the device model, set it manually:
echo 'rb-951-2nd' > /tmp/sysinfo/board_name
After that, you can flash the device through the web interface or with the "sysupgrade" command
Creating a VPN server with WireGuard
If you already have a server with WireGuard configured, you can skip this step.
I will use the application to set up a personal VPN
Configuring the WireGuard client on OpenWRT
Connect to the router over SSH:
ssh [email protected]
Install WireGuard:
opkg update
opkg install wireguard
Prepare the configuration (copy the code below into a file, replace the specified values with your own and run it in the terminal).
If you are using MyVPN, then in the configuration below you only need to change WG_SERV - the server IP, WG_KEY - the private key from the wireguard configuration file, and WG_PUB - the public key.
WG_IF="wg0"
WG_SERV="100.0.0.0" # server IP address
WG_PORT="51820" # wireguard port
WG_ADDR="10.8.0.2/32" # wireguard address range
WG_KEY="xxxxx" # private key
WG_PUB="xxxxx" # public key
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart
# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
The WireGuard setup is complete! Now all traffic on all connected devices is protected by the VPN connection.
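That claim can be checked on the router. The script below is an added example, not part of the original article: it parses the output of `wg show wg0 latest-handshakes` and `ip -4 route show` to confirm that the peer has completed a recent handshake and that both allowed_ips halves are routed through the tunnel. The 180-second staleness threshold, the function names and the sample line are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify the wg0 tunnel configured above.
MAX_AGE=180  # assumption: a handshake older than 180 s counts as stale

# Reads "pubkey<TAB>epoch" lines (the format of `wg show IF latest-handshakes`)
# on stdin and prints one of: ok / stale / never / no-peer.
handshake_state() {
    now="$1"; state="no-peer"
    while read -r _key ts; do
        [ -n "$ts" ] || continue
        if [ "$ts" -eq 0 ]; then s="never"
        elif [ $((now - ts)) -gt "$MAX_AGE" ]; then s="stale"
        else s="ok"; fi
        # keep the first failure seen; otherwise record the latest result
        case "$state" in never|stale) ;; *) state="$s" ;; esac
    done
    echo "$state"
}

# Reads `ip -4 route show` output on stdin; succeeds only if both
# allowed_ips halves (0.0.0.0/1 and 128.0.0.0/1) are routed via the tunnel.
routes_covered() {
    ifname="$1"; low=0; high=0
    while read -r dst rest; do
        case " $rest " in *" dev $ifname "*) ;; *) continue ;; esac
        case "$dst" in
            0.0.0.0/1) low=1 ;;
            128.0.0.0/1) high=1 ;;
        esac
    done
    [ "$low" -eq 1 ] && [ "$high" -eq 1 ]
}

# Live check, meant to be called on the router itself.
check_tunnel() {
    wg_if="${1:-wg0}"; rc=0
    hs=$(wg show "$wg_if" latest-handshakes | handshake_state "$(date +%s)")
    echo "handshake: $hs"
    [ "$hs" = "ok" ] || rc=1
    if ip -4 route show | routes_covered "$wg_if"; then
        echo "routes: both IPv4 halves go via $wg_if"
    else
        echo "routes: IPv4 traffic is NOT fully routed via $wg_if"; rc=1
    fi
    return "$rc"
}

# Constructed sample line (placeholder key, made-up timestamp), usable off the router.
printf 'PLACEHOLDER_PEER_KEY=\t1700000000\n' | handshake_state 1700000060
```

On the router, call `check_tunnel wg0` after the network restart; a result of `never` or `stale` means the interface exists but no traffic is passing through the tunnel.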
Source: www.habr.com