Switching from OpenVPN to WireGuard to merge networks into a single L2 network

I want to share my experience of combining the networks of three remote flats, each using an OpenWRT router as its gateway, into one common network. When choosing between connecting the networks at L3 with subnet routing and at L2 with a bridge, where all network nodes end up in a single subnet, the choice fell on the second method, which is much harder to set up but offers greater possibilities, since transparent use of Wake-on-LAN and DLNA was planned in the resulting network.

Part 1: Background

OpenVPN was initially chosen as the protocol for this task because, first, it can create a tap device that can be added to a bridge without problems, and second, OpenVPN supports operation over TCP, which was also important, since none of the flats had a dedicated IP address, and I could not use STUN, since for some reason my provider blocks incoming UDP from their network, whereas TCP allowed me to forward the VPN server port to a rented VPS using SSH. Yes, this approach adds considerable overhead, since the data is encrypted twice, but I did not want to bring the VPS into my private network, since there was a risk of third parties gaining control over it; having such a device on my home network was therefore highly undesirable, and I chose to pay for security with the extra overhead.

To forward the port from the router that was planned to host the server, the sshtunnel program was used. I will not describe the intricacies of its configuration (it is done quite simply); I will only note that its task was to forward TCP port 1194 from the router to the VPS. Next, the OpenVPN server was configured on the tap0 device, which was connected to the br-lan bridge. After checking the connection to the newly created server from a laptop, it became clear that the port-forwarding idea worked, and my laptop became a member of the router's network even though it was not physically in it.

There was only one small thing left to do: the IP addresses in the different flats had to be distributed so that they did not conflict, and the routers had to be configured as OpenVPN clients.
The following router IP addresses and DHCP server ranges were chosen:

  • 192.168.10.1 with range 192.168.10.2 - 192.168.10.80 for the server
  • 192.168.10.100 with range 192.168.10.101 - 192.168.10.149 for the router in flat No. 2
  • 192.168.10.150 with range 192.168.10.151 - 192.168.10.199 for the router in flat No. 3

Exactly these addresses had to be assigned to the client routers by the OpenVPN server, which was done by adding a line to its configuration:

ifconfig-pool-persist /etc/openvpn/ipp.txt 0

and adding the following lines to the /etc/openvpn/ipp.txt file:

flat1_id 192.168.10.100
flat2_id 192.168.10.150

where flat1_id and flat2_id are the device names specified when generating the certificates for connecting to OpenVPN.

Next, the OpenVPN clients were configured on the routers, and the tap0 devices on both were added to the br-lan bridge. At this point everything seemed fine, since all three networks could see each other and worked as one. However, an unpleasant detail emerged: sometimes machines could receive an IP address not from their own router, with all the consequences that follow. For some reason, the router in one of the flats did not manage to respond to a DHCPDISCOVER in time, and the device received an address it was not supposed to get. I realised that I needed to filter such requests on tap0 on each router, but as it turned out, iptables cannot work with a device that is part of a bridge, and ebtables had to come to the rescue. To my regret, it was not in my firmware and I had to rebuild the images for each device. After doing this and adding these lines to /etc/rc.local on each router, the problem was solved:

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

This setup lasted for three years.

Part 2: Introducing WireGuard

Recently, people on the Internet have been talking more and more about WireGuard, praising the simplicity of its configuration, its high throughput and its low ping with comparable security. Searching for more information about it made it clear that neither operation as a bridge member nor operation over TCP is supported by it, which led me to conclude that there was still no alternative to OpenVPN for me. So I put off getting acquainted with WireGuard.

A few days ago, news spread across resources related in one way or another to IT that WireGuard would finally be included in the Linux kernel, starting with version 5.6. The news articles, as always, praised WireGuard. I once again plunged into the search for ways to replace the good old OpenVPN. This time I came across this article. It talked about creating an Ethernet tunnel over L3 using GRE. That article gave me hope. It remained unclear what to do about the UDP protocol. The search led me to articles about using socat together with an SSH tunnel to forward a UDP port; however, they noted that this approach only works for a single connection, i.e. the operation of several VPN clients would not be possible. I came up with the idea of placing the VPN server on the VPS and setting up GRE for the clients, but as it turned out, GRE does not support encryption, which would mean that if third parties gained access to the server, all traffic between my networks would be in their hands, which did not suit me at all.

Once again, the decision was made in favour of redundant encryption, using VPN over VPN according to the following scheme:

Level 1 VPN:
VPS is the server with internal address 192.168.30.1
MS is a client of the VPS with internal address 192.168.30.2
MK2 is a client of the VPS with internal address 192.168.30.3
MK3 is a client of the VPS with internal address 192.168.30.4

Level 2 VPN:
MS is the server with external address 192.168.30.2 and internal address 192.168.31.1
MK2 is a client of MS at address 192.168.30.2 with internal IP 192.168.31.2
MK3 is a client of MS at address 192.168.30.2 with internal IP 192.168.31.3

* MS - the router-server in flat 1, MK2 - the router in flat 2, MK3 - the router in flat 3
* The device configurations are given in the spoiler at the end of the article.

And so, once pings work between the nodes of network 192.168.31.0/24, it is time to move on to setting up the GRE tunnel. Before that, in order not to lose access to the routers, it is important to set up SSH tunnels forwarding port 22 to the VPS, so that, for example, the router from flat 2 is reachable on VPS port 10022, and the router from flat 3 on VPS port 11122. It is best to configure the forwarding with the same sshtunnel, since it will restore the tunnel if it fails.

Once the tunnel is configured, you can connect via SSH through the forwarded port:

ssh root@МОЙ_VPS -p 10022

Then you need to stop OpenVPN:

/etc/init.d/openvpn stop

Now let's set up the GRE tunnel on the router from flat 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up

And add the created interface to the bridge:

brctl addif br-lan grelan0

Let's do the same on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up

And again add the created interface to the bridge:

brctl addif br-lan grelan0

From this moment, pings start going through to the new network and I, satisfied, go to drink coffee. Then, to check how the network works on the other side of the line, I try SSH into one of the computers in flat 2, but the ssh client hangs without prompting for a password. I try connecting to this computer via telnet on port 22 and see a line from which I can tell that the connection is being established and the SSH server is responding, but for some reason it does not prompt me to log in.

$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1

I try to connect to it via VNC and see a black screen. I convince myself that the problem is with the remote computer, because I can easily connect to the router from this flat using its internal address. However, I decide to connect to this computer's SSH through the router and am surprised to find that the connection succeeds and the remote computer works normally, but it likewise cannot connect to my computer.

I remove the grelan0 device from the bridge, start OpenVPN on the router in flat 2, and make sure that the network works as expected again and connections are not dropped. Continuing my search, I come across forums where people complain about similar problems and are advised to raise the MTU. It was not that simple. Until the MTU was set high enough (7000 for the gretap devices), either TCP connections were dropped or low transfer rates were observed. Because of the high MTU on gretap, the MTU of the Level 1 and Level 2 WireGuard connections was set to 8000 and 7500 respectively.
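To see why the default tunnel MTUs break the bridged path and why 7000/7500/8000 work, here is an added MTU-budget calculator; it is my own example, not code from the article. It assumes IPv4 transport, a PPPoE WAN MTU of 1492, the Linux defaults of 1462 for gretap and 1420 for WireGuard interfaces, and the standard per-layer overheads (38 bytes for gretap; 60 bytes plus padding to 16 for WireGuard).

```python
# Added example: MTU budget for a LAN frame crossing the article's stack
# (br-lan -> gretap -> WireGuard level 2 -> WireGuard level 1 -> pppoe-wan).
# Assumed: IPv4 transport everywhere, no GRE key/checksum, no VLAN tag.
from dataclasses import dataclass
from typing import List, Optional, Tuple

GRETAP_OVERHEAD = 20 + 4 + 14   # outer IPv4 + GRE header + inner Ethernet header
WG_OVERHEAD_V4 = 20 + 8 + 32    # outer IPv4 + UDP + WireGuard data header and tag
WG_PAD = 16                     # WireGuard pads the inner packet to 16 bytes

@dataclass(frozen=True)
class Layer:
    name: str
    kind: str   # "gretap", "wg" or "wan" (the physical uplink, last in the list)
    mtu: int

def _pad16(n: int) -> int:
    return (n + WG_PAD - 1) // WG_PAD * WG_PAD

def mtu_budget(inner_ip_len: int, layers: List[Layer]) -> List[Tuple[str, int, int, bool]]:
    """Walk one inner IP packet outward and record, per layer,
    (name, bytes offered to the layer, layer MTU, fits?)."""
    size, report = inner_ip_len, []
    for layer in layers:
        report.append((layer.name, size, layer.mtu, size <= layer.mtu))
        if layer.kind == "gretap":
            size += GRETAP_OVERHEAD
        elif layer.kind == "wg":
            size = _pad16(size) + WG_OVERHEAD_V4
    return report

def first_bottleneck(inner_ip_len: int, layers: List[Layer]) -> Optional[str]:
    """Name of the first layer that cannot carry the packet, or None.
    A bridged frame larger than a tunnel port's MTU is simply dropped: the
    sending host is on the same L2 segment, so no ICMP 'fragmentation needed'
    comes back and its TCP sessions stall. Exceeding only the WAN MTU is
    harmless here: the outermost WireGuard UDP packet is IP-fragmented."""
    for name, _, _, fits in mtu_budget(inner_ip_len, layers):
        if not fits:
            return name
    return None

# Constructed stacks for a client router (flat 2). 1492 is the usual PPPoE
# MTU; 1462 and 1420 are the Linux defaults for gretap and WireGuard.
DEFAULT_STACK = [Layer("grelan0", "gretap", 1462), Layer("wg1", "wg", 1420),
                 Layer("wg0", "wg", 1420), Layer("pppoe-wan", "wan", 1492)]
ARTICLE_STACK = [Layer("grelan0", "gretap", 7000), Layer("wg1", "wg", 7500),
                 Layer("wg0", "wg", 8000), Layer("pppoe-wan", "wan", 1492)]

if __name__ == "__main__":
    for label, stack in (("defaults", DEFAULT_STACK), ("article", ARTICLE_STACK)):
        print(label, "-> first layer that cannot carry a 1500-byte packet:",
              first_bottleneck(1500, stack))
        for row in mtu_budget(1500, stack):
            print("   %-10s offered=%5d mtu=%5d fits=%s" % row)
```

With the defaults a full 1500-byte packet is dropped at grelan0 while a 1300-byte one passes, which matches the symptom above: the short telnet banner arrives but the larger SSH key-exchange packets never do.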

I made a similar setup on the router from flat 3, the only difference being that a second gretap interface named grelan1 was added on the server router, which was also added to the br-lan bridge.

Everything works. Now the gretap setup can be put into startup. To do this:

I added these lines to /etc/rc.local on the router in flat 2:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

Added this to /etc/rc.local on the router in flat 3:

ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

And on the server router:

ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0

ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1

After rebooting the client routers, I found that for some reason they were not connecting to the server. Having connected to them via SSH (fortunately, I had already set up sshtunnel for this), it turned out that WireGuard for some reason was creating a route to the endpoint, but the wrong one. Thus, for 192.168.30.2 the routing table showed a route via the pppoe-wan interface, i.e. via the Internet, although the route to it should have gone through the wg0 interface. After deleting this route, the connection was restored. I could not find any instructions anywhere on how to force WireGuard not to create these routes. Moreover, I did not even understand whether this was an OpenWRT or a WireGuard feature. Not wanting to spend long on this problem, I simply added a line to all the routers in a scheduled script that deletes this route:

route del 192.168.30.2

Summing up

I have not yet achieved a complete abandonment of OpenVPN, since I sometimes need to connect to the new network from a laptop or phone, and setting up a gretap device on them is often impossible; but despite this, I gained an increase in data transfer speed between the flats and, for example, using VNC will no longer be a pain. Ping decreased slightly, but became more stable:

When using OpenVPN:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms

--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms

When using WireGuard:

[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms

It is mainly affected by the ping to the VPS, which is about 61.5 ms.

However, the speed has increased significantly. In the flat with the server router I have an Internet connection of 30 Mbit/s, and in the other flats 5 Mbit/s. With OpenVPN I could not transfer data between the flats at more than 3.8 Mbit/s according to iperf, whereas WireGuard "accelerated" to the full 5 Mbit/s.

WireGuard configuration on the VPS

[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <ЗАКРЫТЫЙ_КЛЮЧ_ДЛЯ_VPS>

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_1_МС>
AllowedIPs = 192.168.30.2/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2>
AllowedIPs = 192.168.30.3/32

[Peer]
PublicKey = <ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3>
AllowedIPs = 192.168.30.4/32

WireGuard configuration on MS (added to /etc/config/network)

# Level 1 VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.2/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МС'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Level 2 VPN - server
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option listen_port '51821'
        list addresses '192.168.31.1/24'
        option auto '1'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list allowed_ips '192.168.31.2'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list allowed_ips '192.168.31.3'

WireGuard configuration on MK2 (added to /etc/config/network)

# Level 1 VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.3/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК2'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Level 2 VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
        list addresses '192.168.31.2/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

WireGuard configuration on MK3 (added to /etc/config/network)

# Level 1 VPN - client
config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.30.4/24'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК3'
        option auto '1'
        option mtu '8000'

config wireguard_wg0
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.30.0/24'
        option endpoint_host 'IP_АДРЕС_VPS'

# Level 2 VPN - client
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
        list addresses '192.168.31.3/24'
        option auto '1'
        option listen_port '51821'
        option mtu '7500'

config wireguard_wg1
        option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
        option endpoint_host '192.168.30.2'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.31.0/24'

In the Level 2 VPN configurations described above, I point the WireGuard clients at port 51821. Strictly speaking, this is not necessary, since the client will establish the connection from any free port, but I did it so that it would be possible to block all incoming connections on the wg0 interfaces of all routers except incoming UDP connections to port 51821.

I hope this article will be useful to someone.

PS: I also want to share my script that sends a PUSH notification to my phone in the WirePusher application when a new device appears on my network. Here is the link to the script: github.com/r0ck3r/device_discover.

UPDATE: OpenVPN server and client configuration

OpenVPN server

client-to-client

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key

dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
comp-lzo

OpenVPN client

client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind

ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem

comp-lzo
persist-tun
persist-key
verb 3

I used easy-rsa to generate the certificates.

Source: www.habr.com
