In most cases, connecting a router to a VPN is not difficult, but if you want to protect the whole network while keeping the best possible throughput, the best option is a WireGuard tunnel terminated on the router itself.
Mikrotik routers have proven to be reliable and very flexible devices, but unfortunately, at the time of writing, setting up WireGuard on a Mikrotik router requires replacing the firmware. (Note: this applies to RouterOS 6; RouterOS 7 added native WireGuard support, so check your RouterOS version before reflashing.)
Flashing the Mikrotik: installing and configuring OpenWrt
First, check that OpenWrt supports your model. Look the device up in the OpenWrt Table of Hardware by its marketing name and appearance.
Go to openwrt.org
For this device we need two files:
Download both of them: the install image (initramfs-kernel) and the upgrade image (sysupgrade).
1. Network settings, downloading and configuring the PXE server
Download Tiny PXE Server.
Unpack it into a separate folder. In the file config.ini add the parameter rfc951=1 to the [dhcp] section (RouterBOOT netboots over BOOTP, which this option enables). This parameter is the same for all Mikrotik models.
Now the network settings: assign a static IP address to the network interface of your computer that will be connected to the router:
IP address: 192.168.1.10
Subnet mask: 255.255.255.0
Run Tiny PXE Server as administrator and, in the DHCP Server section, select the interface with the address 192.168.1.10.
In some versions of Windows this interface only appears once an Ethernet link is up, so connect the router and the PC with a patch cable first.
Click the "..." button (bottom right) and select the folder where you saved the Mikrotik firmware files.
Choose the file whose name ends in "initramfs-kernel.bin" (or ".elf").
2. Netbooting the router from the PXE server
Connect the PC cable to the router's first port (labelled WAN, Internet, PoE in or similar). Then take a toothpick or pin and press the button in the hole labelled "Reset".
Power on the router while holding the button, wait about 20 seconds, then release it.
Within the next minute, messages showing the router requesting an address and downloading the image should appear in the Tiny PXE Server window.
If these messages appear, you are on the right track!
Restore the network adapter settings so that it obtains an address automatically (via DHCP).
Connect to a LAN port of the Mikrotik (ports 2 to 5 in our case) with the same patch cable: simply move it from port 1 to port 2. Open http://192.168.1.1 (the OpenWrt default address) in a browser.
Log in to the OpenWrt web interface and go to System -> Backup/Flash Firmware.
Under "Flash new firmware image", click "Choose file (Browse)".
Select the file whose name ends in "-squashfs-sysupgrade.bin".
Then click "Flash Image".
In the next window, click "Continue". The firmware upload to the router begins.
!!! DO NOT POWER OFF THE ROUTER WHILE THE FIRMWARE IS BEING WRITTEN !!!
After flashing and rebooting, you have a Mikrotik running OpenWrt.
Possible problems and solutions
Many Mikrotik devices released from 2019 onwards use a GD25Q15/Q16 NOR flash chip. The problem is that on these units the hardware model information is not picked up when flashing.
If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform.", this is most likely the cause.
This is easy to check: in the device's terminal, run the command that prints the board identifier:
root@OpenWrt:~# cat /tmp/sysinfo/board_name
If the answer is "unknown", you have to set the board name by hand, in the form "rb-951-2nd".
To find out your device model, run:
root@OpenWrt:~# cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd
Once you know the board name, set it manually:
echo 'rb-951-2nd' > /tmp/sysinfo/board_name
After that you can flash the device through the web interface or with the sysupgrade command. Note that /tmp does not survive a reboot, so do this in the same netbooted session in which you flash.
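The board-name workaround above as a script, added here as an example and not part of the original article: it checks /tmp/sysinfo/board_name, derives a name from /tmp/sysinfo/model when it reads "unknown", and runs sysupgrade's own image test before anything is written. The derivation rule (lowercase, strip the "MikroTik RouterBOARD " prefix, insert a hyphen after "rb") is an assumption generalised from the single RB951-2nd example on this page; verify the result against the device list of the image you downloaded before flashing.

```shell
#!/bin/sh
# Added example (not from the original article): recover a missing
# board_name on a netbooted OpenWrt initramfs image and flash the
# sysupgrade image only after sysupgrade has verified it.

# Derive the board name from the /tmp/sysinfo/model string.
# ASSUMPTION: the only mapping shown on the page is
#   "MikroTik RouterBOARD RB951-2nd" -> "rb-951-2nd";
# this generalises it as lowercase + "rb-" prefix. Check the result
# against the supported-device list of your image before trusting it.
derive_board_name() {
    printf '%s\n' "$1" \
        | tr 'A-Z' 'a-z' \
        | sed -e 's/^mikrotik routerboard //' -e 's/^rb\([0-9]\)/rb-\1/'
}

# Make sure $1/board_name holds a usable name. Returns 0 if it does
# afterwards, 1 if the model file is unreadable (nothing is written then).
fix_board_name() {
    dir=$1
    name=$(cat "$dir/board_name" 2>/dev/null)
    if [ -n "$name" ] && [ "$name" != "unknown" ]; then
        return 0                      # already detected, leave it alone
    fi
    model=$(cat "$dir/model" 2>/dev/null) || return 1
    [ -n "$model" ] || return 1
    derive_board_name "$model" > "$dir/board_name"
    return 0
}

# Flash an image: fix board_name, dry-run sysupgrade, then flash.
# sysupgrade -T verifies the image without writing anything; -n discards
# the initramfs session's configuration so the squashfs image boots clean.
flash_image() {
    image=$1
    fix_board_name /tmp/sysinfo || { echo "cannot determine board" >&2; return 1; }
    echo "board_name: $(cat /tmp/sysinfo/board_name)"
    sysupgrade -T "$image" || { echo "image rejected by sysupgrade -T" >&2; return 1; }
    sysupgrade -n "$image"            # do not interrupt power from here on
}

if [ $# -gt 0 ]; then
    flash_image "$1"
fi
```

Run it on the netbooted system as `sh flash.sh /tmp/<image>-squashfs-sysupgrade.bin`. If `sysupgrade -T` rejects the image you get the same error the page describes, but nothing has been written to flash yet.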
Setting up a VPN server with WireGuard
If you already have a server with WireGuard configured, you can skip this step.
We will use the MyVPN application to set up the private VPN server.
Configuring the WireGuard client on OpenWrt
Connect to the router over SSH:
ssh root@192.168.1.1
Install WireGuard:
opkg update
opkg install wireguard
(On OpenWrt 21.02 and later the "wireguard" meta package no longer exists; install wireguard-tools and kmod-wireguard instead, plus luci-proto-wireguard if you want to manage the tunnel from the web interface.)
Prepare the configuration: copy the script below into a file, replace the placeholder values, and run it in the terminal.
If you use MyVPN, you only need to change three values: WG_SERV (the server's IP address), WG_KEY (the PrivateKey from the [Interface] section of the WireGuard client config file, i.e. this router's own private key) and WG_PUB (the PublicKey from the [Peer] section, i.e. the server's public key). The private key is a secret: delete the script once it has run and do not paste the key into the shell history.
WG_IF="wg0"
WG_SERV="100.0.0.0"     # server IP address (placeholder, replace)
WG_PORT="51820"         # WireGuard port on the server
WG_ADDR="10.8.0.2/32"   # this client's address inside the tunnel
WG_KEY="xxxxx"          # this client's private key ([Interface] PrivateKey)
WG_PUB="xxxxx"          # the server's public key ([Peer] PublicKey)
# Configure firewall: name the default zones and attach the tunnel
# interface to the wan zone, so the existing lan -> wan forwarding
# and masquerading rules apply to traffic entering the tunnel
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart
# Configure network: create the WireGuard interface
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
# Add the VPN peer (the server)
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""   # leave empty unless the server issued a PresharedKey
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"   # install routes for the allowed_ips below
uci set network.wgserver.persistent_keepalive="25"
# Two /1 routes instead of 0.0.0.0/0: they are more specific than the WAN
# default route, so all IPv4 traffic enters the tunnel without replacing it
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
This completes the WireGuard setup. Traffic from every device connected to the router now goes through the VPN tunnel; confirm it with wg show wg0, which must list a recent handshake with the server, before relying on it.
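To confirm the claim above instead of assuming it, here is an added check script (example code, not from the original article or from MyVPN). It parses `wg show wg0 dump`, whose peer lines carry the allowed-ips in column 4 and the last handshake time (epoch seconds, 0 if never) in column 5, and reports the tunnel healthy only when a handshake happened within the last 180 seconds and the peer's allowed-ips cover the default route. The interface name wg0 comes from the config above; the 180 s threshold is an assumption based on a peer with persistent keepalive re-handshaking roughly every two minutes.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the
# WireGuard tunnel configured above is actually up and carrying traffic.
# ASSUMPTION: interface wg0 as in the page's WG_IF; a handshake older
# than 180 s is treated as a dead tunnel.

# Evaluate a saved `wg show <if> dump` ($1) against the epoch time $2.
# Returns 0 when some peer has a handshake within max_age seconds and
# its allowed-ips cover the default route (0.0.0.0/0, or the 0.0.0.0/1
# half used in the config above); returns 1 otherwise.
wg_dump_healthy() {
    awk -F'\t' -v now="$2" -v max_age=180 '
        NR == 1 { next }          # line 1 describes the interface itself
        {
            hs = $5 + 0           # latest-handshake, epoch seconds (0 = never)
            if (hs > 0 && now - hs <= max_age) recent = 1
            if ($4 ~ /(^|,)0\.0\.0\.0\/[01](,|$)/) full = 1
        }
        END { if (recent && full) exit 0; exit 1 }
    ' "$1"
}

# Live check on the router: dump the interface and evaluate it.
check_tunnel() {
    ifname=${1:-wg0}
    tmp=$(mktemp)
    if ! wg show "$ifname" dump > "$tmp"; then
        rm -f "$tmp"
        echo "no such WireGuard interface: $ifname" >&2
        return 1
    fi
    if wg_dump_healthy "$tmp" "$(date +%s)"; then
        echo "$ifname: recent handshake, default route covered"
        rc=0
    else
        echo "$ifname: no recent handshake, or allowed-ips do not cover 0.0.0.0/0" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

if [ $# -gt 0 ]; then
    check_tunnel "$1"
fi
```

Run it on the router as `sh check.sh wg0`. Note what this full-tunnel configuration does when the server becomes unreachable: the 0.0.0.0/1 and 128.0.0.0/1 routes still point into wg0, so LAN clients lose connectivity rather than silently falling back to the plain WAN. That is the fail-closed behaviour you want from a VPN router; the script simply makes the state visible.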
References
Source: www.habr.com