
I would like to share my experience of joining the networks of three geographically distant apartments, each of which uses an OpenWRT router as its gateway, into one shared network. When choosing between joining the networks at L3 with subnet routing and at L2 with bridging, where all network nodes end up in the same subnet, I preferred the second method. It is harder to configure but offers more possibilities, since transparent use of Wake-on-LAN and DLNA was planned in the resulting network.
Part 1: History
The protocol initially chosen for this task was OpenVPN because, first, it can create a tap device that can be added to a bridge without any problems, and second, OpenVPN supports TCP, which also mattered, since none of the apartments had a dedicated IP address. I could not use STUN because my ISP, for some reason, blocks incoming UDP connections from its networks. TCP allowed me to forward the VPN server port to a rented VPS using SSH. Although this approach adds a lot of overhead, since the data is encrypted twice, I did not want to add the VPS to my private network, because there was a risk of third parties gaining control of it. Having such a device in my home network was highly undesirable, so I decided to pay for security with higher overhead.
To forward the port to the router where the server was planned to be deployed, I used the sshtunnel program. I won't go into the details of its configuration - it is quite simple. I'll only note that its job was to forward TCP port 1194 from the router to the VPS. Next, I configured the OpenVPN server on the tap0 device, which was attached to the br-lan bridge. After testing a connection to the new server from my laptop, it was clear that the port-forwarding idea worked, and my laptop became a member of the router's network even though it was not physically part of it.
All that remained was to distribute the IP addresses across the apartments so that they would not conflict, and to configure the routers as OpenVPN clients.
The following router IP addresses and DHCP server ranges were chosen:
- 192.168.10.1 with range 192.168.10.2 - 192.168.10.80 for the server
- 192.168.10.100 with range 192.168.10.101 - 192.168.10.149 for the router in apartment No. 2
- 192.168.10.150 with range 192.168.10.151 - 192.168.10.199 for the router in apartment No. 3
It was also necessary to assign exactly these addresses to the client routers on the OpenVPN server by adding the following line to its configuration:
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
and adding the following lines to the file /etc/openvpn/ipp.txt:
flat1_id 192.168.10.100
flat2_id 192.168.10.150
where flat1_id and flat2_id are the device names specified when generating the certificates for connecting to OpenVPN.
Next, OpenVPN clients were configured on the routers, and the tap0 devices on both were added to the br-lan bridge. At this point everything seemed fine, since all three networks could see each other and worked as a single unit. However, an unpleasant detail emerged: sometimes devices received an IP address from the wrong router, with all the consequences that follow. For some reason, the router in one of the apartments did not manage to respond to DHCPDISCOVER in time, and the device received the wrong address. I realized that I needed to filter such requests on tap0 on each router, but as it turned out, iptables cannot work with a device if it is part of a bridge, so I needed ebtables. Unfortunately, it was not in my firmware, so I had to rebuild the images for each device. After doing that and adding the following lines to /etc/rc.local on each router, the problem was solved:
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
This configuration ran for three years.
Part 2: Getting to know WireGuard
Recently there has been more and more talk on the internet about WireGuard, with admiration for its simple configuration, high transfer speed, low ping, and comparable security. Searching for more information showed that it supports neither operation as a bridge member nor the TCP protocol, which led me to believe that there was still no alternative to OpenVPN for me. So I put off getting to know WireGuard.
A few days ago, the news spread across IT-related resources that WireGuard would finally be included in the Linux kernel, starting with version 5.6. The news articles, as always, praised WireGuard. I once again dove into searching for ways to replace good old OpenVPN. This time I came across an article. It described creating an Ethernet tunnel over L3 using GRE. That article gave me hope. It remained unclear what to do about the UDP protocol. Searching led me to articles about using socat together with an SSH tunnel to forward a UDP port; however, they noted that this approach only works in single-connection mode, meaning that operation of multiple VPN clients would be impossible. I came up with the idea of installing the VPN server on the VPS and setting up GRE for the clients, but as it turned out, GRE does not support encryption, which means that if a third party gained access to the server, all traffic between my networks would be in their hands, which did not suit me.
Once again, the decision was made in favor of encryption, by using VPN over VPN according to the following scheme:
First-level VPN:
VPS is the server with internal address 192.168.30.1
MS is a client of the VPS with internal address 192.168.30.2
MK2 is a client of the VPS with internal address 192.168.30.3
MK3 is a client of the VPS with internal address 192.168.30.4
Second-level VPN:
MS is the server with external address 192.168.30.2 and internal address 192.168.31.1
MK2 is a client of MS at address 192.168.30.2 and has internal IP 192.168.31.2
MK3 is a client of MS at address 192.168.30.2 and has internal IP 192.168.31.3
* MS - the router-server in apartment 1, MK2 - the router in apartment 2, MK3 - the router in apartment 3
* The device configurations are published in the spoilers at the end of the article.
And so, pings go between the nodes of the 192.168.31.0/24 network, and it is time to move on to setting up the GRE tunnel. Before that, so as not to lose access to the routers, it is worth setting up SSH tunnels that forward port 22 to the VPS, so that, for example, the router from apartment 2 is reachable on port 10022 of the VPS, and the router from apartment 3 is reachable on port 11122 of the VPS. It is best to configure the forwarding with the same sshtunnel, since it will restore the tunnel if it fails.
The tunnel is configured; you can connect over SSH through the forwarded port:
ssh root@МОЙ_VPS -p 10022
Next, stop OpenVPN:
/etc/init.d/openvpn stop
Now let's set up the GRE tunnel on the router in apartment 2:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set grelan0 up
And add the created interface to the bridge:
brctl addif br-lan grelan0
Let's do the same on the server router:
ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set grelan0 up
And likewise add the created interface to the bridge:
brctl addif br-lan grelan0
From this moment pings start going successfully across the new network and, satisfied, I go to have some coffee. Then, to assess how the network works at the other end of the line, I try to SSH into one of the computers in apartment 2, but the ssh client hangs without prompting for a password. I try connecting to this computer with telnet on port 22 and see a line from which I can tell that the connection is established and the SSH server responds, but for some reason it simply does not prompt me to log in:
$ telnet 192.168.10.110 22
SSH-2.0-OpenSSH_8.1
I try to connect over VNC and see a black screen. I convince myself that the problem is with the remote computer, because I can easily connect to the router in that apartment using its internal address. However, I decide to connect to this computer over SSH via the router and am surprised to find that the connection succeeds and the remote computer works quite normally, but it also cannot connect to my computer.
I remove the grelan0 device from the bridge and start OpenVPN on the router in apartment 2, and make sure that the network works fine again and connections do not drop. Searching, I came across forums where people complained about the same problems, and where they were advised to raise the MTU. No sooner said than done. However, until the MTU was set high enough, 7000 for the gretap devices, I saw either dropped TCP connections or low transfer speed. Because of the high MTU for gretap, the MTUs of the first- and second-level WireGuard connections were set to 8000 and 7500 respectively.
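The MTU interplay described above can be checked with a little arithmetic. The following is an added example, not part of the original article: it budgets the gretap -> wg1 -> wg0 -> WAN stack, assuming IPv4 outer headers, unkeyed GRE, a PPPoE WAN MTU of 1492, and WireGuard's default device MTU of 1420 for the "defaults" case; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: MTU budget for gretap -> wg1 -> wg0 -> WAN (IPv4 outer headers).
WG_OVERHEAD=60      # 20 IP + 8 UDP + 16 WireGuard header + 16 auth tag
GRETAP_OVERHEAD=38  # 20 IP + 4 GRE (no key) + 14 inner Ethernet header

# Outer IP packet size when a WireGuard device with MTU $2 carries $1 bytes.
# WireGuard pads the payload to a multiple of 16, capped at the device MTU.
wg_outer() {
    p=$(( ($1 + 15) / 16 * 16 ))
    if [ "$p" -gt "$2" ]; then p=$2; fi
    echo $(( p + WG_OVERHEAD ))
}

# verdict NAME SIZE LIMIT: does SIZE fit into LIMIT?
verdict() { if [ "$2" -gt "$3" ]; then echo "$1:exceeds"; else echo "$1:fits"; fi; }

# check_stack WAN WG0 WG1 GRETAP LAN
# For each layer: does its largest packet fit into the MTU of the layer below?
# "lan:exceeds" is the fatal one, because a bridge never fragments and drops
# frames larger than the port MTU; the IP layers below can fragment instead.
check_stack() {
    echo "$(verdict lan "$5" "$4")" \
         "$(verdict gretap $(( $4 + GRETAP_OVERHEAD )) "$3")" \
         "$(verdict wg1 $(( $3 + WG_OVERHEAD )) "$2")" \
         "$(verdict wg0 $(( $2 + WG_OVERHEAD )) "$1")"
}

# wan_fragments LEN WAN WG0 WG1
# Number of IP fragments on the WAN for one bridged IP packet of LEN bytes.
wan_fragments() {
    gre=$(( $1 + GRETAP_OVERHEAD ))
    o1=$(wg_outer "$gre" "$4")
    o0=$(wg_outer "$o1" "$3")
    per=$(( ($2 - 20) / 8 * 8 ))   # payload bytes carried by each fragment
    echo $(( (o0 - 20 + per - 1) / per ))
}

# Constructed scenarios; WAN MTU 1492 and the 1420 defaults are assumptions.
echo "defaults:      $(check_stack 1492 1420 1420 1382 1500)"
echo "article MTUs:  $(check_stack 1492 8000 7500 7000 1500)"
echo "1500-byte LAN packet: $(wan_fragments 1500 1492 8000 7500) WAN fragments"
echo "84-byte ping packet:  $(wan_fragments 84 1492 8000 7500) WAN fragment"
```

With the assumed defaults a full-size LAN frame does not fit the gretap port while a small ping does, which matches the pattern of working pings and hanging SSH sessions; with the article's 8000/7500/7000 values every inner layer fits and fragmentation happens only on the WAN-facing IP layer.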
I did the same on the router in apartment 3, the only difference being that a second gretap interface named grelan1 was added on the server router, which was also added to the br-lan bridge.
Everything works. Now the gretap setup can be put into startup. To do that:
I put these lines in /etc/rc.local on the router in apartment 2:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.2
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
This was added to /etc/rc.local on the router in apartment 3:
ip link add grelan0 type gretap remote 192.168.31.1 local 192.168.31.3
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
And on the server router:
ip link add grelan0 type gretap remote 192.168.31.2 local 192.168.31.1
ip link set dev grelan0 mtu 7000
ip link set grelan0 up
brctl addif br-lan grelan0
ip link add grelan1 type gretap remote 192.168.31.3 local 192.168.31.1
ip link set dev grelan1 mtu 7000
ip link set grelan1 up
brctl addif br-lan grelan1
After rebooting the client routers, I found that for some reason they did not connect to the server. Having connected to them over SSH (fortunately, I had set up sshtunnel for this beforehand), I discovered that WireGuard for some reason creates a route for the endpoint, and an incorrect one. For example, for 192.168.30.2 the routing table listed a route via the pppoe-wan interface, that is, through the internet, although the route to it should have gone through the wg0 interface. After deleting this route, the connection was restored. I could not find instructions anywhere on how to make WireGuard not create these routes. Moreover, I did not even understand whether this is a feature of OpenWRT or of WireGuard itself. Without spending much time on the problem, I simply added to both routers a line in a timer-driven script that deleted this route:
route del 192.168.30.2
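A narrower alternative to deleting the route unconditionally, as an added example that is not from the original article: it scans `ip -4 route show` output for a host route to the nested endpoint that leaves through anything other than the tunnel device, and prints the matching delete command. The sample routing table, the gateway and VPS addresses in it, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): detect a host route that sends the
# second-level WireGuard endpoint out of the wrong interface.

# stale_endpoint_routes ENDPOINT TUNNEL_DEV   (reads "ip -4 route show" text on stdin)
# Prints each route whose destination is exactly ENDPOINT (bare or /32)
# and whose output device is not TUNNEL_DEV.
stale_endpoint_routes() {
    awk -v ip="$1" -v want="$2" '
        $1 == ip || $1 == (ip "/32") {
            dev = ""
            for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != "" && dev != want) print
        }'
}

# plan_cleanup ENDPOINT TUNNEL_DEV   (same stdin)
# Prints, but does not run, one "ip route del" command per stale route.
plan_cleanup() {
    stale_endpoint_routes "$1" "$2" | while read -r dest rest; do
        dev=$(echo "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
        echo "ip route del $dest dev $dev"
    done
}

# Constructed routing table of a client router (documentation addresses for
# the ISP gateway and the VPS). The VPS host route via pppoe-wan is correct;
# the 192.168.30.2 host route via pppoe-wan is the one the article describes.
SAMPLE_ROUTES='default via 198.51.100.1 dev pppoe-wan
198.51.100.1 dev pppoe-wan proto kernel scope link src 198.51.100.77
203.0.113.10 via 198.51.100.1 dev pppoe-wan
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.100
192.168.30.0/24 dev wg0 proto kernel scope link src 192.168.30.3
192.168.30.2 via 198.51.100.1 dev pppoe-wan
192.168.31.0/24 dev wg1 proto kernel scope link src 192.168.31.2'

# Dry run on the sample: the wg1 endpoint 192.168.30.2 must be reached via wg0.
printf '%s\n' "$SAMPLE_ROUTES" | plan_cleanup 192.168.30.2 wg0
```

On a router, feed it live data with `ip -4 route show | plan_cleanup 192.168.30.2 wg0` and review the output before running it.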
Summary
I have not yet achieved a complete abandonment of OpenVPN, since I sometimes need to connect to the new network from a laptop or phone, and setting up a gretap device on them is generally impossible. Nevertheless, despite this, I gained in data transfer speed between the apartments, and using VNC, for example, is now no trouble. Ping decreased slightly but became more stable:
With OpenVPN:
[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=133 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=125 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19006ms
rtt min/avg/max/mdev = 124.722/126.152/136.907/3.065 ms
With WireGuard:
[r0ck3r@desktop ~]$ ping -c 20 192.168.10.110
PING 192.168.10.110 (192.168.10.110) 56(84) bytes of data.
64 bytes from 192.168.10.110: icmp_seq=1 ttl=64 time=124 ms
...
64 bytes from 192.168.10.110: icmp_seq=20 ttl=64 time=124 ms
--- 192.168.10.110 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19003ms
rtt min/avg/max/mdev = 123.954/124.423/126.708/0.675 ms
It is most affected by the high ping to the VPS, which is about 61.5 ms.
However, the speed increased noticeably. In the apartment with the router-server I have an internet connection speed of 30 Mbps, and in the other apartments 5 Mbps. With OpenVPN I could not reach a data transfer speed between the networks above 3.8 Mbps according to iperf, while WireGuard "pushed" it up to those same 5 Mbps.
WireGuard configuration on the VPS
[Interface]
Address = 192.168.30.1/24
ListenPort = 51820
PrivateKey = <ЗАКРЫТЫЙ_КЛЮЧ_ДЛЯ_VPS>
[Peer]
PublicKey = <VPN_1_MS_PUBLIC_KEY>
AllowedIPs = 192.168.30.2/32
[Peer]
PublicKey = <VPN_2_MK2_PUBLIC_KEY>
AllowedIPs = 192.168.30.3/32
[Peer]
PublicKey = <VPN_2_MK3_PUBLIC_KEY>
AllowedIPs = 192.168.30.4/32
WireGuard configuration on MS (added to /etc/config/network)
# First-level VPN - client
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.2/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МС'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
# Second-level VPN - server
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option listen_port '51821'
list addresses '192.168.31.1/24'
option auto '1'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
list allowed_ips '192.168.31.2'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
list allowed_ips '192.168.31.3'
WireGuard configuration on MK2 (added to /etc/config/network)
# First-level VPN - client
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.3/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК2'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
# Second-level VPN - client
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК2'
list addresses '192.168.31.2/24'
option auto '1'
option listen_port '51821'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option endpoint_host '192.168.30.2'
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '192.168.31.0/24'
WireGuard configuration on MK3 (added to /etc/config/network)
# First-level VPN - client
config interface 'wg0'
option proto 'wireguard'
list addresses '192.168.30.4/24'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_1_МК3'
option auto '1'
option mtu '8000'
config wireguard_wg0
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_1_VPS'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
option endpoint_host 'IP_АДРЕС_VPS'
# Second-level VPN - client
config interface 'wg1'
option proto 'wireguard'
option private_key 'ЗАКРЫТЫЙ_КЛЮЧ_VPN_2_МК3'
list addresses '192.168.31.3/24'
option auto '1'
option listen_port '51821'
option mtu '7500'
config wireguard_wg1
option public_key 'ОТКРЫТЫЙ_КЛЮЧ_VPN_2_МС'
option endpoint_host '192.168.30.2'
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '192.168.31.0/24'
In the second-level VPN configuration described above, I specify port 51821 for the WireGuard clients. In principle this is unnecessary, since the client would establish the connection from any free unprivileged port, but I did it this way so that all incoming connections on the wg0 interfaces of all routers could be rejected except incoming UDP connections on port 51821.
I hope the article will be useful to someone.
P.S. I also want to share my script that sends PUSH notifications to my phone via the WirePusher app when a new device appears on my network. Here is the link to the script: .
UPDATE: OpenVPN client and server configuration
OpenVPN server
client-to-client
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/vpn-server.key
dev tap
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
keepalive 10 60
proto tcp4
server-bridge 192.168.10.1 255.255.255.0 192.168.10.80 192.168.10.254
status /var/log/openvpn-status.log
verb 3
comp-lzo
OpenVPN client
client
tls-client
dev tap
proto tcp
remote VPS_IP 1194 # Change to your router's External IP
resolv-retry infinite
nobind
ca client/ca.crt
cert client/client.crt
key client/client.key
dh client/dh.pem
comp-lzo
persist-tun
persist-key
verb 3
I used Easy-rsa to generate the certificates.
Source: www.habr.com
