Running OpenVPN on an OpenWrt router. An alternative version without a soldering iron or hardware extremism

Hello everyone. I recently read an old article about speeding up OpenVPN on a router by offloading the encryption to a separate piece of hardware soldered inside the router itself. I have the same problem as that author: a TP-Link WDR3500 with 128 megabytes of RAM and a weak processor that cannot cope with tunnel encryption at all. However, I had no desire whatsoever to go at the router with a soldering iron. Below is my experience of moving OpenVPN onto a separate piece of hardware, with a fallback to the router in case of failure.

The task

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to handle the tunnels in normal operation, and if anything happens to it, VPN handling must fall back to the router. All firewall settings on the router must keep working as before. In general, the extra hardware should be transparent and invisible to everyone. OpenVPN runs over TCP, and the TAP adapter is in bridge mode (server-bridge).

The solution

Instead of connecting over USB, I decided to use a spare port on the router and bring every subnet that has a VPN bridge through to the Orange Pi. The result is that the extra hardware sits on the same networks as the VPN server on the router. Then we run the real VPN servers on the Orange Pi, and on the router we set up a kind of proxy that forwards all incoming connections to the external server, and, if the Orange Pi is dead or absent, to the internal fallback server instead. I chose HAProxy.

It works like this:

  1. A client connects
  2. If the external server is unavailable, the connection goes to the internal server, as before
  3. If it is available, the client is accepted by the Orange Pi
  4. The VPN on the Orange Pi decrypts the packets and throws them back into the router
  5. The router forwards them on to their destination

Implementation example

So, let us have two networks on the router, main (1) and guest (2), each with its own OpenVPN server for connecting from outside.

Network configuration

We need to carry both networks over a single port, so we create two VLANs.

On the router, in the Network/Switch section, create the VLANs (for example 1 and 2) and enable them in tagged mode on the chosen port; then add the newly created eth0.1 and eth0.2 to the corresponding networks (for example, add them to the bridge).

On the Orange Pi we create two VLAN interfaces (I am running Archlinux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And then we create two bridges on top of them:

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all four profiles (netctl enable). After a reboot the Orange Pi will now sit on both required networks. We pin the Orange Pi's interface addresses in Static Leases on the router.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever
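Before moving the VPN servers across, it is worth confirming that the Orange Pi really is an UP member of both bridges and has an address on each. The check below is an added example of mine, not from the original post: it reads "ip addr show" output from stdin (live, or from saved output), and uses the article's own output above as offline sample input. The profile names ("main", "guest") and the "vlan-"/"br-" naming follow the netctl profiles above.

```shell
#!/bin/sh
# Added example, not from the original post. For every profile named on the
# command line, checks that vlan-<profile>@eth0 is an UP member of br-<profile>
# and that the bridge has an IPv4 address. Reads "ip addr show" output from
# stdin, so it can be run live:   ip addr show | check_bridges main guest

check_bridges() {
    dump=$(cat)
    rc=0
    for p in "$@"; do
        vlan="vlan-$p"
        br="br-$p"
        # Header line of the VLAN device, e.g.
        # "4: vlan-main@eth0: <...> ... master br-main state UP ..."
        if ! printf '%s\n' "$dump" | grep -E "^[0-9]+: $vlan@eth0: " \
                | grep -E "master $br( |$)" | grep -q "state UP"; then
            echo "FAIL: $vlan is not an UP member of $br"
            rc=1
            continue
        fi
        # First "inet" line printed under the bridge's own header line.
        addr=$(printf '%s\n' "$dump" | awk -v br="$br" '
            /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
            cur == br && $1 == "inet" { print $2; exit }')
        if [ -z "$addr" ]; then
            echo "FAIL: $br has no IPv4 address"
            rc=1
        else
            echo "OK: $vlan -> $br ($addr)"
        fi
    done
    return $rc
}

# The article's own "ip addr show" output, embedded here as sample input.
SAMPLE_IP_ADDR='4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link
       valid_lft forever preferred_lft forever
5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link
       valid_lft forever preferred_lft forever
6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link
       valid_lft forever preferred_lft forever
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link
       valid_lft forever preferred_lft forever'

printf '%s\n' "$SAMPLE_IP_ADDR" | check_bridges main guest
```

A non-zero exit means at least one bridge is not usable, which is exactly the state in which the OpenVPN up script below would add the tunnel to a bridge that goes nowhere.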

Setting up the VPN

Next, we copy the OpenVPN settings and keys over from the router. On OpenWrt the generated configs are usually found under /tmp/etc/openvpn*.conf

By default, when openvpn runs in TAP mode with server-bridge, it leaves the interface down. For everything to work, you need to add a script that runs once the connection is up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh

# OpenVPN runs this "up" script once the tunnel is established.
# profile_name comes from "setenv profile_name main" in the config above.
ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as a connection comes up, the vpn-main interface is added to br-main. The guest network is the same, apart from the interface name and the address in server-bridge.

Forwarding requests to the outside box and proxying

At this stage the Orange Pi is already able to accept connections and attach clients to the required network. What remains is to set up proxying of incoming connections on the router.

We move the router's own VPN servers to other ports, install HAProxy on the router and configure it:

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup
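Once HAProxy is in place, the thing you most want to know is whether clients are actually landing on the Orange Pi or have quietly fallen back to the router. The script below is an added example of mine, not from the original post: it parses HAProxy's "show stat" CSV (from the stats socket) and reports, per listener, which server is taking traffic, flagging the "backup" case. The sample CSV is constructed to match the guest_vpn and main_vpn listeners above; reading it live assumes a "stats socket" line in the global section, which the config above does not have, plus socat on the router.

```shell
#!/bin/sh
# Added example, not from the original post. Prints, for each HAProxy listener,
# the server currently taking connections, marking it "(fallback)" when that
# is a backup server (the router's own OpenVPN). Input: "show stat" CSV.
# Live use (assumes "stats socket /var/run/haproxy.sock" in the global section):
#     echo "show stat" | socat stdio /var/run/haproxy.sock | active_servers

active_servers() {
    awk -F, '
        # The header row names the columns; look "status" and "bck" up by name
        # rather than relying on a fixed field position.
        NR == 1 {
            sub(/^# */, "", $1)
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        # Per-listener summary rows are not servers.
        $2 == "FRONTEND" || $2 == "BACKEND" { next }
        {
            px = $1
            seen[px] = 1
            # "UP" and "UP 1/3" (checks flapping) both still take traffic.
            if ($(col["status"]) ~ /^UP/) {
                if ($(col["bck"]) == "1") { if (!(px in backup)) backup[px] = $2 }
                else                      { if (!(px in active)) active[px] = $2 }
            }
        }
        END {
            for (px in seen) {
                if (px in active)      printf "%s: %s\n", px, active[px]
                else if (px in backup) printf "%s: %s (fallback)\n", px, backup[px]
                else                   printf "%s: NO SERVER UP\n", px
            }
        }' | sort
}

# Constructed sample "show stat" output: the Orange Pi is UP for main_vpn but
# DOWN for guest_vpn, so guest traffic is being served by the router fallback.
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,
main_vpn,FRONTEND,,,1,2,256,17,4096,8192,0,0,0,,,,,OPEN,,,,,,,,
main_vpn,0-orange,0,0,1,2,,17,4096,8192,,0,,0,0,0,0,UP,1,1,0,0,0,8120,0,
main_vpn,1-local,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,0,1,0,0,8120,0,
main_vpn,BACKEND,0,0,1,2,26,17,4096,8192,0,0,,0,0,0,0,UP,1,1,1,,0,8120,0,
guest_vpn,FRONTEND,,,1,1,256,5,1024,2048,0,0,0,,,,,OPEN,,,,,,,,
guest_vpn,0-orange,0,0,0,0,,3,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,312,312,
guest_vpn,1-local,0,0,1,1,,2,1024,2048,,0,,0,0,0,0,UP,1,0,1,0,0,8120,0,
guest_vpn,BACKEND,0,0,1,1,26,5,1024,2048,0,0,,0,0,0,0,UP,1,0,1,,0,8120,0,'

printf '%s\n' "$SAMPLE_STAT" | active_servers
```

Two caveats worth keeping in mind when reading the output. With "mode tcp" and a bare "check", HAProxy's health check is only a TCP connect to the OpenVPN port, so an Orange Pi whose kernel is up but whose openvpn process is wedged after accepting the handshake can still be reported UP; a "tcp-check" or an external probe of the tunnel itself is the stricter option. And "uid 0" / "gid 0" in the global section keep HAProxy running as root on the router; it only needs root to bind ports 443 and 444, so an unprivileged uid/gid after startup is the safer configuration.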

Enjoy

If everything went according to plan, clients switch over to the Orange Pi, the router's processor no longer overheats, and VPN throughput increases considerably. At the same time, all the network rules configured on the router remain in force. If the Orange Pi fails, it drops out of the pool and HAProxy sends clients to the local servers.

Thanks for your attention; suggestions and corrections are welcome.

Source: www.habr.com