Speeding up OpenVPN on an OpenWRT router. An alternative approach without a soldering iron or hardware crypto accelerators.

Hello everyone. I recently read an old article about speeding up OpenVPN on a router by moving the traffic onto a separate piece of hardware fitted inside the router itself. My situation is similar to the author's: a TP-Link WDR3500 with 128 MB of RAM and a weak processor that cannot handle the traffic over the bridge. However, I did not want to go into the router with a soldering iron at all, and my skills are not quite up to it. So the plan became: OpenVPN on a separate piece of hardware, with a fallback to the router if something goes wrong.

Goal

We have a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to handle the traffic in normal operation, and if anything happens to it, the VPN should fall back to the router. All firewall rules on the router must keep working as before. In short, adding the extra hardware should be transparent and unnoticeable to everyone. OpenVPN runs over TCP with a TAP adapter in bridged mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one of the router's ports and bring every subnet that has a VPN bridge to the Orange Pi. The extra hardware then sits on the same networks as the VPN server on the router. Next we install the same set of services on the Orange Pi, and on the router we set up a kind of proxy that forwards all incoming connections to the external server, and if the Orange Pi is dead or unreachable, to the internal fallback server. I chose HAProxy.

It works like this:

  1. A client arrives
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. The VPN on the Orange Pi unwraps the packets and spits them back into the bridge
  5. The router routes them wherever they need to go

Implementation example

Let's say we have two networks on the router, main (1) and guest (2), and each network has its own OpenVPN server for connecting from outside.

Network connectivity

We need to carry both networks over a single port, so we create 2 VLANs.

On the router, under Network / Switch, create the VLANs (for example 1 and 2) and enable them tagged on the required port, then add the new eth0.1 and eth0.2 interfaces to the corresponding networks (for example, add them to the bridge).

On the Orange Pi we create two VLAN connections (I run Archlinux ARM with netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we create two bridges for them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). After a reboot the Orange Pi will be present on both required networks. We assign the Orange Pi's addresses through Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever
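A post-reboot check for the state shown above, added here as an example (it is not part of the original article): it parses the output of `ip addr show` and confirms that each VLAN sub-interface is UP with the expected bridge as its master, and that each bridge has an IPv4 address. The interface names are the article's (vlan-main/br-main, vlan-guest/br-guest); the sample output embedded in the script is a constructed copy of the article's listing so that the check runs offline.

```shell
#!/bin/sh
# Added check (not from the original article): verify that each VLAN
# sub-interface is enslaved to the expected bridge and that the bridge
# has an IPv4 address, by parsing the output of `ip addr show`.

# Expected "vlan bridge" pairs, using the article's interface names.
EXPECTED='vlan-main br-main
vlan-guest br-guest'

# Constructed sample, trimmed from the article's `ip addr show` listing.
SAMPLE='4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest'

# summarize: read `ip addr show` output on stdin and print one line per
# interface: "name master state inet" ("-" where a field is absent).
summarize() {
    awk '
    function flush() { if (name != "") print name, master, state, inet }
    /^[0-9]+: / {
        flush()
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
        master = "-"; state = "-"; inet = "-"
        for (i = 3; i <= NF; i++) {
            if ($i == "master") master = $(i + 1)
            if ($i == "state")  state  = $(i + 1)
        }
        next
    }
    $1 == "inet" { inet = $2 }
    END { flush() }'
}

# check_bridges: read `ip addr show` output on stdin; return 0 when every
# expected VLAN is UP under its bridge and the bridge has an IPv4 address,
# otherwise print the problems and return 1.
check_bridges() {
    summary=$(summarize)
    problems=$(echo "$EXPECTED" | while read -r vlan bridge; do
        vline=$(echo "$summary" | awk -v n="$vlan" '$1 == n')
        bline=$(echo "$summary" | awk -v n="$bridge" '$1 == n')
        case "$vline" in
            "") echo "$vlan: interface missing" ;;
            "$vlan $bridge UP "*) ;;
            *) echo "$vlan: not UP in $bridge ($vline)" ;;
        esac
        case "$bline" in
            "") echo "$bridge: bridge missing" ;;
            *" -") echo "$bridge: no IPv4 address" ;;
        esac
    done)
    [ -z "$problems" ] && return 0
    echo "$problems"
    return 1
}

# Stand-alone run: CHECK_LIVE=1 inspects this host, otherwise the sample.
if [ "${CHECK_LIVE:-0}" = "1" ]; then
    ip addr show | check_bridges
else
    echo "$SAMPLE" | check_bridges
fi
```

On the Orange Pi itself run it as `CHECK_LIVE=1 sh check-bridges.sh`; a silent exit 0 means both bridges are populated and addressed. Note that the script only checks that an IPv4 address is present, not that it matches the Static Lease on the router.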

Setting up the VPN

Next we copy the OpenVPN configs and keys from the router. The configs can usually be taken from /tmp/etc/openvpn*.conf

By default, openvpn running in TAP mode with server-bridge does not make its interface usable on its own: the TAP device stays down and is not added to the bridge. For everything to work, you need to add a script that runs when the connection comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN (script-security 2) once the tunnel is up.
# profile_name comes from `setenv profile_name <name>` in the config,
# which OpenVPN exports into the script's environment.

ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as the connection comes up, the vpn-main interface is added to br-main. The guest network is done the same way, right down to the interface name and the address in server-bridge.
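A variant of the hook above, added as an example rather than taken from the article: one script serves both the `up` and `down` directives (OpenVPN exports `script_type`, `dev` and any `setenv` variable to its hooks), uses iproute2 instead of ifconfig/brctl, refuses to attach the TAP device when the bridge does not exist, and detaches it again on `down`. The bridge naming (br-<profile>) is assumed from the article; `DRY_RUN=1` and the `run`/`hook` function names are this example's own.

```shell
#!/bin/sh
# Added example, not the article's script: a single OpenVPN "up"/"down"
# hook that attaches the TAP device to the profile's bridge with iproute2,
# refuses to run if the bridge does not exist, and detaches it on "down".
#
# OpenVPN exports these variables to hook scripts:
#   dev          - the TAP device name (e.g. vpn-main)
#   script_type  - "up" or "down"
#   profile_name - set in the config via `setenv profile_name main`
# Set DRY_RUN=1 to print the commands instead of executing them.

# run CMD...: execute CMD, or only print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# bridge_for PROFILE -> bridge name (assumed naming from the article).
bridge_for() { echo "br-$1"; }

# bridge_exists BRIDGE -> 0 if BRIDGE is a bridge device on this host.
bridge_exists() { [ -d "/sys/class/net/$1/bridge" ]; }

# attach DEV BRIDGE: bring DEV up and make BRIDGE its master.
attach() {
    run ip link set "$1" up
    run ip link set "$1" master "$2"
}

# detach DEV: remove DEV from its bridge and bring it down.
detach() {
    run ip link set "$1" nomaster
    run ip link set "$1" down
}

# hook DEV PROFILE ACTION: run the right step; returns 1 on bad input.
hook() {
    dev_name=$1; profile=$2; action=$3
    [ -n "$dev_name" ] && [ -n "$profile" ] || {
        echo "hook: missing dev/profile" >&2; return 1; }
    br=$(bridge_for "$profile")
    case "$action" in
        up)
            # In real mode, never attach to a bridge that is not there.
            if [ "${DRY_RUN:-0}" != "1" ] && ! bridge_exists "$br"; then
                echo "hook: bridge $br does not exist, not attaching $dev_name" >&2
                return 1
            fi
            attach "$dev_name" "$br" ;;
        down) detach "$dev_name" ;;
        *) echo "hook: unknown script_type '$action'" >&2; return 1 ;;
    esac
}

# When invoked by OpenVPN the variables below are set; otherwise (sourced,
# or run by hand without them) do nothing so the functions can be reused.
if [ -n "${dev:-}" ] && [ -n "${profile_name:-}" ] && [ -n "${script_type:-}" ]; then
    hook "$dev" "$profile_name" "$script_type"
fi
```

To use it, point both `up /etc/openvpn/vpn-hook.sh` and `down /etc/openvpn/vpn-hook.sh` at it in each profile; because the article's configs do not drop privileges with `user`/`group`, the `down` call still has the rights it needs to remove the device from the bridge. `DRY_RUN=1 dev=vpn-main profile_name=main script_type=up sh vpn-hook.sh` shows the commands without touching the host.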

Accepting external requests and proxying

At this point the Orange Pi can already accept connections and place clients on the required networks. All that remains is to set up the proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
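The config above only works if step "move the router's VPN servers to other ports" was actually done: HAProxy binds :443 and :444 on all addresses, so a fallback OpenVPN left on 127.0.0.1:443 would fight it for the port and the failover path (steps 2 and 3 of the flow described earlier) would silently be broken. The script below is an added example, not part of the article: it parses a config in this style, lists each listen block's primary and backup server, and flags any local backup that reuses a bound port. The embedded configs are constructed copies of the article's haproxy.cfg and a deliberately broken variant; it assumes `bind` lines of the form `:port`, `*:port` or `addr:port`.

```shell
#!/bin/sh
# Added example (not from the original article): parse an HAProxy config
# in the article's style and check that no `backup` server on the local
# host listens on a port that HAProxy itself binds.

# Constructed config, copied from the article's /etc/haproxy.cfg.
CFG_OK='global
        maxconn 256
        daemon

defaults
        retries 1
        contimeout 1000

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup'

# Constructed broken variant: the fallback server was left on port 443.
CFG_BAD=$(echo "$CFG_OK" | sed 's/127.0.0.1:4443/127.0.0.1:443/')

# backends: read a config on stdin and print, for every server line,
# "listen bind_port role host port" where role is primary or backup.
backends() {
    awk '
    $1 == "listen" { name = $2; port = "?" }
    $1 == "bind"   { n = split($2, a, ":"); port = a[n] }
    $1 == "server" {
        n = split($3, a, ":")
        role = "primary"
        for (i = 4; i <= NF; i++) if ($i == "backup") role = "backup"
        print name, port, role, a[1], a[n]
    }'
}

# port_conflicts: read a config on stdin; print one line per local server
# that reuses a port HAProxy binds, returning 1 if any were found, else 0.
port_conflicts() {
    found=$(backends | awk '
        # first pass: remember every bound port and the block that owns it
        { l[NR] = $0; if ($2 != "?") bound[$2] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                split(l[i], f, " ")
                if (f[4] == "127.0.0.1" && (f[5] in bound))
                    print f[1] ": local server on port " f[5] \
                          " collides with bind :" f[5] " of " bound[f[5]]
            }
        }')
    [ -z "$found" ] && return 0
    echo "$found"
    return 1
}

# Stand-alone: pass a config file to check it, otherwise run the samples.
if [ -n "${1:-}" ]; then
    port_conflicts < "$1"
else
    echo "$CFG_OK" | port_conflicts && echo "article config: no port conflicts"
    echo "$CFG_BAD" | port_conflicts || echo "broken variant: conflict detected"
fi
```

Run it on the router as `sh haproxy-ports.sh /etc/haproxy.cfg` before restarting HAProxy. Two side effects of this layout are worth knowing: in `mode tcp` the OpenVPN server on the Orange Pi sees every client arriving from the router's LAN address rather than the client's real IP, so per-client logging or filtering has to happen on the router; and `uid 0`/`gid 0` in the global section keeps HAProxy running as root, which is the article's choice rather than a requirement of the setup.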

Result

If everything goes according to plan, clients are proxied to the Orange Pi, the router's CPU no longer runs hot, and VPN throughput goes up. At the same time, all network rules registered on the router remain valid. If something goes wrong on the Orange Pi, it drops out and HAProxy sends clients to the local server instead.

Thanks for your attention; suggestions and corrections are welcome.

Source: www.habr.com
