Speeding up OpenVPN on an OpenWrt router: another option, without a soldering iron or hardware extremism

Hello everyone. I recently read an earlier article on how to speed up OpenVPN on a router by offloading encryption to a separate piece of hardware soldered inside the router itself. My case is similar to that author's: a TP-Link WDR3500 with 128 megabytes of RAM and a weak processor that cannot fully cope with encrypting the tunnel. However, I had no desire at all to go into the router with a soldering iron. Below is my experience of moving OpenVPN to a separate device, with fallback to the router if that device fails.

Goal

There is a TP-Link WDR3500 router and an Orange Pi Zero H2. We want the Orange Pi to encrypt the tunnels in normal operation, and if anything happens to it, VPN duty should return to the router. All firewall settings on the router must keep working as before. In general, adding the extra device should be transparent and go unnoticed by everyone. OpenVPN runs over TCP, and the TAP adapter is in bridge mode (server-bridge).

Solution

Instead of connecting over USB, I decided to use one router port and attach every subnet that has a VPN bridge to the Orange Pi through it. The device then sits physically in the same networks as the router's VPN server. After that, we install the same server on the Orange Pi, and on the router we set up a kind of proxy that forwards all incoming connections to the external server, and if the Orange Pi is dead or unreachable, to the internal fallback server. I chose HAProxy.

It looks like this:

  1. A client connects.
  2. If the external server is unreachable, the connection goes to the internal server, as before.
  3. If it is reachable, the client is accepted by the Orange Pi.
  4. The VPN on the Orange Pi decrypts the packets and pours them back to the router.
  5. The router routes them wherever they need to go.

Implementation example

So, let's say we have two networks on the router, main (1) and guest (2), and each of them has an OpenVPN server for external connections.

Network configuration

We need to carry both networks over a single port, so we create 2 VLANs.

On the router side, in the Network/Switch section, create the VLANs (for example 1 and 2), enable tagged mode on the chosen port, and add the new eth0.1 and eth0.2 to the corresponding networks (for example, add them to the bridge).

On the Orange Pi we create two VLAN interfaces (I have Archlinux ARM + netctl):

/etc/netctl/vlan-main

Description='Main VLAN on eth0'
Interface=vlan-main
Connection=vlan
BindsToInterfaces=eth0
VLANID=1
IP=no

/etc/netctl/vlan-guest

Description='Guest VLAN on eth0'
Interface=vlan-guest
Connection=vlan
BindsToInterfaces=eth0
VLANID=2
IP=no

And right away we create two bridges.

/etc/netctl/br-main

Description="Main Bridge connection"
Interface=br-main
Connection=bridge
BindsToInterfaces=(vlan-main)
IP=dhcp

/etc/netctl/br-guest

Description="Guest Bridge connection"
Interface=br-guest
Connection=bridge
BindsToInterfaces=(vlan-guest)
IP=dhcp

Enable autostart for all 4 profiles (netctl enable). After a reboot, the Orange Pi now sits on both required networks. We pin the addresses of the Orange Pi interfaces in the router's Static Leases.

ip addr show

4: vlan-main@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-main state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

5: vlan-guest@eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 02:42:f0:f8:23:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42:f0ff:fef8:23c8/64 scope link 
       valid_lft forever preferred_lft forever

6: br-main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:c7:0f:89:71:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global dynamic noprefixroute br-main
       valid_lft 29379sec preferred_lft 21439sec
    inet6 fe80::50c7:fff:fe89:716e/64 scope link 
       valid_lft forever preferred_lft forever

7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:ea:19:31:34:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::ecea:19ff:fe31:3432/64 scope link 
       valid_lft forever preferred_lft forever

VPN setup

Next, we copy the OpenVPN settings and keys from the router. The settings can usually be found in /tmp/etc/openvpn*.conf. Note that the server's private key now lives on two devices, so the Orange Pi deserves the same physical and access protection as the router.

By default, openvpn running in TAP mode with server-bridge leaves its interface down. For everything to work, you need to add a script that runs when the connection comes up.

/etc/openvpn/main.conf

dev vpn-main
dev-type tap

client-to-client
persist-key
persist-tun
ca /etc/openvpn/main/ca.crt
cert /etc/openvpn/main/main.crt
cipher AES-256-CBC
comp-lzo yes
dh /etc/openvpn/main/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp_main.txt
keepalive 10 60
key /etc/openvpn/main/main.key
port 443
proto tcp
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.229
status /tmp/openvpn.main.status
verb 3

setenv profile_name main
script-security 2
up /etc/openvpn/vpn-up.sh

/etc/openvpn/vpn-up.sh

#!/bin/sh
# Run by OpenVPN through the "up" hook (requires script-security 2) once the
# TAP device exists. profile_name comes from the "setenv profile_name" line in
# the server config, so the same script serves both main.conf and the guest config.

# Bring the TAP interface up and attach it to the matching bridge
ifconfig vpn-${profile_name} up
brctl addif br-${profile_name} vpn-${profile_name}

As a result, as soon as the connection comes up, the vpn-main interface is added to br-main. The guest network is configured the same way, differing only in the interface name and the server-bridge address.

Accepting external connections and proxying

At this stage, the Orange Pi can already accept connections and attach clients to the required networks. All that remains is to set up proxying of incoming connections on the router.

We move the router's VPN servers to other ports, install HAProxy on the router and configure it. In mode tcp HAProxy passes the TLS session through untouched, so OpenVPN's certificate authentication still terminates on whichever server accepts the connection; the health check is a plain TCP connect to the backend port. (contimeout is the legacy spelling of timeout connect; current HAProxy releases reject it.)

/etc/haproxy.cfg

global
        maxconn 256
        uid 0
        gid 0
        daemon

defaults
        retries 1
        contimeout 1000
        option splice-auto

listen guest_vpn
        bind :444
        mode tcp
        server 0-orange 192.168.2.3:444 check
        server 1-local  127.0.0.1:4444 check backup

listen main_vpn
        bind :443
        mode tcp
        server 0-orange 192.168.1.3:443 check
        server 1-local  127.0.0.1:4443 check backup

Enjoy

If everything went according to plan, clients will migrate to the Orange Pi, the router's processor will stop heating up, and VPN throughput will rise considerably. At the same time, all the network rules registered on the router remain in force. If the Orange Pi fails, it goes down and HAProxy switches clients over to the local servers. One caveat for logging: because HAProxy opens its own TCP connection to the backend, both OpenVPN servers record HAProxy's address as the client's Real Address, and the config above has no log directive, so add one (and option tcplog in the listen sections) if you need the original client addresses.
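To check where clients actually landed after a failover, the following added example (not from the article) parses the status files that the status line in main.conf writes on both devices and flags addresses that belong to HAProxy rather than the client. It assumes the router's main-network address is 192.168.1.1, as the pushed DNS option suggests; both status texts are constructed samples.

```python
# Added example (not from the article): report where each OpenVPN client landed
# after the HAProxy failover by reading the `status` files that main.conf writes
# (default status-version 1 layout). Both status texts are constructed samples.
# Addresses HAProxy connects from: the router's LAN address (assumed 192.168.1.1)
# when it forwards to the Orange Pi, loopback when it uses the local fallback.
PROXY_ADDRS = {"192.168.1.1", "127.0.0.1"}
ORANGE_PI_STATUS = """OpenVPN CLIENT LIST
Updated,Sat Mar  2 10:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop,192.168.1.1:40312,151234,2093811,Sat Mar  2 09:41:07 2019
phone,192.168.1.1:40318,4021,9950,Sat Mar  2 09:58:30 2019
ROUTING TABLE
END
"""
# A client that connected during an Orange Pi outage stays on the fallback
# server until it reconnects; HAProxy does not move live TCP sessions back.
ROUTER_STATUS = """OpenVPN CLIENT LIST
Updated,Sat Mar  2 10:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
tablet,127.0.0.1:53120,88012,310440,Sat Mar  2 08:12:45 2019
ROUTING TABLE
END
"""

def parse_status_v1(text):
    """Return the CLIENT LIST rows of a version-1 status file as dicts."""
    rows, header, in_clients = [], None, False
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
        elif line in ("ROUTING TABLE", "GLOBAL STATS", "END"):
            in_clients = False
        elif in_clients and not line.startswith("Updated,"):
            fields = line.split(",")
            if fields[0] == "Common Name":
                header = fields  # column names for the rows that follow
            elif header and len(fields) == len(header):
                rows.append(dict(zip(header, fields)))
    return rows

def client_placement(status_by_device):
    """Map common name -> serving device, logged address, and whether that
    address is HAProxy's (true client IP then only exists in HAProxy's log)."""
    placement = {}
    for device, text in status_by_device.items():
        for row in parse_status_v1(text):
            addr = row["Real Address"]
            placement[row["Common Name"]] = {"device": device, "real_address": addr,
                "via_proxy": addr.rsplit(":", 1)[0] in PROXY_ADDRS}
    return placement
```

Run client_placement({"orange-pi": ORANGE_PI_STATUS, "router": ROUTER_STATUS}) to see the tablet still parked on the router's fallback server while the other clients sit on the Orange Pi.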

Thank you for your attention; suggestions and corrections are welcome.

Source: www.habr.com
