Setting up BGP to bypass blocking, or "How I stopped worrying and learned to love RKN"

Well, okay, "love" is an exaggeration. Let's say "managed to live with it".

As you all know, since April 16, 2018, Roskomnadzor has been blocking access to Internet resources on an extremely broad scale, adding entries to the "Unified register of domain names, website page indexes and network addresses that allow identification of Internet sites containing information whose distribution is prohibited in the Russian Federation" (hereafter simply "the register"), at times whole /10 prefixes. As a result, Russian citizens and businesses are suffering, having lost access to the legitimate resources they need.

After I said in the comments on one of the Habré articles that I was ready to help the victims build a bypass system, several people came to me asking for exactly that. When everything worked for them, one of them suggested describing the technique in an article. After some thought, I decided to break my silence on the site and try for once to write something between a project write-up and a Facebook post, i.e. a habrapost. The result is in front of you.

Disclaimer

Since it is not legal to publish ways of bypassing the blocking of access to information banned on Russian territory, the purpose of this article is to describe a method that lets you automate access to resources that are permitted on the territory of the Russian Federation but which, because of someone else's actions, are not directly reachable through your provider. Access to any other resources obtained as a result of the actions in this article is an unfortunate side effect and in no way the purpose of the article.

Also, since I am first and foremost a network architect by profession, trade and life path, programming and Linux are not my strong points. So of course the scripts could be written better, the security of the VPS could be worked through more thoroughly, and so on. Your suggestions will be gratefully accepted if they are detailed enough; I will be happy to add them to the text of the article.

TL;DR

We automatically steer routing into your existing tunnel using a copy of the register and the BGP protocol. The goal is to take all traffic addressed to blocked resources and push it into the tunnel. Minimal explanation, mostly step-by-step instructions.

What do you need for this?

Unfortunately, this post is not for everyone. To use this technique, you will need to bring together several things:

  1. You must have a Linux server outside the blocking zone. Or at least the desire to get such a server; fortunately it now costs from $9/year, possibly less. The method is also suitable if you already have your own VPN tunnel; in that case the server can even sit inside the blocking zone.
  2. Your router must be smart enough to handle
    • any VPN client you like (I prefer OpenVPN, but it can be PPTP, L2TP, GRE+IPsec or any other option that creates a tunnel interface);
    • the BGPv4 protocol. That means that for SOHO it can be a Mikrotik or any router with OpenWRT/LEDE/similar firmware that lets you install Quagga or Bird. Using a PC router is also not forbidden. In the enterprise case, look for BGP support in the documentation of your border router.
  3. You must understand how to use Linux and networking technologies, including the BGP protocol. Or at least want to gain such an understanding. Since I am not ready to embrace the boundless this time, you will have to study the aspects that are unclear to you on your own. Of course, I will answer specific questions in the comments, and I am unlikely to be the only one answering, so don't be shy about asking.

What was used in the example

  • A copy of the register - from https://github.com/zapret-info/z-i
  • VPS - Ubuntu 16.04
  • Routing daemon - bird 1.6.3
  • Router - Mikrotik hAP ac
  • Working files - since we work as root, almost everything lives in root's home directory. In order:
    • /root/blacklist - the working directory with the assembly script
    • /root/z-i - a copy of the register from github
    • /etc/bird - the default directory for the bird daemon's settings
  • The external IP address of the VPS with the routing daemon and the tunnel endpoint is 194.165.22.146, ASN 64998; the external IP address of the router is 81.177.103.94, ASN 64999
  • The IP addresses inside the tunnel are 172.30.1.1 and 172.30.1.2, respectively.

Of course, you can use any other router, operating system and software products, adapting the solution as appropriate.

Briefly - the logic of the solution

  1. Preparatory actions
    1. Getting a VPS
    2. Bringing up the tunnel from the router to the VPS
  2. We fetch and regularly update a copy of the register
  3. Installing and configuring the routing daemon
  4. We generate the list of static routes for the routing daemon from the register
  5. We connect the router to the daemon and configure it to send all that traffic into the tunnel.

The actual solution

Preparatory actions

There are plenty of services on the Internet offering VPS at very reasonable prices. So far I have found and use a $9/year option, but even if you don't want to bother much, there are plenty of offers for about 1 EUR/month on every corner. The question of choosing a VPS is far beyond the scope of this article, so if someone doesn't understand something about it, ask in the comments.

If you use the VPS not only for the routing daemon but also to terminate the tunnel, you need to bring up that tunnel and, most likely, configure NAT. There are a great many instructions for this on the Internet, and I won't repeat them here. The main requirement for such a tunnel is that it must create a separate interface on your router that carries the tunnel towards the VPS. Most commonly used VPN technologies meet this requirement; for example, OpenVPN in tun mode is a perfect fit.

Getting a copy of the register

As Dzhabrail said, "Whoever hinders us will help us." Since RKN creates the register of banned resources, it would be a sin not to use that register to solve our problems. We will get a copy of the register from github.

Go to your Linux server, drop into the root context (sudo su -) and install git if it isn't already installed.

apt install git

Go to the home directory and pull a copy of the register.

cd ~ && git clone --depth=1 https://github.com/zapret-info/z-i

Set up updates in cron (I do it once every 20 minutes, but you can choose any interval you like). To do this, open the crontab editor (crontab -e) and add the following line:

*/20 * * * * cd ~/z-i && git pull && git gc

Attach a hook that will generate the files for the routing daemon after each register update. To do this, create the file /root/z-i/.git/hooks/post-merge with the following content:

#!/usr/bin/env bash
# post-merge hook: list the files changed by the last pull and, if dump.csv
# is among them, rebuild the bird lists.
changed_files="$(git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD)"
check_run() {
    echo "$changed_files" | grep --quiet "$1" && eval "$2"
}
check_run dump.csv "/root/blacklist/makebgp"

and don't forget to make it executable

chmod +x /root/z-i/.git/hooks/post-merge

We will create the makebgp script that the hook points to a little later.

Installing and configuring the routing daemon

Install bird. Unfortunately, the version of bird currently in the Ubuntu repository is about as fresh as Archaeopteryx droppings, so we first need to add the official PPA of the software's developers.

add-apt-repository ppa:cz.nic-labs/bird
apt update
apt install bird

After that, immediately stop bird for IPv6; we don't need it in this setup.

systemctl stop bird6
systemctl disable bird6

Below is a minimal configuration file for the bird daemon (/etc/bird/bird.conf), which is enough for us (and I remind you once again that nobody forbids developing and adjusting the idea to suit your needs)

log syslog all;
router id 172.30.1.1;

protocol kernel {
        scan time 60;
        import none;
#       export all;   # Actually insert routes into the kernel routing table
}

protocol device {
        scan time 60;
}

protocol direct {
        interface "venet*", "tun*"; # Restrict network interfaces it works with
}

protocol static static_bgp {
        import all;
        include "pfxlist.txt";
        #include "iplist.txt";
}

protocol bgp OurRouter {
        description "Our Router";
        neighbor 81.177.103.94 as 64999;
        import none;
        export where proto = "static_bgp";
        local as 64998;
        passive off;
        multihop;
}

router id - the router identifier, which looks like an IPv4 address but is not one. In our case it can be any 32-bit number written in IPv4 address form, but it is good practice to use the actual IPv4 address of your device (here, the VPS).

protocol direct defines the interfaces the routing daemon will work with. The example gives a few sample names; you can add others. You can also simply remove the line; in that case the daemon will listen on all available interfaces that have an IPv4 address.

protocol static is our magic that fills the lists of prefixes and IP addresses (which are really /32 prefixes, of course) from the files included below the declaration. Where these lists come from is covered below. Note that the include of the IP address list is commented out; the reason is the sheer volume of the output. For comparison, at the time of writing there are 78 lines in the prefix list and 85898 in the IP address list. I strongly recommend starting with only the prefix list, and deciding whether to enable the IP list only after testing your router. Not every router can digest 85 thousand entries in its routing table. Bear in mind also that whatever ends up in these files is installed on your router as a route into the tunnel, and the register is third-party data: an entry such as 0.0.0.0/0, a very short prefix, or your own addresses would send all of that traffic into the tunnel, so it is worth filtering such entries before bird loads them.

protocol bgp actually sets up BGP peering with your router. The IP address is the router's external Internet address (or the tunnel address on the router side); 64998 and 64999 are the autonomous system numbers. In this case they can be any 16-bit numbers, but it is proper to use AS numbers from the private range defined in RFC6996: 64512-65534 inclusive (there is also a range for 32-bit ASNs, but in our case that is certainly overkill). The described configuration uses eBGP peering, which requires the autonomous system numbers of the routing daemon and the router to differ. Note that nothing in this configuration authenticates the session: anyone who can reach TCP port 179 on the VPS can at least attempt to peer. At a minimum, restrict port 179 in the VPS firewall to the router's address (or peer inside the tunnel), and consider adding password "..." to the bgp protocol block, which enables TCP MD5 authentication in bird 1.6.

As you can see, the daemon needs to know the router's IP address, so if you have a dynamic address, or a private non-routable (RFC1918) or shared (RFC6598) one, you cannot bring up the session over the external interface, but the daemon will still work over the tunnel.

It is also clear that one daemon can hand routes to several different routers: just duplicate the settings by copying the protocol bgp section and changing the neighbor IP address. That is why the example shows settings for peering outside the tunnel, as the most universal case. It is easy to move it inside the tunnel by changing the IP addresses in the settings accordingly.

Feeding the register into the routing daemon

Now we actually need to create the lists of prefixes and IP addresses referenced in the static protocol in the previous step. To do this, we take the register file and produce the files we need with the following script, placed in /root/blacklist/makebgp

#!/bin/bash
# Take the first column of dump.csv (addresses separated by " | "),
# one address per line, with spaces removed.
cut -d";" -f1 /root/z-i/dump.csv | tr '|' '\n' | tr -d ' ' > /root/blacklist/tmpaddr.txt
# Entries containing a slash are prefixes.
grep / /root/blacklist/tmpaddr.txt | sort -u | sed 's_.*_route & reject;_' > /etc/bird/pfxlist.txt
# Everything else that looks like an IPv4 address becomes a /32 host route
# (prefix entries are excluded first so their network address is not duplicated as a host).
grep -v / /root/blacklist/tmpaddr.txt | sort -u | grep -Eo "([0-9]{1,3}[.]){3}[0-9]{1,3}" | sed 's_.*_route &/32 reject;_' > /etc/bird/iplist.txt
# Reload the configuration (see UPD4: birdc configure rather than an init-script reload).
birdc configure
logger 'bgp list compiled'

Don't forget to make it executable

chmod +x /root/blacklist/makebgp

Now you can run it manually and look at the files that appear in /etc/bird.
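The script above trusts every line of the register. Since each line becomes a route into the tunnel on your router, a practitioner will want a version that refuses entries which could hijack non-blocked traffic (the default route, anything shorter than /8, reserved ranges, the VPS and router addresses themselves) and that refuses to publish an empty list, which usually means a broken download. The following is an added example written for this article, not the author's makebgp; it assumes the dump.csv layout described above (first ';'-separated field holding addresses and prefixes separated by ' | '), uses the article's example addresses, and runs on a constructed sample rather than the real register.

```shell
#!/bin/sh
# Added example (not the article's makebgp): build BIRD "route ... reject;" lists
# from a z-i style dump.csv while refusing entries that would hijack traffic.
# Assumption: first ';'-separated field holds addresses/prefixes separated by ' | '.
# Addresses below are the article's example values; adjust to your setup.

# Hosts that must never be routed into the tunnel: the VPS and the router itself.
OWN_ADDRS="194.165.22.146 81.177.103.94"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
is_valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if prefix $1 (a.b.c.d/len) is safe to announce as a reject route:
# valid address, /8 or longer, network address not in a reserved block, not our own host.
prefix_allowed() {
    ip=${1%/*}
    len=${1#*/}
    is_valid_ipv4 "$ip" || return 1
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 8 ] || return 1       # /0-/7 would swallow huge parts of the Internet
    [ "$len" -le 32 ] || return 1
    case $ip in                        # checks the network address only
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;                        # RFC1918
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;; # RFC6598
        22[4-9].*|2[3-5][0-9].*) return 1 ;;                                      # multicast/reserved
    esac
    for own in $OWN_ADDRS; do
        [ "$ip" != "$own" ] || return 1
    done
    return 0
}

# Convert dump.csv ($1) into $2/pfxlist.txt and $2/iplist.txt; return 1 if nothing usable.
make_bird_lists() {
    dump=$1
    out=$2
    cut -d';' -f1 "$dump" | tr '|' '\n' | tr -d ' \r' | LC_ALL=C sort -u > "$out/tmpaddr.txt"
    : > "$out/pfxlist.txt"
    : > "$out/iplist.txt"
    while IFS= read -r entry; do
        case $entry in
            '') ;;
            */*) if prefix_allowed "$entry"; then
                     echo "route $entry reject;" >> "$out/pfxlist.txt"
                 fi ;;
            *)   if prefix_allowed "$entry/32"; then
                     echo "route $entry/32 reject;" >> "$out/iplist.txt"
                 fi ;;
        esac
    done < "$out/tmpaddr.txt"
    # An empty prefix list almost always means a broken or truncated dump;
    # loading it would withdraw every route from the router, so stop here.
    if ! [ -s "$out/pfxlist.txt" ]; then
        echo "makebgp: empty prefix list, refusing to publish" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the dump.csv layout (not real register content).
make_sample_dump() {
    cat > "$1" <<'EOF'
Updated: 2018-04-19 12:00:00 +0300
54.160.0.0/12 | 54.160.1.1;blocked.example;http://blocked.example/;RKN;2018-04-16
203.0.113.7 | 203.0.113.7;duplicate.example;;RKN;2018-04-17
0.0.0.0/0;poisoned.example;;RKN;2018-04-17
10.0.0.0/8;private.example;;RKN;2018-04-17
194.165.22.146;own-vps.example;;RKN;2018-04-17
999.1.1.1 | 198.51.100.0/24;garbled.example;;RKN;2018-04-17
EOF
}

# Stand-alone demo: ./makebgp-safe.sh --demo   (real use: pass /root/z-i/dump.csv and /etc/bird)
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_sample_dump "$demo_dir/dump.csv"
    make_bird_lists "$demo_dir/dump.csv" "$demo_dir" && cat "$demo_dir/pfxlist.txt" "$demo_dir/iplist.txt"
fi
```

On the VPS the call would be make_bird_lists /root/z-i/dump.csv /etc/bird && birdc configure, so a failed conversion leaves the previous lists in place instead of reloading bird with nothing. The reserved-range check only looks at the network address of each prefix; it is a cheap guard against the obvious poisoned entries, not a full bogon filter.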

Most likely, bird isn't running for you yet, because in the previous step you asked it to include files that did not yet exist. So start it and check that it came up:

systemctl start bird
birdc show route

The output of the second command should show about 80 records (that is for now; by the time you set this up, everything will depend on RKN's appetite for blocking networks), something like this:

54.160.0.0/12      unreachable [static_bgp 2018-04-19] * (200)

The command

birdc show protocol

will show the state of the protocols inside the daemon. Until you configure the router (see the next section), the OurRouter protocol will stay in the initial state (the Connect or Active phase); after a successful connection it will move to the up state (Established phase). For example, on my production system the output of this command looks like this:

BIRD 1.6.3 ready.
name     proto    table    state  since       info
kernel1  Kernel   master   up     2018-04-19
device1  Device   master   up     2018-04-19
static_bgp Static   master   up     2018-04-19
direct1  Direct   master   up     2018-04-19
RXXXXXx1 BGP      master   up     13:10:22    Established
RXXXXXx2 BGP      master   up     2018-04-24  Established
RXXXXXx3 BGP      master   start  2018-04-22  Connect       Socket: Connection timed out
RXXXXXx4 BGP      master   up     2018-04-24  Established
RXXXXXx5 BGP      master   start  2018-04-24  Passive
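A peer that falls out of Established (like RXXXXXx3 above) silently takes its routes with it, and the router goes back to sending that traffic straight to the provider. As an added example, not part of the original post, here is a small cron-friendly check that reads the output of birdc show protocols and reports every BGP session that is not Established. It assumes the BIRD 1.6 column layout shown above (name, proto, table, state, since, info) and is exercised on a constructed copy of that status table rather than a live birdc.

```shell
#!/bin/sh
# Added example (not part of the article): report BGP sessions that are not
# Established from `birdc show protocols` output on stdin.
# Assumption: BIRD 1.6 column layout "name proto table state since info...".

# Prints "name state info" for every BGP protocol whose info column is not
# "Established"; exits 1 if at least one such peer exists, 0 otherwise.
bgp_peers_down() {
    awk '
        $2 == "BGP" && $6 != "Established" {
            info = ""
            for (i = 6; i <= NF; i++) info = info (i > 6 ? " " : "") $i
            print $1, $4, info
            down = 1
        }
        END { exit down ? 1 : 0 }
    '
}

# Constructed copy of the status table from the article (BIRD 1.6.3), for testing.
sample_protocols() {
    cat <<'EOF'
BIRD 1.6.3 ready.
name     proto    table    state  since       info
kernel1  Kernel   master   up     2018-04-19
device1  Device   master   up     2018-04-19
static_bgp Static   master   up     2018-04-19
direct1  Direct   master   up     2018-04-19
RXXXXXx1 BGP      master   up     13:10:22    Established
RXXXXXx2 BGP      master   up     2018-04-24  Established
RXXXXXx3 BGP      master   start  2018-04-22  Connect       Socket: Connection timed out
RXXXXXx4 BGP      master   up     2018-04-24  Established
RXXXXXx5 BGP      master   start  2018-04-24  Passive
EOF
}

# Intended cron usage on the VPS (birdc itself is not invoked here):
#   birdc show protocols | bgp_peers_down || logger -p daemon.warning "BGP peer down"
if [ "${1:-}" = "--demo" ]; then
    sample_protocols | bgp_peers_down
fi
```

Because the check keys on the info column rather than on the state column, a session that is administratively up but stuck in Connect or Active is still reported, which is exactly the case that loses routes without any error from systemd.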

Connecting the router

Everyone is probably tired of reading this footcloth by now, but take heart: the end is near. Moreover, in this section I won't be able to give step-by-step instructions; it will be different for every vendor.

However, I can show a few examples. The main logic is to bring up BGP peering and assign a nexthop to all received prefixes that points into our tunnel (if we need to send the traffic into a p2p interface) or to the next hop's IP address if the traffic goes over ethernet.

For example, on Mikrotik RouterOS this is done as follows

/routing bgp instance set default as=64999 ignore-as-path-len=yes router-id=172.30.1.2
/routing bgp peer add in-filter=dynamic-in multihop=yes name=VPS remote-address=194.165.22.146 remote-as=64998 ttl=default
/routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop=172.30.1.1

and on Cisco IOS like this

router bgp 64999
  neighbor 194.165.22.146 remote-as 64998
  neighbor 194.165.22.146 route-map BGP_NEXT_HOP in
  neighbor 194.165.22.146 ebgp-multihop 250
!
route-map BGP_NEXT_HOP permit 10
  set ip next-hop 172.30.1.1

If the same tunnel is used both for BGP peering and for forwarding the useful traffic, there is no need to set the nexthop; it will be set correctly by the protocol itself. But setting it manually doesn't hurt either.

For other vendors you will have to work out the configuration yourself, but if you run into any difficulties, write in the comments and I will try to help.

After your BGP session has come up, the routes to the big networks have arrived and been installed in the table, traffic to those addresses has started flowing and happiness is near, you can go back to the bird daemon and try to uncomment the line that includes the IP address list, after which run

systemctl reload bird

and watch your router digest 85 thousand routes. Be prepared to get upset and to think about what you are doing :)

Summary

In theory, after completing the steps described above, you now have a service that automatically routes traffic to the IP addresses banned in Russia around the filtering system.

Of course, it can be improved. For example, it is easy to summarize the IP address list using perl or python solutions. A simple Perl script using Net::CIDR::Lite turns the 85 thousand prefixes into 60 (not thousand), though of course it then covers far more addresses than are actually blocked.

Since the service works at layer 3 of the ISO/OSI model, it will not save you from the blocking of a site/page if that site resolves to a different address than the one recorded in the register. But along with the register, the nxdomain.txt file comes from github, which with a couple of script lines easily turns into a source of addresses for, say, the SwitchyOmega plugin for Chrome.

It also needs to be said that the solution requires additional tuning if you are not just an Internet user but also publish some resources of your own (for example, a website or a mail server runs over this connection). Using the router's mechanisms, you must strictly bind the outgoing traffic of that service to your public address, otherwise you will lose connectivity with the resources listed in the prefix list received by the router.

If you have any questions, ask; I am ready to answer.

UPD. Thanks to badda and TerAnYu for the git parameters that reduce the download volume.

UPD2. Friends, it seems I made a mistake by not including instructions for setting up the tunnel between the VPS and the router in the article. Many questions have arisen because of this.
Just in case, I'll note once more: before starting on this guide, you have already set up a VPN tunnel in the direction you need and checked that it works (for example, by routing traffic into it by default or statically). If you have not yet completed this phase, there is little point in following the steps of the article. I don't have a write-up of my own yet, but if you google "setting up an OpenVPN server" together with the name of the operating system installed on the VPS, and "setting up an OpenVPN client" together with the name of your router, you will most likely find many articles on this topic, including on Habré.

UPD3. I couldn't resist and wrote code that converts the dump.csv file into a bird file and aggregates the IP addresses into subnets of arbitrary size. So the section "Feeding the register into the routing daemon" can be replaced by a call to that program. https://habr.com/post/354282/#comment_10782712

UPD4. A little work on mistakes (not added to the text):
1) instead of systemctl reload bird it makes sense to use the command birdc configure.
2) on the Mikrotik router, instead of setting the nexthop to the IP address of the other end of the tunnel with /routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop=172.30.1.1 it makes sense to point the route directly at the tunnel interface, without an address: /routing filter add action=accept chain=dynamic-in protocol=bgp comment="Set nexthop" set-in-nexthop-direct=<interface name>

UPD5. A new service has appeared, https://antifilter.download, from which you can download ready-made IP address lists. It is updated every half hour. On the client side, all that remains is to wrap the records in "route ... reject".
At this point it is probably time to stop putting it off and update the article.

UPD6. A revised version of the article for those who do not want to dig into the details but want to get started - here.

Source: www.habr.com
