Switching from OpenVPN to WireGuard to join networks into a single L2 network

I want to share my experience of joining the networks of three remote flats, each using an OpenWRT router as its gateway, into one common network. When choosing between joining the networks at L3 with subnet routing and at L2 with a bridge, where all network nodes end up in a single subnet, I chose the second option. It is harder to set up, but it gives more possibilities, since the network was planned to make explicit use of technologies such as Wake-on-LAN and DLNA.

Part 1: Background

The tool initially chosen for the task was OpenVPN because, first, it can create a tap device that can be added to a bridge without any problems, and second, OpenVPN supports TCP, which was also important, since none of the flats had a dedicated public IP address. I could not use STUN because my ISP, for some reason, blocks incoming UDP connections on its network. TCP allowed me to forward the VPN server port to a rented VPS over SSH. Although this approach creates considerable overhead, since the data is encrypted twice, I did not want to join the VPS to my private network, because there was a risk of other people gaining control over it. Having such a device on my home network was highly undesirable, so I chose to pay the overhead of double encryption for the sake of security.

To forward the port from the router on which the server was going to run, I used the sshtunnel program. I will not describe its configuration in detail, it is simple. I will only note that its job was to forward TCP port 1194 from the router to the VPS. Then I configured the OpenVPN server on the tap0 device, which was attached to the br-lan bridge. After trying to connect to the newly created server from my laptop, it became clear that the port-forwarding idea worked, and my laptop became a member of the router's network even though it was not physically part of it.

All that remained was to allocate IP addresses in the different flats so that they would not collide, and to configure the routers as OpenVPN clients.
The following router IP addresses and DHCP server ranges were chosen:

  • 192.168.10.1 with range 192.168.10.2 - 192.168.10.80 for the server router
  • 192.168.10.100 with range 192.168.10.101 - 192.168.10.149 for the router in flat No. 2
  • 192.168.10.150 with range 192.168.10.151 - 192.168.10.199 for the router in flat No. 3

It was also necessary to have the OpenVPN server hand these addresses to the client routers, by adding the following line to its configuration:

ifconfig-pool-persist /etc/openvpn/ipp.txt 0

and adding the following lines to the /etc/openvpn/ipp.txt file:

flat1_id 192.168.10.100
flat2_id 192.168.10.150

where flat1_id and flat2_id are the device names specified when generating the certificates used to connect to OpenVPN.

The routers were then configured as OpenVPN clients, and the tap0 device on each of them was added to the br-lan bridge. At this point everything seemed fine, since all three networks could see each other and worked as a single unit. However, one unpleasant thing came up: sometimes devices would receive an IP address from the wrong router, with all the consequences that follow. For some reason the router in one of the flats would fail to answer a DHCPDISCOVER in time, and the device would get an address from another one. I realised that I had to filter such requests on tap0 on every router, but as it turned out, iptables cannot act on a device while it is part of a bridge, so I had to use ebtables. Unfortunately my firmware did not include it, so I had to rebuild the images for each device. After doing this and adding the following lines to /etc/rc.local on each router, the problem was solved:

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

The INPUT rules keep DHCP arriving over tap0 away from the router's own DHCP server, and the FORWARD rules keep DHCP from being bridged out over tap0, so each flat is served only by its own router; all other broadcast traffic (ARP, Wake-on-LAN, SSDP for DLNA) still crosses the tunnel, which is what the L2 design is for. This setup lasted for three years.

Part 2: Getting to know WireGuard

Recently there has been a lot of talk on the Internet about WireGuard, praising its simplicity, high throughput, low ping and comparable security. Looking for more information about it showed that it supports neither bridging nor the TCP protocol, which led me to believe that, for me, there was no alternative to OpenVPN yet. So I put off getting to know WireGuard.

A few days ago the news spread through IT-related resources, one way or another, that WireGuard would finally be merged into the Linux kernel, starting from version 5.6. The news articles, as usual, praised WireGuard, and I started looking again for ways to replace good old OpenVPN. This time I came across an article that described building an Ethernet tunnel over L3 using GRE. That article gave me hope. What remained unclear was what to do about the UDP protocol. Searching led me to articles about using socat together with an SSH tunnel to forward a UDP port; however, they noted that this approach only works for a single connection, so several VPN clients would not be possible. I came up with the idea of placing the VPN server on the VPS and setting up GRE for the clients, but it turned out that GRE does not support encryption, which means that if third parties gained access to the server, all traffic between my networks would be in their hands, which did not suit me at all.

So once again the choice was made in favour of double encryption, using VPN over VPN according to the following scheme:

First-level VPN:
VPS is the server with internal address 192.168.30.1
MS is a client of the VPS with internal address 192.168.30.2
MK2 is a client of the VPS with internal address 192.168.30.3
MK3 is a client of the VPS with internal address 192.168.30.4

Second-level VPN:
MS is the server with external address 192.168.30.2 and internal address 192.168.31.1
MK2 is a client of MS (at 192.168.30.2) with internal IP 192.168.31.2
MK3 is a client of MS (at 192.168.30.2) with internal IP 192.168.31.3

* MS - the server router in flat 1, MK2 - the router in flat 2, MK3 - the router in flat 3
* The interface configurations are given in the spoiler at the end of the article.

So, pings are working between the nodes of the 192.168.31.0/24 network, and it is time to move on to setting up the GRE tunnel. Before that, so as not to lose access to the routers, it is important to set up SSH tunnels forwarding port 22 to the VPS, so that, for example, the router from flat 2 is reachable on port 10022 of the VPS and the router from flat 3 on port 11122. It is best to set up the forwarding with the same sshtunnel, since it re-establishes the tunnel if it fails.

Once the tunnel is set up, you can connect over SSH through the forwarded port:

ssh root@MY_VPS -p 10022

Next, OpenVPN has to be stopped:

/etc/init.d/openvpn stop

Now let's set up the GRE tunnel on the router in flat 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up

And add the created interface to the bridge:

brctl addif br-lan grelan0

Let's do the same on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up

And again add the created interface to the bridge:

brctl addif br-lan grelan0

From this moment pings to the new network start to succeed and I, satisfied, go off for a coffee. Then, to check how the network behaves on the other end of the line, I try SSH to one of the computers in flat 2, but the ssh client hangs without prompting for a password. I try connecting to this computer via telnet on port 22 and see a line from which I can tell that the connection is established and the SSH server is answering, but for some reason it never prompts me to log in.

$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1

I try connecting to it via VNC and see a black screen. I convince myself that the problem is with the remote computer, because I can easily connect to the router in that flat using its internal address. However, I decide to connect to this computer's SSH through the router and am surprised to see that the connection succeeds and the remote computer works normally, but it likewise cannot connect to my computer.

I remove the grelan0 device from the bridge and start OpenVPN on the router in flat 2, and confirm that the network works fine again and connections are not dropping. While searching, I found forums where people complained about similar problems and were advised to raise the MTU. It did not help right away: until the MTU was set high enough, 7000 for the gretap devices, I kept running into TCP connections dropping or the transfer speed collapsing. (The reason is that PMTU discovery is an IP-layer mechanism: on a bridged L2 segment a frame larger than the tunnel port's MTU is simply dropped, with no ICMP back to the host, so small packets got through while full-size ones did not.) Because of the high gretap MTU, the MTU of the first- and second-level WireGuard links was set to 8000 and 7500 respectively.

I made the same setup on the router in flat 3, with the only difference that the second gretap interface added on the server router was named grelan1; it too was added to the br-lan bridge.
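As an added example (not from the original article), the following POSIX shell script works out the MTU budget for this three-layer stack. It assumes a PPPoE WAN MTU of 1492 (the article does not state it) and the standard overheads: 60 bytes per WireGuard layer over IPv4 and 38 bytes for gretap without key or checksum. It contrasts the two ways out of the silent drops described above: shrink every layer so that nothing is ever fragmented, which forces the LAN hosts down to a 1334-byte MTU, or do what the article does and make the tunnel MTUs larger than a LAN frame so that the outermost IPv4 packet is fragmented on pppoe-wan. The 1382 figure in the demo is what the kernel computes for a gretap device created over a wg1 left at WireGuard's default MTU of 1420.

```shell
#!/bin/sh
# Added example (not part of the original article): MTU budget for the
# gretap -> wg1 -> wg0 -> pppoe-wan stack. Overheads in bytes, IPv4 underlay:
#   WireGuard: 20 IPv4 + 8 UDP + 32 data header/Poly1305 tag
#   gretap:    20 IPv4 + 4 GRE (no key, no checksum) + 14 Ethernet header
WG_OVERHEAD=60
GRE_IP_OVERHEAD=24
ETH_HDR=14
IPV4_HDR=20

# Design A, nothing ever fragments: shrink every layer to fit the WAN MTU.
# Prints "wg0 wg1 gretap" MTUs for the given WAN MTU (1492 assumed for PPPoE).
tunnel_stack_mtu() {
    wan=$1
    wg0=$((wan - WG_OVERHEAD))
    wg1=$((wg0 - WG_OVERHEAD))
    gretap=$((wg1 - GRE_IP_OVERHEAD - ETH_HDR))
    echo "$wg0 $wg1 $gretap"
}

# Design B (what the article ends up with): tunnel MTUs larger than a LAN frame,
# so the frame travels whole and the kernel fragments the outermost IPv4 packet
# on pppoe-wan. Prints the on-wire packet length produced by one LAN frame whose
# IP-layer MTU is $1 (1500 -> 1514-byte Ethernet frame, FCS not carried).
outer_packet_len() {
    frame=$(($1 + ETH_HDR))                 # Ethernet frame handed to grelan0
    inner=$((frame + GRE_IP_OVERHEAD))      # IPv4/GRE packet leaving grelan0
    mid=$((inner + WG_OVERHEAD))            # encrypted packet leaving wg1
    echo $((mid + WG_OVERHEAD))             # encrypted packet leaving wg0
}

# Number of IPv4 fragments needed to send a packet of $1 bytes over a link
# with MTU $2; every fragment but the last carries a multiple of 8 bytes.
ipv4_fragments() {
    pkt=$1; mtu=$2
    if [ "$pkt" -le "$mtu" ]; then echo 1; return; fi
    payload=$((pkt - IPV4_HDR))
    per_frag=$(( (mtu - IPV4_HDR) / 8 * 8 ))
    echo $(( (payload + per_frag - 1) / per_frag ))
}

# Bridged L2 traffic gets no PMTU feedback: a LAN frame with IP MTU $1 either
# fits the gretap port MTU $2 or is dropped with no ICMP back to the host.
fits_gretap() {
    [ "$1" -le "$2" ]
}

if [ "${1:-}" = "demo" ]; then
    echo "design A, no fragmentation, WAN 1492: wg0/wg1/gretap MTUs = $(tunnel_stack_mtu 1492)"
    pkt=$(outer_packet_len 1500)
    echo "design B, one 1500-byte LAN frame: $pkt bytes on pppoe-wan = $(ipv4_fragments "$pkt" 1492) fragments"
    fits_gretap 1500 1382 || echo "gretap MTU 1382 (computed under a default wg1): full-size frames dropped"
    fits_gretap 1500 7000 && echo "gretap MTU 7000 (the article's value): full-size frames forwarded"
fi
```

Run it as `sh mtu-budget.sh demo` (the file name is arbitrary). The price of the large-MTU design is that every full-size LAN frame becomes two IPv4 fragments on the WAN, losing either of which loses the whole frame, and it depends on nothing between the flats and the VPS filtering fragments; the no-fragmentation design avoids both but only works if every host in all three flats is configured with the smaller MTU.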

Everything works. Now the gretap setup can be made to run at boot. For this:

I put these lines in /etc/rc.local on the router in flat 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

Added these to /etc/rc.local on the router in flat 3:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

And on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1

After rebooting the client routers, I noticed that for some reason they were not connecting to the server. After connecting to them over SSH (luckily, I had already set up sshtunnel for this), I saw that WireGuard somehow creates a route for the endpoint, but not the correct one. For example, for 192.168.30.2 the routing table showed a route via the pppoe-wan interface, that is, via the Internet, even though the route to it should have gone through the wg0 interface. After deleting this route, connectivity was restored. I could not find instructions anywhere on how to stop WireGuard from creating these routes. Moreover, I did not even understand whether this was an OpenWRT thing or a WireGuard thing. Without spending much time thinking about the problem, I simply added a line to a timer-based script on both routers that deletes this route:

route del 192.168.30.2
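An added example, not the author's script: a safer replacement for the blind route del above. The route described here is netifd's doing rather than WireGuard's: OpenWRT's WireGuard proto handler registers each peer's endpoint_host as a host dependency, so netifd installs a /32 route to it over whatever interface currently reaches it. That is meant to stop a peer's endpoint from being routed into its own tunnel, but for wg1 the endpoint 192.168.30.2 lives inside wg0, and if wg1 comes up before wg0 has its route the dependency resolves through the default route on pppoe-wan. Newer OpenWRT releases accept `option nohostroute '1'` in the `config interface 'wg1'` section to suppress that route (check that the /lib/netifd/proto/wireguard.sh on your build handles it). Where that option is not available, the script below only deletes a host route to the endpoint when it points at something other than wg0, and logs what it removed. The `ip route show` sample is constructed to match the symptom described above.

```shell
#!/bin/sh
# Added example (not from the original article): remove the endpoint host
# route only when it bypasses the tunnel that is supposed to carry it.

# Print the device of any host route to $2 found in the `ip route show` output
# passed as $1, excluding the expected tunnel device $3. Prints nothing when the
# routing table is as it should be.
stale_endpoint_dev() {
    routes=$1; ep=$2; tun=$3
    printf '%s\n' "$routes" | awk -v ep="$ep" -v tun="$tun" '
        $1 == ep {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) != tun) print $(i + 1)
        }'
}

# Live version for the timer script on MK2/MK3: fix_endpoint_route 192.168.30.2 wg0
fix_endpoint_route() {
    ep=$1; tun=$2
    for dev in $(stale_endpoint_dev "$(ip -4 route show)" "$ep" "$tun"); do
        logger -t wg-fix "removing host route to $ep via $dev (expected $tun)"
        ip -4 route del "$ep" dev "$dev"
    done
}

# Constructed sample of MK2's table after a reboot, as the article describes:
# netifd has pinned the second-level endpoint to the WAN instead of wg0.
SAMPLE_ROUTES='default via 100.64.0.1 dev pppoe-wan
100.64.0.1 dev pppoe-wan scope link
192.168.30.0/24 dev wg0 scope link src 192.168.30.3
192.168.30.2 via 100.64.0.1 dev pppoe-wan
192.168.31.0/24 dev wg1 scope link src 192.168.31.2
192.168.10.0/24 dev br-lan scope link src 192.168.10.100'

if [ "${1:-}" = "demo" ]; then
    echo "stale route to 192.168.30.2 via: $(stale_endpoint_dev "$SAMPLE_ROUTES" 192.168.30.2 wg0)"
fi
```

Calling fix_endpoint_route from the existing timer is enough; once the /32 is gone, the connected route 192.168.30.0/24 on wg0 takes over and wg1's handshake goes through the first-level tunnel, which is what the double-encryption design requires.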

Summing up

I have not managed to abandon OpenVPN entirely, since I sometimes need to connect to the network from a laptop or phone, and setting up a gretap device on those is usually not possible. Despite this, I got faster transfer speeds between the flats, and using VNC, for example, is now problem-free. Ping dropped slightly but became stable:

With OpenVPN:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms

--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms

With WireGuard:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms

It is mostly determined by the ping to the VPS, which is about 61.5 ms.

The speed, however, increased considerably. In the flat with the server router I have a 30 Mbps Internet connection, and in the other flats 5 Mbps. With OpenVPN I could not get a transfer speed between the networks above 3.8 Mbps according to iperf, whereas WireGuard "pumped" up to 5 Mbit/s.

WireGuard configuration on the VPS

[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
PublicKey = <VPN_1_MS_PUBLIC_KEY>
AllowedIPs = 192.168.30.2/32

[Peer]
PublicKey = <VPN_1_MK2_PUBLIC_KEY>
AllowedIPs = 192.168.30.3/32

[Peer]
PublicKey = <VPN_1_MK3_PUBLIC_KEY>
AllowedIPs = 192.168.30.4/32

WireGuard configuration on MS (added to /etc/config/network)

# first-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.2/24'
        option private_key 'VPN_1_MS_PRIVATE_KEY'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'VPN_1_VPS_PUBLIC_KEY'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'VPS_IP_ADDRESS'

# second-level VPN - server
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'VPN_2_MS_PRIVATE_KEY'
        option listen_port '51821'
        list addresses '192.168.31.1/24'
        option auto '1'
        option mtu '7500'

config wireguard_wg1
        option public_key 'VPN_2_MK2_PUBLIC_KEY'
        list allowed_ips '192.168.31.2'

config wireguard_wg1
        option public_key 'VPN_2_MK3_PUBLIC_KEY'
        list allowed_ips '192.168.31.3'

WireGuard configuration on MK2 (added to /etc/config/network)

# first-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.3/24'
        option private_key 'VPN_1_MK2_PRIVATE_KEY'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'VPN_1_VPS_PUBLIC_KEY'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'VPS_IP_ADDRESS'

# second-level VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'VPN_2_MK2_PRIVATE_KEY'
        list addresses '192.168.31.2/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'VPN_2_MS_PUBLIC_KEY'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

WireGuard configuration on MK3 (added to /etc/config/network)

# first-level VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.4/24'
        option private_key 'VPN_1_MK3_PRIVATE_KEY'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'VPN_1_VPS_PUBLIC_KEY'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'VPS_IP_ADDRESS'

# second-level VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'VPN_2_MK3_PRIVATE_KEY'
        list addresses '192.168.31.3/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'VPN_2_MS_PUBLIC_KEY'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

In the second-level VPN configuration I set port 51821 for the WireGuard clients. This should not be necessary, since a client will connect from any free port, but I did it this way so that I could drop all incoming connections on the wg0 interfaces of all the routers except incoming UDP to port 51821.

I hope the article will be useful to someone.

PS I would also like to share my script that sends a PUSH notification to my phone via the WirePusher application when a new device appears on my network. Here is the link to the script: github.com/r0ck3r/device_discover.

UPDATE: OpenVPN server and client configuration

OpenVPN server

client-to-client

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key

dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
# comp-lzo: compression is deprecated since OpenVPN 2.4 and exposes tunnelled
# traffic to compression-oracle attacks (VORACLE); omit it on new deployments
comp-lzo

OpenVPN client

client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind

ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem

comp-lzo
persist-tun
persist-key
verb 3

I used easy-rsa to generate the certificates.

Source: www.habr.com
