Running a VPN server behind the provider's NAT

An article about how I managed to run a VPN server behind my home provider's NAT (without a public IP address). Let me make one reservation right away: whether this setup works at all depends directly on the type of NAT used by your provider, and on the router.
So, I wanted to connect from my Android smartphone to my home computer. Both devices reach the Internet through provider NATs, and the computer is additionally connected through the home router, which NATs the connection once more.
The classic scheme of renting a VPS/VDS with a public IP address, as well as renting a public IP address from the provider, was not considered for a number of reasons.
Taking into account information from earlier articles, I ran several experiments with STUN servers and the providers' NATs. I decided to do a small experiment by running this command on the home router, which runs OpenWRT firmware:

$ stun stun.sipnet.ru

and got the response:

STUN client version 0.97
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002

Explanation of the terms:
Independent Mapping - the external mapping does not depend on the destination
Independent Filter - inbound packets are accepted regardless of their source
random port - the external port is chosen at random
will hairpin - hairpinning is supported
Running the same command on my PC, I got:

STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006

Port Dependent Filter - inbound packets are accepted only from the address and port that were already contacted
The difference in the output of the two commands showed that the home router was adding "its own contribution" to how packets from the Internet are forwarded. This became visible when running the following command on the computer:

stun stun.sipnet.ru -p 11111 -v

I got this result:

...
MappedAddress = XX.1XX.1X4.2XX:4398
...

During this time a UDP session stayed open for a while, and if during this window you sent a UDP packet (for example: netcat XX.1XX.1X4.2XX 4398 -u), the packet reached the home router, which was confirmed by tcpdump running on it, but it never reached the computer: iptables, acting as the NAT translator on the router, dropped it.
But the fact that the UDP packet passed through the provider's NAT gave hope of success. Since the router is under my control, I solved the problem by forwarding UDP port 11111 to the computer:

iptables -t nat -A PREROUTING -i eth1 -p udp -d 10.1XX.2XX.XXX --dport 11111 -j DNAT --to-destination 192.168.X.XXX

Thus I was able to open a UDP session and receive packets from the Internet from any IP address. At this point I started the OpenVPN server (configured beforehand) listening on UDP port 11111, entered the external IP address and port (XX.1XX.1X4.2XX:4398) on the smartphone, and successfully connected from the smartphone to the computer. But this implementation had a problem: the UDP session had to be kept alive until the OpenVPN client connected to the server, and I did not like the option of periodically launching the STUN client, because I did not want to put extra load on the STUN servers.
I also noticed the entry "will hairpin"; this mode

allows one machine on the local network behind the NAT to reach another machine on the same network via the router's external address.

As a result, I solved the problem of keeping the UDP session alive quite simply: I launched a client on the same computer as the server.
It worked like this:

  • the STUN client is started on local port 11111
  • it receives a response with the external IP address and port XX.1XX.1X4.2XX:4398
  • the external IP address and port are sent by email (any other service would do) to an account configured on the smartphone
  • the OpenVPN server is started on the computer, listening on UDP port 11111
  • the OpenVPN client is started on the same computer, with XX.1XX.1X4.2XX:4398 as the address to connect to
  • at any time the OpenVPN client on the smartphone is started with that IP address and port (in my case the IP address did not change) to connect.
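The first two steps above (ask a STUN server which external address and port the provider's NAT assigned to local UDP port 11111) as an added example in Python, not the author's script: it builds an RFC 5389 Binding Request, sends it from the chosen local port and decodes the MAPPED-ADDRESS / XOR-MAPPED-ADDRESS attributes of the reply. Server name, port 3478 and the sample response are assumptions for the example.

```python
import os, socket, struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed cookie
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header: type, attribute length (0), cookie, transaction id."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_binding_response(data: bytes, txid: bytes):
    """(ip, port) seen by the server, XOR-MAPPED preferred; None if not our response."""
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_RESPONSE or cookie != MAGIC_COOKIE or data[8:20] != txid:
        return None
    body, offset, plain, xored = data[20:20 + length], 0, None, None
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + (attr_len + 3) // 4 * 4       # attributes are padded to 32 bits
        if len(value) < 8 or value[1] != 0x01:      # only IPv4 (family 0x01) handled
            continue
        port, ip_int = struct.unpack("!HI", value[2:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:    # undo the XOR with the cookie
            xored = (socket.inet_ntoa(struct.pack("!I", ip_int ^ MAGIC_COOKIE)),
                     port ^ (MAGIC_COOKIE >> 16))
        elif attr_type == ATTR_MAPPED_ADDRESS:
            plain = (socket.inet_ntoa(struct.pack("!I", ip_int)), port)
    return xored or plain


def discover_mapping(server: str, local_port: int, timeout: float = 3.0):
    """Send one Binding Request from local_port and return the NAT's (ip, port) for it."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", local_port))      # same port OpenVPN will listen on
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (server, 3478))
        data, _ = sock.recvfrom(1024)
    return parse_binding_response(data, txid)


def make_sample_response(txid: bytes, ip: str, port: int) -> bytes:
    """Constructed Binding Response (offline test data) with both address attributes."""
    ip_int, = struct.unpack("!I", socket.inet_aton(ip))
    plain = struct.pack("!HHBBHI", ATTR_MAPPED_ADDRESS, 8, 0, 1, port, ip_int)
    xored = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 1,
                        port ^ (MAGIC_COOKIE >> 16), ip_int ^ MAGIC_COOKIE)
    return struct.pack("!HHI", BINDING_RESPONSE, 24, MAGIC_COOKIE) + txid + plain + xored
```

Running `discover_mapping("stun.sipnet.ru", 11111)` on the author's setup would return the same pair the `stun -p 11111` command prints as MappedAddress; the socket must be closed before OpenVPN binds the port.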

This way I was able to connect to my computer from my smartphone. The setup allows any OpenVPN client to connect.

Practice

Required packages:

# apt install openvpn stun-client sendemail

After writing a couple of scripts and several configuration files and generating the required certificates (the smartphone client works only with certificates), we end up with a standard OpenVPN server setup.

Main script on the computer

# cat vpn11.sh

#!/bin/bash
# Wait until a default route exists; the interface name itself is not used later,
# the loop only delays start-up until the network is up
until [[ -n "$iftosrv" ]]; do
	echo "$(date) Определяю сетевой интерфейс"
	iftosrv=$(ip route get 8.8.8.8 | head -n 1 | sed 's|.*dev ||' | awk '{print $1}')
	sleep 5
done
ABSOLUTE_FILENAME=$(readlink -f "$0")
DIR=$(dirname "$ABSOLUTE_FILENAME")
localport=11111
# Endless loop: discover the external mapping, start the server, keep the mapping
# alive with a local client, then restart everything when the client drops
while true; do
	# The STUN client prints "MappedAddress = ip:port" for local UDP port 11111
	address=$(stun stun.sipnet.ru -v -p $localport 2>&1 | grep "MappedAddress" | sort | uniq | head -n 1 | sed 's/:/ /g' | awk '{print $3" "$4}')
	ip=$(echo "$address" | awk '{print $1}')
	port=$(echo "$address" | awk '{print $2}')
	srv="openvpn --config $DIR/server.conf --port $localport --daemon"
	$srv
	echo "$(date) Сервер запущен с внешним адресом $ip:$port"
	$DIR/sendemail.sh "OpenVPN-Server" "$ip:$port"
	sleep 1
	# The local client keeps the UDP session through the provider's NAT open (hairpin);
	# this call blocks until the connection drops (ping-exit in client.conf)
	openvpn --config $DIR/client.conf --remote $ip --port $port
	echo "$(date) Соединение клиента с сервером разорвано"
	for i in $(ps xa | grep "$srv" | grep -v grep | awk '{print $1}'); do
		kill $i && echo "$(date) Завершён процесс сервера $i ($srv)"
	done
	echo "Жду 15 сек"
	sleep 15
done

Script for sending the data by email:

# cat sendemail.sh 

#!/bin/bash
from="От кого"            # sender address (also used as the SMTP login)
pass="Пароль"             # SMTP password
to="Кому"                 # recipient address configured on the smartphone
theme="$1"                # subject, passed by vpn11.sh
message="$2"              # body: the external ip:port
server="smtp.yandex.ru:587"
sendEmail -o tls=yes -f "$from" -t "$to" -s "$server" -xu "$from" -xp "$pass" -u "$theme" -m "$message"

Server configuration file:

# cat server.conf

proto udp
dev tun
ca      /home/vpn11-srv/ca.crt
cert    /home/vpn11-srv/server.crt
key     /home/vpn11-srv/server.key
dh      /home/vpn11-srv/dh2048.pem
server 10.2.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
tls-server
tls-auth /home/vpn11-srv/ta.key 0
tls-timeout 60
auth    SHA256
cipher  AES-256-CBC
client-to-client
keepalive 10 30
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
log /var/log/vpn11-server.log
verb 3
mute 20

Client configuration file:

# cat client.conf

client
dev tun
proto udp
ca      "/home/vpn11-srv/ca.crt"
cert    "/home/vpn11-srv/client1.crt"
key     "/home/vpn11-srv/client1.key"
tls-client
tls-auth "/home/vpn11-srv/ta.key" 1
auth SHA256
cipher AES-256-CBC
auth-nocache
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log /var/log/vpn11-clent.log
verb 3
mute 20
ping 10
ping-exit 30

The certificates were generated following this article.
Running the script:

# ./vpn11.sh

after first making it executable:

# chmod +x vpn11.sh

On the smartphone

After installing the OpenVPN for Android application, copying the configuration file and certificates and setting it up, the procedure looks like this:
I check my email on the smartphone
I set the port number in the settings
I start the client and connect

While writing this article, I moved the setup from my computer to a Raspberry Pi 3 and tried to run the whole thing over an LTE modem, but it did not work! The command:

# stun stun.ekiga.net -p 11111

STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006

The Port Dependent Filter value did not allow the system to work.
But the home provider allowed the system to run on the Raspberry Pi 3 without any problems.
Combined with a webcam and VLC used to
create an RTSP stream from the webcam:

$ cvlc v4l2:///dev/video0:chroma=h264 :input-slave=alsa://hw:1,0 --sout '#transcode{vcodec=x264,venc=x264{preset=ultrafast,profile=baseline,level=31},vb=2048,fps=12,scale=1,acodec=mpga,ab=128,channels=2,samplerate=44100,scodec=none}:rtp{sdp=rtsp://10.2.0.1:8554/}' --no-sout-all --sout-keep

and VLC on the smartphone for viewing (stream rtsp://10.2.0.1:8554/), this turned into a decent remote video surveillance system; you can also set up Samba, route traffic through the VPN, remotely control your computer, and much more...

Conclusion

As practice has shown, you can set up a VPN server without an external IP address that you would have to pay for, such as a rented VPS/VDS. But everything depends on the provider. Of course, I would like to gather more information about different providers and the NAT types they use, but this is only a beginning...
Thanks for your attention!

Source: www.habr.com
